
How to host a website anonymously
To host a website anonymously you sever every link between the site and your identity: deploy a no-KYC VPS paid in Monero (no ID, no phone, email + password only), pick a privacy-friendly jurisdiction, point a domain registered separately, then harden SSH, firewall, and fail2ban and serve nginx over TLS. On NoKycVPS a server boots in about 47 seconds with no documents requested.
"Anonymous" hosting is not one switch. It is a chain of links between your real identity and a public IP address, and your anonymity is only as strong as the weakest link. The payment trail, the registrar WHOIS, the SSH key on your daily laptop, the analytics script phoning home, a leaked origin IP behind a CDN, server logs you forgot to disable — any one of these breaks the chain. This guide walks the whole chain end to end with concrete commands.
The model here: separate identity from infrastructure from name resolution. You buy compute without identifying yourself (a no-KYC VPS paid in Monero (XMR)), you register a domain through an unlinked path (covered separately), and you operate the box so it never leaks who built it. NoKycVPS is built for exactly this: email + password is the entire credential, payment is crypto-only, and the operator acts only on a binding judicial order from a Saint Kitts and Nevis court — with customer notice first.
Define your threat model first
Before you type a command, decide who you are hiding from. "Anonymous" against a curious neighbour is trivial; anonymous against a well-resourced civil litigant or a nation-state is a different discipline. Your operational rules — which device you SSH from, whether you ever touch the box from your home IP, whether the domain and the server can be correlated — all flow from this answer.
Three identities to keep apart
- Compute identity — who paid for and controls the server. Defeated by a KYC signup or a traceable card. Solution: a no-KYC VPS paid in Monero.
- Name identity — who owns the domain. Defeated by WHOIS, registrar payment records, or DNS that resolves your real nameservers. Solution: register the domain through a separate anonymous path (see register a domain anonymously).
- Operator identity — the fingerprints you leave while running it. Defeated by reused SSH keys, logging in from home, a CMS that embeds your username, or analytics/fonts/scripts loaded from third parties.
Write down which of these matters for your project. A privacy-respecting marketing site needs the first two. A leak archive or a journalist's dropbox needs all three, plus the Tor hidden service approach below.
What anonymity is NOT
It is not a single "private mode." It is not trusting a CDN's "hide my IP" toggle while your origin still answers on its real address. And it is not legal cover for prohibited activity — NoKycVPS has one zero-tolerance line (CSAM) and acts on binding judicial orders. Anonymity here means you are not casually identifiable and the operator holds no documents that identify you, not that the laws of physics or your jurisdiction stop applying.
Pick a jurisdiction
Where the bytes live determines whose courts can compel what. NoKycVPS runs the same hardware in four regions, so you choose venue without sacrificing performance:
- Reykjavik, Iceland (REK) — the IMMI press-freedom initiative, no mandatory data-retention law, and renewable geothermal power. Strong choice for journalism and leak archives.
- Zurich, Switzerland (ZRH) — strong constitutional privacy (FADP), outside the 14-Eyes intelligence-sharing arrangement, and Art. 271 of the penal code restricts assisting foreign authorities. The conservative pick for adversarial threat models.
- Bucharest, Romania (OTP) — EU member, excellent connectivity, historically resistant to overbroad takedown pressure, lowest cost in the EU set.
- Paris, France (PAR) — EU, robust peering and infrastructure, GDPR. Cheapest region and lowest latency for most of Europe.
For the strongest separation between you and any single legal system, host in Reykjavik or Zurich and register your domain through a registrar in yet another jurisdiction. See the jurisdiction overview for the full legal-hook breakdown. Whichever region you pick, the corporate venue for any legal demand is Saint Kitts and Nevis, and the operator notifies you before acting on a properly served order.
Deploy a no-KYC VPS, paid in Monero
Create an account with a disposable email and a strong password — that is the entire signup, no verification email, no phone, no captcha. Then top up your balance with crypto. Monero (XMR) is the privacy default: it credits in about 30 seconds and leaves no public on-chain trail linking the payment to you. Bitcoin works too but settles in a few minutes and is transparent on-chain, so prefer XMR for this use case.
Top up and deploy
- Top up the balance; deployments then debit it. Bonuses scale with size: +30% at $100, +70% at $1000 (linear between).
- Pick a plan. The S1 (2 vCPU / 4 GB DDR5 / 80 GB NVMe, from $5/mo) is plenty for a static or small dynamic site. Step up to S2 Pro (4 vCPU / 16 GB / 320 GB, from $15/mo) for a CMS, database, and headroom.
- Choose an OS image — Debian 13 is the lean default used in the commands below. Ubuntu 24.04, Rocky 9, Alma 9, Alpine, Arch, and FreeBSD 14 are also available.
- Pick a billing cycle. Cycle discounts are steep and one-shot (no auto-renew): 3-month 25%, 6-month 35%, 12-month 50%.
Deploy. Median boot is about 47 seconds; you'll get the IPv4 address, a /64 IPv6 block, and initial root credentials in the panel. Add your SSH public key during ordering if the option is offered, or paste it on first login as shown next. Ready to go? Order a VPS.
# From the order panel you receive an IPv4 like 203.0.113.10
# First login (replace with your address):
ssh [email protected]
Harden the server: SSH keys, firewall, fail2ban
A box exposed on the public internet is scanned within minutes. Lock it down before you serve a single byte. Do all of this in your first session.
1. Key-only SSH, no root password login
Generate a key on your local machine if you don't have one (use a dedicated key for this project — do not reuse your work key):
# Local machine
ssh-keygen -t ed25519 -f ~/.ssh/anon_site -C ""
ssh-copy-id -i ~/.ssh/anon_site.pub [email protected]
Then on the server, disable password and root-password logins:
# /etc/ssh/sshd_config.d/hardening.conf
PasswordAuthentication no
PermitRootLogin prohibit-password
KbdInteractiveAuthentication no
AuthenticationMethods publickey
systemctl restart ssh
The -C "" strips the user@hostname comment so your key file doesn't embed your laptop's hostname or username — a small but real operator-identity leak.
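To confirm the drop-in actually took effect and that the project key carries no comment, the following added example (not from the original page) audits `sshd -T` output against the four settings in hardening.conf and extracts the comment field of a .pub file. The function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.

# audit_sshd: reads `sshd -T` output on stdin, prints every setting that
# differs from hardening.conf above, returns 1 if any differ or are missing.
audit_sshd() {
    awk '
        BEGIN {
            want["passwordauthentication"] = "no"
            want["kbdinteractiveauthentication"] = "no"
            want["authenticationmethods"] = "publickey"
            # without-password is the older alias of prohibit-password;
            # both spellings are accepted below
            want["permitrootlogin"] = "without-password"
        }
        {
            key = tolower($1)
            val = $0; sub(/^[^ ]+ +/, "", val)
            if (key == "permitrootlogin" && val == "prohibit-password")
                val = "without-password"
        }
        key in want {
            seen[key] = 1
            if (val != want[key]) {
                printf "DEVIATION %s = %s (want %s)\n", key, val, want[key]
                bad = 1
            }
        }
        END {
            for (k in want) if (!(k in seen)) { print "MISSING " k; bad = 1 }
            exit bad
        }'
}

# key_comment: prints the comment field of an OpenSSH .pub file (empty if none).
key_comment() {
    awk '{ sub(/^[^ ]+ +[^ ]+ */, ""); print; exit }' "$1"
}

# Constructed sample: a box where the drop-in was never picked up.
SAMPLE_SSHD_T='passwordauthentication yes
permitrootlogin yes
kbdinteractiveauthentication no
authenticationmethods any'

printf '%s\n' "$SAMPLE_SSHD_T" | audit_sshd || echo "hardening not in effect"
# On the server itself:  sshd -T | audit_sshd
# On the workstation:    key_comment ~/.ssh/anon_site.pub   (expect an empty line)
```

Run the server-side check from a second session while the first stays open, so a mistake in the drop-in cannot lock you out.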
2. A default-deny firewall
apt update && apt install -y nftables
# Allow SSH, HTTP, HTTPS only; drop the rest inbound.
cat > /etc/nftables.conf <<'EOF'
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        tcp dport { 22, 80, 443 } accept
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
    }
}
EOF
systemctl enable --now nftables
3. fail2ban for brute-force noise
apt install -y fail2ban
cat > /etc/fail2ban/jail.local <<'EOF'
[sshd]
enabled = true
maxretry = 3
bantime = 1h
findtime = 10m
EOF
systemctl enable --now fail2ban
Also run unattended security updates (apt install unattended-upgrades) and create a non-root sudo user for day-to-day work. The VPS hardening guide goes deeper on auditd, kernel sysctl, and log minimisation.
Serve a clean-IP site: nginx + TLS
For a normal public website you serve on the server's real IP over HTTPS. The anonymity comes from the fact that the IP and domain trace back to nobody, not from hiding the IP. (If you also want a CDN in front, that is fine — but never leave the origin answering your real domain on a guessable address; lock the origin to the CDN's IP ranges in nftables, or you've leaked your origin.)
Install and get a certificate
apt install -y nginx certbot python3-certbot-nginx
# Point your domain's A/AAAA records at the VPS IPs first, then:
certbot --nginx -d example.org -d www.example.org \
    --agree-tos --no-eff-email -m [email protected]
Use a domain-scoped address such as [email protected] for the ACME contact — never a personal mailbox. Certbot installs a renewal timer automatically.
A minimal, log-light nginx site
# /etc/nginx/sites-available/example.org
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.org www.example.org;
    root /var/www/example.org;
    ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    # Privacy: don't store visitor IPs in access logs.
    access_log off;
    server_tokens off;
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
}
server {
    listen 80; listen [::]:80;
    server_name example.org www.example.org;
    return 301 https://$host$request_uri;
}
access_log off means you never accumulate a database of visitor IPs that could be subpoenaed — you can't hand over what you don't keep. Set server_tokens off so the version banner doesn't fingerprint your stack. And do not embed third-party analytics, fonts, or scripts: every external request from a visitor's browser is a correlation handle. Self-host everything. Reload with nginx -t && systemctl reload nginx.
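The self-host rule is easy to break by accident when a theme or template pulls in a hosted font or script. This added example (not from the original page) scans a web root for static references to hosts other than your own domain; the function names and the sample site are constructed, and GNU grep is assumed.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.

# find_third_party ROOT DOMAIN
# Prints "file: host" for every src=, <link href=> or CSS url() reference whose
# host is neither DOMAIN nor a subdomain of it. Returns 1 if any were found.
# Static references only: URLs assembled in JavaScript at run time are not seen.
# (grep exits 1 when nothing matches, hence the "|| true".)
find_third_party() {
    ftp_hits=$(
        { grep -rEoi --include='*.html' --include='*.css' --include='*.js' \
            "(src=|<link[^>]*href=|url\\()[\"']?(https?:)?//[a-z0-9.-]+" \
            "$1" || true; } |
        awk -v d="$2" '{
            file = $0; sub(/:.*/, "", file)              # text before first colon
            host = tolower($0); sub(/.*\/\//, "", host)  # text after the last //
            if (host != d && substr(host, length(host) - length(d)) != "." d)
                print file ": " host
        }' | sort -u
    )
    [ -z "$ftp_hits" ] && return 0
    printf '%s\n' "$ftp_hits"
    return 1
}

# make_sample_site DIR: writes a constructed two-file site for the demo.
make_sample_site() {
    mkdir -p "$1/css"
    cat > "$1/index.html" <<'EOF'
<link rel="stylesheet" href="/css/site.css">
<link rel="stylesheet" href="https://fonts.example.net/css?family=Inter">
<script src="//www.example.org/js/app.js"></script>
<script async src="https://analytics.example.com/t.js"></script>
<a href="https://elsewhere.example.net/">an ordinary link, loads nothing</a>
EOF
    printf 'body { background: url("https://cdn.example.net/bg.png"); }\n' \
        > "$1/css/site.css"
}

demo=$(mktemp -d)
make_sample_site "$demo"
find_third_party "$demo" example.org || echo "third-party references found"
rm -rf "$demo"
```

On the server the call would be `find_third_party /var/www/example.org example.org`, run before each deploy.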
Optional: a Tor hidden service (.onion) backend
For the strongest cut between the site and any IP address, expose it as a Tor onion service. There is no public IP for an adversary to seize, geolocate, or correlate — the address is derived from a keypair and reachable only over Tor. You can run an onion service alongside the clean-IP site or instead of it.
apt install -y tor
# /etc/tor/torrc
HiddenServiceDir /var/lib/tor/site/
HiddenServicePort 80 127.0.0.1:8080
systemctl restart tor
cat /var/lib/tor/site/hostname # your xxxxxxxx.onion address
Point nginx at 127.0.0.1:8080 for the onion vhost and bind it to localhost only — Tor handles all external reachability, so the firewall above (which drops everything except 22/80/443) keeps the onion backend invisible to the clean internet. NoKycVPS explicitly permits Tor relays, exits, and hidden services. For a public site that also wants .onion discoverability, advertise it with an Onion-Location header from your clearnet vhost so Tor Browser offers the upgrade automatically.
This is the right architecture for leak archives, journalist dropboxes, and anything where even a seized server should reveal nothing about its operator or its visitors. Pair it with full-disk-encryption awareness: root passwords are already AES-256 encrypted at rest under an operator-held key.
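The localhost-only bind for the onion backend can be verified on its own, independent of the firewall. This added example (not from the original page) reads `ss -Hltn` output and reports any non-loopback address listening on the backend port; the function name and sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original page. The function name is hypothetical.

# exposed_listeners PORT: reads `ss -Hltn` output on stdin and prints every
# non-loopback local address listening on PORT.
# Returns 0 = loopback only, 1 = reachable beyond loopback, 2 = nothing listens.
exposed_listeners() {
    awk -v port="$1" '
        {
            addr = $4; p = $4
            sub(/:[^:]*$/, "", addr)   # address part, before the last colon
            sub(/.*:/, "", p)          # port part, after the last colon
            if (p != port) next
            found = 1
            if (addr !~ /^127\./ && addr != "[::1]") { print addr; exposed = 1 }
        }
        END { if (!found) exit 2; exit exposed }'
}

# Constructed samples in the column layout of `ss -Hltn`
SAMPLE_GOOD='LISTEN 0 511 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
SAMPLE_BAD='LISTEN 0 511 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 511 [::]:8080 [::]:*'

printf '%s\n' "$SAMPLE_GOOD" | exposed_listeners 8080 && echo "8080: loopback only"
printf '%s\n' "$SAMPLE_BAD"  | exposed_listeners 8080 || echo "8080: exposed"
# On the server:  ss -Hltn | exposed_listeners 8080
```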
Separate identity from DNS and the domain
You have done the hard part — a no-KYC, crypto-paid, hardened, log-light server. Now don't undo it at the name layer. The domain is the most common place anonymity quietly leaks.
- WHOIS — register through a path that doesn't put your name in the public record. NoKycVPS sells domain names across 26 TLDs on the same no-KYC, crypto-paid account, so the domain and the server share zero personal data. The full method is in register a domain anonymously.
- DNS history — if a domain ever pointed at your home IP or a previously-identified server, passive-DNS databases remember. Use a fresh domain, or audit its history before reuse.
- Payment correlation — pay for the domain from the same crypto balance or a different one, but never with a card or a payment rail tied to your name.
- Registrar nameservers — keep DNS at the registrar or on the same anonymous infrastructure; don't route it through a personal account at a third party.
When the domain, the DNS, the server, and the payment all trace back to nobody, you have actually hosted a website anonymously — not just felt like it. For deeper venue selection, read offshore hosting, and to harden the box further see harden a VPS.
- Define your threat model
Decide who you are hiding from and which of the three identities — compute, name, operator — must stay separate. A marketing site needs the first two; a leak archive needs all three plus Tor. This choice drives every command below.
- Pick a jurisdiction
Choose the legal venue: Reykjavik or Zurich for the strongest privacy posture (outside 14-Eyes, no data-retention mandate), Bucharest or Paris for low-cost EU. Same hardware in every region, so you choose venue without losing performance.
- Deploy a no-KYC VPS paid in Monero
Sign up with a disposable email and password — no ID, phone, or verification. Top up the balance in Monero (XMR) (credits in ~30s), pick an S1 or S2 plan and Debian 13, and deploy. Median boot is about 47 seconds. Order a VPS.
- Lock down SSH
Use a dedicated ed25519 key with -C "" so it carries no hostname. Copy it to the box, then set PasswordAuthentication no and PermitRootLogin prohibit-password and restart sshd.
- Firewall and fail2ban
Install nftables with a default-deny input policy allowing only 22/80/443, enable unattended-upgrades, and install fail2ban with a 3-retry / 1-hour ban sshd jail to absorb brute-force noise.
- Serve nginx over TLS
Point your domain's A/AAAA records at the VPS, run certbot --nginx with a domain-scoped ACME email, and deploy a vhost with access_log off and server_tokens off. Self-host all fonts, scripts, and analytics — no third-party requests.
- Optional: add a Tor hidden service
Install Tor, add a HiddenServiceDir/HiddenServicePort pointing at a localhost-bound nginx vhost, restart, and read the .onion hostname. No public IP to seize or correlate; pair with an Onion-Location header on the clearnet site.
- Separate the domain from your identity
Register the domain on the same no-KYC, crypto-paid account so WHOIS and payment hold no personal data, audit the domain's passive-DNS history, and keep nameservers off any personal account. Full method in register a domain anonymously.
Questions worth answering
Is anonymous web hosting legal?
Yes. Buying compute without identifying yourself and paying in crypto is legal, and NoKycVPS permits a wide range of legitimate uses — Tor relays, journalism, leak archives, adult content for consenting adults, and controversial-but-legal-somewhere speech. The one zero-tolerance line is CSAM, and the operator acts on binding judicial orders from a court with jurisdiction over the Saint Kitts and Nevis entity. Anonymity is about not being casually identifiable, not about evading the law.
Why pay in Monero instead of Bitcoin?
Bitcoin is transparent on-chain, so a payment can in principle be traced back to an exchange that holds your identity. Monero (XMR) hides sender, receiver, and amount by design, leaving no public link between the payment and you. On NoKycVPS, XMR also credits your balance in about 30 seconds versus a few minutes for BTC. Both are accepted among 10 supported coins; XMR is the privacy default.
What does "no-KYC" actually mean here?
Email plus password is the entire credential. There is no identity check, no phone number, no document upload, no email verification, and no captcha. A disposable email address is welcome. The operator never collects documents that could identify you, so there is nothing identifying to hand over.
Do I need a Tor hidden service, or is a normal HTTPS site enough?
For most privacy-respecting sites a clean-IP nginx + TLS site on a no-KYC VPS is enough — the IP and domain simply trace back to nobody. Add a Tor onion service when you need to remove the public IP entirely, such as a leak archive or a journalist dropbox where even a seized server should reveal nothing. You can run both at once.
How do I keep the domain from de-anonymising the server?
Register the domain through a path with no personal data in WHOIS or payment — NoKycVPS offers domains across 26 TLDs on the same crypto-paid account. Use a fresh domain so passive-DNS history doesn't link it to a past IP, and keep nameservers off any personal third-party account. See the dedicated guide on registering a domain anonymously.