Background: 15 years of experience in software and apparently spoiled because it was already set up correctly.
Been practicing doing my own servers, published a test site and 24 hours later, root was compromised.
Rolled back to the backup before I made it public and now I have a security checklist.
Another one who misunderstands that phrase… Yes, obscurity shouldn’t be your only line of defense, but limiting discoverability of your systems should be an integral part of your security strategy.