I use separate non-root users for each site with limited permissions, set up UFW to only allow needed ports, and always disable password SSH logins in favor of key-based auth.
I ditched control panels a while back and just manage my sites with Nginx, PHP-FPM, and MariaDB manually. UFW with specific IP whitelisting for SSH helped a lot. For self-hosted stuff, I use Nextcloud. If you're curious about Nextcloud pricing, it depends on whether you go with their hosted solution or self-host. Self-hosting is free unless you want the enterprise features.
