by blakesterz 4624 days ago
>>"Oh, and DO change passwords every 90 days, at least." Eh. That might help, but my thinking is: if someone got in, they've already done something, so they no longer need that account or that password, and changing passwords is probably not going to help things. That being said, as long as you can keep passwords managed (like using LastPass), then it's fine, and it could help.

Everything else miaumiua lists is great. I'd throw in a few random things I think of off the top of my head... mod_security, csf, mount tmp as noexec, LYNIS, phpsuexec, linux maldet.


Random addition: disable root SSH login, disallow password-based SSH login (switch to private key), maybe also add two-factor SSH authentication e.g. with a hardware key, or Google Authenticator or whatever.
Thanks to all, I guess I'll stick to these basics first!
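As an added example (not code from anyone in the thread), a small POSIX shell audit for the two sshd settings the last recommendation names: root login disabled and password authentication replaced by keys. PermitRootLogin and PasswordAuthentication are real OpenSSH keywords; the sample configs are constructed inline, and Match blocks are deliberately not evaluated.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the two
# settings recommended above. Match blocks are not evaluated here.

# Effective value of a keyword: sshd honours the first uncommented match,
# so stop at the first line whose first field equals the keyword.
sshd_value() {
  awk -v k="$(echo "$1" | tr 'A-Z' 'a-z')" \
    'tolower($1)==k {print tolower($2); exit}' "$2"
}

# Prints one finding per setting; returns 0 only if both are hardened.
check_sshd_config() {
  status=0
  root=$(sshd_value PermitRootLogin "$1")
  pass=$(sshd_value PasswordAuthentication "$1")
  case "$root" in
    no|prohibit-password|without-password) echo "PermitRootLogin: ok ($root)" ;;
    "") echo "PermitRootLogin: unset (default depends on OpenSSH version)"; status=1 ;;
    *) echo "PermitRootLogin: WEAK ($root)"; status=1 ;;
  esac
  case "$pass" in
    no) echo "PasswordAuthentication: ok" ;;
    "") echo "PasswordAuthentication: unset (OpenSSH default is yes)"; status=1 ;;
    *) echo "PasswordAuthentication: WEAK ($pass)"; status=1 ;;
  esac
  return $status
}

# Constructed sample configs (not from any real host): one weak, one hardened.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
printf 'PermitRootLogin yes\nPasswordAuthentication yes\n' > "$WEAK_CFG"
printf '# PermitRootLogin yes (commented out, ignored)\nPermitRootLogin no\nPasswordAuthentication no\nPubkeyAuthentication yes\n' > "$HARD_CFG"

for cfg in "$WEAK_CFG" "$HARD_CFG"; do
  echo "== $cfg"
  if check_sshd_config "$cfg"; then echo "result: hardened"; else echo "result: needs work"; fi
done
```

Point it at /etc/ssh/sshd_config on a host you administer and treat any WEAK or unset finding as a change to make; the exit status makes it usable from a configuration-management check.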