Convert images to WebP on disk with cwebp, let nginx serve the right format based on the browser's Accept header, and leave WordPress completely out of it. No plugins, no exec(), no database changes.
On a VPS, the server layer already handles most of what optimization plugins do. The cost of letting one run on every request can outweigh anything it claims to save.
Set up fail2ban for SSH and Nginx with AbuseIPDB reporting, incremental bans, and daily blacklist imports from AbuseIPDB, Bitwire, and Spamhaus — a layered defense that catches bots before they reach your application.
A compromised WordPress plugin can exfiltrate data without triggering a single inbound firewall rule. Force all PHP outbound traffic through a local Squid proxy and use a Python correlation script to trace every external connection back to the exact script and site that made it.
Every public server gets scanned constantly. A practical overview of config-file harvesters, vulnerability scanners, credential-stuffing bots, and directory brute-forcers — what they look for, why they hurt performance even when they fail, and how to keep them from reaching your application.
Issue and renew Let's Encrypt certificates with certonly and webroot authentication — full control of your Nginx configuration, no auto-generated edits, shared webroot directory, and a cron job that just works.