There's some free mitigations you can perform based on what I can observe directly.

Cloudflare offers a free tier; they're okay for DDOS protection - though you have to protect the server's actual IP address like a national secret. DDOS protection can't help if attackers can still DDOS the origin server.

Your admin panel's login, at least for MotA, is still not HTTPS. You can get free SSL certs through Let's Encrypt. Moreover, Google is making a big HTTPS push by de-ranking sites that don't offer SSL and adjusting their browser to display big scary warnings. It's a good bet that other browser vendors will follow.