Yup, install something like fail2ban & set up email alerts. You'll get a new notice every 5 minutes or so for the first month from all the China-based bots trying to log in via common SSH credentials.
Well, true, we did get spam attacks on the app, so I wound up banning huge swaths of the world. I moved SSH to a very high port, only ran Apache, sshd, and an SMTP agent (the machine never received email, inbound was handled by Gmail). Still, had someone wanted to exploit the PHP app, I'd be surprised if they couldn't find a weakness. It was custom written, but nearly a decade ago.
Elite attackers can compromise almost any target, but even they won't bother finding one-off vulnerabilities when the goal is botnet host acquisition. For that only widely deployed vulnerabilities are worth exploiting.
In practice that means you can get away with something as crazy as opening up a password-free root shell on some random high port, but you can't get away with weak SSH logins or unpatched WordPress sites.