Since various rules are constantly updated and modified, the current version of all rules and recommendations for protecting the web server is available at this link.

First of all, you need to prohibit writing to the web server anywhere except tmp_dir (its separate one) and session_dir. Everything else is half measures.
> I would also like to keep logs, which would indicate the appearance of new php scripts in folders with sites.
Called git + git status by cron to mail (if different).

clamav
At this point it seems a little too late to do anything.

Read the CIS Apache HTTP Server Benchmark ( download from here , you only need to fill out a form). There are basic recommendations for setting access rights, minimizing functionality, setting up tls, logging, and so on. There are two versions of the document for apache 2.4 and 2.2.
To protect against some attacks - modsecurity + core rule set. It is not as harsh as naxsi, it works on the principle of a black list, not a white one. After finishing the rules to exclude false positives, you can live.

There is such a good module as nginx-naxsi, but it is very harsh, you need to test it so that it doesn’t cut off too much. That is, it takes a decent amount of time to set up (at least it requires viewing the logs), although it is not complicated in itself.
It really does not solve the problem of accounting for the appearance of new files, their changes, etc., but partially closes the holes in the requests.

I recently pulled out the database completely using sqlmap. All due to lack of experience, laziness and incorrect requests.
Changed requests to something like

$stmt = $dbLFSP->prepare("SELECT online, username FROM users WHERE online = :hostname");
$stmt->bindValue(':hostname',$hostname);
$stmt->execute();
$users = $stmt->fetchAll();