Thanks for the advice.
I had considered sftp, but if I was going to go down that route, I'd prefer to use public key authentication over passwords. I don't really want keyless ssh access to my server. FTPS could work though...
I'm not fussed about the details for the server getting out, per se. I just don't want them to become available via a search engine. I could set up fail2ban to ban brute force attacks, which could be an idea.
Anyway, I'll have a think. My main priority at the moment is to get everything backed up (I made a post previously about being on btrfs RAID 5). When that is done, I'll probably nuke and start over with a less problematic raid/raid-like setup. Still undecided.