That's cool. Why not? At least something.
As a guy from the MMORPG/online games scene, where all my games are targets of DDoS/hacks/etc., I wish to add a few cents and recommendations; you can follow or ignore them.
Your best friends: goaccess & instant notifications & debug/profiler tools.
Usually this is more than enough to identify & prevent any hack attempts. Most of them (I'm talking about 99%) have the same scenario and idea in the background.
A big slice of hacks are auto-scans for the plugins list with pre-defined URI paths.
If you have your own website, or just a few websites that must run long-term, try to switch wp-content to something neutral. But make sure that all your plugins are compatible with this switch.
Such a stupid, very stupid method totally breaks auto-scanners.
Because they get 404/403 errors while scanning in auto-mode, and do not launch any other queries to your server.
The most dangerous queries that you can filter at your web server are the ones related to SQL commands.
SELECT, INSERT, UPDATE, INTO OUTFILE, etc.
But this is some kind of paranoia stuff.
Just an example.
Another problem is https://medium.com/purple-team/exploiting-remote-file-inclusion-vulnerabilities-f9503b1ebafa
Also check this:
Why is all of that crap happening?
I could write a very big wall of text, but usually it's much easier to point to this link:
Also a good starting point is: Security Controls | NGINX Documentation
In short, almost all of it is related to chroot & users:
And a few PHP option restrictions per user (like above).
Also a very important thing is: PHP: Configuration - Manual
expose_php => off too
And also: PHP: Security - Manual
But there is a cool topic to read, very interesting to be honest, too: GitHub - guardrailsio/awesome-php-security: Awesome PHP Security Resources 🕶🐘🔐
php-fpm pools per website with the correct user & a chrooted folder of the path where the website is stored, with proper user ACLs.
Disable the several most dangerous PHP functions.
Use goaccess to analyze what is going on.
Sometimes obscurity works, especially for big things like WP.
Notifications for what is going on (related to logs) can solve & prevent tons of attempts to hack your website. From time to time, just compress logs, remove duplicates, and try to analyze the methods by which people tried to hack your app.
But all of that works only on a single website. For a single website. This is my personal experience. My own; I do not advise doing it like me. Just try to build your own strategy. It's hard, but once you've done it, you've done it for a long time.
I dunno how to organize/scale all of that for all types of apps… Really. Each app is individual.
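The two log patterns the post above relies on (plugin auto-scanners that walk pre-defined URI paths and collect 404/403s, and request URIs carrying SQL statement fragments like SELECT / INTO OUTFILE) can be pulled out of an nginx access log with a few lines of Python. This is an added example, not the poster's tooling or anything linked in the thread; the log lines, IPs, the `/wp-content/plugins/` prefix and the threshold of 3 misses are constructed assumptions, and the SQL patterns are deliberately full statement shapes rather than bare keywords so that ordinary paths such as `/update/` are not flagged:

```python
"""Flag plugin auto-scanners and SQL-keyword probes in nginx access logs.

Added example (not the forum post's own tooling): a minimal version of what
goaccess plus an alert hook gives you. The prefix, threshold and the sample
log below are assumptions / constructed data.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample in nginx "combined" format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2024:12:00:01 +0000] "GET /wp-content/plugins/revslider/readme.txt HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:12:00:01 +0000] "GET /wp-content/plugins/wp-file-manager/readme.txt HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:12:00:02 +0000] "GET /wp-content/plugins/elementor/readme.txt HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:12:00:02 +0000] "GET /wp-content/plugins/wordfence/readme.txt HTTP/1.1" 403 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:12:00:03 +0000] "GET /wp-content/plugins/contact-form-7/readme.txt HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.23 - - [10/May/2024:12:01:10 +0000] "GET /index.php?id=1%20UNION%20SELECT%201,2,3%20INTO%20OUTFILE%20%27/tmp/x%27 HTTP/1.1" 200 512 "-" "curl/8.0"
192.0.2.44 - - [10/May/2024:12:02:00 +0000] "GET /wp-content/themes/mytheme/style.css HTTP/1.1" 200 2048 "https://example.test/" "Mozilla/5.0"
192.0.2.44 - - [10/May/2024:12:02:01 +0000] "GET /about/ HTTP/1.1" 200 4096 "https://example.test/" "Mozilla/5.0"
"""

# nginx "combined" log format: ip ident user [time] "req" status bytes "ref" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed default WordPress plugin path. If you rename wp-content as the post
# suggests, keep watching the OLD prefix too: scanners still hit it and get 404s.
PLUGIN_PREFIX = "/wp-content/plugins/"

# SQL fragments that do not belong in a normal URL (the post's SELECT, INSERT,
# UPDATE, INTO OUTFILE). Statement shapes, not bare words, to limit false hits.
SQL_RE = re.compile(
    r"\b(union\s+select|into\s+outfile|select\s+.+?\s+from|"
    r"insert\s+into|update\s+\w+\s+set)\b",
    re.IGNORECASE,
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_plugin_scanners(entries, threshold=3, prefix=PLUGIN_PREFIX):
    """IPs with >= threshold 404/403 responses under the plugin prefix.

    That is the auto-scanner fingerprint the post describes: many guesses at
    plugin paths in a row, each answered with 404/403.
    """
    misses = Counter(
        e["ip"] for e in entries
        if e["path"].startswith(prefix) and e["status"] in ("404", "403")
    )
    return {ip: n for ip, n in misses.items() if n >= threshold}


def find_sql_probes(entries):
    """Requests whose URL-decoded path contains an SQL statement fragment."""
    hits = []
    for e in entries:
        decoded = unquote_plus(e["path"])  # %20UNION%20SELECT -> ' UNION SELECT'
        m = SQL_RE.search(decoded)
        if m:
            hits.append({"ip": e["ip"], "path": decoded, "match": m.group(1)})
    return hits


def report(log_text):
    """Parse a log blob and return both findings; wire this to your notifier."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    return {
        "scanners": find_plugin_scanners(entries),
        "sql_probes": find_sql_probes(entries),
    }


if __name__ == "__main__":
    result = report(SAMPLE_LOG)
    for ip, n in result["scanners"].items():
        print(f"ALERT plugin scanner {ip}: {n} plugin-path misses")
    for hit in result["sql_probes"]:
        print(f"ALERT sql probe {hit['ip']}: {hit['match']!r} in {hit['path']}")
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents (or a tailed window of it) and feeding `report()` into whatever sends your notifications; the scanner threshold is per run, so on a tailed window it should be tuned to the window size, and the SQL patterns are the "paranoia" filter the post mentions, so expect to review hits rather than block on them blindly.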