Hi there,
I've seen many people who have had issues with hackers, scanners and DDoS attacks. Here I will tell you the solution for them all; I'm just happy to share the things I've learned over the years.
Set up CSF and add the Cloudflare IPv4 and IPv6 subnets there, so clients can only access the website from the domain and never even see the IP. Ports 80 and 443 will be in the allow list for CSF, in the file named "csf.allow".
Now there will be no DDoS as no one will be able to find your server IP. Add your static IP or even your Wi-Fi provider's subnet to the allow list, making sure you have access at all times.
Change the SSH port to something random like 5734.
Set up DoS rules on Cloudflare, put them on strict, and set the challenge as "interactive". This makes sure that the bots used for DDoS will never have access to your website.
Using cache properly
Now you need to set up cache properly on the server side and the Cloudflare side so you can have a much faster website and use fewer server resources, which will make your server handle more traffic.
Set up a Cloudflare cache rule to cache everything for your static directory, such as /assets or /theme, where all images, JavaScript, static text and CSS are. Set the browser TTL to 7 days and the edge TTL to 7 days also.
The edge TTL will load all those files from the Cloudflare servers!
This will boost your speed and make it load easily in 1 sec or less.
aaPanel -> App Store -> select PHP version -> Settings -> PHP extensions:
Important: add PHP extensions like Memcached and OPcache. These will speed up your cache and load it as temporary data in your memory/RAM.
Now add caching rules to your .htaccess file for whichever web server or cache extension you are using.
For nginx you would need nginx caching rules in .htaccess; it's the same for any other, like LiteSpeed or Apache.
No one will ever be able to DDoS your server directly or find your server IP if you do this. I'm managing 6 of my own dedicated servers myself!
Please let me know if you have any questions.
Happy to help.
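
The CSF step from the post as an added example (not the poster's own script): a POSIX shell filter that turns a list of proxy subnets into csf.allow advanced-filter rules for ports 80 and 443 and rejects malformed entries. The function names and the sample ranges are constructed for illustration, and it assumes IPv6 support is enabled in CSF.

```shell
#!/bin/sh
# Added example (not from the post): emit csf.allow advanced-filter rules
# (proto|in|d=<port>|s=<source>) admitting ports 80/443 only from listed subnets.

# Constructed sample input using documentation prefixes, NOT Cloudflare's real
# ranges; those are published at https://www.cloudflare.com/ips-v4 and /ips-v6.
sample_ranges() {
  cat <<'EOF'
# constructed sample list
192.0.2.0/24
198.51.100.0/24

2001:db8::/32
not-a-subnet
203.0.113.7/33
EOF
}

# Succeeds only for a syntactically sane CIDR; the IPv6 check is deliberately loose.
is_cidr() {
  case $1 in */*) ;; *) return 1 ;; esac
  addr=${1%/*}; len=${1##*/}
  case $len in ''|*[!0-9]*) return 1 ;; esac
  case $addr in
    *:*)
      case $addr in *[!0-9A-Fa-f:]*) return 1 ;; esac
      [ "$len" -le 128 ] ;;
    *.*.*.*)
      case $addr in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
      old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
      [ $# -eq 4 ] || return 1
      for o in "$@"; do [ "$o" -le 255 ] || return 1; done
      [ "$len" -le 32 ] ;;
    *) return 1 ;;
  esac
}

# Reads one CIDR per line on stdin; malformed lines are reported and skipped so a
# bad download never lands in the firewall configuration.
gen_csf_allow() {
  while IFS= read -r line || [ -n "$line" ]; do
    line=$(printf '%s' "${line%%#*}" | tr -d '[:space:]')
    [ -n "$line" ] || continue
    is_cidr "$line" || { echo "skipped invalid entry: $line" >&2; continue; }
    for port in 80 443; do printf 'tcp|in|d=%s|s=%s\n' "$port" "$line"; done
  done
}

sample_ranges | gen_csf_allow
```

The rules restrict access only if 80 and 443 are also removed from TCP_IN and TCP6_IN in csf.conf; otherwise those ports stay open to every source.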