Cory, good point. I think that applies to many of the points, but all the security items on the list should be considered and not dismissed quickly. I’m going to add notes to each item so I can point out the issue you raise. The hard part is to do that without getting TLDR;
I agree on the Cloud Flare, but you need to decide if you need to defend your site against a hard DOS attack. Some don’t and can simply ride it out. We definitely could not tolerate it for ourselves.
Regarding Terraform, I actually believe it saves time even for small sites and that you very quickly get into a mess using the Cloud console and can easily missed security flaws. So I would argue that “infrastructure as code” is one of the more important items and definitely results in improved security.
Similarly for the SSH. If you have SSH open, you have a possibly open door to your site. If you use a password, then it is a big door. I agree that it is not a must have to eliminate SSH, but if you do, you are inherently more secure.
Thank you for raising the points. Let me think more about how to best address the “universalism” of the checklist and provide better context for varying kinds of sites.
All the best, Michael