A VPS gives you root access to a Linux server and full control over the environment. That control comes with responsibility. If you're moving from shared hosting to an unmanaged VPS for the first time, this guide covers the core tasks you need to handle to keep the server running safely, and what happens if you don't.
A freshly provisioned VPS with a public IP address is scanned by automated bots within minutes of creation. The bots are looking for open ports, default credentials, and known vulnerabilities. Server hardening is the process of reducing your attack surface before the server is exposed to real traffic.
The minimum steps on a new VPS: create a non-root user with sudo privileges and use it for all administration. Disable password authentication for SSH and use SSH key pairs instead, this makes brute-force attacks against your SSH port practically impossible. Disable root SSH login entirely (PermitRootLogin no in /etc/ssh/sshd_config). Configure UFW (Uncomplicated Firewall) on Ubuntu or firewalld on AlmaLinux/CentOS to allow only the ports you need: 22 for SSH (or a non-standard port if you prefer), 80 for HTTP, and 443 for HTTPS. Block everything else by default. These steps take about 20 minutes and should happen before you install anything else on the server.
Keeping the operating system and installed packages updated is the highest-impact security practice available to you. The majority of successful attacks on VPS servers exploit known vulnerabilities that patches have been available for weeks or months, the attacker isn't finding zero-days, they're using public exploits against unpatched systems.
On Ubuntu/Debian, run apt update && apt upgrade regularly and enable unattended-upgrades for automatic security patch installation. On AlmaLinux/CentOS Stream, use dnf update and enable dnf-automatic for security updates. Kernel updates require a reboot, schedule these during low-traffic windows. A practical approach: enable automatic security updates for critical patches, and schedule a manual full system update and reboot once a month during a maintenance window.
Install Fail2ban to automatically block IP addresses that repeatedly fail SSH login attempts. This reduces log noise and protects against credential stuffing attacks. Default Fail2ban configuration is adequate for most deployments; you can tighten thresholds if your SSH logs show persistent attack patterns.
You need two categories of monitoring on a production VPS: external uptime monitoring (is the site reachable from outside the server?) and internal resource monitoring (what is the server doing internally?).
For external uptime monitoring, UptimeRobot's free tier checks your site every 5 minutes from multiple global locations and sends email and SMS alerts if the site goes down. Better Uptime and Freshping are alternatives with additional features. Set these up immediately, you want to know about downtime from a monitoring system before a client tells you.
For internal resource monitoring, the basics are: disk usage (a full disk silently breaks PHP, MySQL, and logging, set alerts at 80% capacity), memory usage (running out of RAM causes the OOM killer to terminate processes, which often manifests as unexplained site errors), and CPU load. At the command line, htop gives a real-time view of processes, CPU, and memory. For persistent monitoring and alerting, Netdata is a zero-configuration monitoring tool that installs in one command and provides detailed system metrics via a web dashboard. For production servers where granular observability matters, the Prometheus + Grafana stack is the standard, more setup overhead but significantly more powerful.
VPS providers do not typically include backups unless you've explicitly purchased them as an add-on. Automated backup configuration is your responsibility on an unmanaged VPS. The consequences of not having them are severe and irreversible: a corrupted database, a botched update, or a compromised server can mean permanent data loss.
Set up automated backups that cover both your web files (everything in /var/www/ or wherever your document roots are) and your databases (use mysqldump or mariabackup for consistent database dumps). Push backups to an offsite destination, Backblaze B2 is cheap and reliable (around $0.006/GB/month), AWS S3 works, or another server in a different data centre. Rclone is the standard tool for syncing backups to cloud storage.
Test your backups periodically by actually restoring from them to a staging environment. A backup you've never tested is a backup you can't rely on. Aim for daily backups with at least 14 days retention, and a weekly backup kept for 90 days. This retention policy lets you recover from data corruption that's discovered days or weeks after it happens.
If you're not using a server management panel, you'll need to install and configure your web server and PHP stack manually. The common choices: Nginx with PHP-FPM (efficient, widely used, good documentation), Apache with mod_php or PHP-FPM (more familiar to cPanel users), or OpenLiteSpeed (the open-source version of LiteSpeed, significantly faster than Apache for WordPress workloads, free to use).
Key PHP configuration to check for production web hosting: memory_limit (set to at least 256MB for WordPress, 512MB for WooCommerce), upload_max_filesize and post_max_size (32–64MB for most sites), max_execution_time (60–120 seconds), and opcache settings for PHP bytecode caching. OPcache dramatically reduces PHP execution time for repeated requests and should be enabled and configured on any production server running PHP.
If command-line server management is something you want to minimise, server management panels reduce the complexity significantly without eliminating your control over the environment. The main options worth knowing about:
These tools don't replace the need for Linux knowledge when something goes wrong at a level the panel doesn't surface. But they substantially reduce how often you need to reach for the command line for routine operations, which makes VPS management practical for developers who aren't full-time sysadmins.
If server management isn't your focus, HostBible managed VPS plans handle OS updates, security hardening, monitoring, and backups, giving you VPS performance without the administrative overhead.
View VPS Plans