As a defense in depth follow up to T247569: Investigate 3rd party assets loaded by techblog it would be ideal to configure techblog to serve a Content-Security-Policy header which allows direct asset loading only from *.wikimedia.org (covers blog, commons, piwik, etc).
This would need to be tweaked a bit to also function with the as still to be setup staging copy of the blog.