Add firewall (UFW) and fail2ban setup step to guide.md

New "Secure Your Server" step between connecting and installing:
- apt update/upgrade for security patches
- UFW firewall: allow SSH, HTTP, HTTPS only
- fail2ban: brute-force SSH protection
- Clear danger callout about SSH lockout risk
- Expected terminal output for verification
- Plain-English explanations of what each command does
- Updated "Going Further" to reference earlier security setup

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
constantprojects
2026-02-23 16:22:10 -07:00
parent 8914f64be5
commit f8983792f7

guide.md

@@ -149,6 +149,125 @@ When typing a password in the terminal, **nothing appears on screen** — no dot
If you get "Connection refused" or "Connection timed out," wait a minute — your server might still be starting up. Try again after 60 seconds. If it still doesn't work, double-check the IP address. If you get "Connection refused" or "Connection timed out," wait a minute — your server might still be starting up. Try again after 60 seconds. If it still doesn't work, double-check the IP address.
[/callout] [/callout]
[step: Secure Your Server]
Before installing anything else, let's lock down your server with a **firewall** and **brute-force protection**. This takes about 2 minutes and prevents the vast majority of automated attacks.
Think of it this way: your server is now on the public internet, and automated bots are already scanning it looking for easy targets. These two tools stop them cold.
**First, update your server's software:**
This makes sure you have the latest security patches. It's the equivalent of running Windows Update or updating your phone.
[code:bash]
apt update && apt upgrade -y
[/code]
This may take a minute. If you see a pink/purple screen asking about restarting services, just press **Enter** to accept the defaults.
**Install the firewall and fail2ban:**
[code:bash]
apt install -y ufw fail2ban
[/code]
This installs two tools:
- [UFW](https://wiki.ubuntu.com/UncomplicatedFirewall) (Uncomplicated Firewall) — blocks all network traffic except what you explicitly allow
- [Fail2ban](https://www.fail2ban.org/) — watches for repeated failed login attempts and automatically bans those IP addresses
**Configure the firewall:**
You need to tell the firewall which types of traffic to allow. Your server needs exactly three things open:
[code:bash]
ufw allow OpenSSH
ufw allow 80/tcp
ufw allow 443/tcp
[/code]
Here's what each line does:
- `ufw allow OpenSSH` — allows SSH connections (port 22), so you can keep connecting to your server remotely. **This line is critical** — without it, you'd be locked out of your own server.
- `ufw allow 80/tcp` — allows HTTP web traffic (needed for SSL certificate setup)
- `ufw allow 443/tcp` — allows HTTPS web traffic (your actual website)
Everything else (thousands of other ports) is blocked by default. That's exactly what you want.
**Turn on the firewall:**
[code:bash]
ufw enable
[/code]
You'll see a warning that says "Command may disrupt existing SSH connections." Type `y` and press Enter. Your current connection will stay active — the warning is just being cautious.
[callout:danger]
**Make sure you ran `ufw allow OpenSSH` before this step.** If you enable the firewall without allowing SSH first, you will be locked out of your server and will need to use your VPS provider's emergency web console to fix it.
[/callout]
**Verify the firewall is working:**
[code:bash]
ufw status
[/code]
You should see output like this:
[terminal]
$ ufw status
Status: active
To Action From
-- ------ ----
OpenSSH ALLOW Anywhere
80/tcp ALLOW Anywhere
443/tcp ALLOW Anywhere
OpenSSH (v6) ALLOW Anywhere (v6)
80/tcp (v6) ALLOW Anywhere (v6)
443/tcp (v6) ALLOW Anywhere (v6)
[/terminal]
If you see `Status: active` with those three rules listed, your firewall is properly configured.
**Configure fail2ban:**
Fail2ban works out of the box for SSH protection with sensible defaults, but let's make sure it's running:
[code:bash]
systemctl enable fail2ban
systemctl start fail2ban
[/code]
The first command tells fail2ban to start automatically whenever your server reboots. The second starts it right now.
You can verify it's running with:
[code:bash]
fail2ban-client status sshd
[/code]
[terminal]
$ fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- File list: /var/log/auth.log
`- Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:
[/terminal]
This shows fail2ban is monitoring SSH login attempts. After a few hours online, you'll likely see banned IPs here — that's fail2ban doing its job, blocking automated bots that try to guess passwords.
[callout:info]
**What does fail2ban actually do?** By default, if someone (or a bot) fails to log in via SSH 5 times within 10 minutes, fail2ban bans their IP address for 10 minutes. This makes brute-force password guessing effectively impossible — a bot that can try thousands of passwords per second gets cut off after just 5 attempts.
[/callout]
[callout:tip]
**That's it for server security.** You now have a firewall blocking all unnecessary ports and fail2ban stopping brute-force attacks. Combined with the security features WebsiteBox sets up later (Wordfence, rate-limited logins, encrypted HTTPS), your server will be well-protected. For further hardening down the road, see the "Going Further" step at the end of this guide.
[/callout]
[step: Run the Installer] [step: Run the Installer]
Now for the easy part. Copy and paste this single command into your terminal and press Enter: Now for the easy part. Copy and paste this single command into your terminal and press Enter:
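Review bot: the fail2ban verification in this hunk assumes the service actually started, but nothing checks that before `fail2ban-client status sshd`; the expected output shows `| \`- File list: /var/log/auth.log`, so the step only matches hosts that log SSH failures to that file (Ubuntu-style rsyslog logging). On a host where that file does not exist the sshd jail has no log to watch, the unit fails, and `fail2ban-client status sshd` prints a socket error instead of the output shown, which a first-time reader cannot interpret. Suggest either stating the assumed OS at the top of the step or adding `systemctl status fail2ban` (expect `active (running)`) before the jail status, plus a one-line fallback such as a `/etc/fail2ban/jail.local` containing `[sshd]` and `backend = systemd` for hosts without auth.log. Smaller point: the info callout's "effectively impossible" overstates a per-IP ban; it stops single-source guessing, not attempts spread across many addresses, so it is worth pointing readers at the key-based login advice in Going Further as the real fix.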
@@ -625,8 +744,8 @@ When you're ready for search engines to find your site, go to **Settings > Readi
**Put a CDN in front of your site:** **Put a CDN in front of your site:**
A CDN (Content Delivery Network) caches your images and pages on servers around the world, making your site load faster for visitors far from your server. [Cloudflare](https://www.cloudflare.com/) offers a free plan — you just change your domain's nameservers to Cloudflare's. A CDN (Content Delivery Network) caches your images and pages on servers around the world, making your site load faster for visitors far from your server. [Cloudflare](https://www.cloudflare.com/) offers a free plan — you just change your domain's nameservers to Cloudflare's.
**Keep your server secure:** **Harden your server further:**
Your server's root password is the keys to your entire website. Use a strong, unique password and consider setting up [SSH key authentication](https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-keys-on-ubuntu-22-04) for even better security (this lets you log in without a password, using a cryptographic key stored on your computer instead). You already set up a firewall and fail2ban earlier in this guide, which handles the vast majority of threats. For the next level of security, consider setting up [SSH key authentication](https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-keys-on-ubuntu-22-04) this lets you log in without a password, using a cryptographic key stored on your computer instead. Once SSH keys are working, you can [disable password login entirely](https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-keys-on-ubuntu-22-04#step-4-disabling-password-authentication-on-your-server), making brute-force attacks completely impossible.
**Learn more about WordPress:** **Learn more about WordPress:**
[WordPress.org's documentation](https://wordpress.org/documentation/) and [WPBeginner](https://www.wpbeginner.com/) are excellent free resources for learning how to get the most out of your site. The [WordPress block editor guide](https://wordpress.org/documentation/article/wordpress-block-editor/) is particularly helpful for learning how to create beautiful page layouts. [WordPress.org's documentation](https://wordpress.org/documentation/) and [WPBeginner](https://www.wpbeginner.com/) are excellent free resources for learning how to get the most out of your site. The [WordPress block editor guide](https://wordpress.org/documentation/article/wordpress-block-editor/) is particularly helpful for learning how to create beautiful page layouts.
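Review bot: in the rewritten "Harden your server further" paragraph the sentence "consider setting up [SSH key authentication](...) this lets you log in without a password" lost its connecting punctuation when the old parenthetical "(this lets you ...)" was dropped; suggest "...SSH key authentication, which lets you log in without a password...". Also "making brute-force attacks completely impossible" overstates it: disabling password authentication removes password guessing as a vector, while the fail2ban jail configured earlier still matters for any other authentication methods left enabled, so "making password guessing useless" is more accurate. Since the earlier step already warns about lockout, it is worth telling readers to confirm a key-based login works in a second terminal before disabling password login.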