If you have just purchased a VPS server, your first instinct is usually to install a website, a project backend or a game server and go live quickly. The problem is that a fresh VPS is rarely secure by default. Attackers constantly scan the internet for new servers with weak passwords, open ports and outdated software. If you leave your VPS as it is, it can be compromised long before your project gains its first real user. In this guide, I will walk you through practical, beginner‑friendly steps that I have repeatedly applied in real projects: from small WordPress sites to custom APIs and internal tools. You do not need to be a full‑time system administrator to follow these steps; you just need SSH access and 30–60 minutes of focused work. By the end, you will have a VPS that is significantly harder to attack and much easier to maintain safely.
Understand What You Are Securing
Before typing any commands, it helps to understand what a VPS actually is and where the risks come from. A VPS (Virtual Private Server) is a virtual machine running on a physical server in a data center. You get root (administrator) access, which gives you freedom but also responsibility. Unlike shared hosting, where the provider locks down most settings, you are now in charge of:
- Who can log in and how (SSH keys, passwords, users)
- Which ports and services are exposed to the internet
- How and when the system and software are updated
- Backups, monitoring and incident response
Most compromises I see on beginner VPS setups come from the same issues: weak or reused passwords, outdated software, open ports that are not needed, and missing backups. The steps below address each of these problems one by one in a practical order.
Step 1: Secure Your Login Access (SSH and Users)
Create a non‑root user with sudo
Logging in directly as root is risky. If someone guesses or steals your root password, they own the whole server. A better pattern is to create a normal user and give it sudo rights (temporary admin privileges).
After connecting via SSH for the first time (often as root):
adduser deploy
usermod -aG sudo deploy
Replace deploy with your preferred username (on CentOS/Rocky/Alma the admin group is wheel rather than sudo, so use usermod -aG wheel deploy there). Before you go any further, confirm the new account can actually elevate: switch to it with su - deploy and run sudo -v, which asks for the user's password and succeeds only if sudo is set up. On its own this step does not stop attacks; it becomes valuable in the next steps, when root SSH login is disabled and the root account is no longer reachable from outside at all.
Use SSH keys instead of passwords
Passwords can be guessed or leaked; SSH keys are much stronger. On your local machine, generate a key pair (if you do not already have one):
ssh-keygen -t ed25519 -C "your-email@example.com"
Then copy the public key to your VPS:
ssh-copy-id deploy@your-server-ip
If ssh-copy-id is not available, you can manually paste the content of ~/.ssh/id_ed25519.pub into ~/.ssh/authorized_keys on the server (for your user) and ensure file permissions are correct: ~/.ssh must be mode 700 and authorized_keys mode 600, both owned by the user. With the default StrictModes setting, sshd silently ignores keys in files that other users could write, which is the usual reason a freshly pasted key "does not work".
Disable password logins and root SSH access
Once the key is working, harden SSH. Keep your current session open while you do this and close it only after a second login with the new settings has succeeded; a typo in this file locks you out. Edit the configuration:
sudo nano /etc/ssh/sshd_config
Locate and adjust these lines (uncomment them if they are commented out):
PermitRootLogin no
PasswordAuthentication no
Two things are easy to miss. First, sshd uses the first value it reads for a keyword, and on Ubuntu the main file starts with an Include of /etc/ssh/sshd_config.d/*.conf; cloud images ship a drop-in there (typically 50-cloud-init.conf) containing PasswordAuthentication yes, which silently overrides your edit, so change it in that file as well. Second, PasswordAuthentication no does not cover the keyboard-interactive login path that PAM can use, so make sure KbdInteractiveAuthentication is also set to no (Debian's default configuration already does this; older versions call the keyword ChallengeResponseAuthentication).
Optionally, you can change the default SSH port (22) to a non-standard port (for example 2222). This only reduces noise from automated scanners; it is not a security control on its own, and the new port must be open in any firewall in front of the server (including your provider's) before you restart, after which you connect with ssh -p 2222:
Port 2222
After saving, validate the file with sudo sshd -t, and confirm the values sshd will really use with sudo sshd -T, which prints the effective configuration after all includes. Then restart SSH. On CentOS/Rocky/Alma the unit is called sshd, and on Ubuntu 22.10 and later the listening port belongs to ssh.socket, so a port change also needs sudo systemctl daemon-reload followed by a restart of ssh.socket:
sudo systemctl restart ssh
From now on, you log in as your regular user with an SSH key, not as root and not with a password. Before you close your original session, open a new terminal and verify that key login works and that ssh root@your-server-ip is refused.
Limit login attempts with Fail2ban
To protect against brute‑force attempts, install Fail2ban, which monitors logs and temporarily blocks IPs that fail too many logins:
sudo apt update
sudo apt install fail2ban
On many systems, the default configuration is a good start: install it, enable the service (sudo systemctl enable --now fail2ban) and check that the sshd jail is active with sudo fail2ban-client status sshd, which also lists the currently banned addresses. Two things commonly go wrong. If you moved SSH to another port, the jail must be told, otherwise bans are applied to port 22 only. And on Debian 12 and Ubuntu 24.04, which no longer install rsyslog by default, /var/log/auth.log does not exist, so Fail2ban has to read the systemd journal instead. Put such changes in /etc/fail2ban/jail.local; jail.conf is replaced on upgrades. With that in place, Fail2ban drastically reduces abusive SSH attempts.
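A jail.local covering both points, as an added example for this page rather than a file from the original article. The port and the timing values are assumptions; adjust them to your setup.

```ini
# /etc/fail2ban/jail.local (added example; values are illustrative)
[DEFAULT]
# Read the systemd journal instead of /var/log/auth.log, which Debian 12 and
# Ubuntu 24.04 do not create unless rsyslog is installed.
backend  = systemd
bantime  = 1h
findtime = 10m
maxretry = 5

[sshd]
enabled = true
# Must match the Port in sshd_config; the default "ssh" means 22, so with a
# custom port the ban rule would never cover the port being attacked.
port    = 2222
```

Restart with sudo systemctl restart fail2ban and confirm with sudo fail2ban-client status sshd; if the jail is missing from the output, sudo journalctl -u fail2ban shows why it failed to start.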
Step 2: Update and Harden the Operating System
Apply all available updates
New vulnerabilities are discovered constantly. A lot of exploited servers were simply running outdated software. Before deploying anything, fully update your system.
On Ubuntu/Debian:
sudo apt update
sudo apt upgrade -y
On CentOS/Rocky/Alma:
sudo dnf update -y
Make it a habit to run updates regularly. Note that a new kernel or libc only takes effect after a reboot: on Debian/Ubuntu the file /var/run/reboot-required appears when one is pending, so reboot at a convenient time rather than running a kernel that is patched on disk but still vulnerable in memory for weeks. For critical production workloads, test updates on a staging VPS first, but never leave your public server months behind on patches.
Enable automatic security updates
For beginners or low-maintenance projects, automatic security updates are worth enabling. On Ubuntu/Debian:
sudo apt install unattended-upgrades
sudo dpkg-reconfigure unattended-upgrades
This applies packages from the security repositories automatically while leaving bigger version jumps for manual review. Two details matter: kernel and libc updates only take effect after a reboot, so either watch for /var/run/reboot-required in your routine or set Unattended-Upgrade::Automatic-Reboot "true" (with Automatic-Reboot-Time for a quiet hour) in /etc/apt/apt.conf.d/50unattended-upgrades; and sudo unattended-upgrade --dry-run shows what would be applied, which is the quickest way to verify the setup works. On CentOS/Rocky/Alma the equivalent is the dnf-automatic package with its dnf-automatic.timer. For more general hosting security practices beyond the OS level, you can also review the tips in this web hosting security recommendations guide.
Remove unused software and services
The more software you run, the more potential vulnerabilities you have. After updates, quickly check what is listening on your network ports:
sudo ss -tulpn
If you see services you do not use (for example, a mail server you never configured) or services that answer on 0.0.0.0 when they only need to serve the local machine, stop and disable them (sudo systemctl disable --now followed by the unit name) or remove the package entirely. A lean server is not only faster; it is easier to secure and maintain.
Step 3: Set Up a Firewall and Network Protection
Use a simple firewall (UFW or firewalld)
Even on a small VPS, a firewall is non‑negotiable. On Ubuntu/Debian, UFW (Uncomplicated Firewall) is very beginner‑friendly:
sudo apt install ufw
sudo ufw default deny incoming
sudo ufw default allow outgoing
Then explicitly allow only the ports you need. Add the SSH rule before enabling the firewall (ufw enable warns that it may disrupt existing connections, and without an SSH rule it cuts your own session). For SSH you can use limit instead of allow: UFW then rejects an address that opens more than six connections in 30 seconds, which blunts brute forcing even before Fail2ban runs:
sudo ufw allow 2222/tcp # your SSH port (use "limit" instead of "allow" to rate-limit it)
sudo ufw allow 80/tcp # HTTP
sudo ufw allow 443/tcp # HTTPS
sudo ufw enable
Confirm the result with sudo ufw status verbose. Two caveats: many providers run a separate firewall in front of the VPS (a cloud firewall or security groups) that needs the same ports opened, and Docker, if you later run containers, publishes container ports through its own iptables rules and bypasses UFW. On many RPM-based systems, firewalld (firewall-cmd) plays a similar role. The principle is the same: deny by default, then allow only what is required.
Lock down database and admin ports
Databases like MySQL/MariaDB, PostgreSQL or Redis should not be accessible from the public internet unless you have a very specific reason; the application usually runs on the same VPS and can reach them over localhost. Bind them to 127.0.0.1 in their configuration (bind-address = 127.0.0.1 for MySQL/MariaDB, listen_addresses = 'localhost' for PostgreSQL, bind 127.0.0.1 -::1 together with protected-mode yes for Redis), restart the service, and keep the firewall blocking their ports to the outside world as a second layer. Redis deserves special care: it has no authentication by default, so exposing it is equivalent to handing out write access to the server.
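To turn the ss -tulpn check from Step 2 and the localhost rule above into a repeatable test, here is an added example (not code from the original article) that parses ss output and lists every socket reachable from outside the host whose port is not on your expected list. The sample output embedded below is constructed in the usual ss layout; process names and PIDs are illustrative.

```shell
#!/bin/sh
# Added example, not the article's code. Reads `ss -tulpn` output and reports listeners bound
# to a non-loopback address whose port is not in the allow list. The sample is constructed.
set -eu

SAMPLE_SS='Netid State  Recv-Q Send-Q   Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128            0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511            0.0.0.0:80         0.0.0.0:*     users:(("nginx",pid=900,fd=6))
tcp   LISTEN 0      80           127.0.0.1:3306       0.0.0.0:*     users:(("mysqld",pid=1020,fd=21))
tcp   LISTEN 0      511            0.0.0.0:6379       0.0.0.0:*     users:(("redis-server",pid=990,fd=6))
tcp   LISTEN 0      128               [::]:22            [::]:*     users:(("sshd",pid=812,fd=4))
udp   UNCONN 0      0        127.0.0.53%lo:53         0.0.0.0:*     users:(("systemd-resolve",pid=600,fd=13))'

# exposed_listeners "PORT PORT ..."   (ss -tulpn output on stdin)
# Prints "proto addr:port process" for each externally reachable socket not in the list.
# Loopback bindings (127.x, [::1], including "%lo" scoped ones) are the goal and are skipped;
# 0.0.0.0, * and [::] mean "every interface", i.e. the public IP too.
exposed_listeners() {
  awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "Netid" { next }                                  # header row
    {
      la = $5
      port = la; sub(/.*:/, "", port)                        # text after the last colon
      addr = la; sub(/:[^:]*$/, "", addr)                    # text before it (IPv6 keeps [])
      if (addr ~ /^127\./ || addr == "[::1]") next
      proc = "?"                                             # empty without sudo
      if (match($7, /\("[^"]+"/)) proc = substr($7, RSTART + 2, RLENGTH - 3)
      if (!(port in ok)) printf "%s %s %s\n", $1, la, proc
    }'
}

# Live use (process names need root):  sudo sh listen-audit.sh live "2222 80 443"
if [ "${1:-}" = live ]; then
  ss -tulpn | exposed_listeners "${2:-22 80 443}"
fi
```

On the sample, only the Redis socket is reported: it listens on 0.0.0.0:6379, whereas MySQL is correctly on 127.0.0.1 and the stub resolver on a loopback address. Each reported line is either a service to remove, a port to add to the list because you really do serve it, or a configuration to change to the localhost bindings given above; re-run the check after restarting the service, and again after reboots, since a package upgrade can reset a configuration file.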
Similarly, if you have control panels or admin interfaces, restrict them:
- Only allow specific IPs (for example, your office IP)
- Protect them with strong passwords and, where possible, two‑factor authentication
- Consider using a VPN for full remote admin access
Harden network services
Each exposed service should be configured with security in mind. For example:
- Disable old, insecure protocols (like obsolete TLS versions)
- Turn off directory listing on web servers when not needed
- Rate-limit APIs and login endpoints where possible to reduce abuse
These details feel small when you start, but they add up to a much more robust VPS over time.
Step 4: Protect Websites, Databases and Files
Always use HTTPS with a proper SSL certificate
Even if you secure SSH and the OS, sending passwords or session cookies over plain HTTP is a major risk. Set up HTTPS with a valid TLS certificate (still commonly called an SSL certificate) for every site on your VPS, and redirect HTTP to HTTPS so nothing is served in the clear. Let's Encrypt makes this free and straightforward: certbot obtains the certificate, and because Let's Encrypt certificates are valid for 90 days it also installs a timer that renews them automatically; sudo certbot renew --dry-run confirms that renewal will work before you depend on it.
If you are unsure which type of certificate is right for you, this article explains the differences between DV, OV and EV certificates in detail: What Is an SSL Certificate? DV vs OV vs EV and How to Choose.
Harden your web applications (WordPress and others)
From experience, many VPS compromises come not from the OS but from insecure web apps, plugins or themes. If you run WordPress or similar CMSs, make sure you:
- Keep the core, themes and plugins updated
- Remove unused plugins and themes completely
- Use strong, unique admin passwords and avoid “admin” usernames
- Limit login attempts and consider two‑factor authentication
For a more detailed, WordPress‑specific approach, I recommend reading this guide on WordPress security tips against hackers and applying the suggestions on top of your VPS‑level hardening.
Secure your databases
For MySQL/MariaDB or PostgreSQL, follow these basic principles:
- Use strong, unique passwords for database users
- Give each application its own database user with only the privileges it needs on its own database; never let an application connect as the database root or postgres superuser
- Disable anonymous users and remove the default test database (on MySQL/MariaDB, mysql_secure_installation does both and sets the root password in one go)
- Keep the server bound to localhost, as in Step 3, unless another host genuinely needs access
- Back up databases regularly and store backups encrypted when possible
Also ensure your applications do not expose detailed error messages with SQL queries in production; such information helps an attacker turn a minor injection bug into a targeted attack.
Set correct file permissions
On a VPS, it is tempting to make everything writable "just to make it work". That often leads to world-writable directories and files (the infamous chmod 777) that any compromised script, running as any account on the box, can abuse. A safer pattern is:
- Application files owned by a dedicated user (for example, www-data or appuser), and not writable by the account the web server runs as
- Configuration files readable only by that user and root, with no group or world read bits on files that contain database credentials
- Upload directories writable, but as restricted as possible: no execute bits on uploaded files, and ideally the web server configured not to run scripts from them
It can take a little time to get permissions right, but doing so significantly reduces the impact of a single vulnerable plugin or script.
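The pattern above applied and then audited, as an added example rather than code from the original article. It assumes a slightly stricter split than the text describes: code owned by a deploy account, the web server (or PHP-FPM) running under GROUP such as www-data with read access only, and a single upload directory as the one writable place. The function and file names are illustrative, and paths must be given without a trailing slash.

```shell
#!/bin/sh
# Added example, not the article's code. Assumed model: OWNER deploys code, GROUP is the
# web server's group and may only write inside UPLOAD_DIR. Names/paths are illustrative.
set -eu

# harden_app_tree APP_DIR OWNER GROUP UPLOAD_DIR
harden_app_tree() {
  app=$1; owner=$2; group=$3; uploads=$4
  chown -R "$owner:$group" "$app"
  find "$app" -type d -exec chmod 750 {} +   # owner rwx, web server may traverse, others nothing
  find "$app" -type f -exec chmod 640 {} +   # web server can read code and configs, not change them
  # The upload directory is the single writable place. setgid keeps new files in the web
  # server's group so the deploy account keeps access; uploaded files never need execute bits.
  mkdir -p "$uploads"
  find "$uploads" -type d -exec chmod 2770 {} +
  find "$uploads" -type f -exec chmod 660 {} +
}

# audit_app_tree APP_DIR UPLOAD_DIR
# Prints one line per finding and returns 1 if there are any:
#   WORLD_WRITABLE <path>  every other account on the box can write it (what chmod 777 leaves)
#   EXEC_UPLOAD <path>     an executable file inside the upload directory
#   WRITABLE_CODE <path>   a file outside uploads that the web server's group can modify,
#                          i.e. one vulnerable plugin could rewrite your code or config
audit_app_tree() {
  app=$1; uploads=$2
  {
    find "$app" ! -type l -perm -0002 -print | sed 's|^|WORLD_WRITABLE |'
    find "$uploads" -type f -perm -0111 -print | sed 's|^|EXEC_UPLOAD |'
    find "$app" -path "$uploads" -prune -o -type f -perm -0020 -print | sed 's|^|WRITABLE_CODE |'
  } | grep . && return 1
  return 0
}

# Typical use on a WordPress site (illustrative paths):
#   sudo sh app-perms.sh /var/www/example deploy www-data /var/www/example/wp-content/uploads
if [ $# -eq 4 ]; then
  harden_app_tree "$1" "$2" "$3" "$4"
  audit_app_tree "$1" "$4"
fi
```

Run the audit on its own from your maintenance routine; a clean run prints nothing. The trade-off of this layout is deliberate: with the web server unable to write to code, plugin and theme updates through the WordPress admin interface no longer work, so apply them as the deploy user (for example with wp-cli) instead. That is exactly the property that stops a compromised plugin from rewriting the rest of the site.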
Step 5: Monitoring, Backups and Ongoing Maintenance
Set up regular backups
No security guide is complete without backups. Even with perfect hardening, mistakes, hardware issues or zero‑day vulnerabilities can still cause data loss. You should have at least one automatic backup solution in place that covers:
- Critical configuration files (web server, database, application configs)
- Application code if not already version‑controlled
- Databases
Backups should be stored on a different server or storage location, not only on the same VPS. To design a solid backup strategy that matches your use case, you can follow the principles in this server backup strategies guide.
Monitor logs and resource usage
Many breaches leave traces in system logs long before serious damage is done. Even basic monitoring can help you spot suspicious behaviour:
- Check /var/log/auth.log (or journalctl _COMM=sshd on hosts without rsyslog, such as Debian 12 and Ubuntu 24.04) for repeated failed logins and, more importantly, for successful logins you did not make
- Monitor CPU, RAM and disk usage trends
- Set alerts for abnormal spikes in traffic or resource usage
There are many open‑source and hosted tools; for a first step, even simple log checks during your weekly maintenance window can surface issues early.
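A minimal version of that weekly log check, as an added example that is not part of the original article: it summarises sshd authentication events by source address, flags brute-force sources above a threshold, and fails if any login used a password, which after Step 1 can only mean a drop-in or Match block still allows it. The sample lines are constructed in sshd's log format (addresses from the RFC 5737 documentation ranges; host name, PIDs and the key fingerprint are invented), and the script name is illustrative.

```shell
#!/bin/sh
# Added example, not the article's code. Functions read auth.log / journal lines on stdin.
set -eu

# Constructed sample in the format sshd writes (documentation addresses, invented details).
SAMPLE_AUTH_LOG='Jan 10 03:12:44 vps sshd[1234]: Failed password for root from 203.0.113.45 port 51234 ssh2
Jan 10 03:12:47 vps sshd[1234]: Failed password for invalid user admin from 203.0.113.45 port 51240 ssh2
Jan 10 03:15:01 vps sshd[1300]: Invalid user oracle from 198.51.100.7 port 40022
Jan 10 03:15:03 vps sshd[1300]: Failed password for invalid user oracle from 198.51.100.7 port 40022 ssh2
Jan 10 03:20:10 vps sshd[1350]: Accepted publickey for deploy from 192.0.2.10 port 52000 ssh2: ED25519 SHA256:example
Jan 10 03:21:00 vps sshd[1360]: Accepted password for deploy from 198.51.100.7 port 40100 ssh2'

# failed_by_ip: "<count> <ip>" per source address, most active first.
# The address is the token after "from"; "invalid user" lines shift the user field, so
# the fixed column positions of a simple cut would be wrong.
failed_by_ip() {
  awk '/sshd.*: Failed password for/ { for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++ }
       END { for (ip in n) printf "%d %s\n", n[ip], ip }' | sort -rn
}

# accepted_logins: "<method> <user> <ip>" for every successful login. Read this list every
# week: a publickey login from an address you do not recognise is the real alarm.
accepted_logins() {
  awk '/sshd.*: Accepted / { for (i = 1; i <= NF; i++) if ($i == "Accepted")
         printf "%s %s %s\n", $(i+1), $(i+3), $(i+5) }'
}

# brute_force_sources THRESHOLD: addresses with at least THRESHOLD failed attempts,
# i.e. what Fail2ban should already have banned; if they keep appearing, it is not working.
brute_force_sources() {
  failed_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# no_password_logins: returns 1 (and prints the offending logins) if any login used a
# password, which should be impossible once PasswordAuthentication is off everywhere.
no_password_logins() {
  accepted_logins | awk '$1 == "password"' | grep . && return 1
  return 0
}

# Live use (reading the system journal needs root or the systemd-journal group):
#   sudo sh ssh-log-check.sh live
if [ "${1:-}" = live ]; then
  journalctl _COMM=sshd --since "1 week ago" --no-pager > /tmp/sshd-week.log
  echo "== brute-force sources (>= 10 failures)"; brute_force_sources 10 < /tmp/sshd-week.log
  echo "== successful logins";                    accepted_logins < /tmp/sshd-week.log
  no_password_logins < /tmp/sshd-week.log || echo "!! password logins are still possible"
fi
```

On the sample, 203.0.113.45 is the brute-force source, the publickey login from 192.0.2.10 is the expected admin, and the password login from 198.51.100.7, the same address that was guessing usernames minutes earlier, is the line that should make you re-check sshd -T. Because journalctl output uses the same message format as auth.log, the functions work unchanged on either source.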
Apply a regular security routine
Think of VPS security as an ongoing routine rather than a one‑time task. A simple monthly or bi‑weekly checklist can include:
- Running system and application updates
- Reviewing newly installed plugins, themes or libraries
- Checking backups ran successfully and can be restored
- Reviewing firewall rules for any unnecessary openings
Over time, this routine becomes quick and almost automatic, but it dramatically reduces the risk of surprises.
Choosing a Secure VPS Provider and What to Do Next
Even if you configure your VPS perfectly, the underlying infrastructure still matters. When you choose a provider, pay attention to factors like data center quality, network reliability, backup and snapshot options, and clear security policies. Providers such as DCHost focus on stable infrastructure, well‑maintained virtualization platforms and additional protection options, which makes your hardening work on the VPS layer even more effective.
If you prefer reading about VPS security in Turkish, you can also check out this practical VPS security guide for beginners, which complements what we discussed here.
From here, your next steps are straightforward: secure SSH access, update and harden the OS, configure a firewall, protect your web applications and databases, and put backups plus basic monitoring in place. None of these steps require advanced expertise, but together they raise the bar significantly against common attacks. Treat your VPS like an important piece of infrastructure, not a disposable experiment. With a few hours of focused initial work and a small recurring maintenance habit, you can run your projects on a VPS with confidence, knowing you have taken the essential and practical steps to keep both your server and your data safe.