This blog is now accessible via Tor to an Onion address!

http://maxxer7ndgxqsbwu.onion

While basically useless for me, I’ve always been a fan of the Tor network and I always desired to serve the blog on an .onion url!

How to make your WordPress blog work via clearnet domain and onion address

By default WordPress is bonded to an url which is defined into the general settings:

This setting is used for generating internal links, like navigating from one post to another. In our case we would like to serve the blog to the clearnet url https://lorenzo.mile.si but also to http://maxxer7ndgxqsbwu.onion. This is generally a bad pratice on clearnet domains, because it affects SEO.

There are two advanced settings in WordPress (WP_SITEURL and WP_HOME) which allows you to define the url via config. Being the config file a PHP one, it can be dynamically generated. By setting them to the current HTTP HOST will make the URL dynamic:

define('WP_SITEURL', 'https://' . $_SERVER['HTTP_HOST']);
define('WP_HOME', 'https://' . $_SERVER['HTTP_HOST']);

Done!

Unfortunately, as clearly stated on the WordPress codex page, this exposes your blog to local file inclusion vulnerability! This means a malicious visitor could steal your server files.

To mitigate the risk we can add a check for the value of the variable: if it contains something we don’t like we just stop.
So the complete edit to wp-config.php to make your WordPress blog listen to multiple hostname is the following:

// Avoid LFI in HTTP_HOST header
if (preg_match('/^(([A-Z0-9][A-Z0-9_-]*)(\.[A-Z0-9][A-Z0-9_-]*)+)$/i', $_SERVER['HTTP_HOST']) === FALSE) {
    die("NOMATCH");
}
define('WP_SITEURL', 'https://' . $_SERVER['HTTP_HOST']);
define('WP_HOME', 'https://' . $_SERVER['HTTP_HOST']);

This should keep you resonably safe.

The only thing missing to make my blog completely safe in the Tor network is to remove Google Fonts. Analytics is already disabled if you opted out or enabled DNT.