Lock down SSH with Tailscale as your primary path — encrypted WireGuard mesh, accessible from anywhere without exposing a public port. Two direct fallbacks from known home IPs for when the mesh is down, enforced at the cloud firewall level. Three paths in. No port scanners allowed.
rclone to Proton Drive, a home server over Tailscale, or any provider that speaks SFTP — with cron scheduling, age-based pruning, and a reminder that cloud convenience is not a backup strategy. One dump per database, one target automatic, one independent. What to back up, what to skip, and why provider snapshots aren't the same thing.
Stop port scanners and direct-to-IP attacks before they reach your server. A stateless cloud firewall — free on most providers — drops all traffic on ports 80 and 443 that doesn't originate from Cloudflare's IP ranges. Includes the certificate renewal caveat: every domain on your Let's Encrypt certificate must be proxied, or renewal breaks.
Set up fail2ban for SSH and Nginx with AbuseIPDB reporting, incremental bans, and daily blacklist imports from AbuseIPDB, Bitwire, and Spamhaus — a layered defense that catches bots before they reach your application.
A compromised WordPress plugin can exfiltrate data without triggering a single inbound firewall rule. Force all PHP outbound traffic through a local Squid proxy and use a Python correlation script to trace every external connection back to the exact script and site that made it.
Every public server gets scanned constantly. A practical overview of config-file harvesters, vulnerability scanners, credential-stuffing bots, and directory brute-forcers — what they look for, why they hurt performance even when they fail, and how to keep them from reaching your application.