A compromised WordPress plugin can exfiltrate data without triggering a single inbound firewall rule. Force all PHP outbound traffic through a local Squid proxy and use a Python correlation script to trace every external connection back to the exact script and site that made it.
Every public server gets scanned constantly. A practical overview of config-file harvesters, vulnerability scanners, credential-stuffing bots, and directory brute-forcers — what they look for, why they hurt performance even when they fail, and how to keep them from reaching your application.
Issue and renew Let's Encrypt certificates with certonly and webroot authentication — full control of your Nginx configuration, no auto-generated edits, shared webroot directory, and a cron job that just works.
Configure Nginx to restore real visitor IPs behind Cloudflare — correct access logs, rate limiting, and IP-based access control with the ngx_http_realip_module.
A practical guide to locking down SSH access: Ed25519 keys, sshd_config hardening, fail2ban, port changing, and key management for single-admin servers.
A practical guide to hardening Nginx and PHP-FPM on a single-admin server: user separation, SSH key authentication, connection limits, rate limiting, and PHP configuration defaults that won't get you compromised.