How to have an anonymous website

You want to have an anonymous website for *reasons*. I’m a big believer in personal privacy – as opposed to operating something illegal. I enjoy thinking through scenarios I don’t actually need to worry about… how would I handle a zombie apocalypse in NYC? How to design the best user-experience for an ATM… ? Then Julien asked this on Bluesky and I fumbled some responses on the subway and so here we are.

How do you register a domain anonymously (and the domain is useless unless you host it)?

As part of this guide, I assume you’re hosting at least a personal blog. Hosting a forum, wiki, or web apps gets into the features of your hosting provider, and that’s all on you.

This guide attempts to cover registering and renewing a domain over a period of years, having hosting in place for the website, and being able to run and update it safely.

Warning: I don’t believe anything I’m suggesting here is illegal, but it might be in your state or country. I am not a lawyer. There is definitely an element of giving false information to a service provider, but all this should be no more than a breach of terms of service. Do your research and get legal advice if you have concerns.

Lastly: I mention some specific service providers. There is no referral or affiliate play going on here. Zilch.

What Does Anonymous Mean?

For me, it’s making sure that your association with a website is not easily traceable.

Depending on whether you are worried about the general public, a corporation, or a state entity, some of these approaches are overkill (or may not go far enough). Do you just not want your friends and family to know it’s you? Easy. Do you want to obfuscate in case a company might sue you? That’s more work. Are you advancing a cause, being a whistle-blower, and are worried about being persecuted/arrested by the state?

There are no guarantees here, and you need to pay attention to many details.

The goal is that you can set up and operate this without being linked to it. Here is what I would consider. Please note, I’ve not done this IRL and offer no guarantee on the effectiveness of any of this.

Advance Preparation

You will need to interact with various service providers. Many will require some form of payment, and cash will not be an option. They will ask for names, addresses, and email addresses that you won’t want to give but will need answers for.

It’s good to be ready for this. Prepare a new name, a valid mailing address, phone number, and working email address.

  • Address: For a valid mailing address, I would look for a very large apartment building. I would try and see if I can determine a unit designation that doesn’t exist. For example, apartment 8F might work if there is no 8th floor, or the last letter designation was E. Don’t overthink it. Be prepared to redo this if the prepaid credit card insists on a specific Zip code.
  • Phone: The phone number might be the most difficult. Some services will not allow for VOIP numbers. I’ve found that Google Voice numbers will mostly work. I would be prepared to create a new Google account specifically just for a VOIP number.

These should not be linked to you in any way, and you should never use them for any other purpose than this one.

Payment & Money

You need to estimate the amount of money it will take to get set up, and the ongoing annual costs. For this, I’ve decided that I want to plan for 3 years of costs.

  • $11 for a .com domain per year
  • $100 for a hosting provider per year
  • $5.25 for a VPN for a month

11 + 100 + (5.25 * 3) * 3 = USD $158.25

There are other services I assume you can get safely for free, or I would expect as part of the hosting package:

  • $0 for email account – ProtonMail has free tier
  • $0 for SSL Certificate – ensure hosting provider includes this or that they work with LetsEncrypt
  • $0 for WHOIS privacy – ensure the registrar has an option to mask this on your behalf

I am going to round that up to $195, but this will go up or down once you’ve decided on a hosting provider and know the costs involved.

All providers need a credit card, though you might find someone who takes crypto, but imho that limits your options significantly.

I’m based in the US, so I would purchase a Vanilla Visa Gift Card at a CVS store and put $195 on it using cash.

I believe that the threshold is $200 where they will ask for ID. The threshold is per transaction, so if you got 2 cards for $100, you’d be asked for ID. This card is not reloadable. There is a small risk that your preferred service provider has a payment processor that won’t accept this.

Note: If the gift card requires you to use a specific Zip code, then I would adjust the information you give to a service provider to reflect a real address with that Zip code.

Domain Registration

Many hosting providers will allow you to register a domain as part of the hosting package. This can make the process easier as it’s one less account to manage. I would avoid free subdomain services.

If you want to register a domain separately, I would recommend Porkbun. Their prices are low, they provide a good service, and they include free WHOIS privacy that works in hiding your domain’s contact details.

The main advantage of not using a hosting provider as a registrar is if you need to point your domain to another provider independently. Eggs in one basket, etc. You do you.
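One way to confirm that WHOIS privacy is actually masking the record, as an added example that is not part of the original post: it compares the contact fields of a WHOIS response against the persona details you registered with. The sample record and the persona values are constructed; in practice you would paste in the output of `whois` for your own domain.

```python
import re

# Constructed sample WHOIS output; in practice paste the text returned by `whois <domain>`.
SAMPLE_WHOIS = """\
Domain Name: example-blog.com
Registrar: Example Registrar LLC
Registrant Name: Private by Design
Registrant Street: 123 Privacy Proxy Way
Registrant Phone: +1.5555550100
Registrant Email: https://registrar.example/whois-contact/example-blog.com
Admin Name: Pat Example
Admin Email: pat.example@proton.me
Tech Phone: +1.2125550147
"""

# Constructed persona details (the values given to the registrar at sign-up).
PERSONA = {
    "name": "Pat Example",
    "email": "pat.example@proton.me",
    "phone": "(212) 555-0147",
    "street": "500 Example Ave Apt 8F",
}

CONTACT_ROLES = ("registrant", "admin", "tech", "billing")

def normalize(kind, value):
    """Reduce a value to a comparable form: last 10 digits for phones, squeezed lowercase otherwise."""
    if kind == "phone":
        return re.sub(r"\D", "", value)[-10:]  # ignore country code and punctuation
    return re.sub(r"\s+", " ", value).strip().lower()

def find_leaks(whois_text, persona):
    """Return sorted (field, persona_key) pairs where a contact field exposes a persona value."""
    wanted = {k: normalize(k, v) for k, v in persona.items() if v}
    leaks = []
    for line in whois_text.splitlines():
        field, sep, value = line.partition(":")
        if not sep or not field.strip().lower().startswith(CONTACT_ROLES):
            continue  # only contact blocks matter; skip registrar and status lines
        for key, needle in wanted.items():
            if needle and needle in normalize(key, value):
                leaks.append((field.strip(), key))
    return sorted(leaks)

if __name__ == "__main__":
    for field, key in find_leaks(SAMPLE_WHOIS, PERSONA):
        print(f"LEAK: {field} exposes persona {key}")
```

Registrars often mask only the registrant block, so the check covers the admin, tech and billing contacts as well.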

Hosting

I use DreamHost, which is based in the USA. They manage domain registration and hosting and allow me to run whatever apps I like.

If you care about a country’s data privacy laws, then consider a country like Norway. I would argue it has stronger data privacy and freedom of press rankings than both Sweden and Denmark (which are also very good). I’ve heard Germany and Iceland come recommended, but you should do your own research.

I rolled the dice and picked UltaHost as a Norway-based hosting provider. I’ve never used them. You’ll likely find others. At the time of writing, their most basic VPS is $4 a month if you commit to 3 years, which is $48 a year and $144 for 3 years.

Make sure the provider you pick has all the services you need. Are you okay installing WordPress yourself, or do you want a one-click solution? Do you care about SSH and SFTP access, or need them to provide a web interface to upload content?

Think about this and ensure you are getting what you need.

Almost Ready

By now, you should have done some digging and assessed your own needs. I believe there is value in hiding your presence in terms of connection and reducing your footprint as much as possible.

Depending on how deep down the rabbit hole you’d like to go, many of these steps are a bit much.

Fresh Start

I use macOS. I create a new generic account on my MacBook. I enable FileVault. I use a strong unique password. I decide to use Safari or install Firefox and make that my default browser. I adjust settings to maximize privacy (more info here or here). I install extensions to block tracking and ads. I promise to only use this account for dealing with my anon website.

Paranoia Bonus: For extra points, create an encrypted disk mountable image. Use a different password from your user account – and do not save it to the Keychain. This is the location for storing account details, notes, drafts, and materials related to the website or that could link you to the website. You should keep any records minimal and review things for deletion often.

Honestly, create 10 of these. Flood the zone. Scatter public domain ebooks and Creative Commons images in a few. Give them crazy long unique passwords and then forget about them – except the one you actually use.

Wi-Fi and VPN

I recommend you use a public Wi-Fi, one that still requires a password. I also recommend that you use a VPN and have it appear you are connected from a different country. Use the VPN always. Like, always.

For example: What happens if you are at home and you log in to your new shiny blog on your anonymously set-up website to write the very important thoughts you need the world to see? The risk is that the entity you irked goes to your hosting provider with their lawyers and demands logs on who accessed it. The hosting provider gives them an IP address which they trace to your service provider (Verizon, Comcast, etc).

They check their logs and say that this IP address at that date and time was in use by this particular customer (you) and now you’ve been identified IRL. Very often your service provider will not immediately hand that over but it varies based on context and their policies etc.

Just use a VPN, ok.

Update: Many routers have VPN support built in. (Thanks Julian)
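The exposure described above can be checked from your own side of the logs. This added example (not from the original post) scans web-server access log lines for requests to the admin paths and flags any source address outside the VPN exit ranges you expect; the log lines, the CIDR ranges and the WordPress paths are constructed assumptions.

```python
import ipaddress
import re

# Constructed assumption: the exit ranges your VPN gives you (documentation ranges used here).
VPN_EXIT_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "2001:db8:aa::/48")]

# Assumed admin paths for a WordPress blog; adjust for your platform.
ADMIN_PATHS = ("/wp-login.php", "/wp-admin/")

# Constructed sample in Combined Log Format.
SAMPLE_LOG = """\
198.51.100.23 - - [03/Mar/2025:21:14:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [03/Mar/2025:21:14:05 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.77 - - [04/Mar/2025:08:01:44 +0000] "GET /2025/03/post/ HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
203.0.113.9 - - [05/Mar/2025:07:55:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
2001:db8:aa::5 - - [06/Mar/2025:19:30:00 +0000] "GET /wp-admin/post.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
garbage line that does not parse
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def audit_admin_access(log_text, vpn_ranges=VPN_EXIT_RANGES, admin_paths=ADMIN_PATHS):
    """Return (timestamp, ip, path, status) for admin-path requests from outside the VPN ranges."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing at their fields
        ip_text, when, _method, path, status = m.groups()
        if not path.startswith(admin_paths):
            continue  # ordinary page views by readers are expected from anywhere
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            continue  # first field was a hostname or junk, not an address
        if not any(ip in net for net in vpn_ranges):
            findings.append((when, ip_text, path, int(status)))
    return findings

if __name__ == "__main__":
    for when, ip, path, status in audit_admin_access(SAMPLE_LOG):
        print(f"{when}  {ip}  {path}  -> {status} (not a VPN exit address)")
```

A flagged line is either a stranger probing the login page or a session of yours that went out without the VPN; the timestamp tells you which.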

Email Account

ProtonMail. It has a free tier that just works. You will need this for all account based creation and correspondence.

Use a dull boring username and a long strong password. No favorite sport teams or clever pop culture references. Make a note of it in your secure encrypted workspace.

Registering for Services

You’re still on VPN and you have already written out all the information of this persona you are using. You have credit card details, a working Proton email address, and a phone number where you can acknowledge texts.

This is the big unknown. Will they accept your information and improvised credit card? Likely yes, and you’re done.

Hopefully all very anticlimactic.

So now what…

You are on your own. Just always use the VPN and make sure to monitor your balance. Get used to switching accounts on your computer (yeah, it may be mildly annoying, but it’s a huge form of protection). At some point you’ll need a new prepaid credit card.

See anything that’s factually incorrect? Email me and I’ll make updates.