| Protection | How |
|---|---|
| FastCGI cache | nginx WORDPRESS keys_zone, anonymous pages served without PHP |
| Redis object cache | wp-redis-cache plugin, ~80% hit rate |
| HTTPS | nginx-proxy + acme-companion (Let’s Encrypt) |
| xmlrpc.php | nginx deny all → 403 |
| Brute force on wp-login | fail2ban 5 fails / 10 min → 1h ban in DOCKER-USER |
| xmlrpc scans | fail2ban 2 hits / 10 min → 24h ban |
| Real client IPs | nginx real_ip + trusted Docker ranges |
| SSH | fail2ban sshd jail already running |
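
To check the two fail2ban thresholds in the table against an access log before relying on them, the following added example (not part of the original setup) replays nginx combined-format lines through the same sliding-window logic. The match criteria (a POST to `/wp-login.php` answered with 200 counts as a failed login, any `/xmlrpc.php` request answered with 403 counts as a scan hit), the function names and the sample log lines are assumptions; the IP in the first field must already be the real client IP, which is what the real_ip row provides.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds from the table: rule -> (max hits, find window, ban duration)
RULES = {
    "wp-login": (5, timedelta(minutes=10), timedelta(hours=1)),
    "xmlrpc": (2, timedelta(minutes=10), timedelta(hours=24)),
}
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def classify(method, path, status):
    """Map a request to a rule name or None (match criteria are assumptions)."""
    path = path.split("?", 1)[0]
    if path == "/xmlrpc.php" and status == 403:
        return "xmlrpc"
    if path == "/wp-login.php" and method == "POST" and status == 200:
        return "wp-login"  # WordPress answers a failed login with 200, a success with 302
    return None

def find_bans(lines):
    """Return [(ip, rule, banned_until)] in the order the bans would trigger."""
    hits, banned_until, bans = defaultdict(deque), {}, []
    for line in lines:
        m = LINE.match(line)
        rule = classify(m["method"], m["path"], int(m["status"])) if m else None
        if rule is None:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        key = (m["ip"], rule)
        if key in banned_until and ts < banned_until[key]:
            continue  # a banned client would not reach nginx at all
        limit, window, ban = RULES[rule]
        q = hits[key]
        q.append(ts)
        while ts - q[0] > window:  # drop hits that fell out of the window
            q.popleft()
        if len(q) >= limit:
            banned_until[key] = ts + ban
            bans.append((m["ip"], rule, ts + ban))
            q.clear()
    return bans

def sample_line(ip, hms, path, status):
    return f'{ip} - - [12/Mar/2024:{hms} +0000] "POST {path} HTTP/1.1" {status} 512'

# Constructed sample log (documentation IP ranges), not real traffic
SAMPLE = (
    [sample_line("203.0.113.7", f"10:0{i}:00", "/wp-login.php", 200) for i in range(5)]
    + [sample_line("198.51.100.9", t, "/xmlrpc.php", 403) for t in ("10:00:10", "10:05:10")]
    + [sample_line("192.0.2.44", t, "/wp-login.php", 200)
       for t in ("10:00:00", "10:01:00", "10:02:00", "10:03:00", "10:10:30")]
)
```

In the sample, `192.0.2.44` is not banned: its first failure has left the 10-minute window by the time the fifth arrives, so it never reaches five hits inside one window.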