Serve a WordPress site from a home server through a lightweight VPS proxy — static assets mirrored to the VPS disk, dynamic requests proxied over Tailscale, and every database query running at local NVMe latency. A playground project that turned out well enough to document.
Every Cloudflare toggle you should turn off, and the origin hardening that must be in place first. Full (Strict) SSL, no content modification, no header injection — a configuration where your VPS owns every security decision and Cloudflare provides the network.
Convert images to WebP on disk with cwebp, let nginx serve the right format based on the browser's Accept header, and leave WordPress completely out of it. No plugins, no exec(), no database changes.
Set up fail2ban for SSH and Nginx with AbuseIPDB reporting, incremental bans, and daily blacklist imports from AbuseIPDB, Bitwire, and Spamhaus — a layered defense that catches bots before they reach your application.
Issue and renew Let's Encrypt certificates with certonly and webroot authentication — full control of your Nginx configuration, no auto-generated edits, shared webroot directory, and a cron job that just works.
Configure Nginx to restore real visitor IPs behind Cloudflare — correct access logs, rate limiting, and IP-based access control with the ngx_http_realip_module.