Keep it segregated from your internal network, no password auth, or better yet, install a privatenet client (Tailscale, Zerotier…etc) and don’t open SSH ports at all, consider using a Cloudflare Tunnel or similar…that’s a basic start.

Honestly, if you’re serving a static site, just deploy it on Digitalocean Apps or R2 for free and skip all the worry and get all the Cloudflare protection built-in.