Lock down SSH with Tailscale as your primary path — encrypted WireGuard mesh, accessible from anywhere without exposing a public port. Two direct fallbacks from known home IPs for when the mesh is down, enforced at the cloud firewall level. Three paths in. No port scanners allowed.
rclone to Proton Drive, a home server over Tailscale, or any provider that speaks SFTP — with cron scheduling, age-based pruning, and a reminder that cloud convenience is not a backup strategy. One dump per database, one target automatic, one independent. What to back up, what to skip, and why provider snapshots aren't the same thing.
Serve a WordPress site from a home server through a lightweight VPS proxy — static assets mirrored to the VPS disk, dynamic requests proxied over Tailscale, and every database query running at local NVMe latency. A playground project that turned out well enough to document.
Stop port scanners and direct-to-IP attacks before they reach your server. A stateless cloud firewall — free on most providers — drops all traffic on ports 80 and 443 that doesn't originate from Cloudflare's IP ranges. Includes the certificate renewal caveat: every domain on your Let's Encrypt certificate must be proxied, or renewal breaks.
Every Cloudflare toggle you should turn off, and the origin hardening that must be in place first. Full (Strict) SSL, no content modification, no header injection — a configuration where your VPS owns every security decision and Cloudflare provides the network.
Every hook, constant, helper, and boot rule in Bludit 3.22.0 — source-verified against the BrownBear kernel. Includes AI-optimized formats and separate theme/plugin architecture guides so you can load only what you need into a prompt.