Something worth adding to the list: Enable rate limiting.

I'm also running my business on a single server, works perfectly, except for one time when someone tried to find some content with hash IDs through bruteforce. No problem, a tiny VPS can handle one malicious user. Except the amount of errors logged by nginx filled up the disk.