Server hardening

General tips

Check all open/listening ports on each server and make sure everything looks ok there (no unexpected connections, etc.)
Get local user accounts on all servers
If SSH is enabled for remote management, I would disable password auth and switch to private key - if already in place, generate a new key
Check sudoers on all servers and make sure the proper users/groups are in there
Check all groups (local/directory server) to make sure no accounts are hanging around from the old admin
Along with users/groups, disable/remove any test/dummy accounts in case someone is using it as a back way in
On Linode, check out the access settings to make sure there aren't any rules in there to allow management from anywhere (or non company locations)
On Linode, make sure only appropriate users have access to the account

Comb through the list of users with access and be sure to remove any former employees/admins
Check permissions carefully to make sure users have the appropriate access rights
Disable file editing in the admin using wp-config.php
Isolate user account for site from others
Make .htaccess inaccessible to site user (but accessible to www-data)
Make wp-config.php read-only
Remove any unused plugins
Check security reports on existing ones for outstanding or frequent issues
Check when plugins were last updated by author in repository - old / un-maintained plugins candidates for replacement or removal
Reduce permissions on DB account for site to SELECT / UPDATE / INSERT / DELETE (you will need to unlock when adding or updating plugins that use custom tables)
Setup wp-cli to automatically update plugins nightly (wp-cli plugin update —all)
Setup wp-fail2ban plugin, use wordpress-hard profile.
Globally disable access to xml-rpc.php in Apache config (403, helps prevent brute force and other quiet attacks) - unless actually used.
Globally disable access to any .log or .git files in Apache config
Consider WordFence or Sucuri plug-in for file integrity checks / monitoring
Setup daily backups of site