A fresh VPS is powerful, but it is also your responsibility. Before you host a site, application, or billing system on it, take time to reduce the obvious risks. This checklist is a practical starting point, not a complete security programme.
Update the Operating System
Start with package updates. On Debian or Ubuntu, use:
apt update
apt upgrade
On RHEL-family systems, use the distribution's package manager, usually dnf. Reboot if a kernel or core system package update requires it.
Create a Normal User
Avoid doing daily work as root. Create a user, give it sudo access, and use that account for administration.
adduser deploy
usermod -aG sudo deploy
Use SSH Keys
SSH keys are safer than reusable passwords when managed properly. Add your public key to the new user's ~/.ssh/authorized_keys, test login in a second terminal, then consider disabling password authentication.
Configure a Firewall
Allow only the services you actually need. A basic web server might allow SSH, HTTP, and HTTPS. Do not expose databases, admin panels, or development services to the public internet unless there is a clear reason.
Check SSH Settings
Common hardening steps include disabling root SSH login, using keys, and restricting who can log in. Make one change at a time and keep an active session open until you confirm the new login works.
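A small audit of the settings named above, added here as an example (not part of the original checklist). The function names, the constructed sample config, and the choice of AllowUsers/AllowGroups as the "who can log in" check are assumptions. It reads only the global section of one file and does not follow Include directives.

```shell
#!/bin/sh
# Added example: report risky global-scope sshd_config settings.

# effective_value FILE KEYWORD DEFAULT
# sshd_config keywords are case-insensitive and the first occurrence wins.
# Scanning stops at the first Match block because later lines are conditional.
# Assumes the usual whitespace-separated "Keyword value" form.
effective_value() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key) }
        /^[ \t]*(#|$)/ { next }               # skip comments and blank lines
        tolower($1) == "match" { exit }       # global section ends here
        tolower($1) == key { $1 = ""; sub(/^ +/, ""); val = $0; found = 1; exit }
        END { print (found ? val : def) }
    ' "$1"
}

# audit_sshd FILE: print one FINDING line per problem, return 1 if any.
# Defaults used when a keyword is absent are the OpenSSH defaults.
audit_sshd() {
    rc=0
    root=$(effective_value "$1" PermitRootLogin prohibit-password | tr 'A-Z' 'a-z')
    pass=$(effective_value "$1" PasswordAuthentication yes | tr 'A-Z' 'a-z')
    users=$(effective_value "$1" AllowUsers "")
    groups=$(effective_value "$1" AllowGroups "")
    [ "$root" = "no" ] || { echo "FINDING PermitRootLogin is '$root', want 'no'"; rc=1; }
    [ "$pass" = "no" ] || { echo "FINDING PasswordAuthentication is '$pass', want 'no'"; rc=1; }
    [ -n "$users$groups" ] || { echo "FINDING no AllowUsers/AllowGroups restriction"; rc=1; }
    return $rc
}

# Constructed sample (not from a real server): the root-login line is
# commented out, a duplicate keyword appears, and the only AllowUsers
# sits inside a Match block, so it does not apply globally.
weak_sample() {
    cat <<'EOF'
#PermitRootLogin no
PasswordAuthentication no
passwordauthentication yes
Match User backup
    PermitRootLogin no
    AllowUsers backup
EOF
}

# Demo: audit the constructed sample.
tmp=$(mktemp) && weak_sample > "$tmp" && { audit_sshd "$tmp" || true; }; rm -f "$tmp"
```

Running `sshd -T` as root prints the fully resolved configuration in the same keyword/value form, so saving that output to a file and passing it to audit_sshd also covers settings pulled in through Include files.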
Install Only What You Need
Every service you install is something you must update, configure, monitor, and secure. Keep the server small. If you do not need a mail server, database, FTP daemon, or control panel, do not install it.
Set Up Backups
VPS snapshots are useful, but they are not the same as application-aware backups. For a website, back up files and databases. For an app, back up uploaded data, config, secrets, and the database. Test restores before you need one.
Monitor Logs and Updates
Know where authentication logs, web server logs, application logs, and system logs live. Set a maintenance routine for updates and review failed login attempts or unusual service behaviour.
If you would rather not manage the operating system yourself, ask about managed options before putting production workloads on the VPS.
Managed Hosting or VPS?
A VPS is the right choice when you need root access, custom services, or full control of the operating system. That control also means you own patching, firewall policy, monitoring, backups, and incident response.
If you mainly want faster hosting for websites, compare application hosting or managed VPS hosting with Enhance. Those options keep control panel workflows, SSL, backups, PHP tooling, and support closer to a managed service.
Before You Put Customers on a VPS
- Document the build, firewall ports, and installed services.
- Confirm off-server backups and test a restore.
- Set up monitoring for disk, memory, CPU, SSL expiry, and HTTP status.
- Check logs after the first week, not only after an incident.
- Keep credentials in a password manager with controlled sharing.
For related reading, see backups explained and hosting resource usage explained.