Web hosting is not an easy task. Not at all.
Just perfectly knowing Apache/nginx configuration, MySQL tuning and whatsoever is not enough. Most of the people will develop their website using the most popular CMS, like Joomla or WordPress, and daily you will have to deal with cracking attempt against them. And while the core CMS are usually actively developed and updated, security issues are promptly fixed and distributed, you may often say the opposite for extensions.
The main violation vectors in CMSes are extensions. Some people may use rare and deprecated extensions which are still working, but may contain security holes which will never be known and corrected.
I often have to deal with broken or spamming Joomla websites. And while some times upgrading Joomla itself and its extension fixes the vulnerabilities, in some case it doesn’t.
So while you investigate, how to block access to spamming php scripts or other vulnerabilities?