DevOps / System Administrator for migrating and securing a WordPress site

We are looking for an experienced DevOps engineer or system administrator for a one-time project with the possibility of further technical support.

We have a main commercial website on WordPress. It is currently hosted on shared hosting, and recently we have been facing an increased number of bot requests and potential DDoS attacks. We need to move the site to a dedicated server and build a fundamentally reliable and secure infrastructure.

Main tasks:

1. Conduct a brief audit of the current site infrastructure and suggest an optimal server configuration.
2. Select and configure a separate VPS/VDS or dedicated server from a reliable provider with adequate network-level protection.
3. Securely transfer the WordPress site, database, files, SSL certificates, email, and necessary integrations without data loss and with minimal downtime.
4. Configure Cloudflare:
   • DNS and traffic proxying;
   • SSL/TLS;
   • WAF / protection rules;
   • rate limiting for critical pages;
   • protection against bots, brute-force, and HTTP/DDoS attacks;
   • separate rapid protection enhancement mode during an attack.
5. Restrict direct access to the origin server:
   • the server should not be directly accessible from the internet to bypass Cloudflare;
   • allow HTTP/HTTPS traffic only from Cloudflare or implement another reasonable secure solution;
   • limit SSH access, configure access keys, firewall, and brute-force protection.
6. Set up the server side:
   • Nginx or another reasonable web stack;
   • PHP, MySQL/MariaDB, caching;
   • basic performance optimization for WordPress;
   • correct file access permissions;
   • protection and error logging.
7. Set up automatic backups:
   • separate database and files;
   • store backups off the main server;
   • clear recovery procedure in case of failure.
8. Set up monitoring:
   • site availability;
   • server load;
   • disk, memory, and CPU usage;
   • notifications in Telegram or another agreed channel for critical issues.
9. Transfer access, documentation, and a brief guide for our IT specialist:
   • infrastructure diagram;
   • where the site is hosted;
   • access credentials and principles of their storage;
   • update, backup, and recovery procedures;
   • list of configured Cloudflare and firewall rules.

Important:

• We do not need a formal "file transfer." We need to build a secure, understandable, and maintainable infrastructure.
• Experience with Linux servers, Nginx, WordPress, MySQL/MariaDB, Cloudflare, WAF, firewall, backups, and bot/DDoS protection is required.
• Experience in securing commercial WordPress sites with significant traffic will be an advantage.
• Please do not propose unnecessarily expensive solutions without explaining their relevance to our scale.

Expected results of the work:

• the site operates stably on a dedicated server;
• all external traffic goes through Cloudflare;
• direct access to the origin server is closed;
• WAF, rate limiting, basic anti-bot protection, and admin zone protection are configured;
• there are independent backups and a verified recovery script;
• monitoring and notifications are in place;
• all access and documentation have been transferred;
• before starting work, the migration plan and rollback plan in case of problems are agreed upon.

In your response, please indicate:

1. Your experience with similar WordPress projects.
2. Examples of configured infrastructure or a brief description of a similar case.
3. What architecture you would propose for a single main WordPress site and why.
4. Do you think a load balancer is needed at the first stage.
5. Estimated cost of work, completion time, and conditions for further support.
6. What risks you see during migration and how you plan to minimize them.