I’ll leave the technical for others but just keep in mind a major attack can be phished. The bad actor tricks a user into revealing their credentials. It’s a common path. The big Twitter hack was this way. The bad actors called staff posing as admin. The user mistakenly gave their credentials for “admin reasons”.
The best way to avoid attacks
Hello Laravel Community.
I am working in a financial firm, and we do have sensitive information. We noticed that we have more than 7,000 attempts of unsuccessful attacks on the application.
What is the best way to protect the application from further attacks? I have no experience in implementing firewalls and stuff like that.
I would appreciate it if you could guide me in implementing such a solution to protect the application. I am running the application from Digital Ocean via Laravel Forge.
Thank you,
@webrobert I completely agree. Or "I found a USB stick someone dropped. Let me put it in my PC to find the owner". Key logger installed.
If we are to give some ideas, I suggest giving some details. Is the app only for people at the company or is it open to the world? How are they attacking?
Also if you are storing financial data I would assume that you need both an ISO certification as well as yearly pentests? I don't work in the sector but would assume
The best approach will be a firewall-related solution. There is a paid service provider, https://www.imperva.com/; when you point the domain to Imperva you can set up a bunch of features to prevent this from happening. Also, like @sinnbeck mentioned, if the app is for a set of users you can enable only those IPs to have access to your application (you will have to change or modify the IP once the user is in another location or his IP has changed). Another option, if it is a set of users, is to enable the app for VPN access only.
@ehabafia Hire someone who does know how to do things like set up firewalls etc. if you don’t and are unwilling to learn.
If you’re dealing with financial data then most countries have laws governing what you do with that data, and how you store and protect that data. Ignorance or inexperience is not an excuse and may be an offence you could be criminally prosecuted for if it’s found you didn’t take care of people’s data and protect it sufficiently.
We noticed that we have more than 7,000 attempts of unsuccessful attacks on the application.
How did you find out about this number, and what kind of "attack" are those? Is it a request to /wp-admin/? Is it an attempt to log in via SSH? Is it a login attempt on the application?
Simple things you can do already (some will require some basic firewall knowledge):
- Prevent SSH root logins (Laravel Forge already disabled this for you); you can only log in with an SSH key.
- Only allow SSH logins from whitelisted IPs, and make sure to include the IPs of Laravel Forge as well. If an SSH key is leaked it cannot be used from a different location. https://forge.laravel.com/docs/1.0/introduction.html#forge-ip-addresses
- Add two-factor auth (and maybe force it?) to your user authentication.
- You could use something like Cloudflare to block funky requests and bots, or requests from certain countries. This does not guarantee anything, but it can prevent crawlers from hitting your server, or requests from countries where you do not do business. If your users are only located in Canada, for example, there is no need to accept requests from Brazil. Cloudflare can also hide your real server IP or make it harder to find.
- If you have point 4 configured, you can now allow only Cloudflare IPs to access your server via the web. This prevents someone from being able to make HTTP requests via the IP of your website.
DigitalOcean also has a firewall feature allowing you to configure which droplet or which IP has access to certain actions / ports.
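The question raised in this reply (are the 7,000 "attacks" /wp-admin/ probes, SSH login attempts, or application logins?) is answered by triaging the server logs before choosing a firewall rule. The following is an added example, not code from this thread: it classifies constructed sample lines in the shape of Ubuntu's /var/log/auth.log sshd entries and an nginx access log, and counts them per source IP. The probe path list and the /login route are assumptions about the application.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (documentation-range IPs) in the formats of an
# Ubuntu sshd auth.log entry and a default nginx access log entry.
SAMPLE_LOG_LINES = [
    "Mar  3 10:01:12 web01 sshd[1201]: Failed password for root from 203.0.113.5 port 51122 ssh2",
    "Mar  3 10:01:15 web01 sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51130 ssh2",
    "Mar  3 10:02:40 web01 sshd[1210]: Invalid user oracle from 198.51.100.7 port 40010",
    '198.51.100.7 - - [03/Mar/2021:10:03:01 +0000] "GET /wp-admin/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [03/Mar/2021:10:03:02 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [03/Mar/2021:10:04:10 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [03/Mar/2021:10:04:11 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [03/Mar/2021:10:04:12 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

# Assumed: paths that only scanners request on a Laravel app (no WordPress here).
PROBE_PATHS = ("/wp-admin", "/wp-login.php")
# Assumed: the application's login route.
LOGIN_ROUTE = "/login"

SSH_RE = re.compile(r"sshd\[\d+\]: (?:Failed password for|Invalid user) .*?from (\d+\.\d+\.\d+\.\d+)")
WEB_RE = re.compile(r'^(\d+\.\d+\.\d+\.\d+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')


def classify(line):
    """Return (category, source_ip) for a log line, or None if it is not recognised."""
    m = SSH_RE.search(line)
    if m:
        return "ssh_failed_login", m.group(1)
    m = WEB_RE.match(line)
    if m:
        ip, method, path, _status = m.groups()
        if any(path.startswith(p) for p in PROBE_PATHS):
            return "web_probe", ip
        if method == "POST" and path == LOGIN_ROUTE:
            return "app_login_attempt", ip   # status alone does not tell success from failure
        return "web_other", ip
    return None


def summarize(lines):
    """Count events per category and per source IP: {category: Counter({ip: n})}."""
    summary = defaultdict(Counter)
    for line in lines:
        hit = classify(line)
        if hit:
            summary[hit[0]][hit[1]] += 1
    return summary


if __name__ == "__main__":
    for category, per_ip in summarize(SAMPLE_LOG_LINES).items():
        print(category, dict(per_ip))
```

Run against the real auth.log and access log, the per-IP counts show whether the traffic is SSH brute force (an SSH allowlist fixes it), scanner noise (a web firewall or Cloudflare rule), or repeated logins against the application itself (rate limiting and two-factor auth).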
@ehabafia I agree with @martinbean. When I programmed at a logistics company we hired and paid for dedicated servers, and paid for the security and management. It was Java and TomEE, but security still has to be implemented no matter the language.
And I am referring to server security, not Laravel authentication and authorization. And when I do certain apps, I meet with a combination of CPAs and, if needed, an attorney to make sure I am implementing lawful aspects into the app.
For a financial application, I suggest you first find out who is needed, and hire such a consultant to go over all the legal items needed by a financial application.
The attacks were shown in the DO Ubuntu server logs.
Thank you very much for all the valuable information.