Running your own web server is satisfying — until you look at the logs. Within hours of going live, bots are probing for /wp-login.php, /xmlrpc.php, .env files, and PHP endpoints that never existed. Here’s how I layered three tools to shut most of that down before it reaches the application.
The Stack
- Caddy as reverse proxy and TLS terminator
- Fail2ban on the host for behavioral IP banning
- Cloudflare as the edge layer (free tier)
The key insight is that each layer catches different things:
[Read More]