rclone to Proton Drive, a home server over Tailscale, or any provider that speaks SFTP — with cron scheduling, age-based pruning, and a reminder that cloud convenience is not a backup strategy. One dump per database, one target automatic, one independent. What to back up, what to skip, and why provider snapshots aren't the same thing.
Stop port scanners and direct-to-IP attacks before they reach your server. A stateless cloud firewall — free on most providers — drops all traffic on ports 80 and 443 that doesn't originate from Cloudflare's IP ranges. Includes the certificate renewal caveat: every domain on your Let's Encrypt certificate must be proxied, or renewal breaks.
Every Cloudflare toggle you should turn off, and the origin hardening that must be in place first. Full (Strict) SSL, no content modification, no header injection — a configuration where your VPS owns every security decision and Cloudflare provides the network.
Before deploying Bludit Pro to a live site, I read the source code. Nine findings later — including a predictable preview token that exposed draft content — here's what I patched in my own build and why it matters for anyone running the same CMS.
A compromised WordPress plugin can exfiltrate data without triggering a single inbound firewall rule. Force all PHP outbound traffic through a local Squid proxy and use a Python correlation script to trace every external connection back to the exact script and site that made it.
Every public server gets scanned constantly. A practical overview of config-file harvesters, vulnerability scanners, credential-stuffing bots, and directory brute-forcers — what they look for, why they hurt performance even when they fail, and how to keep them from reaching your application.