Open Thinkering

Why I care about running a private, resilient blog

Earlier this month, I moved this 20-year-old blog from WordPress to Ghost. While doing so, I took the opportunity to think more holistically – i.e. beyond just the publishing platform I was migrating to. How could I make it more private, more resilient?

I may be daft, but I'm not stupid. I'm not trying to protect myself from interference by a state-level actor or determined adversary, but I do want to resist casual interference. I also want to show what “good practice” can look like for people who, like me, are not security professionals, but who still care about how their work reaches others.

So what follows is the stack I currently use, why I chose it, and some suggestions for how you might borrow ideas for your own site. This, of course, is not the only way to do it, but it is a concrete plan, and it is running in production on my blog.

What we talk about when we talk about threat models

I'm not a whistleblower, sharing sensitive information, or otherwise of interest to governments or hackers. However, I am concerned about:

  • Over‑zealous content moderation by platforms / infrastructure providers
  • Data brokers and casual network surveillance by ISPs
  • Low‑effort censorship (e.g. DNS tampering / pressure on hosting companies)

The chances are that you will be a bit like me, so Privacy Guides has some simple, straightforward questions that are helpful.

No domain, no gain

I used the same domain registrar for the last two decades, as previously I didn't think about much other than price. But, this week, I moved dougbelshaw.com to Njalla. Why?

Njalla is a privacy‑oriented registrar that serves as a legal layer between my personal identity and public WHOIS records. Although you can pay for 'domain privacy' with most registrars, by default Njalla appears as the formal owner, while I retain day‑to‑day control through their panel.

Some might argue that this is dangerous, as I don't “own” my domain. But I'd point out that we're only renting our domains anyway, and in practice this move gives me:

  • WHOIS privacy by design rather than as an add‑on
  • A buffer against casual legal or corporate requests that rely on an easy, visible target
  • A registrar whose business model is explicitly built around privacy and free expression

Yes, Njalla could, in theory, refuse to cooperate or disappear. But they've been around a while and have priors. If you're looking for alternatives, I've seen people recommend infomaniak and Gandi but have no direct experience myself.

DNS: Do Not Spy

I'd been managing my DNS zone via Cloudflare. Over the years, it had become bloated with records I was no longer using. So I took the opportunity of the move to reduce my attack surface and keep things trim.

DNS is by default insecure as it was designed solely as a scalable distributed system. That's where DNSSEC comes in, digitally signing records for DNS lookup using public-key cryptography. In other words, it lets resolvers verify that my DNS records have not been tampered with in transit. One advantage of having Njalla as both domain registrar and hosting provider is that turning on DNSSEC involves clicking a single button.

I've set relatively short TTLs on records, making it easy to move the site quickly if Njalla became unreliable or hostile, shifting traffic to a new VPS with minimal caching lag.

I'm also avoiding third-party analytics, remote fonts and scripts, and (for now) CDNs. Every extra external lookup leaks more metadata and becomes another potential block point, and I'd quite like to keep my readers’ behaviour out of data‑brokers' hands. For (much) more on all of this, read this guide by the Open Rights Group.

Hosting with the most‑ing

(security, not features)

This blog runs on a VPS I control, hosted by Njalla. It has:

  • A reverse proxy that terminates HTTPS with sensible HTTP security headers
  • A blog engine (Ghost) behind that proxy
  • A firewall that only exposes ports that need to be exposed

The self‑hosting guides I've read usually say similar things: keep your stack lean, avoid random extra services, and patch regularly.

Resilience matters as much as privacy, so I keep encrypted backups thanks to Duplicati. For now, because it was the quickest and easiest thing to do, they're going to a Google Drive folder. Longer-term, however, they'll go to my home media server.

Same blog, extra layers

I was surprised how easy it was to make this blog available over Tor as an onion service. It makes the site much more resilient, giving readers not just end-to-end encryption (separate to HTTPS), but a way to reach my content even if DNS or IP-level blocking is used on the clearnet site.

To help readers find the onion version and check that it is genuine, the onion address is published on my About page, and I serve an Onion-Location header to Tor Browser visitors, so the browser can point them to the onion mirror.
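One way to check that a published onion address and Onion-Location header are well-formed, as an added example that is not code from this blog, Ghost or the Tor Project. It applies the conditions Tor Browser documents for the header (HTTPS page that is not itself an onion site, http(s) URL on a .onion host) and verifies the v3 address checksum, so a typo in the address is caught before readers see it. The page URL `blog.example` and the key bytes are constructed sample values.

```python
import base64
import hashlib
from urllib.parse import urlsplit

ONION_VERSION = b"\x03"  # version byte of v3 onion services


def onion_v3_checksum(pubkey: bytes) -> bytes:
    """First two bytes of SHA3-256(".onion checksum" || pubkey || version)."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + ONION_VERSION).digest()[:2]


def encode_onion_v3(pubkey: bytes) -> str:
    """Hostname for a 32-byte service public key: base32(pubkey || checksum || version)."""
    raw = pubkey + onion_v3_checksum(pubkey) + ONION_VERSION
    return base64.b32encode(raw).decode().lower() + ".onion"


def check_onion_location(page_url: str, header_value: str) -> list[str]:
    """Return the problems found with an Onion-Location header ([] means none)."""
    problems = []
    page, target = urlsplit(page_url), urlsplit(header_value.strip())
    if page.scheme != "https":
        problems.append("page is not served over HTTPS")
    if (page.hostname or "").endswith(".onion"):
        problems.append("page is already an onion site")
    if target.scheme not in ("http", "https"):
        problems.append("header value is not an http(s) URL")
    host = target.hostname or ""
    if not host.endswith(".onion"):
        problems.append("header value does not point at a .onion host")
        return problems
    label = host.split(".")[-2]  # tolerate subdomains such as www.<address>.onion
    try:
        raw = base64.b32decode(label.upper()) if len(label) == 56 else b""
    except ValueError:  # characters outside the base32 alphabet
        raw = b""
    if len(raw) != 35:
        problems.append("not a 56-character base32 v3 address")
    elif raw[34:] != ONION_VERSION:
        problems.append("unexpected version byte")
    elif raw[32:34] != onion_v3_checksum(raw[:32]):
        problems.append("checksum mismatch (typo or tampering)")
    return problems


if __name__ == "__main__":
    sample = encode_onion_v3(bytes(range(32)))  # constructed key, not a real service
    print(check_onion_location("https://blog.example/", f"http://{sample}/"))
```

The checksum only shows that an address is internally consistent; readers still need a trusted place, such as the About page, to compare it against.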

Ops, not oops

At the end of the day, tech choices only go so far, so I've also made some decisions such as:

  • Keeping the Ghost admin dashboard on a separate subdomain to the blog itself (I also only log into the dashboard on machines I control)
  • Ensuring the OS is up-to-date on the VPS which runs the Docker containers for Ghost, etc.
  • Reviewing my tokens and SSH keys now and again to remove anything I no longer use

Finally, you don't need to copy everything here to improve your own setup. Hopefully it's helpful to see other people's approach. It's worth saying that I've learned a lot just through reading other people's work and through conversations with LLMs. These days, if you have a clear idea of what you want to do, it's never been easier to get on and do it.