diff --git a/src/docs/markdown/api.md b/src/docs/markdown/api.md
index d383a5c..7a85fdf 100644
--- a/src/docs/markdown/api.md
+++ b/src/docs/markdown/api.md
@@ -8,6 +8,10 @@ Caddy is configured through an administration endpoint which can be accessed via
 
 **Default address: `localhost:2019`**
 
+<aside class="tip">
+	If you are running untrusted code on your server (yikes 😬), make sure you protect your admin endpoint by isolating processes, patching vulnerable programs, and configuring the endpoint to bind to a permissioned unix socket instead.
+</aside>
+
 The latest configuration will be saved to disk after any changes (unless [disabled](/docs/json/admin/config/)). You can resume the last working config after a restart with [`caddy run --resume`](/docs/command-line#caddy-run), which guarantees config durability in the event of a power cycle or similar.
 
 To get started with the API, try our [API tutorial](/docs/api-tutorial) or, if you only have a minute, our [API quick-start guide](/docs/quick-starts/api).
diff --git a/src/docs/markdown/caddyfile.md b/src/docs/markdown/caddyfile.md
index b7539a7..68d4f4c 100644
--- a/src/docs/markdown/caddyfile.md
+++ b/src/docs/markdown/caddyfile.md
@@ -11,13 +11,12 @@ It looks like this:
 ```
 example.com
 
-root * /path/to/public_html
-try_files {path} /index.php?{query}&p={path}
-php_fastcgi unix//run/php/php-fpm.sock
+root * /var/www/wordpress
+php_fastcgi unix//run/php/php-version-fpm.sock
 file_server
 ```
 
-(That's a real, production-ready Caddyfile that serves a Craft CMS site with fully-managed HTTPS.)
+(That's a real, production-ready Caddyfile that serves WordPress with fully-managed HTTPS.)
 
 The basic idea is that you first type the address of your site, then the features or functionality you need your site to have.
 
diff --git a/src/docs/markdown/caddyfile/directives/tls.md b/src/docs/markdown/caddyfile/directives/tls.md
index cdcd11b..9d020c8 100644
--- a/src/docs/markdown/caddyfile/directives/tls.md
+++ b/src/docs/markdown/caddyfile/directives/tls.md
@@ -60,7 +60,7 @@ tls [internal|<email>] | [<cert_file> <key_file>] {
 - **load** specifies a list of folders from which to load PEM files that are certificate+key bundles.
 - **ca** changes the ACME CA endpoint. This is most often used to use [Let's Encrypt's staging endpoint](https://letsencrypt.org/docs/staging-environment/) or an internal ACME server. (To change this value for the whole Caddyfile, use the `acme_ca` [global option](/docs/caddyfile/options) instead.)
 - **ca_root** specifies a PEM file that contains a trusted root certificate for the ACME CA endpoint, if not in the system trust store.
-- **dns** enables the [DNS challenge](/docs/automatic-https#dns-challenge) using the given provider plugin, which must be from one of the [caddy-dns](https://github.com/caddy-dns) repositories. Each provider plugin may have their own syntax following their name; refer to their docs for details.
+- **dns** enables the [DNS challenge](/docs/automatic-https#dns-challenge) using the specified provider plugin, which must be plugged in from one of the [caddy-dns](https://github.com/caddy-dns) repositories. Each provider plugin may have their own syntax following their name; refer to their docs for details.
 - **on_demand** enables [on-demand TLS](/docs/automatic-https#on-demand-tls) for the hostnames given in the site block's address(es).