Wow... just wow.
I thought you were better than that.
I never store keys on a webserver for a project involving customer funds. If all monies belong to the site operator, that's their business, but if there are customer accounts I refuse to write code for someone who isn't willing to put the keys on a separate, heavily locked-down server (preferably with no public IP).
Hmm, do you mean that the outgoing transfers should always be done from a separate server manually? So no automated transfers?
Not really. A hot wallet server can connect to the exchange, listen for transfers, validate transfers for any issues (like requests from wrong IPs, large transactions, etc.) and automatically process them.
The server doesn't need to be accessible from outside.
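
The validation step described in the reply above, sketched as an added example (not code from the thread or from any participant). It assumes the hot wallet server pulls pending transfers over an outbound connection and that each one carries the IP its request came from; the networks, limits, field names and sample batch are all constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal
from ipaddress import ip_address, ip_network

# Constructed policy values; real networks and limits are deployment-specific.
ALLOWED_SOURCES = [ip_network("10.20.0.0/28")]  # exchange web tier (assumed)
AUTO_LIMIT = Decimal("0.5")    # largest transfer processed without review
DAILY_LIMIT = Decimal("5")     # total auto-processed amount per day

@dataclass(frozen=True)
class Transfer:
    request_id: str
    source_ip: str     # address recorded for the withdrawal request
    amount: Decimal
    destination: str

def validate(t, sent_today, seen_ids):
    """Return (decision, reason); decision is 'process', 'hold' or 'reject'."""
    if t.request_id in seen_ids:
        return ("reject", "duplicate request id")
    try:
        src = ip_address(t.source_ip)
    except ValueError:
        return ("reject", "malformed source ip")
    if not any(src in net for net in ALLOWED_SOURCES):
        return ("reject", "request from wrong ip")
    if t.amount <= 0:
        return ("reject", "non-positive amount")
    if t.amount > AUTO_LIMIT:
        return ("hold", "large transaction")      # left for manual review
    if sent_today + t.amount > DAILY_LIMIT:
        return ("hold", "daily limit reached")
    return ("process", "ok")

def run_batch(pending):
    """Validate one pulled batch; returns [(request_id, decision, reason)]."""
    sent, seen, results = Decimal("0"), set(), []
    for t in pending:
        decision, reason = validate(t, sent, seen)
        seen.add(t.request_id)
        if decision == "process":
            sent += t.amount   # signing and broadcast would happen here
        results.append((t.request_id, decision, reason))
    return results

# Constructed sample batch: one clean transfer, a wrong IP, a large one, a replay.
SAMPLE = [Transfer("w1", "10.20.0.5", Decimal("0.2"), "addr-A"),
          Transfer("w2", "203.0.113.9", Decimal("0.1"), "addr-B"),
          Transfer("w3", "10.20.0.5", Decimal("3"), "addr-C"),
          Transfer("w1", "10.20.0.5", Decimal("0.2"), "addr-A")]
```

Because the wallet server only makes outbound connections to fetch the batch, nothing here needs a listening port, which matches the point that the server doesn't need to be accessible from outside.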