Website Opsec/Cybersecurity Review

Audience: stakeholders and technical readers
Goal: inform without exposing secrets

In-Depth Security Review of The Reasonable Adjustment

This page explains how the platform is secured and monitored. It focuses on strategy and controls, not on secret keys or internal endpoints.

Executive summary

The Reasonable Adjustment runs a multi layer security and observability stack built on Cloudflare and WordPress. Custom edge logic, telemetry, and evidential logging create resilience with low noise. The site stays fast for real readers while hostile traffic is slowed, challenged, or blocked. All significant events are logged in real time for audit and legal use.

Always on DDoS controls

Network, SSL or TLS, and HTTP layers with an aggressive global override during surges.

Targeted WAF expressions

Blocks for leaked files, admin paths, tool signatures, and high risk ASNs. Good crawlers are allowed.

Evidence grade logging

Discord feeds include fingerprint id, ASN, country, CF Ray, path, and more.

Threat model

  • Botnet noise, credential stuffing, and XML RPC spam
  • Scrapers and headless clients that hunt for weak endpoints or leaked files
  • Corporate VPN and cloud exit nodes that perform recon on public and admin paths
  • Occasional volumetric spikes that resemble DDoS tests
  • A need to document suspicious access for regulators and the courts

Cloudflare controls

DDoS and transport protections

  • SSL or TLS and network layer DDoS protection active by default
  • HTTP DDoS override enabled globally, tuned to challenge or execute on abusive patterns

Firewall and WAF strategy

Exploit surface reduction

  • Blocks or challenges for hot paths and leaks. Examples include /.env, /.git, config or vendor folders, Adminer or phpMyAdmin probes, xmlrpc.php, backup, shell, and id_rsa patterns.
  • Static assets and well known paths are excluded to avoid false positives.

Tooling and automation filters

  • Matches on signatures for curl, wget, Python requests, Java tooling, okhttp, node fetch, httpclient, and headless engines.
  • ASN and country lists cover high risk infrastructure and anonymizers. Good crawlers are allowed through with Cloudflare bot signals and a small allow list.

Contextual WordPress guards

  • /wp-login and /wp-admin challenged when the referer is not the site
  • Selective checks on /wp-json and admin-ajax.php patterns
  • Rate limiting for credential abuse and leaked password checks

VPN and proxy handling

  • Grey zone providers like Mullvad or common cloud exits are not blanket blocked.
  • They receive managed or JavaScript challenges, short tarpits, and detailed logging. Escalation is based on behavior.

Reputation and exceptions

  • Good bots are allowed, Discord unfurlers are allowed, owner networks are whitelisted.
  • A small set of flagged IPs see a one time warning interstitial before normal service.
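The classifier below is an added example, not the site's own WAF rules, showing how the exploit surface, tooling, ASN, crawler and WordPress referer checks listed in this section compose into one allow, challenge or block decision. The leak path patterns, tooling signatures, ASN numbers and owner network are constructed placeholders for illustration; the ordering (owner networks and static assets first, then leaks, tooling, ASN, admin paths) is what keeps false positives low.

```javascript
// Added example, not the site's own WAF rules: a request classifier that mirrors the
// strategy described above. The leak-path patterns, tooling signatures, ASN numbers
// and owner network below are constructed placeholders for illustration.

// Paths that only probes ask for: leaked files, admin tools, backups, keys
const LEAK_PATH_RES = [
  /^\/\.env(\.|$)/i, /^\/\.git(\/|$)/, /^\/(config|vendor)\//i,
  /adminer|phpmyadmin/i, /^\/xmlrpc\.php$/i,
  /\.(bak|backup|old|sql|tar|tgz|zip)$/i, /(^|\/)id_rsa(\.pub)?$/i, /(^|\/)shell\.php$/i,
];
// Excluded from the leak and tooling checks so real assets never trip the rules
const STATIC_RE = /\.(css|js|mjs|png|jpe?g|gif|svg|webp|woff2?|ico|txt|xml)$/i;
const WELL_KNOWN_RE = /^\/\.well-known\//;
// Client signatures of automation tooling and headless engines
const TOOL_UA_RE = /\b(curl|wget|python-requests|java|okhttp|node-fetch|httpclient|headlesschrome|phantomjs)\b/i;
const GOOD_BOT_RE = /\b(googlebot|bingbot|duckduckbot|discordbot)\b/i;
const HIGH_RISK_ASNS = new Set([64496, 64497]);   // placeholder ASNs from the RFC 5398 documentation range
const OWNER_CIDRS = ['203.0.113.0/24'];           // placeholder owner network (TEST-NET-3)

function ipv4ToInt(ip) {
  return ip.split('.').reduce((acc, octet) => ((acc << 8) + Number(octet)) >>> 0, 0);
}

function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
}

function sameSite(referer, host) {
  if (!referer) return false;
  try { return new URL(referer).host === host; } catch { return false; }
}

// Returns { action: 'allow' | 'challenge' | 'block', reason }
function classify(req) {
  const path = req.path || '/';
  const ua = req.ua || '';
  if (req.ip && /^\d+\.\d+\.\d+\.\d+$/.test(req.ip) && OWNER_CIDRS.some(c => inCidr(req.ip, c))) {
    return { action: 'allow', reason: 'owner network' };
  }
  if (STATIC_RE.test(path) || WELL_KNOWN_RE.test(path)) {
    return { action: 'allow', reason: 'static or well-known path excluded from rules' };
  }
  if (req.verifiedBot && GOOD_BOT_RE.test(ua)) {
    return { action: 'allow', reason: 'verified good crawler' };
  }
  if (LEAK_PATH_RES.some(re => re.test(path))) {
    return { action: 'block', reason: 'leaked file or admin tool probe' };
  }
  if (TOOL_UA_RE.test(ua)) {
    return { action: 'block', reason: 'automation tooling signature' };
  }
  if (HIGH_RISK_ASNS.has(req.asn)) {
    return { action: 'challenge', reason: 'high risk ASN' };
  }
  if (/^\/wp-(login|admin)/i.test(path) && !sameSite(req.referer, req.host)) {
    return { action: 'challenge', reason: 'admin path without same-site referer' };
  }
  return { action: 'allow', reason: 'default' };
}
```

The good-crawler branch only fires when the platform's own bot verification flag is set, so a scripted client that merely claims a crawler user agent falls through to the tooling and path checks.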

Caching and transforms

  • Aggressive caching of static assets
  • No cache for searches, query pages, and sensitive query strings
  • No cache on 4xx or 5xx to avoid poisoning
  • Content Security Policy set at the edge to keep scripts and embeds on a short list

Edge Worker logic

Routing by behavior

  • Good crawlers receive a fast lane for indexing health
  • Bad ASNs receive an interstitial that explains logging and then proceeds
  • Tor or obviously scripted traffic receives a drip feed tarpit that wastes time, then closes
  • Specific ASNs can receive a timed redirect to a policy hub that frames expectations
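An added example, not the site's Worker, of how the four routing behaviours above fit into a Cloudflare Worker style fetch handler: a pure decision function, a drip feed tarpit built on a streaming body, an interstitial that sets a marker cookie so it is shown once, and a timed redirect. The ASN sets, the policy hub URL, the timings and the interstitial copy are constructed placeholders; the `request.cf` fields and the `cf-ipcountry` value `T1` for Tor exits are Cloudflare's.

```javascript
// Added example, not the site's Worker: a fetch handler that routes by behaviour in the
// way the list above describes. ASN sets, policy hub URL, timings and the interstitial
// copy are constructed placeholders.

const FAST_LANE_BOTS = /\b(googlebot|bingbot)\b/i;
const SCRIPTED_UA_RE = /\b(curl|wget|python-requests|headlesschrome)\b/i;
const INTERSTITIAL_ASNS = new Set([64500]);                                     // placeholder ASN
const POLICY_REDIRECT_ASNS = new Map([[64501, 'https://example.test/policy']]); // placeholder ASN and URL
const INTERSTITIAL_COOKIE = 'tra_notice';

// Pure decision function so routing can be tested without a Worker runtime.
// ctx: { ua, asn, verifiedBot, isTor, seenNotice }
function decideRoute(ctx) {
  const ua = ctx.ua || '';
  if (ctx.verifiedBot && FAST_LANE_BOTS.test(ua)) return { route: 'fast-lane' };
  if (ctx.isTor || SCRIPTED_UA_RE.test(ua)) return { route: 'tarpit' };
  if (POLICY_REDIRECT_ASNS.has(ctx.asn)) return { route: 'redirect', to: POLICY_REDIRECT_ASNS.get(ctx.asn) };
  if (INTERSTITIAL_ASNS.has(ctx.asn) && !ctx.seenNotice) return { route: 'interstitial' };
  return { route: 'origin' };
}

// Drip feed tarpit: one byte every intervalMs for `chunks` rounds, then the stream closes.
function tarpitResponse(chunks = 30, intervalMs = 1000) {
  const enc = new TextEncoder();
  let sent = 0;
  const body = new ReadableStream({
    pull(controller) {
      return new Promise(resolve => setTimeout(() => {
        if (sent++ < chunks) controller.enqueue(enc.encode(' ')); else controller.close();
        resolve();
      }, intervalMs));
    },
  });
  return new Response(body, { status: 200, headers: { 'content-type': 'text/plain', 'cache-control': 'no-store' } });
}

const escapeHtml = s => String(s).replace(/[&<>"']/g, c => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));

// Interstitial that explains logging, sets a marker cookie, and auto-continues after a short timer.
function interstitialResponse(url, seconds = 6) {
  const safeUrl = escapeHtml(url);
  const html = `<!doctype html><html lang="en"><head><meta charset="utf-8">
<meta http-equiv="refresh" content="${seconds};url=${safeUrl}"><title>Notice</title></head>
<body><main><h1>Access notice</h1>
<p>Requests from this network are logged with ASN, country and request id. You will continue in ${seconds} seconds.</p>
<p><a href="${safeUrl}">Continue now</a></p></main></body></html>`;
  return new Response(html, {
    status: 200,
    headers: {
      'content-type': 'text/html; charset=utf-8',
      'cache-control': 'no-store',
      'set-cookie': `${INTERSTITIAL_COOKIE}=1; Path=/; Max-Age=86400; Secure; HttpOnly; SameSite=Lax`,
    },
  });
}

const worker = {
  async fetch(request) {
    const cf = request.cf || {};
    const decision = decideRoute({
      ua: request.headers.get('user-agent'),
      asn: cf.asn,
      verifiedBot: Boolean(cf.botManagement && cf.botManagement.verifiedBot),
      isTor: request.headers.get('cf-ipcountry') === 'T1',   // Cloudflare labels Tor exits as T1
      seenNotice: (request.headers.get('cookie') || '').includes(`${INTERSTITIAL_COOKIE}=1`),
    });
    switch (decision.route) {
      case 'tarpit': return tarpitResponse();
      case 'redirect': return Response.redirect(decision.to, 302);
      case 'interstitial': return interstitialResponse(request.url);
      default: return fetch(request);   // fast lane and normal traffic go to origin
    }
  },
};
```

The tarpit keeps the connection open with a trickle of bytes rather than a hard close, so automated clients with a generous read timeout spend their time waiting while the origin never sees the request; the fixed chunk count bounds how long an edge worker holds the stream.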

Discord evidence feeds

  • Embeds include fingerprint id, ASN and org, country and colo, path, protocol, CF Ray, and UA
  • Logs are sampled and de duplicated to avoid alert fatigue, with separate channels for normal, tarpit, and bad actor events
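An added example, not the site's own relay, of the feed logic the two bullets describe: an event is shaped into an embed with the listed fields, bursts from the same fingerprint, path and outcome are suppressed inside a window, and the channel is picked by outcome. The environment variable names, the ninety second window, the field limits and the sample event in the test are constructed; the relay uses a short timeout and swallows failures so logging never delays a response.

```javascript
// Added example, not the site's own relay: turning a request event into a Discord embed,
// de-duplicating bursts, and selecting the channel. The environment variable names,
// the sample event and the limits are constructed for illustration.

const WEBHOOK_VARS = { normal: 'WEBHOOK_NORMAL', tarpit: 'WEBHOOK_TARPIT', bad: 'WEBHOOK_BAD' }; // assumed env names
const DEDUPE_WINDOW_MS = 90 * 1000;
const seen = new Map();   // key -> last send time; in a Worker this would live in KV or a Durable Object

const eventKey = ev => `${ev.fingerprint}|${ev.path}|${ev.outcome}`;

// True the first time a fingerprint hits a path with a given outcome inside the window
function shouldSend(ev, now = Date.now()) {
  const key = eventKey(ev);
  const last = seen.get(key);
  if (last !== undefined && now - last < DEDUPE_WINDOW_MS) return false;
  seen.set(key, now);
  for (const [k, t] of seen) if (now - t >= DEDUPE_WINDOW_MS) seen.delete(k);   // keep the map small
  return true;
}

function pickChannel(ev) {
  if (ev.outcome === 'tarpit') return 'tarpit';
  if (ev.outcome === 'block' || ev.highRiskAsn) return 'bad';
  return 'normal';
}

// Discord rejects oversized embeds; clamp lengths and strip markdown, mention and control characters
const clamp = (s, max) => { s = String(s ?? ''); return s.length > max ? s.slice(0, max - 1) + '…' : s; };
const scrub = s => String(s ?? '').replace(/[`*_~|@\u0000-\u001f\u007f]/g, ' ');
const field = (name, value, max = 64, inline = true) => ({ name, value: clamp(scrub(value), max) || 'n/a', inline });

function buildEmbed(ev) {
  const color = { block: 0xcc0000, tarpit: 0xcc8800 }[ev.outcome] ?? 0x3366cc;
  return {
    title: clamp(`${ev.outcome.toUpperCase()} ${scrub(ev.path)}`, 256),
    color,
    fields: [
      field('Fingerprint', ev.fingerprint),
      field('ASN', `${ev.asn ?? '?'} ${ev.org ?? ''}`.trim()),
      field('Geo', `${ev.country ?? '?'} / ${ev.colo ?? '?'}`, 32),
      field('Protocol', ev.protocol, 16),
      field('CF-Ray', ev.ray),
      field('UA', ev.ua, 256, false),
    ],
    timestamp: new Date(ev.ts).toISOString(),
  };
}

// Relay with a short timeout; failures are swallowed so logging never delays the response
async function relay(ev, env, fetchImpl = globalThis.fetch, timeoutMs = 2000) {
  if (!shouldSend(ev, ev.ts)) return { sent: false, reason: 'deduped' };
  const channel = pickChannel(ev);
  const url = env[WEBHOOK_VARS[channel]];
  if (!url) return { sent: false, reason: 'no webhook configured' };
  const ac = new AbortController();
  const timer = setTimeout(() => ac.abort(), timeoutMs);
  try {
    await fetchImpl(url, {
      method: 'POST',
      headers: { 'content-type': 'application/json' },
      body: JSON.stringify({ embeds: [buildEmbed(ev)] }),
      signal: ac.signal,
    });
    return { sent: true, channel };
  } catch (err) {
    return { sent: false, reason: `relay failed: ${err.message}` };
  } finally {
    clearTimeout(timer);
  }
}
```

Scrubbing before relay matters because the user agent and path are attacker controlled: without it a crafted value could inject markdown, mentions or control characters into the evidence channel.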

UX aware interstitials

  • Pages are accessible and keyboard friendly, with clear copy and auto redirect timers

Response hardening

  • Referrer-Policy: strict-origin-when-cross-origin
  • X-Content-Type-Options: nosniff and X-Frame-Options: SAMEORIGIN
  • Permissions Policy limited to what the site needs
  • Optional HSTS via environment toggle
  • Default CSP that allows the site and analytics only, plus safe embeds
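An added example, not the site's own code, of an edge helper that applies the headers listed here together with the cache rules from the caching and transforms section: static assets cached hard, searches and sensitive query strings never cached, 4xx and 5xx never cached, and HSTS added only when an environment toggle is set. The site origin, analytics host, embed platforms, sensitive parameter names and the `ENABLE_HSTS` variable are assumptions.

```javascript
// Added example, not the site's own code: an edge helper that applies the response
// headers listed above and the cache rules from the caching section. The site origin,
// analytics and embed hosts are placeholders; HSTS is read from an assumed
// ENABLE_HSTS environment toggle.

const SITE_ORIGIN = 'https://example.test';                                            // placeholder
const ANALYTICS_ORIGINS = ['https://analytics.example.test'];                           // placeholder
const EMBED_ORIGINS = ['https://www.youtube-nocookie.com', 'https://player.vimeo.com']; // assumed embed platforms
const SENSITIVE_PARAMS = ['s', 'preview', 'token', 'nonce', 'key'];                    // assumed: never cache these
const STATIC_ASSET_RE = /\.(css|js|mjs|png|jpe?g|gif|svg|webp|avif|woff2?|ico)$/i;

// Default CSP: the site itself, analytics, and a short list of embed hosts
function buildCsp() {
  const self = "'self'";
  const analytics = ANALYTICS_ORIGINS.join(' ');
  return [
    `default-src ${self}`,
    `script-src ${self} ${analytics}`,
    `connect-src ${self} ${analytics}`,
    `img-src ${self} data: https:`,
    `style-src ${self} 'unsafe-inline'`,     // WordPress themes inline styles; move to nonces when feasible
    `font-src ${self} data:`,
    `frame-src ${EMBED_ORIGINS.join(' ')}`,
    `object-src 'none'`,
    `base-uri ${self}`,
    `form-action ${self}`,
    `frame-ancestors ${self}`,
    'upgrade-insecure-requests',
  ].join('; ');
}

function securityHeaders(env = {}) {
  const headers = {
    'Referrer-Policy': 'strict-origin-when-cross-origin',
    'X-Content-Type-Options': 'nosniff',
    'X-Frame-Options': 'SAMEORIGIN',
    'Permissions-Policy': 'camera=(), microphone=(), geolocation=(), payment=(), usb=()',
    'Content-Security-Policy': buildCsp(),
  };
  if (env.ENABLE_HSTS === 'true') {     // environment toggle, off until staged checks pass
    headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains';
  }
  return headers;
}

// Cache rules: static assets cached hard, search and sensitive queries never, errors never
function cacheControl(url, status) {
  const u = new URL(url, SITE_ORIGIN);
  if (status >= 400) return 'no-store';                        // never cache 4xx/5xx (poisoning risk)
  if (u.pathname.startsWith('/search') || SENSITIVE_PARAMS.some(p => u.searchParams.has(p))) {
    return 'private, no-store';
  }
  if (STATIC_ASSET_RE.test(u.pathname)) return 'public, max-age=31536000, immutable';
  return 'public, max-age=0, s-maxage=600, stale-while-revalidate=60';
}

// Clone the origin response and apply both sets of rules
function harden(response, url, env = {}) {
  const out = new Response(response.body, response);
  for (const [k, v] of Object.entries(securityHeaders(env))) out.headers.set(k, v);
  out.headers.set('Cache-Control', cacheControl(url, response.status));
  return out;
}
```

Keeping the header set in one function makes the staged HSTS rollout a configuration change rather than a code change, and the `no-store` on error statuses is what prevents a transient origin failure from being cached and served to readers.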

Client telemetry

What is gathered

  • Browser, platform, language, time zone, screen details, hardware concurrency, device memory hints
  • WebGL vendor and renderer, session view count, dwell time, document visibility

How it behaves

  • Stable visitor id and short lived session id set with secure cookies
  • Compact JSON payload sent to a public REST route, then a second beacon later to capture dwell
  • The site works if analytics are blocked

No special category data. No form contents. No keystrokes. No cross site tracking.
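An added example, not the site's own collector, of the client side logic just described: the listed fields are gathered from browser objects passed in explicitly, empty values are dropped so the JSON stays compact, a view ping goes to the public REST route on load, and a single dwell ping is sent on leave. The route path, the field names, and the injected `send` function and clock are assumptions made so the gathering and sending parts can be tested outside a browser; the visitor and session cookies are set server side and are not touched here.

```javascript
// Added example, not the site's own collector: client-side gathering and beacon logic
// described above, split into pure functions so it can be tested without a browser.
// The REST route, field names, and the injected send() and clock are assumptions.

const PING_ROUTE = '/wp-json/tra/v1/ping';   // assumed route, matching the WordPress section

// Drop empty fields so the JSON stays small and carries no accidental nulls
function compact(obj) {
  return Object.fromEntries(Object.entries(obj).filter(([, v]) => v !== undefined && v !== null && v !== ''));
}

// Build the compact payload from browser objects passed in explicitly
function gather(src) {
  const n = src.navigator || {}, s = src.screen || {};
  return compact({
    ua: n.userAgent,
    plat: n.platform,
    lang: n.language,
    tz: src.timeZone,                                          // Intl.DateTimeFormat().resolvedOptions().timeZone
    scr: s.width && s.height ? `${s.width}x${s.height}@${src.dpr ?? 1}` : undefined,
    hc: n.hardwareConcurrency,
    mem: n.deviceMemory,                                       // coarse hint, Chromium only
    gl: src.webgl ? `${src.webgl.vendor}|${src.webgl.renderer}` : undefined,
    views: src.sessionViews,
    vis: src.visibility,
    page: src.page,
  });
}

// Read the WebGL vendor and renderer strings when the browser exposes them
function readWebgl(doc) {
  try {
    const gl = doc.createElement('canvas').getContext('webgl');
    const ext = gl && gl.getExtension('WEBGL_debug_renderer_info');
    return ext ? { vendor: gl.getParameter(ext.UNMASKED_VENDOR_WEBGL), renderer: gl.getParameter(ext.UNMASKED_RENDERER_WEBGL) } : undefined;
  } catch { return undefined; }
}

// Two beacons per page: a view ping on load and one dwell ping on leave
function createCollector({ send, now = () => Date.now(), route = PING_ROUTE }) {
  const started = now();
  let dwellSent = false;
  return {
    ping(src) { return send(route, JSON.stringify({ ev: 'view', ...gather(src) })); },
    dwell(src) {
      if (dwellSent) return false;                     // pagehide and visibilitychange can both fire
      dwellSent = true;
      return send(route, JSON.stringify({ ev: 'dwell', page: src.page, dwell_ms: now() - started }));
    },
  };
}

// Browser wiring; skipped under Node so the functions above stay testable
if (typeof window !== 'undefined' && typeof navigator !== 'undefined') {
  const send = (route, body) => navigator.sendBeacon(route, new Blob([body], { type: 'application/json' }));
  const views = Number(sessionStorage.getItem('tra_views') || 0) + 1;
  sessionStorage.setItem('tra_views', String(views));
  const src = () => ({
    navigator, screen, dpr: window.devicePixelRatio,
    timeZone: Intl.DateTimeFormat().resolvedOptions().timeZone,
    webgl: readWebgl(document), sessionViews: views,
    visibility: document.visibilityState, page: location.pathname,
  });
  const collector = createCollector({ send });
  collector.ping(src());
  addEventListener('pagehide', () => collector.dwell(src()));
  document.addEventListener('visibilitychange', () => { if (document.visibilityState === 'hidden') collector.dwell(src()); });
}
```

`navigator.sendBeacon` is used because it is queued by the browser and survives page unload, which is what makes the dwell beacon reliable; if the script is blocked nothing else on the page depends on it.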

WordPress integration: REST telemetry and evidence pipeline

What lives inside WordPress

  • Registers a public REST route /wp-json/tra/v1/ping via rest_api_init.
  • Normalises and de-noises the JSON payload, then formats a compact Discord embed.
  • Sets and refreshes two IDs: tra_vid (long lived visitor) and tra_sid (short session).
  • Deduplicates bursts with set_transient() so one visitor cannot flood logs for the same page.
  • Sends the embed with wp_remote_post() on a short timeout, then returns 204 No Content.

Why this belongs in WordPress and not only at the edge

  • Access to WP cookies and context for per visitor correlation and session rotation.
  • Feature flags and updates through the WP plugin stack without redeploying edge code.
  • Privacy policy alignment and consent messaging live with the application layer.
  • Fine grained de-dupe keyed to WP concepts like page and user context.

Security and privacy choices made in WP

  • Filters known crawlers and challenge hops before logging. Oversized or malformed payloads are dropped.
  • Clamps long strings to Discord limits and strips risky characters before relay.
  • No special category or form data captured. No keystrokes. No cross site tracking.
  • Cookies set with Secure, HttpOnly, and SameSite=Lax.
  • Returns 204 on success to avoid leaking info to scanners.

Minimal shape of the WP code (illustrative)

<?php
add_action('rest_api_init', function () {
  register_rest_route('tra/v1', '/ping', [
    'methods'  => 'POST',
    'permission_callback' => '__return_true',  // public endpoint, no auth needed
    'callback' => function (WP_REST_Request $r) {
      $data = $r->get_json_params() ?: [];

      // cookies: tra_vid (long lived visitor) and tra_sid (short session)
      $vid  = isset($_COOKIE['tra_vid']) ? sanitize_text_field(wp_unslash($_COOKIE['tra_vid'])) : wp_generate_uuid4();
      $page = isset($data['page']) ? sanitize_text_field($data['page']) : '/';

      // de-noise: filter known bots and drop Cloudflare challenge hops before this point

      // dedupe: one entry per visitor and page within the window, keyed through a transient
      $key = 'tra_ping_' . md5($vid . '|' . $page);
      if (get_transient($key)) {
        return new WP_REST_Response(null, 204);
      }
      set_transient($key, time(), 120);

      // build Discord embed and relay with wp_remote_post() on a 2s timeout
      // (embed construction and the webhook constant are omitted here)

      return new WP_REST_Response(null, 204);
    }
  ]);
});

The production version adds input clamping, whitelists, and payload size caps.

Operational safeguards

  • Webhook URL and switches stored in constants or environment, not hard coded into templates.
  • Non blocking logging: failures do not affect page delivery.
  • Ninety second per page de-dupe keeps Discord noise low during spikes.

In page speed bumps

  • Lightweight 18 plus overlay that clears on one click, stored in localStorage with an optional cookie fallback.
  • Real users breeze through; headless or non interactive clients often stop at the overlay.
  • Telemetry and main content load after confirmation, which keeps analytics clean.

Transport security

  • Typical 24 hour windows show TLS 1.3 above eighty percent; TLS 1.2 covers most of the rest.
  • Remaining traffic is usually non browser noise or unknown tooling.
  • HSTS can be enabled at the edge after staged checks.
  • No mixed content. Embeds are restricted to known platforms.

Outcomes

  • Repeated probes from VPN or cloud exits are slowed, logged, and correlated across sessions.
  • Opportunistic scans for admin panels and leaked files are blocked at the edge.
  • DDoS style surges are handled outside the origin with minimal impact on readers.
  • Evidence packs for specific incidents can be assembled from Discord feeds within minutes.

Why this matters to stakeholders

Trust and safety

Strong TLS, strict headers, and a light footprint protect readers. Nothing blocks legitimate access without a reason.

Operational resilience

Decisions are made at the edge, so the origin stays healthy during noise and spikes.

Accountability

Suspicious access is documented with enough context to support regulators, courts, or public reports.

Limits and trade offs

  • No web stack can stop a nation state or an insider alone. The goal is to make recon expensive and risky, then prove it happened.
  • Some strict corporate networks may trigger a short challenge. The flow is accessible, and logging shows when it occurs.
  • Blocking every VPN would reduce intelligence value. The current approach balances deterrence, visibility, and fairness.

Roadmap ideas

  • Enable HSTS preload after staged checks across subdomains.
  • Add a one click incident pack exporter that bundles Discord lines for a time window.
  • Rotate a small set of honey pages for early warning and signature collection.
  • Optional signed webhooks to a SIEM for long term storage.

Updated: 07 Oct 2025. This page is for transparency and stakeholder confidence. It avoids sharing secret values or internal endpoints.

Contact: [email protected]