You just bought a VPS. You installed your website. Now what? Security often gets ignored until something breaks.
This guide covers 10 essential steps to secure your VPS. Each step takes 5-10 minutes. Do them now before you forget.
Step 1: Update Your System
Outdated software has known vulnerabilities. Update regularly.
```
sudo apt update && sudo apt upgrade -y
```
Set up automatic security updates:
```
sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure --priority=low unattended-upgrades
```
Step 2: Create a Non‑Root User
Running everything as root is dangerous. One mistake can break your system.
```
sudo adduser yourname
sudo usermod -aG sudo yourname
```
Log out and log back in as your new user.
Step 3: Set Up SSH Key Authentication
Passwords can be guessed. SSH keys are much more secure.
On your local computer:
```
ssh-keygen -t ed25519 -C "your_email@example.com"
ssh-copy-id yourname@your_server_ip
```
Test logging in from a second terminal, keeping your current session open. If key login works, disable password authentication:
```
sudo nano /etc/ssh/sshd_config
```
Change these lines:
```
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
```
Restart SSH: `sudo systemctl restart sshd`
Step 4: Change the Default SSH Port
Port 22 gets scanned constantly. Moving to a different port reduces automated attacks.
Edit `/etc/ssh/sshd_config` and change `Port 22` to `Port 2222` (or any number between 1024 and 65535). The line is commented out in the stock config, so remove the leading `#` as well.
Restart SSH and test the new port before closing your current session.
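One thing the edits in Steps 3 and 4 do not show: sshd uses the first value it reads for a directive, and Ubuntu and Debian ship an `Include /etc/ssh/sshd_config.d/*.conf` at the top of `sshd_config`. A drop-in there (cloud images often ship one setting `PasswordAuthentication yes`) therefore wins over the lines you just edited, and password login stays enabled. The script below is an added example, not part of the guide: it reproduces the first-value-wins rule over a constructed config in a temp directory, checks the four settings from Steps 3 and 4, and shows the fix (a drop-in that sorts before the vendor one). Resolving relative Include patterns against a caller-supplied directory is an assumption made so the demo runs offline; real sshd resolves them against `/etc/ssh`.

```shell
#!/bin/sh
# Added example (not from the guide): compute the *effective* value of sshd
# directives the way sshd does. The FIRST occurrence wins, and Include'd files
# are read at the point of the Include line.

# Emit the config with each Include line replaced by the contents of the files
# it matches (one level deep). $2 is the directory relative patterns resolve
# against; real sshd uses /etc/ssh, this demo uses a temp directory.
_expand_includes() {
  _cfg=$1; _base=$2
  while IFS= read -r _line || [ -n "$_line" ]; do
    set -f; set -- $_line; set +f          # split into words, no globbing yet
    if [ "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" = include ]; then
      shift
      for _pat in "$@"; do
        case $_pat in /*) ;; *) _pat="$_base/$_pat" ;; esac
        for _f in $_pat; do                  # glob expands here, in sorted order
          [ -f "$_f" ] && cat "$_f"
        done
      done
    else
      printf '%s\n' "$_line"
    fi
  done < "$_cfg"
}

# First effective value of a directive in the global section (sshd treats
# directives after a Match line as conditional). Empty output = not set.
sshd_effective() {
  _expand_includes "$1" "$2" | awk -v key="$3" '
    /^[[:space:]]*#/ || NF == 0 { next }     # sshd comments are whole lines only
    tolower($1) == "match"       { exit }
    tolower($1) == tolower(key)  { print $2; exit }
  '
}

# Compare the effective values with what Steps 3 and 4 of the guide expect.
sshd_check_hardening() {
  _rc=0
  for _pair in PasswordAuthentication=no ChallengeResponseAuthentication=no \
               PermitRootLogin=no Port=2222; do
    _key=${_pair%=*}; _want=${_pair#*=}
    _got=$(sshd_effective "$1" "$2" "$_key")
    if [ "$_got" = "$_want" ]; then
      echo "ok    $_key = $_got"
    else
      echo "FAIL  $_key effective='${_got:-<unset, sshd default>}' expected=$_want"
      _rc=1
    fi
  done
  return $_rc
}

# Constructed sample mirroring the stock Ubuntu layout (Include first, then
# the lines edited per Steps 3 and 4) plus a cloud-init style drop-in.
make_sample_config() {
  mkdir -p "$1/sshd_config.d"
  cat > "$1/sshd_config" <<'EOF'
Include sshd_config.d/*.conf
Port 2222
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
EOF
  printf 'PasswordAuthentication yes\n' > "$1/sshd_config.d/50-cloud-init.conf"
}

demo_dir=$(mktemp -d)
make_sample_config "$demo_dir"
echo "== as edited: the drop-in wins =="
sshd_check_hardening "$demo_dir/sshd_config" "$demo_dir" || true
# Fix: a drop-in that sorts before 50-cloud-init.conf is read first.
printf 'PasswordAuthentication no\n' > "$demo_dir/sshd_config.d/00-hardening.conf"
echo "== with sshd_config.d/00-hardening.conf =="
sshd_check_hardening "$demo_dir/sshd_config" "$demo_dir" || true
rm -rf "$demo_dir"
```

On the real server you do not need the emulation: `sudo sshd -T | grep -iE 'passwordauthentication|permitrootlogin|^port'` prints the effective configuration straight from sshd, and `sudo sshd -t` checks the file for syntax errors before you restart the service. Run both before closing the session you are logged in through.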
Step 5: Set Up a Firewall with UFW
A firewall blocks unwanted connections.
```
sudo apt install ufw -y
sudo ufw allow 2222/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable
```
Check status: `sudo ufw status verbose`
Step 6: Install Fail2ban
Fail2ban blocks IPs that repeatedly fail login attempts.
```
sudo apt install fail2ban -y
sudo nano /etc/fail2ban/jail.local
```
Add this configuration:
```
[sshd]
enabled = true
port = 2222
maxretry = 3
bantime = 3600
```
Start and enable the service:
```
sudo systemctl start fail2ban
sudo systemctl enable fail2ban
```
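To see what `maxretry = 3` actually does, the script below replays the sshd jail's counting rule over a constructed log excerpt. It is an added example, not Fail2ban's code or the guide's: an IP is "banned" the first time it accumulates `maxretry` failed password attempts inside a sliding `findtime` window (Fail2ban's default findtime is 600 seconds; the guide's jail does not change it). The log lines use documentation addresses and a placeholder key fingerprint, and the timestamps are assumed to fall on one day.

```shell
#!/bin/sh
# Added example (not from the guide or from Fail2ban): replay the sshd jail's
# counting rule over constructed log lines.

# Constructed sshd log excerpt (TEST-NET addresses, one day, no real hosts).
write_sample_log() {
  cat > "$1" <<'EOF'
Jan 10 12:00:01 vps sshd[4021]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 10 12:00:02 vps sshd[4022]: Failed password for root from 198.51.100.7 port 40001 ssh2
Jan 10 12:00:05 vps sshd[4023]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
Jan 10 12:00:07 vps sshd[4024]: Accepted publickey for yourname from 192.0.2.10 port 52000 ssh2: ED25519 SHA256:PLACEHOLDER
Jan 10 12:00:09 vps sshd[4025]: Failed password for invalid user test from 203.0.113.5 port 51236 ssh2
Jan 10 12:00:20 vps sshd[4026]: Failed password for invalid user oracle from 203.0.113.5 port 51237 ssh2
Jan 10 12:30:00 vps sshd[4100]: Failed password for root from 198.51.100.7 port 40002 ssh2
Jan 10 13:00:00 vps sshd[4200]: Failed password for root from 198.51.100.7 port 40003 ssh2
EOF
}

# fail2ban_sim LOG MAXRETRY FINDTIME
# Prints "BAN <ip> at <time>" the first time an IP reaches MAXRETRY failures
# within a sliding FINDTIME-second window. Assumes all lines are from the same
# day (timestamps are reduced to seconds since midnight).
fail2ban_sim() {
  awk -v maxretry="$2" -v findtime="$3" '
    /sshd\[[0-9]+\]: Failed password for/ {
      split($3, t, ":"); now = t[1] * 3600 + t[2] * 60 + t[3]
      ip = ""
      for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
      if (ip == "") next
      # keep only the failures still inside the window, then add this one
      n = 0
      for (j = 1; j <= cnt[ip]; j++)
        if (fails[ip, j] > now - findtime) { n++; keep[n] = fails[ip, j] }
      for (j = 1; j <= n; j++) fails[ip, j] = keep[j]
      cnt[ip] = n + 1; fails[ip, cnt[ip]] = now
      if (cnt[ip] >= maxretry && !(ip in banned)) {
        banned[ip] = 1
        print "BAN " ip " at " $3
      }
    }
  ' "$1"
}

log=$(mktemp)
write_sample_log "$log"
echo "== maxretry=3, findtime=600 (guide values, Fail2ban default findtime) =="
fail2ban_sim "$log" 3 600
echo "== maxretry=3, findtime=3600 (the slow attacker is caught too) =="
fail2ban_sim "$log" 3 3600
rm -f "$log"
```

With the guide's values only 203.0.113.5 is banned: its three failures land within eight seconds, while 198.51.100.7 spreads its attempts half an hour apart and never has three inside a 600-second window. Raising `findtime` in `jail.local` is what catches the slow pattern, at the cost of more false positives from users who mistype a password a few times over an hour. One caveat when you check the real jail: on systems that have no `/var/log/auth.log` (Debian 12 without rsyslog, for example) the sshd jail needs `backend = systemd` in `jail.local`, otherwise Fail2ban has no log to read; `sudo fail2ban-client status sshd` shows whether the jail is running and what it has banned.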
Step 7: Set Up Automatic Security Updates
Already covered in Step 1. Verify it's working:
```
sudo systemctl status unattended-upgrades
```
Step 8: Secure Your Web Application
If you run WordPress, follow these additional steps.
- Keep WordPress, themes, and plugins updated.
- Use strong passwords for admin accounts.
- Install a security plugin like Wordfence or Solid Security.
- Disable file editing from the WordPress admin panel.
- Move wp-config.php one directory above the web root.
Step 9: Set Up Regular Backups
Backups won't prevent attacks, but they'll save you when something goes wrong.
See our complete backup guide for detailed instructions.
Step 10: Monitor Your Server
Set up basic monitoring to catch issues early.
```
sudo apt install htop -y
sudo apt install nethogs -y
```
For external monitoring, use uptimerobot.com (free for 50 monitors).
Security Checklist Summary
| Step | Task | Done |
|---|---|---|
| 1 | Update system + enable auto upgrades | ☐ |
| 2 | Create non‑root user | ☐ |
| 3 | Set up SSH key authentication | ☐ |
| 4 | Change SSH port | ☐ |
| 5 | Set up UFW firewall | ☐ |
| 6 | Install Fail2ban | ☐ |
| 7 | Verify auto security updates | ☐ |
| 8 | Secure web application | ☐ |
| 9 | Set up regular backups | ☐ |
| 10 | Set up monitoring | ☐ |
Need a VPS to practice on? Check our recommended VPS providers.