I'm a security-oriented linux admin, I've did jobs like this many times before. I can setup and secure the base OS, make sure no unnecessary services are running, iptables firewall even with RAW table on http(s) port if the performance is important, secure ssh login with public keys only, make sure the web server doesn't expose information it shouldn't, and set up (free) SSL certs too.