Hacking the STLToday Paywall v2025
Welcome back to our continuing series of breaking new STLToday paywall versions.
Want to hear something crazy? We’ve been doing this for over 10 years now! Or to put it another way, STLToday.com, the website for the St. Louis Post Dispatch, has been using a paywall for over a decade, and they haven’t been able to make one that isn’t cracked in a matter of minutes.
That being said, the latest version, which launched in 2022, was the strongest yet. It took me a little longer to figure out and it required a Google Chrome Extension to defeat it.
Will the 2025 version, which I just noticed earlier today, build on that success and finally prevent me from reading their content for free?
Nope.
I found a way to get around it, and remove their aggressive ads in…I don’t know…let’s round up and call it 5 minutes.
No Google Chrome extension this time either. No bookmarklet, no code at all actually. I just turned off JavaScript.
Here are the bullet points:
- They are using some new libraries that are loaded from an external site in addition to scripts loaded locally.
- I started to parse through them, but noticed that they are still loading the whole article and then deleting the article and drawing the paywall banner after the fact.
- Like the 2022 version, they are doing this quickly. Maybe even faster than before.
- …but since they send the whole article, including the page styles, I thought that maybe the easiest shortcut was to just prevent JavaScript, the code that runs on webpages in your browser, from running at all.
It was!
Normally killing all JavaScript would cripple a site, but to their credit, and the detriment of their paywall, that’s not the case here. The site is nearly fully functional without JavaScript, at least in terms of functionality for the reader. Ads don’t work, their user tracking isn’t working, and their paywall doesn’t work. Also images don’t load on their section pages. Not a huge deal. The images load just fine on the articles though.
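A regression check a site owner could run against what the server sends to a logged-out reader, added here as an example (not code from this post or from STLToday): it counts the article text present in the raw HTML before any script runs. The `<article>` container, the 60-word teaser limit and both sample responses are constructed assumptions.

```python
from html.parser import HTMLParser

TEASER_WORD_LIMIT = 60  # assumed policy: logged-out readers get a short teaser only


class ArticleWords(HTMLParser):
    """Count visible words inside <article> exactly as served, with no script executed."""

    def __init__(self):
        super().__init__()
        self.in_article = 0   # nesting depth of <article>
        self.skip = 0         # nesting depth of <script>/<style>
        self.words = 0

    def handle_starttag(self, tag, attrs):
        if tag == "article":
            self.in_article += 1
        elif tag in ("script", "style"):
            self.skip += 1

    def handle_endtag(self, tag):
        if tag == "article" and self.in_article:
            self.in_article -= 1
        elif tag in ("script", "style") and self.skip:
            self.skip -= 1

    def handle_data(self, data):
        if self.in_article and not self.skip:
            self.words += len(data.split())


def served_article_words(html):
    parser = ArticleWords()
    parser.feed(html)
    parser.close()
    return parser.words


def leaks_gated_content(html, limit=TEASER_WORD_LIMIT):
    """True when the raw response carries more article text than a teaser allows."""
    return served_article_words(html) > limit


# Constructed sample responses for a logged-out request (not real site markup).
BODY = " ".join(["word"] * 400)  # stand-in for a full story
CLIENT_SIDE = (f"<html><body><article><h1>Headline</h1><p>{BODY}</p>"
               "<script>/* paywall code that hides the story */</script></article></body></html>")
SERVER_SIDE = ("<html><body><article><h1>Headline</h1><p>First two sentences of the story.</p>"
               "</article><div class='offer'>Subscribe to keep reading.</div></body></html>")
```

The first response fails the check because the story is in the payload no matter what the page script does afterwards; the second passes because the server never sent it.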
Here’s how you do this in Google Chrome (these instructions will work for other browsers too, just in different settings windows):
- Go to the Privacy and Security settings and then the JavaScript settings. Here’s a link directly to the Chrome settings page.
- Leave the default behavior as it is so that all pages can use JavaScript.
- Below that add a couple of domains to the list of pages that can’t use JavaScript:
https://stltoday.com
https://www.stltoday.com
https://bloximages.newyork1.vip.townnews.com
That’s it! Here’s a screenshot.
We did it again! Questions? High fives? Other various accolades? Get at me on Mastodon or via email.
Go Cardinals (maybe next year)!