Is this login process valid?

I am not sure if any hacker nowadays is still trying to hack a server by trying to find a useful user/password combination with a bot (or something else).

I would guess there are four ways your website is harmful:

  1. by getting users' credentials with phishing mails (which is nothing you can prevent in any way).
  2. by viruses/worms etc., which you can reduce massively by using Linux instead of Windows.
  3. by trying to access it directly with ssh (which would be the worst case, as then the attacker can control everything no matter what you try to do to save your credentials to the Auth server). This could be reduced by using two-factor auth on the servers.
  4. by using insecure code. This can be reduced by having as few dependencies on not self-written code as possible (where the opposite is more popular atm).

In 99% of all cases of successful hacking I know of, the reason was the usage of an open source framework which was insecure (best example in the recent past: log4j). This is something you cannot prevent by having more complicated infrastructure, but only by knowing the code you are using and, of course, being able to write secure code.
