Before deploying Bludit Pro to a live site, I read the source code. Nine findings later — including a predictable preview token that exposed draft content — here's what I patched in my own build and why it matters for anyone running the same CMS.
I'm deaf, not blind. But resources like captions — or the lack of them — got me thinking about accessibility that shaped every heading, table, font choice, and link on this site. No WCAG checklists, just perspective and routine.
The WordPress admin dashboard works, but on a VPS you have a faster option. Plugin updates in under a second, search-replace across 50,000 rows without timing out, and everything scriptable — the wp-cli commands that actually matter for managing WordPress on your own server.
Convert images to WebP on disk with cwebp, let nginx serve the right format based on the browser's Accept header, and leave WordPress completely out of it. No plugins, no exec(), no database changes.
On a VPS, the server layer already handles most of what optimization plugins do. The cost of letting one run on every request can outweigh anything it claims to save.
Set up fail2ban for SSH and Nginx with AbuseIPDB reporting, incremental bans, and daily blacklist imports from AbuseIPDB, Bitwire, and Spamhaus — a layered defense that catches bots before they reach your application.