FIrst, you are probably aware of that but if you have dynamic IP, you'll need a dynamic DNS like DynDNS or DNSexit.
On the securing part, I think using iptables (or a firewall GUI like firestarter if you prefer) opening only port 80 for inbound connection is sufficient for a home server if you don't need to open ssh port (port 22) or ftp (21) and you will not install a mail server.
If your site have a login page or if you need to open ssh, ftp or smtp, I would recomment to at least install something like fail2ban to ban IP who try connections without success so they don't try forever.
One important thing to note is that you must have a look at your logs, to keep an eye on them easily install logwatch (should be in your default repositories on Debian & Ubuntu) to alert you by mail daily or weekly. You'll rapidly learn to find what's wrong by reading them frequently.
If you need to connect from outside to administer the server, use a VPN and anyways, keep the OS always updated!
Update:
For SSH and sftp, I think fail2ban + only ssh keys (or keys + password but not only password) is the minimum you need (and do not allow root access).
If the machines you use to connect have fixed IP, open the firewall only for these incoming IP.
An encrypted VPN (I use openvpn) helps a lot to secure your access too.
Have a look here for the 'quick' official tutorial, in 15-30 minutes you'll have a working VPN server for one client - one server.
For a better setup with client certificate authentication and a CA (your free own CA) you'll have to take a few more minutes :D
If your sites require MySQL or for any other reason you need to administer MySQL (or another database) from internet, if you don't use a VPN, use a ssh tunnel so you connect to a local port on your machine and the tunnel encrypts the connection to the server so you don't need to open the database port, have a look at the -L and -D arguments in man ssh.
I would not install phpmyadmin to listen on a public IP as that opens your database to the world. If you need I can put an example script for a tunnel here.
Well, I did not arrive at a satisfactory answer.
I reinstalled Windows from the service partition, updated the bios and Lenovo drivers. Then I updated Windows, separating the updates between restarts for extra margin of safety.
During my 2nd reinstall, one of the updates broke my Comcast-provided Norton antivirus program, so I had to remove and reinstall.
I don't think that updating the bios and drivers immediately made any difference (the bios was last updated in 2017). but who knows! I do think that isolating the Win updates contributed to solving my problem -- although I have no way of knowing for sure. I'm guessing that the Spectre vulnerabilities is probably what caused the most recent Win updates to be so complicated and brittle. But I could be totally wrong!
Best Answer
Set up Windows 7 with a normal user account beside the Administrator account, just as you'd do on Linux. It's virtually impossible to really screw up the entire PC with just a normal user account.
This way, any suspicious activity will require an Administrator password at the elevation prompt (sudo equivalent)