First time self hosting a website the amount of bots is unbelievable!

I thought it would be fun to create self hosted WP site for a piece of software I made.

30 minutes after making it publicly accessible I had thousands of login attempts from IPs all over the world! I knew this type of thing happened on the internet - but I had no idea it happened to this extent... anyways I spent the evening locking down the website.

I have NGINX, cloudflare, fail2ban, blocked access to the default word press login pages and made my one unique ones, restricted edit/upload functions to root users, ssh by certificate only, force HTTPS, installed clamav, and installed wordfence in WordPress.

I hope this is decently secure - atleast enough to prevent bots from being able to find a hole in the security and to make any actual people looking to gain access leave to find an easier target.

It was a great learning experience on the technical side, but also learning just how prevelant bad actors are out on the internet.

Anyways does anyone have some more advice on how to secure my network and website even further?