Persistent entry guards are extremely important for anonymity. The Tor devs are actually in the process of revamping the entry guard selection algorithm to pick fewer guards and use them longer, and possibly layering guards for hidden services. I personally strongly suggest configuring your hidden services with a client instance of Tor to be used as a SOCKS proxy for the hidden service instance of Tor. It hurts hidden service load times, but it offers a much, much higher degree of anonymity than a vanilla Tor hidden service configuration.

Also, if you don't have non-encrypted sensitive data on the hidden service, there is no real disadvantage to running the web server in a virtual machine with Tor running on the host and host-only networking or similar; this can offer a much higher degree of protection from attackers who try to deanonymize your hidden service by hacking it. The disadvantage of using a virtual machine isolated hidden service is that the web server's operating environment is easier to compromise than it would be if the web server was running on non-virtualized hardware. The advantage to using virtual machines in this way is that an attacker can't get to the external IP address from inside the VM, so you can make it much harder for hackers to gain unauthorized access to the external IP address.

Short of implementing a hardware isolation solution to sandbox the web server from the external IP address, the best bet for a highly anonymously configured hidden service is currently to take both of these steps (virtualization-based isolation + Tor over Tor).