Serve a WordPress site from a home server through a lightweight VPS proxy — static assets mirrored to the VPS disk, dynamic requests proxied over Tailscale, and every database query running at local NVMe latency. A playground project that turned out well enough to document.
Every Cloudflare toggle you should turn off, and the origin hardening that must be in place first. Full (Strict) SSL, no content modification, no header injection — a configuration where your VPS owns every security decision and Cloudflare provides the network.
Convert images to WebP on disk with cwebp, let nginx serve the right format based on the browser's Accept header, and leave WordPress completely out of it. No plugins, no exec(), no database changes.
On a VPS, the server layer already handles most of what optimization plugins do. The cost of letting one run on every request can outweigh anything it claims to save.
Set up fail2ban for SSH and Nginx with AbuseIPDB reporting, incremental bans, and daily blacklist imports from AbuseIPDB, Bitwire, and Spamhaus — a layered defense that catches bots before they reach your application.
Every public server gets scanned constantly. A practical overview of config-file harvesters, vulnerability scanners, credential-stuffing bots, and directory brute-forcers — what they look for, why they hurt performance even when they fail, and how to keep them from reaching your application.