When runnning a crypto site, securing funds is obviously paramount. Now I know that most funds should be handled in a cold wallet away from any possible outside interactions. However, the funds on the hot wallet, I'm unsure about. I'd assume I'd run a wallet on a separate server with the bitcoind daemon to the web server of course, but are there any commonplace security protocols/techniques that should be employed in order to minimise risk of hot wallet funds being stolen if a breach of that second server is to occur or is there really not much I can do other than regularly move fnuds out of the hot wallet to the cold wallet?

I assume this is the right section, if not a mod can happily move it