Security

When you self-host anything, especially on the public internet, security stops being theoretical. It becomes your problem, full stop.

We use hardened WordPress configurations alongside database-specific (and therefore website-specific) grants, so that what happens to one database can’t happen to another. Our MySQL is up to date and hardened, as are our NGINX and Apache configs. Cloudflare handles the rest, including SSL/TLS, encryption, bot filtering, WAF and more.

What makes this setup secure?

Here’s how I’ve built multiple layers of defense into the stack, because no single tool or setting is enough on its own.

Cloudflare WAF & Rate Limiting
Cloudflare handles the first layer of protection: a web application firewall, bot filtering, IP reputation rules, and aggressive rate limiting on anything resembling a login page or admin panel. Most junk traffic never even hits the server.

HTTPS Everywhere
TLS is terminated at Cloudflare, but also enforced at the origin. Everything is encrypted, all the time. HSTS headers and strong cipher suites are in place to ensure modern, secure connections.

Once again, sorry to blind you. I’ve tried to keep the site as dark as possible. I’m prone to migraines, you know…

Nginx as a Secure Frontline
Nginx is configured with tight access controls, CSP rules, and request size limits to help prevent common injection attacks. Any spam or anything suspicious gets dropped before it even touches the backend.
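
The controls described above (access rules, a CSP header, a request size limit, and HSTS enforced at the origin), written out as an Nginx server block. This is an added example, not this site's actual configuration; the hostname, certificate paths, size limit, CSP value and the Apache backend on 127.0.0.1:8080 are assumptions.

```nginx
# Constructed example: example.com, file paths, limits and backend are placeholders.
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/ssl/example.com/fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/ssl/example.com/privkey.pem;    # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;                     # no legacy TLS at the origin

    # Request size limit: larger bodies are rejected with 413 before
    # they reach PHP. Size it to the largest upload the site needs.
    client_max_body_size 8m;

    # Security headers. "always" also sets them on error responses.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options "nosniff" always;
    # Strict starting policy. WordPress themes and plugins often rely on
    # inline scripts, so trial it as Content-Security-Policy-Report-Only
    # first and loosen only what the reports show is needed.
    add_header Content-Security-Policy "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'" always;

    # Access controls.
    # Dotfiles (.git, .env, .htaccess), except ACME challenges.
    location ~ /\.(?!well-known) { deny all; }
    # Nothing under uploads should ever execute as PHP.
    location ~* ^/wp-content/uploads/.*\.php$ { deny all; }
    # XML-RPC is a common brute-force target; block it if unused.
    location = /xmlrpc.php { deny all; }

    location / {
        # Caveat: an add_header inside a location replaces every
        # add_header inherited from the server block, so the headers
        # above would silently disappear for that location. None are
        # set here for that reason.
        proxy_pass       http://127.0.0.1:8080;  # assumed Apache backend
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

After a change, `nginx -t` validates the syntax, and `curl -sI https://example.com/` shows whether the headers actually reach the client.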

Backups & Rollbacks
Backups are taken automatically and stored offsite. If something does go wrong, I can restore quickly without data loss or a long downtime window.