[r0s]

This is on point.

One other thing is to limit input frequency, only allow a certain amount of posts over some period of time. Enforce this on both the front and back-end.

A little more complex, you can set a lifetime limit per user by IP address, which won't stop a truly dedicated attacker but will definitely block most of the random web crawler scripts that find your site.

[IggleSniggle]

IP limiting is not so simple anymore if you want to anticipate much traffic, since services like iCloud Private Relay or Cloudflare WARP forward requests through single regional IPs. You can still do some limiting, you just might bounce some of your legitimate visitors. But for that reason alone lifetime limiting seems like a bad idea to me.