

Windows XP wasn’t good until SP2 or 3, and then it was only better for gaming IMO.
Windows 2000 was super solid and what I used for work. But XP was better for games at the time.
XP was also “free” for a lot of people thanks to a certain volume license key.
I’m not a cyber security expert, but I think about it this way:
First, consider your threat model. What could possibly go wrong? What do I do if the worst thing happens? What information do I need to protect? If everything is already public (like blog posts), maybe there isn’t much of a threat of information loss. If you keep your tax documents on there, maybe rethink that.
Second: think defense in depth. None of these measures will make you totally safe, but every barrier is another thing that can make a hacker’s life more difficult. You move the ssh port and it’s not as easily found by someone who’s just literally scanning the entire Internet for open ssh ports. It’s trivial to find, sure, but at least you dodged one bullet.
OK, they found your ssh port. Now they’re gonna start scanning for common username/password combinations. Fail2ban will stop this by blocking access after a few failures. If your credentials have leaked somewhere, the hackers may have a good guess at it though. But you’re OK because you’re using a key pair, not your usual password (please don’t have a “usual password”).
Bad luck: they guessed your password. Or maybe they exploited a bug in your web server software (must have been a zero-day because you kept things up to date). Their exploit needs to open a server port for them to talk to, though. You blocked it on your firewall so that didn’t work. They try a reverse shell, but you blocked outgoing connections, too. Well done.
And on it goes.
If they keep trying, they will eventually succeed, but they have to try a lot harder when you lock things down, and the longer they are at it, the more opportunity you have to notice.