$ man 7 host-website-anonymously

How to host a website anonymously in 2026 — a three-tier guide

// NAME

host-website-anonymously — practical guide for hosting a site without surfacing identity to the host, the payment processor, or the audience. Maps three realistic threat models to three deployment patterns; matches each to an xmrhost.io plan.

// SYNOPSIS

tier 1 — casual:    no-KYC VPS + Monero + clearnet site
tier 2 — moderate:  no-KYC VPS + Monero + hidden service + clean OpSec
tier 3 — strict:    onion-only + onion-auth sshd + airgap management

// THE THREAT-MODEL QUESTION FIRST

$ man 7 threat-model

Anonymity is not a binary; it is a threat-model trade-off. Skip this question and you waste effort defending against adversaries that don't apply to you, or worse, under-defend against the ones that do. The three realistic threat models for "I want to host a website without it being tied to me" are:

  • Tier 1 — casual. Adversary is a curious internet user, a competitor, a former associate. They Google, run whois, check the IP, send a polite email. Goal: make identification through these channels return nothing. Stakes: embarrassment, doxing, minor harassment.
  • Tier 2 — moderate. Adversary is a civil plaintiff, a copyright complainant, a domestic regulator with subpoena power but no significant intelligence resource. They file process to the host, the registrar, the payment processor. Goal: ensure that subpoenas to those parties either return nothing or return a dead end. Stakes: civil suit, content takedown, fines.
  • Tier 3 — strict. Adversary is a state-level actor with chain-analytics tooling, MLAT cooperation, and long-game intelligence resource. Goal: defend against the composition of every prior channel plus active investigation. Stakes: criminal proceedings, source compromise, physical risk.

Most use cases sit at Tier 2. Most operators over-build for Tier 3 (which costs effort and degrades usability) or under-build for Tier 2 (which puts them at material risk). Pick honestly.

// TIER 1 — CASUAL

$ deploy --tier=1

Minimum-viable anonymous hosting for a low-stakes site. Goal: nothing in the public surface (whois, IP, DNS) points to the operator. The site itself is on the clearnet (DNS + IPv4 reachable).

  1. Pick an offshore VPS plan. For a typical static site or small CMS, vps-1 ($15/mo, 1 vCPU / 2 GB RAM / 30 GB NVMe) is plenty. For a dynamic site or moderate traffic, vps-2.
  2. Pay in Monero (recommended) or any accepted crypto. The checkout flow uses OxaPay; pick the rail at the OxaPay page. No email required; account creation accepts a pseudonym. See /guide/buy-vps-with-monero for the step-by-step.
  3. Register a domain via a privacy-friendly registrar. Njalla, Orange (the Iceland registrar, not the French ISP), or NameSilo with WHOIS privacy enabled. Pay in crypto. NEVER use the registrar that comes bundled with US-cloud hosting.
  4. Point DNS at the VPS, set up TLS via Caddy. Caddy auto-provisions via Let's Encrypt directly to your server — no Cloudflare, no CDN in front. Adding Cloudflare undermines the entire deployment — it puts US-incorporated infrastructure between visitor and operator.
  5. Configure sshd properly. Disable password auth, Ed25519 keys only, fail2ban. See /docs/harden-sshd.

// Tier-1 result: whois shows registrar privacy. IP traces to the hosting operator (offshore upstream). No payment trail except what the hosting operator chooses to retain (xmrhost.io retains the minimum needed to support the account). Total cost: $15-25/mo + ~$15/yr for the domain.

// TIER 2 — MODERATE

$ deploy --tier=2

For sites that draw civil-litigation interest (controversial editorial, file-sharing, leak repositories, political organising). The site can still be clearnet-reachable, but the management surface and the payment trail are hardened.

  1. Pay in Monero only. At this tier the chain-analytics surface matters. Acquire XMR via Bisq or Haveno (no-KYC P2P), see /vs/bisq-vs-haveno-no-kyc-monero. BTC / Lightning are still accepted by the host but you should not use them.
  2. Pick vps-2 or vps-4. Headroom matters if the site grows or attracts traffic spikes.
  3. Mirror to a Tor hidden service. Run the same site on a v3 onion address as a fail-over channel. If the clearnet IP gets blocked or seized, the audience knows the .onion URL and continues. See /docs/provision-tor-hidden-service.
  4. sshd via Tor only. Bind sshd to a Tor hidden service with onion-auth. Disable clearnet port 22. Management sessions never touch the clearnet IP — defeats the most common deanonymisation correlation attack (sshd uptime + load + traffic patterns probed from outside).
  5. Domain registrar — pseudonym + Monero. Njalla accepts Monero and a pseudonym; Orange similar. Avoid any registrar that requires email verification through a KYC'd provider.
  6. OpSec for the operator side. Use Tor Browser or a Whonix workstation for every management session. Never access the management surface from a network associated with your identity. Use a separate password manager for the xmrhost.io account.

// Tier-2 result: the chain from visitor → clearnet IP → operator IP requires either (a) breaking Tor or (b) compelled cooperation from the offshore host. Both are materially expensive in time and money. Civil plaintiffs typically give up. Total cost: $25-45/mo + ~$15-30/yr.
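
// Added example (not from xmrhost.io or its /docs pages): a Python check that a server matches tier-2 step 4 and the sshd rule in tier-1 step 5. It reads sshd_config and torrc text plus the files in the onion service's authorized_clients/ directory and reports anything that still leaves sshd reachable from the clearnet or the onion unauthenticated. Assumptions: sshd on port 22, no Match or Include blocks; function names and sample values are constructed for illustration.

```python
import ipaddress

def directives(text):
    """Yield (lowercased keyword, args) per config line; '#' starts a comment."""
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts:
            yield parts[0].lower(), parts[1:]

def is_loopback(addr):
    """True if host, host:port or [v6]:port names a loopback address."""
    if addr.startswith("["):
        host = addr[1:].split("]")[0]
    else:
        host = addr.split(":")[0] if addr.count(":") == 1 else addr
    try:
        return host == "localhost" or ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def audit(sshd_config, torrc, auth_files):
    """Return findings; an empty list means the tier-2 sshd posture holds."""
    findings = []
    sshd = [(k, a) for k, a in directives(sshd_config) if a]
    listens = [a[0] for k, a in sshd if k == "listenaddress"]
    bad = [x for x in listens if not is_loopback(x)]
    if not listens or bad:   # no ListenAddress at all means every interface
        findings.append(f"sshd: not loopback-only: {bad or 'all interfaces'}")
    # sshd keeps the first value given for a keyword; unset means "yes".
    pw = next((a[0] for k, a in sshd if k == "passwordauthentication"), "yes")
    if pw.lower() != "no":
        findings.append("sshd: PasswordAuthentication is not 'no'")
    # HiddenServicePort VIRTPORT [TARGET]; TARGET defaults to 127.0.0.1:VIRTPORT.
    targets = [a[-1] for k, a in directives(torrc) if k == "hiddenserviceport" and a]
    targets = ["127.0.0.1:" + t if t.isdigit() else t for t in targets]
    if not any(t.endswith(":22") and is_loopback(t) for t in targets):
        findings.append("tor: no onion service forwards to loopback port 22")
    # Tor enforces client auth only if authorized_clients/ holds a valid *.auth.
    valid = [n for n, body in auth_files.items() if n.endswith(".auth")
             and body.strip().startswith("descriptor:x25519:")]
    if not valid:
        findings.append("tor: no valid .auth file, onion-auth not enforced")
    return findings

# Constructed sample inputs, not taken from the guide or any xmrhost.io image.
GOOD_SSHD = "ListenAddress 127.0.0.1\nPasswordAuthentication no\n"
GOOD_TORRC = "HiddenServiceDir /var/lib/tor/ssh\nHiddenServicePort 22 127.0.0.1:22\n"
GOOD_AUTH = {"laptop.auth": "descriptor:x25519:" + "A" * 52}
print(audit("PasswordAuthentication yes\n", GOOD_TORRC, {}))  # weak sshd, no .auth
```

// On a real host, pass the contents of /etc/ssh/sshd_config, the torrc, and a name-to-content map of the files under <HiddenServiceDir>/authorized_clients/.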

// TIER 3 — STRICT

$ deploy --tier=3

For source-protection journalism, leak repositories, dissident platforms in repressive jurisdictions, and other high-stakes deployments. The site is onion-only; management is air-gapped; the payment is unrecoverable.

  1. Tor hidden service only — no clearnet. The DNS / clearnet IP attack surface does not exist. Visitors reach the site only through Tor Browser. Use a tor-2 ($42/mo) plan that ships with hardened tor.conf and onion-auth-gated sshd by default.
  2. OXEN-tier OpSec on the operator side. All management from a Whonix VM running on a dedicated air-gapped laptop. No password manager that syncs to the cloud. Hardware token (YubiKey or similar) for sshd auth on top of the onion-auth gate. Never copy files between the management VM and the daily-driver host.
  3. Payment — Monero, post-KYC-mixing. Acquire XMR through Bisq or Haveno with cash-by-mail or via a previously-held BTC stake swapped through a no-KYC atomic-swap broker. The funding chain has to be clean from the on-ramp forward. See /why-monero for the chain-analytics rationale.
  4. Domain — onion only. No clearnet DNS at all. The .onion address is the only handle. Distribute the .onion via out-of-band trust channels (signed Mastodon post, PGP-signed email, Tor Project's onion-name protocol).
  5. Hardening — KSPP + auditd + restrictive nftables. See /hardening for the baseline. Tier-3 adds: full-disk encryption with LUKS (the operator unlocks at boot via dropbear-over-onion), no swap, kernel-build-from-source if paranoia justifies it.

// Tier-3 result: even a state-level adversary with the offshore host's full cooperation recovers a hardened-LUKS disk image, not a running system or identity-linked log. Total cost: $42-85/mo + non-trivial operator time (1-2 days initial setup + ~1-2 hours/month maintenance). Threat-model fit: /threat-models#journalism.

// DECISION MATRIX

$ compare --tiers

// dimension          | // tier 1                  | // tier 2                     | // tier 3
clearnet site         | yes                        | yes + onion mirror            | no (onion only)
payment rail          | any accepted crypto        | Monero only                   | Monero (post-KYC-mixing)
management surface    | clearnet sshd (hardened)   | onion sshd                    | onion sshd + onion-auth + hardware token
operator-side OpSec   | basic (separate password)  | Tor Browser / Whonix          | airgap Whonix on dedicated host
recommended plan      | vps-1 / vps-2              | vps-2 / vps-4                 | tor-2 / tor-4
total monthly         | $15-25                     | $25-45                        | $42-85
defends against       | casual investigation       | civil litigation, regulators  | state-level adversary

// FAQ

$ faq anonymous-hosting

Q. Can I actually host a website 100% anonymously?

A. No — "100% anonymous" is the wrong target. The right target is a threat model: "anonymous against whom?". Against a casual investigator: yes, easy. Against a state-level adversary with legal-process leverage on every upstream: very hard, requires hidden-service operation + careful OpSec. The three tiers in this guide map to three realistic threat models.

Q. What's the difference between a clearnet site and a Tor hidden service?

A. Clearnet: reachable from any browser via DNS + public IP. Tor hidden service: reachable only via the Tor network at a 56-character .onion address. Hidden services have no clearnet IP for an adversary to subpoena upstream of, but only Tor-Browser users reach them. Choice depends on whether the audience is general-public (clearnet) or already-Tor-aware (hidden service).

Q. Do I need to pay in Monero for the hosting to be anonymous?

A. Monero is the recommended rail for chain-analytics-aware threat models. Paying in BTC, Lightning, LTC, ETH, or USDT works but leaves a chain-of-custody record on the public ledger — the host's offshore jurisdiction doesn't cover that record. For casual / low-stakes anonymity, any rail works; for source-protection or high-stakes operation, default to XMR. See /why-monero for the threat-model trade-off.

Q. What jurisdictions actually offer anonymous hosting?

A. Jurisdiction matters less than three properties: (1) no DMCA-§512-equivalent private-notice takedown, (2) court-issued process required for content removal, (3) operator practice not to log identity-mapping data. Iceland (Höfundalög nr. 73/1972) and Romania (Legea nr. 8/1996) both satisfy (1) and (2); the operator handles (3). xmrhost.io operates in both.

Q. Does using Cloudflare break the anonymity?

A. Yes — Cloudflare is a US-incorporated entity that terminates TLS for your site, holds the keys, and complies with US legal process. Cloudflare in front of an offshore VPS converts the deployment into a US-subpoenable surface. Never put Cloudflare in front of an anonymity-targeting site. xmrhost.io serves direct without a CDN-edge layer.

Q. Can I use a free hosting service for anonymity?

A. No. Free hosting requires either advertising (which fingerprints visitors) or sign-up with email/phone (which creates the chain-of-custody trail the rest of this guide is designed to avoid). Paid offshore hosting with crypto is the cheapest realistic option that doesn't undermine the threat model.

Q. What if the operator is compelled to reveal my identity?

A. Two layers of defense: (1) the operator does not collect identity data — no KYC at signup, no email required, payment in non-rebuttable crypto. (2) For high-stakes deployments, route the management surface (sshd) over a separate Tor hidden service with onion-auth gating, so even a compromised operator cannot link the management session to a public-IP fingerprint. Both layers are documented under /docs.
