Scans for vulnerabilities, coming from Internet, cannot be stopped and we just have to live with them. It's not unusual for busy server to be scanned several hundred times a day.
In addition to the requirements, I would do the following:
1. Check the software for known vulnerabilities and update the software components (OS, WebServer, etc.) to the latest version available. Most of the hacks, that happen in reality, exploit known bugs in standard software (for example frameworks like Laravel or language interpreters like PHP). Udating will stop 99% of the attempts.
2. Automate (as much as possible) the process of updating and formulate a procedure that is appropriate for the site.
Updating the standard software (frameworks, OS, servers) is, in theory, the simple thing to do, but it tends to break the software running on top (the custom written web-site for example) quite frequently. So one must develop a procedure that automates the process as much as possible, preventing as much as possible potential breaks of the software.
The procedure deals with things when and what to backup, in what degree to use the standard system components, that may be updated automatically, writing a scripts to check functionality after update, etc.
3. Check the server's configuration for potential weaknesses (like using insecure authorization methods, weak encryption)
4. Install Intrusion Detection System.
Depending on the quantity of work necessary, I could do this in a week (tops).