Security Series

A curated guide through every security article on this site — arranged in the order you should tackle them, not by publication date.


1. Understand What You're Up Against

Common Web Attack Bots and Scanners
Config-file harvesters, vulnerability scanners, credential-stuffing bots, and directory brute-forcers — what they look for, why they hurt performance even when they fail, and how to spot them in your logs.


2. Lock the Doors

Hardening SSH on Linux
Ed25519 keys, sshd_config hardening, fail2ban, port changing, and key management — secure the primary door into your server before worrying about anything else.

SSH Access Through Tailscale Behind a Cloud Firewall
Lock SSH down to a WireGuard mesh — accessible from anywhere without exposing a public port, with direct IP fallbacks for when the mesh is down. Three paths in, enforced at the cloud firewall level.

Securing Nginx and PHP
User separation, PHP-FPM hardening, connection limits, rate limiting, and PHP configuration defaults that won't leave you exposed.

Restoring Real Visitor IPs with Cloudflare
Configure Nginx to restore real visitor IPs behind Cloudflare — correct access logs, rate limiting, and IP-based access control.

Cloudflare as a Transparent Proxy: Zero-Interference Edge Configuration
Turn off every Cloudflare feature that modifies content or injects headers, and configure the origin to own every security decision. Includes custom WAF rules, origin hardening checklist, and troubleshooting.

Blocking Direct-to-Origin Access with a Cloud Firewall
Stop port scanners and direct-to-IP attacks before they reach your server. A stateless cloud firewall — free on most providers — drops all traffic on ports 80 and 443 that doesn't originate from Cloudflare's IP ranges.


3. Monitor and Respond

Fail2ban with nftables and Crowd-Sourced Blacklists
SSH and Nginx forbidden-request jails, AbuseIPDB reporting, incremental banning, and daily blacklist imports from AbuseIPDB, Bitwire, and Spamhaus. Includes the 404 crawl-bot rate-limiting addendum.

Detecting Compromised PHP Sites with a Squid Proxy
Force all PHP outbound traffic through a monitored proxy and trace every external connection back to the exact script and site that made it — catch C2 callbacks and data exfiltration that inbound firewalls miss.


4. Layer Additional Protections

Rate Limiting with Nginx's limit_req
Throttle incoming requests at the server level — static pages, PHP handlers, and login endpoints — before they exhaust your application.

Preventing WordPress Search Overload
WordPress search queries hit the database with no caching layer. Three lines of Nginx config cap them before they become a problem.

Protecting Folders with Nginx Basic Auth
Gate staging sites, admin panels, and internal tools behind a password with SHA-512 hashes, IP allowlists, and fail2ban integration.

Let's Encrypt Without Certbot Touching Your Nginx Config
Issue and renew certificates with certonly — full control of your configuration, no auto-generated edits.

Automated Off-Site Backups with rclone
Backups are the last line of defense. One dump file per database, one target automatic, one independent — rclone to Proton Drive, a home server over Tailscale, or any provider that speaks SFTP, with age-based pruning and cron scheduling.