Lock down SSH with Tailscale as your primary path — encrypted WireGuard mesh, accessible from anywhere without exposing a public port. Two direct fallbacks from known home IPs for when the mesh is down, enforced at the cloud firewall level. Three paths in. No port scanners allowed.
rclone to Proton Drive, a home server over Tailscale, or any provider that speaks SFTP — with cron scheduling, age-based pruning, and a reminder that cloud convenience is not a backup strategy. One dump per database, one target automatic, one independent. What to back up, what to skip, and why provider snapshots aren't the same thing.
Stop port scanners and direct-to-IP attacks before they reach your server. A stateless cloud firewall — free on most providers — drops all traffic on ports 80 and 443 that doesn't originate from Cloudflare's IP ranges. Includes the certificate renewal caveat: every domain on your Let's Encrypt certificate must be proxied, or renewal breaks.
Every Cloudflare toggle you should turn off, and the origin hardening that must be in place first. Full (Strict) SSL, no content modification, no header injection — a configuration where your VPS owns every security decision and Cloudflare provides the network.
Before deploying Bludit Pro to a live site, I read the source code. Nine findings later — including a predictable preview token that exposed draft content — here's what I patched in my own build and why it matters for anyone running the same CMS.
Set up fail2ban for SSH and Nginx with AbuseIPDB reporting, incremental bans, and daily blacklist imports from AbuseIPDB, Bitwire, and Spamhaus — a layered defense that catches bots before they reach your application.