DDOS is done by people who already know of the site otherwise it is mostly bot based. Server performance has a lot to do with preventing DDOS attacks. The more secure your code is, the better. I'm not a fan of apache mainly for this reason because by default you have index browsing which means it must be disabled first before you can actually start protecting files themselves. Any script can search a site domain for an index vulnerability so things that often deal with database hacks often starts with if they can connect to whatever ports are open for those database servers to accept what appears to be in built server conections. That all leads back to if the files can be hacked, and to do anything like an injection, you have to connect. I tend to think security is broken if someone can easily bypass file server connections. SSl does nothing for this, you're right. I find it a waste of money but for privacy reasons at least something running on a browser client side connection can't hijack what ever the person is viewing. I'm greatful you're an IT professional specialist. PHP code is the most well known hack prone software known on the planet.