Just to circle back to this. We went one step further, and also secured the VPS against attack using Apache's mod_security and the relevant http headers.
These new headers have been added
Header set X-Content-Type-Options: nosniff
Header set X-XSS-Protection: "1; mode=block"
Header set X-Download-Options: "noopen"
Header set X-Permitted-Cross-Domain-Policies: "none"
Header set Referrer-Policy: "no-referrer"
Header set X-Frame-Options: DENY
Header set Content-Security-Policy: upgrade-insecure-requests
Header set Feature-Policy "vibrate 'none'; geolocation 'none';"
Header set X-Powered-By: "domain.com"
Header set Access-Control-Allow-Origin: *.domain.com
Header set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
A+ rating, which is how it should be