[tikotus]

Something worth adding to the list: Enable rate limiting.

I'm also running my business on a single server, works perfectly, except for one time when someone tried to find some content with hash IDs through bruteforce. No problem, a tiny VPS can handle one malicious user. Except the amount of errors logged by nginx filled up the disk.

[jakubgarfield]

Good point. I have experience with Rack attack on application level. Would you recommend webserver instead (nginx)? Or even Cloudflare? (I bet they have a solution).