Tag: Star Whale

No Open Ports — Reaching My Server from Anywhere with Tailscale

Self-hosting build guide part 16. If part 9 was the road for visitors to enter the blog (Cloudflare Tunnel), this is the road for me alone to get inside my server.

The companion part: Part 9 — Invisible Bridge (Cloudflare Tunnel)

TL;DR

Problem: I want to reach my home server by remote desktop or SSH — from outside, or from a laptop in another room. But opening a port is dangerous.
Old method: Open a remote-desktop port on the router → bots brute-force the login 24/7.
New method: Tailscale — bundle my devices (server, laptop, phone) into one encrypted private network. Zero holes in the router.
Why it’s safe: Nothing is exposed to the internet + end-to-end encryption between devices + only my logged-in devices may enter.
Tool: Install the Tailscale app on each device and sign in with the same account. 5 minutes.
Cost: $0 (free for up to 100 devices on a personal plan).

1. The Problem — How Do I Get Into My Server?

Once you run a small server at home, this need shows up fast: you want to reach it by remote desktop (see the screen as-is) or SSH (a terminal) — from outside, or from another room in the same house.

The classic old way is to open a port on the router (port forwarding). And that’s where the trouble starts.

Trouble	Why
Brute-force attacks	Open a remote-desktop port to the internet and bots start guessing passwords the moment it’s up
One thin password	If a bot breaks it, the whole server is gone. The login is the only line of defense
Location exposure	The public IP alone hints at your rough neighborhood
Renewal hassle	When the ISP rotates your public IP, the connection address changes too

Exposing remote desktop directly to the internet is close to security suicide. (Part 9 handled visitor traffic; this is a channel only I, the admin, use, so it’s even more sensitive.)

2. A Different Idea — Don’t Open Ports, Network the Devices

Here’s the shift in thinking: Don’t open a door for the outside to come in. Instead, build a separate encrypted private network that only my own devices share.

Tailscale does exactly this. Its engine is WireGuard (a modern, fast encrypted-tunnel technology), and Tailscale lays down those WireGuard tunnels automatically, with no configuration.

Once installed, my devices join one private network (a “tailnet”), and each device gets a private address of the form 100.x.x.x. That address is invisible to the internet and reachable only by my own devices. Even far apart, they connect as if on the same LAN cable.

3. Why It’s Safe — A Matchmaker and a Phone Call

Tailscale’s cleverest design is separating coordination (control) from data. A matchmaker analogy makes it click.

Coordination server = the matchmaker: Tailscale’s servers authenticate devices and introduce them to each other. “These two belong to the same owner, so they may connect” — and they hand over public keys. But they never listen to the actual conversation.
Data = the actual call: Real traffic, like your remote-desktop screen, flows directly between devices (peer-to-peer), end-to-end encrypted by WireGuard. It does not pass through the company’s servers.

That yields three layers of security:

Safeguard	What it means
Zero exposed ports	The server’s remote-desktop port doesn’t even appear to the internet. There’s no target for scanners
End-to-end encryption	WireGuard encrypts every link between devices. Intercept it and you still can’t read it
Identity-based entry	Not a shared password — only devices signed into my account join the network. A lost device can be cut off instantly from the console

Each device’s private key never leaves that device. Only public keys go to the coordination server, so even if that server were breached, your traffic stays unreadable.

4. Traffic Flow — Old vs New

The old way punches a hole in the router that anyone can knock on. The new way wires an encrypted tunnel directly between my own devices and opens no door at all to outsiders.

5. How Is This Different from Cloudflare Tunnel?

It’s easy to confuse this with Cloudflare Tunnel from part 9. They aren’t competitors — they’re complementary tools with different jobs.

	Cloudflare Tunnel (part 9)	Tailscale (this part)
Goal	Publish the blog to visitors	Private access for me
Audience	Anyone, worldwide (https)	Only my signed-in devices
Used for	Exposing a blog/website	Remote desktop, SSH, admin
Analogy	Hotel front desk (guides guests)	A staff-only back hallway

Publish the blog to the world with Cloudflare Tunnel, and get into that same server to manage it with Tailscale. Running both on one server doesn’t conflict at all.

6. How to Use It — 5 Minutes

The idea is simple: install the app on every device you want to reach, sign in with the same account, done.

Install Tailscale on the server (e.g., a Linux mini-PC) → sign in
Install the Tailscale app on your laptop and phone → sign in with the same account
Now every device joins one private network and gets a 100.x.x.x address
For remote desktop or SSH, connect to the server’s Tailscale address

Turn on MagicDNS and you can connect by device name instead of the address (e.g., myserver → that device). The private address, once assigned, doesn’t change, so you can keep it like a bookmark.

7. Pitfalls — What We Actually Hit

Pitfall 1. Connecting via the LAN IP gets blocked

A device on the same home network has two addresses — the LAN IP the router gave it (192.168.x.x) and the private address Tailscale gave it (100.x.x.x). If you “safely” lock the server’s firewall to allow only the Tailscale path, then connecting over the LAN IP gets dropped by the firewall.

The symptom is nasty: ping works and SSH (22) works, but remote desktop alone fails — because the firewall blocks only that port. Even inside the same house, you must connect via the Tailscale address. Not knowing this, we burned a while wondering “why doesn’t it work even at home?” (The saved connection address was set to the LAN IP — that was the culprit.)

Pitfall 2. Both ends must be running

Tailscale must be up on both devices to connect. If Tailscale is logged out on the laptop, it isn’t on the network, so of course it can’t connect. It usually auto-starts at boot, but when something’s off, suspect this first.

Pitfall 3. Long-idle devices drop offline

A device you haven’t powered on for a while (a phone, say) shows as “offline” in the console. Turn it on and sign in to bring it back. Tidying the device list now and then helps.

8. Verification

The fastest way to confirm the connection (with Tailscale on at both ends):

① Is the server’s private address alive? — ping <server's Tailscale address> and watch for replies.

② Does the target port actually reach? — on Windows, in PowerShell:

Test-NetConnection -ComputerName <server Tailscale address> -Port <port>

If TcpTestSucceeded : True shows up, the private tunnel is healthy. Now point remote desktop or SSH at that address.

FAQ

Q. Can I use it together with Cloudflare Tunnel?
Yes. Different jobs. Publish the blog via Cloudflare Tunnel, and manage the server (remote desktop, SSH) via Tailscale. No conflict.

Q. What’s the free limit?
The personal plan is free for up to 100 devices and 3 users. For bundling a few home servers, that’s effectively free forever.

Q. Does Tailscale’s company see my traffic?
No. The company’s servers only introduce; the actual data flows directly between devices, encrypted. (On tricky networks where a direct link fails, it goes through an encrypted relay — but even then it’s decrypted only at the two ends, so the relay can’t read it.)

Q. What if power or internet drops?
If the server goes down, it leaves the network. When it comes back, it rejoins automatically. The network itself is tied to your account and stays intact.

Q. Is this used at companies too?
Yes. It’s widely used in companies as a “zero trust” (trust nothing by default) way to reach internal networks. A home lab just applies the same principle for free.

One-Line Summary

To reach a home server from anywhere, instead of the old way of opening a router port and inviting bot attacks, build an encrypted private network of just your own devices with Tailscale. WireGuard encrypts end to end, and not a single port is opened to the internet. Setup is installing the app on each device and signing in with the same account — 5 minutes.

References

2026-06-06

Invisible Bridge — Exposing Our Home Blog Externally with Cloudflare Tunnel

Self-hosting build guide, Part 9. After buying a domain, how do we pull traffic all the way to our home computer?

← Previous: Part 8 — Bots Arrive in 24 Hours (Security P0)
→ Next: Part 10 — What Not to Publish (Privacy Review)

TL;DR

Problem: WordPress runs on our home mini-PC, but how do we connect the purchased domain (sticknstone.org) to it from outside?
Old way: Open a router port → register public-IP DNS → renew SSL. Five headaches.
New way: Cloudflare Tunnel — the mini-PC pre-opens an outbound bridge to Cloudflare. No router hole, no IP exposure.
Tool: Run the cloudflared daemon with Docker. Five minutes.
Free bonus: WAF, DDoS protection, CDN, SSL, traffic stats — all free.
Cost: $0 (domain renewal ~$10/yr separate).

1. The Problem to Solve

The blog (WordPress) is hosted on our home mini-PC. The domain (sticknstone.org) is bought. So how do the two meet?

The ordinary path (port forwarding): five headaches

Headache	Why
Router hole	Opening port 443 invites bot attacks forever
Shared IP	The ISP keeps changing it; needs an auto-renew script
Location exposure	The IP alone hints at your rough neighborhood
SSL renewal	Let’s Encrypt by hand every 90 days
Traffic surge	A DDoS can paralyze your home internet

2. Another Path: Build a Bridge

A shift in thinking: don’t accept connections coming in from outside. Instead, pre-create an outgoing connection from home to somewhere external.

flowchart LR
    subgraph oldway["Old way — Port Forwarding"]
        A1[Visitor] --> A2[Open router port 443]
        A2 --> A3[Mini-PC public IP]
        A3 --> A4[WordPress]
        A5[Hacker] -.attack.-> A2
    end
    subgraph newway["New way — Cloudflare Tunnel"]
        B1[Visitor] --> B2[Cloudflare Seoul DC]
        B2 -. pre-opened outbound channel .-> B3[Mini-PC cloudflared]
        B3 --> B4[WordPress]
        B5[Hacker] -.blocked.-> B2
    end
    style A5 fill:#fdd,stroke:#a00
    style B5 fill:#dfd,stroke:#0a0
    style A3 fill:#fdd
    style B3 fill:#dfd

The key: the mini-PC reaches out first. Instead of outside → home, keep an always-open outbound channel home → Cloudflare. Visitor requests are forwarded by Cloudflare through that channel to the mini-PC.

Hotel analogy

A hotel guest (the mini-PC) wants to meet a friend.

Ordinary path: Post your room number at the entrance. The friend walks in by that number — and so does the thief.
Bridge path: Leave a note with the front desk (Cloudflare): connect anyone asking for my friend to my room. The friend just gives a name; the desk routes them. The room number is never exposed, and the desk screens suspicious visitors first.

3. Traffic Flow — When a Visitor Types the Domain

sequenceDiagram
    participant V as Visitor browser
    participant CF as Cloudflare Seoul DC
    participant CD as cloudflared (mini-PC)
    participant WP as WordPress container
    V->>CF: GET https://sticknstone.org
    Note over CF: WAF/DDoS first filter
    CF->>CD: Forward via pre-opened outbound channel
    CD->>WP: http://localhost:8090
    WP-->>CD: HTML response
    CD-->>CF: Reply via outbound channel
    CF-->>V: SSL termination + CDN cache + response

Four steps: Visitor → Cloudflare (filter) → bridge → mini-PC → reverse. The mini-PC IP never appears anywhere.

4. The Bridge Keeper: cloudflared

The small daemon that holds this outbound channel open from home is cloudflared — Cloudflare’s official open source.

Why run it with Docker

Docker is already running on the mini-PC. It’s natural for cloudflared to stay in the same hotel as the other containers.

flowchart TB
    subgraph minipc["Mini-PC (Ubuntu 24.04)"]
        subgraph docker["Docker host"]
            CD[cloudflared / network_mode host]
            WP[wordpress-wordpress-1 :8090]
            DB[(wordpress-db-1 MariaDB)]
            RD[(wordpress-redis-1 Object Cache)]
            UM[umami_umami-1 :3001]
            UDB[(umami_db-1 Postgres)]
        end
        WP --> DB
        WP --> RD
        UM --> UDB
    end
    CF[Cloudflare network] -. outbound .-> CD
    CD --> WP
    CD --> UM
    style CD fill:#ffe4b5,stroke:#d97706
    style CF fill:#dbeafe,stroke:#1d4ed8

Only cloudflared runs with network_mode: host so it can reach localhost:8090 (WP) and localhost:3001 (Umami) on the host.

5-minute install guide

Folder + config files:

/home/user/cloudflared/
├── .env                # TUNNEL_TOKEN=eyJh... (token from the Cloudflare dashboard)
└── docker-compose.yml

docker-compose.yml:

services:
  cloudflared:
    image: cloudflare/cloudflared:latest
    container_name: cloudflared
    restart: unless-stopped
    network_mode: host
    command: tunnel --no-autoupdate run --token ${TUNNEL_TOKEN}
    env_file: .env

Start + verify logs:

cd /home/user/cloudflared
sudo docker compose up -d
sudo docker logs cloudflared --tail 20

A successful log shows four lines (simultaneous connections to four Cloudflare Seoul data centers):

Registered tunnel connection ... location=icn06 protocol=quic
Registered tunnel connection ... location=icn01 protocol=quic
Registered tunnel connection ... location=icn05 protocol=quic
Registered tunnel connection ... location=icn06 protocol=quic

The mini-PC connects to Cloudflare over four backup channels. If one dies, the other three stay alive.

5. Tokens Are Risky — Where to Keep Them

The token cloudflared uses to authenticate with Cloudflare is shown only once at issuance.

Principles for handling the token

Store it in plaintext in .env, with chmod 600 (owner read/write only).
Never paste it in plaintext into chats, notes, or git commits.
If you suspect exposure, revoke and reissue from the Cloudflare dashboard immediately.

The exact commands

sudo chown user:user /home/user/cloudflared/.env
sudo chmod 600 /home/user/cloudflared/.env

6. What Comes Along for Free

Just by laying this bridge on Cloudflare’s free plan, these bonuses come along:

Bonus	What it does	Typical price
WAF	Auto-blocks known attacks like SQL injection and XSS	$20/mo~
DDoS protection	Absorbs traffic surges automatically, unlimited	$200/mo~
CDN	Caches static files worldwide; fast for foreign visitors	$10/mo~
Auto SSL	Zero worry about Let’s Encrypt renewals	$5/mo~
Traffic stats	Graphs in the Cloudflare dashboard	(analytics tools)

Total cost: $0. Only ~$10/yr for domain renewal.

7. Pitfalls — What We Actually Hit

Pitfall 1: Confusing the Operating System choice

The Cloudflare dashboard’s cloudflared install screen asks you to pick an OS. At first I picked Windows, thinking of my own Windows PC. Wrong. cloudflared installs on the mini-PC (Ubuntu), not my Windows machine. The right choice was Docker.

Pitfall 2: Pasting the token straight into LLM chat

If you send the copied token into an LLM chat, that content is stored on an external server. The token is as sensitive as a card PIN. Revoke it from the Cloudflare dashboard as soon as you’re done.

Pitfall 3: How does cloudflared forward to other services?

Just starting the cloudflared container connects it to Cloudflare, but where incoming requests go is a separate setting — the Public Hostname config. Covered in the next part (Part 10).

8. Validation

Right after startup, check Connection Status at the bottom of the Tunnel page in the Cloudflare dashboard.

Before:  No connection detected yet
After:   Connected (check)

When that one line flips, the bridge is up.

FAQ

Q. How is this different from Tailscale Funnel?
Both bypass NAT and hide the mini-PC IP. Cloudflare Tunnel also bundles WAF, DDoS, CDN, and use of your own domain for free. Tailscale Funnel forces a dedicated domain and offers no shield. For a blog, Cloudflare wins.

Q. What if the mini-PC shuts down?
The bridge drops. Visitors see a 521 (Web server is down) from Cloudflare. When the mini-PC boots again, cloudflared reconnects automatically (Docker restart: unless-stopped).

Q. Does Cloudflare see the traffic? Privacy concern?
Cloudflare terminates SSL, so it can see plaintext traffic. The trust model assumes Cloudflare is on your side. If you don’t trust it, the Tunnel isn’t a fit (alternative: your own reverse proxy + Let’s Encrypt + dynamic DNS).

Q. Limits of the free plan?
Unlimited bandwidth, unlimited sites, unlimited tunnels. Extras like Workers and R2 have separate limits. For running one blog, the free plan is enough for life.

Q. Does the domain have to be .org?
No. .com / .net / .io / .dev all work the same. Using Cloudflare DNS for the domain is just the easiest (automatic DNS registration).

Next Part Preview

Part 10 sets the Public Hostname to map sticknstone.org → WordPress, and covers what you must not write in a post (privacy review).

One-Line Summary

To run a blog on a home computer, skip the old method of punching a router hole and exposing your IP. Instead, pre-open an outbound channel from the computer to Cloudflare — that’s Cloudflare Tunnel. The little daemon that keeps the channel open is cloudflared. Five minutes with Docker.

References

2026-05-30

Naming is Difficult — Choosing a Site Name

Self-hosting building record, Part 7. A site name is harder than a domain name.

← Previous: Part 6 — Domain Purchase: Cloudflare Registrar

TL;DR

The initial name “jamjam’s voyage diary” → changed to “Star Whale” within three days
It is okay for the domain (sticknstone.org) and brand name (Star Whale) to differ. This can be explained on the About page.
Including the English subtitle “Star Whale” → friendly for global search
Five criteria for naming a personal blog: differentiation, metaphor depth, memorability, domain conflict, English pronunciation

1. The Problems with “jamjam’s voyage diary”

The name chosen initially. A combination of my nickname (jamjam) and “voyage diary.” While positioning the articles over three days, five issues became apparent.

Issues	Reasons
Too Ordinary	Conflicts with objective content and tone like “study, trading, automation”
Nickname Exposure	The nickname jamjam prioritizes personal identity over site identity
Imitable	Many blogs follow the pattern “OO’s voyage diary.” Weak search exposure
Difficult English Conversion	“jamjam’s voyage diary” — awkward
Narrow Perspective	“diary” implies a personal log. Too private for outside readers

2. New Name Candidates

Comparison of five candidates.

Name	Meaning	Differentiation	Metaphor	Memorability	English
jamjam’s voyage diary	My diary	★	★★	★★★	★
firewhale	Fire + Whale (intensity + depth)	★★	★★★	★★★	★★★★
Star Whale	Star + Whale (exploration, depth)	★★★★★	★★★★★	★★★★	★★
One-Pyeong Library	One-person workspace	★★★	★★★	★★★	★
Sailor’s Resource Room	Collection of information	★★	★★	★★	★

Star Whale dominates in differentiation and metaphor. The English name has weaknesses but can be supplemented by the subtitle “Star Whale.”

3. The Depth of the Metaphor for Star Whale

“Star Whale is a deep voyage toward the star” — captures the tone, content direction, and blog identity in one sentence. The core of my learning notes is about going “calmly far away,” fitting perfectly.

4. Firewhale Disqualified — SEO Conflict

“Fire + Whale” = Motivation from the intensity of fire + the depth of a whale. It seems appealing, but searching reveals:

Owner	What
firewhale.io	iOS app development company (numerous music apps)
firewhale.org	Notable Publications
firewhalemusic.com	Music artist
Firewhale (FIREW)	Cryptocurrency token
GitHub FireWhale	Personal account

The search results show zero opportunities for Star Whale (ours) to enter the first page. A new site starting with firewhale would be forever buried.

Star Whale, upon searching, is nearly clean. We rank first. Overwhelming in SEO and GEO exposure.

5. The English Subtitle “Star Whale”

Korean main title + English subtitle. WordPress settings:

Site Title:    Star Whale
Tagline:       Star Whale — Self-hosted notes on learning, trading, automation

Advantages:
– Korean Search: “Star Whale” ranks cleanly at number one
– English Search: The “Star Whale” portion is English-exposed
– Business cards and SNS self-introduction: “Star Whale (Star Whale)” sounds natural
– No burden when expanding globally

There is a ML company using Starwhale as one word. However, if we separate it into two words as Star Whale, there’s no association (only slight brand proximity).

6. Domain and Site Name Mismatch — Is It Okay?

Domain	Site Name	Example
`google.com`	Google	Match
`meta.com`	Meta	Match
`medium.com`	Medium	Match
`stripe.com`	Stripe	Match
`sticknstone.org`	Star Whale	Mismatch

Generally, it is preferable for them to match. In our case, we intentionally separated them.

Why is the separation acceptable?:
– It can be explained naturally in one line on the About page
– “Stick & Stone = the stones and sticks a former sailor used to point to stars” → “Star Whale = A deep voyage toward that star” → a storytelling asset
– The aim is not to have the URL memorized but to have visitors arrive through search, making the domain-brand alignment secondary.

For corporate sites, matching makes sense. A personal learning note blog is different.

7. The Change Task — One Line with wp-cli

wp option update blogname "Star Whale" --allow-root
wp option update blogdescription "Star Whale — Self-hosted notes on learning, trading, automation" --allow-root

That’s it. Additional updates needed:
– One line in llms.txt (# Star Whale)
– About page (storytelling)
– OG tags (Rank Math automatic)
– Email sender name (UpdraftPlus notifications, etc., follows automatically)

FAQ

Q. Can I not change the name once I’ve set it?
You can change it. However, the earlier you change it, the cost is zero. Changing it after publishing 100 articles would require adjustments to external links, social, and search indexing.

Q. Is the English subtitle necessary?
Korean alone is feasible. However, the English subtitle = friendly for global searches + naturalness on business cards. The benefit far exceeds the 5-minute task.

Q. Isn’t a compound Korean name like “Star Whale” difficult for foreigners?
It is challenging. Hence the English subtitle. My main readers are Koreans, so priority is given to Korean.

Q. Should I register a trademark?
For a personal blog, it is unnecessary. The probability of an external user creating products/services under the name Star Whale is zero. This will be reevaluated at the point of accumulated content + monetization.

Q. I’m delaying publication because I can’t decide on a site name?
Start publishing under a provisional name. Content comes first. The name solidifies naturally after writing about five pieces of content.

Next Episode Preview

Part 8 — Bots arrive within 24 hours: Security P0 before domain exposure. Blocking xmlrpc + changing wp-login slug = 25 minutes of work will block 99% of brute force attempts.

One-Line Summary

Choosing a site name is harder than the domain. Star Whale overwhelmingly satisfies five criteria for differentiation, metaphor, and search exposure. The combination of a Korean main title + English subtitle (Star Whale) + storytelling on the About page complements the domain mismatch.
“`

2026-05-30

Bots Arrive Within 24 Hours — Security P0 Before Domain Disclosure

Self-hosting guide, part 8. Essential 25 minutes to complete before launching the domain.

TL;DR

Disclosing a WordPress domain = bots arrive within 24 hours for brute force attacks. A statistical fact.
A 25-minute task can block 99%: ① Avoid username admin ② Block xmlrpc ③ Change wp-login slug.
These three constitute security P0. Complete this before disclosing your domain.
Wordfence and 2FA are P1 (to be added after domain launch).

1. The Truth of the First 24 Hours

When a WordPress site is exposed to the internet, within the first 24 hours:

Attack	Frequency	Target
`/wp-login.php` brute force	Thousands per hour	Admin password
`/xmlrpc.php` pingback amp	Continuous	DDoS amplification
Scanning for known plugin vulnerabilities	Continuous	Outdated plugins
SQL injection attempts	Automatic bots	`?id=1 OR 1=1` URL
User enumeration (`?author=1`)	Automatic bots	Discovering usernames

The goal here is not just to block but to eliminate the surface itself, which is P0.

2. P0 — Three Security Setup

3. ① Avoiding Username Admin

When creating the first user with the WordPress installation wizard, do not enter admin. Bots primarily target this username for brute force attacks.

Good examples: jamjam, sailor904, personal nicknames
Bad examples: admin, administrator, root, wpadmin

If you’ve already created an admin user, create a new user via wp-cli, then revoke admin rights or delete the old user:

wp user create newname [email protected] --role=administrator --user_pass=$(openssl rand -base64 24) --allow-root
wp user delete admin --reassign=newname --allow-root

4. ② Blocking xmlrpc.php — mu-plugin

/xmlrpc.php is an old API for WordPress, rarely used (only by Jetpack users). Bots exploit it for brute force amplification (attempting thousands of passwords with a single request).

Create /var/www/html/wp-content/mu-plugins/disable-xmlrpc.php:

<?php
/**
 * Plugin Name: Disable XML-RPC
 * Description: Block xmlrpc.php to reduce attack surface.
 */
if (!defined('ABSPATH')) exit;

add_filter('xmlrpc_enabled', '__return_false');
add_filter('wp_headers', function ($headers) {
    unset($headers['X-Pingback']);
    return $headers;
});
add_filter('xmlrpc_methods', function ($methods) {
    unset($methods['pingback.ping']);
    unset($methods['pingback.extensions.getPingbacks']);
    return $methods;
});
add_action('init', function () {
    $uri = $_SERVER['REQUEST_URI'] ?? '';
    if (stripos($uri, '/xmlrpc.php') !== false) {
        status_header(403);
        exit('xmlrpc disabled');
    }
});

Verification:

curl -I http://localhost:8090/xmlrpc.php
# HTTP/1.1 403  ← Success

5. ③ Changing wp-login Slug

/wp-login.php is the login URL common to all WordPress sites. Bots start automatically hitting this URL. It should be obscured with a different slug.

Install the plugin wps-hide-login:

wp plugin install wps-hide-login --activate --allow-root
wp option update whl_page starport --allow-root

starport is a secret slug chosen by I, difficult to guess yet easy to remember. For example: byeolgorae-gate, secret-door-2026, starport.

Verification:

curl -I -L http://localhost:8090/wp-login.php
# 301 redirect → Fake URL (bot fails there)

curl -I -L http://localhost:8090/wp-admin/
# 404 (Admin page appears nonexistent when logged out)

curl -I -L http://localhost:8090/starport/
# 200 (Login page known only to I)

⚠ If I forget the slug, I won’t be able to access it either. Bookmarking and note-taking are essential.

6. Results — From the Bot’s Perspective

Attack	Response after Blocking
`GET /wp-login.php`	301 → Fake URL → Bot attempts there → Forever fails
`POST /xmlrpc.php`	Blocked immediately with 403. Amplification not possible
`GET /wp-admin/`	404. The admin page pretends to be nonexistent
Username brute force	Attempting `admin` → Our site has no admin
`?author=1` user enum	Rank Math automatically blocks it (`Disable Author Archives`)

Resources expended by bots = Gains from I’s site = 0.

7. P0 vs P1 vs P2 — Prioritization

Stage	Task	Timing
P0 (Mandatory, before domain disclosure)	Username, xmlrpc, wp-login slug	This 25 minutes
P1 (Immediately after domain launch)	Wordfence wizard + 2FA	GUI operations by I
P2 (Monthly)	Plugin security updates + WPA (vulnerability scan)	Operational phase

If I launch the domain without completing P0 — bots will arrive within 24 hours to start brute force attempts. Even without setup, it is impenetrable, yet logs will accumulate brute force attempts and consume mini-PC CPU. Preventing such occurrences is vital for mental well-being.

8. Traps

Trap 1. mu-plugin Auto Activation

mu-plugins run forced above regular plugins. Consequently, security policies, like blocking xmlrpc, that must never be disabled, are suitable for mu-plugins.

Trap 2. Forgetting WPS Hide Login Slug

Since the whl_page option is directly written into the DB, if I forget the slug, I won’t be able to access it either. Recovery method: wp option get whl_page --allow-root (via mini-PC SSH) or temporarily deactivate the mu-plugin.

Trap 3. Automatic Bypass After Authentication

WPS Hide Login only blocks those who do not know the slug. A logged-in session continues to use /wp-admin/. Once I log in, I have free access to the admin page for the next 30 minutes.

Trap 4. Entry with a New Slug Upon Logout

After I log out, the next login will be at /starport. Updating bookmarks is essential.

FAQ

Q. What if I already disclosed the domain but haven’t set up P0?
Immediately turn off cloudflared or disable the Tailscale Funnel → Set up P0 → Re-disclose. 5 minutes.

Q. Why is the Wordfence wizard (P1) not P0?
P0 removes the surface itself. Wordfence detects and blocks attacks while the surface is still present. It serves as a supplementary measure.

Q. Can I change the slug to /admin?
/admin is also a common slug targeted by bots. Not recommended. Choose a word that only I can think of, which is difficult to guess.

Q. Is P0 sufficient without 2FA?
Sufficient + entirely enough. 2FA acts as the final shield when passwords are compromised. P0 + 2FA = Effectively invulnerable.

Q. If I block xmlrpc, can I still use Jetpack?
Some Jetpack functionalities are disabled. It is irrelevant if Jetpack is not used at all. Our Star Whale does not utilize Jetpack.

Next Episode Preview

Part 9 — The Invisible Bridge: Cloudflare Tunnel. Finally connecting the domain to the mini-PC. No need to open router ports, without exposing the mini-PC IP, and employing a free WAF, DDoS protection, and CDN.

Summary

Disclosing a WordPress domain = Bots will arrive within 24 hours. A P0 setup (username, xmlrpc, wp-login slug) in 25 minutes can block 99%. Complete this before launching the domain.

2026-05-30

Why I Started a Blog on My Own Computer

Self-hosting build log part 1. An introductory piece for the series. Reasons for the decision and considerations made at that time.

TL;DR

Tistory and Naver blogs are good, but five issues were bothersome: ads, enforced tone, data lock-in, risk of service closure, restrictions on experimentation.
By opting for my own computer (mini-PC) + WordPress + domain, these five issues are resolved in one go.
Initial cost = annual domain renewal fee of $10. The mini-PC was already available.
Trap: “I take full responsibility” — backup, security, updates, and downtime are all my responsibility.

1. Initially Considered Tistory

The moment I decided to create a blog, the natural first candidates were Tistory and Naver blog. It takes 5 minutes to sign up, and you’re ready to write. It has good visibility in Korean searches and offers a mobile app.

However, after three days of creating, five issues became bothersome.

Issues	Explanation
Ads	Platform ads in between and around my posts. Mixed content that doesn’t align with my tone.
Enforced Tone	The platform’s design reflects a “friendly everyday” tone. Objective and technical writing feels awkward.
Data Lock-in	My written content resides in the platform’s database. Difficult to extract in Markdown format.
Risk of Service Closure	If the service shuts down like Yahoo Blog or Daum View, all posts would be lost.
Restrictions on Experimentation	Unable to attach new plugins, AI-friendly robots.txt, or custom analysis tools.

The content I wished to produce was “study, trading, automation” — technical, long, and steady in tone. These platforms didn’t align well with that.

2. Exploring Other Options

There are about four alternatives besides self-hosting.

Reasons for eliminating each:

Medium/Substack: Targets English speakers + subscription model + enforced tone. Weak exposure for Korean.
GitHub Pages + Hugo: Static site; the lightest option. However, comments, analytics, and plugins all depend on external services.
Notion Public Page: Weak exposure to search engines. Unable to set an AI-friendly robots.txt.

3. Self-hosting = Solving Five Issues at Once

Issues that Bothered Me	In Self-hosting
Ads	None. They won’t appear unless I place them.
Enforced Tone	Full control over themes and CSS. My tone remains intact.
Data Lock-in	Data resides on my computer. Automated daily backups.
Risk of Service Closure	As long as my computer doesn’t fail, it stays up.
Restrictions on Experimentation	Freedom to implement mu-plugin, robots.txt, llms.txt, and trackers.

Moreover, an added advantage: in the age of AI search (GEO), automatically generating English versions enables global visibility. Multi-language support is generally challenging on platform blogs.

4. Cost Comparison

Item	Tistory/Naver	Self-hosting (Star Whale)
Signup Fee	0 KRW	Annual domain renewal fee of $10 (≈ 14,000 KRW)
Hosting	Free (includes ads)	Mini-PC electricity costs (already powered on)
Ad Revenue	Platform takes half	100% to me (will not place ads, so irrelevant)
Backup	Managed by the platform (but difficult to extract)	My responsibility (automated with cron)
Maintenance Cost	0 KRW	0 KRW (aside from the domain)

For those without a mini-PC, a Raspberry Pi ($35) or a second-hand mini-PC ($100–200) + domain is sufficient. Still, the total cost for a year remains below $50.

5. Trap — “I Take Full Responsibility”

The true cost of self-hosting is not monetary but responsibility.

Responsibility	Frequency	Can be Automated?
DB Backup	Daily	✅ Cron + automatic to Obsidian Vault
Security Updates	Weekly	△ wp-cli + notifications
SSL Renewal	Every 90 days	✅ Handled automatically by Cloudflare Tunnel
Attack Response	24/7	✅ WAF + Wordfence
Downtime (Power/Internet)	Occasionally	❌ Handled by myself
Site Design/Plugin Conflicts	Occasionally	❌ I debug myself

All five responsibilities previously handled by platform blogs now fall on me. Automatable tasks will be automated, and non-automatable ones I will accept.

FAQ

Q. Can I opt for a cloud VPS if I don’t have a mini-PC?
Yes. A $5/month VPS such as AWS Lightsail, DigitalOcean, or Vultr will suffice. However, this incurs monthly costs and limits control freedom compared to a mini-PC.

Q. Will a traffic surge cripple my home internet?
With Cloudflare Tunnel + CDN in front, static content is absorbed by Cloudflare. Dynamic requests reaching my home mini-PC are the only ones processed. Typically, even a viral spike can be handled.

Q. Do I need to turn on the PC every time I write?
The WordPress admin interface = logging in at /starport. Accessible from anywhere. The PC used for writing and the mini-PC are separate. As long as the mini-PC is powered on 24/7, it’s sufficient.

Q. Can foreigners read my Korean posts?
This will be discussed in part 9 (Polylang). If only one Korean language post is written in Obsidian, the LLM will automatically generate an English version and handle hreflang with Polylang. My burden = one Korean version.

Q. Did I regret this choice?
I regretted for about a day — during the initial setup, I struggled with Apache settings, SSL renewals, and DB permission issues until 3 AM. Once it’s finished, I won’t do it the same way again.

Next Part Preview

Part 2 — One Square Meter Server: Running WordPress on Docker. The process of getting WordPress, MariaDB, and Redis operational on a single mini-PC using Docker Compose in 30 minutes.

Summary in One Line

Platform blogs are easy to start, but the five issues of ads, tone enforcement, and data lock-in are bothersome. Self-hosting resolves these five issues simultaneously—setup takes a day, automation daily, and accepting responsibilities = an annual cost of $10.

2026-05-30