Hi, sorry for the delay I’m not often in here any more. Locking down requires knowing how to deal with Apache access rules such as blocking (or allowing) the various url paths like /s/ and other ones. Ideally you would allow everything other than the login areas and for those only allow access to specific IPs to stop anyone getting in. Same can be said to other platforms such as Wordpress.
As far as emails and alerts, that is a whole other set of problems like scanning web logs for example. As far as I know there are no off the shelf solutions for this. I’ve done my own thing for this and its unlikely how mine works is how anyone else would want it to work so no chance it will be of use.
Its not a fool proof process, running servers that are exposed to the public Internet is a difficult thing at times. So many threats and that requires some expertise or finding someone with it who can help.