Don’t use Cloudflare or any CDN/anti-DDoS service, because they decrypt all traffic that goes to and from your server[2]. You don’t know what they do with it.
DNS queries sent by the server should be encrypted[3] so that the ISP/data center cannot see them.
If you want a VPS, try getting a KVM one instead of an LXC one. It’s so easy to automate process scanning on the fly[4].
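For the encrypted-DNS tip above, here is one way to check a server's resolver settings. This is an added example, not part of the original tips. It assumes the server resolves through systemd-resolved with DNS-over-TLS; the function name `audit_resolved_conf`, the sample configs and the resolver address/hostname are constructed placeholders.

```python
import configparser

# Constructed sample configs (not from the original page). The resolver
# address and hostname are documentation placeholders.
STRICT = """\
[Resolve]
DNS=192.0.2.53#dns.example.net
DNSOverTLS=yes
"""
OPPORTUNISTIC = """\
[Resolve]
DNS=192.0.2.53
DNSOverTLS=opportunistic
"""
UNSET = """\
[Resolve]
#DNSOverTLS=no
"""

def audit_resolved_conf(text):
    """Return findings for resolved.conf text; an empty list means strict DoT."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # systemd keys are case-sensitive, keep them as written
    cp.read_string(text)
    resolve = cp["Resolve"] if cp.has_section("Resolve") else {}
    findings = []
    mode = resolve.get("DNSOverTLS", "").strip().lower()
    if mode in ("yes", "true", "1", "on"):
        pass  # strict mode: no plaintext fallback
    elif mode == "opportunistic":
        findings.append("DNSOverTLS=opportunistic falls back to plaintext "
                        "when the server does not offer TLS")
    else:
        findings.append("DNSOverTLS not enabled (unset uses the build default)")
    servers = resolve.get("DNS", "").split()
    if not servers:
        findings.append("no DNS= set: resolver comes from per-link (e.g. DHCP) "
                        "or fallback settings")
    for server in servers:
        if "#" not in server:
            findings.append(f"{server}: no #hostname, so the certificate is "
                            "checked against the IP only")
    return findings

if __name__ == "__main__":
    for name, conf in (("strict", STRICT), ("opportunistic", OPPORTUNISTIC), ("unset", UNSET)):
        print(name, audit_resolved_conf(conf) or "OK")
```

On a real host, pass the contents of `/etc/systemd/resolved.conf` (and any drop-ins) to the function; `resolvectl status` shows the setting the running resolver actually applies.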
My privacy hardening tips are: