
Quick answer: Before a public site launches, secure SSH access, apply system updates, restrict open ports, use HTTPS, protect admin accounts, and confirm backups. These basics remove the most common early risks.
Key Takeaways
- Security starts with access control and patching.
- Expose only the services that must be public.
- Use strong admin accounts and limit shared credentials.
- Backups are part of security because recovery is part of resilience.
Lock down access
SSH key login is the baseline for server access. Password login and shared root credentials create unnecessary risk once the server is on the public internet.
Keep a record of who has access and how to remove access. For small teams, this can be a private document. For larger teams, use formal identity and access management.
- Use SSH keys.
- Remove unused users.
- Avoid shared admin passwords.
- Keep emergency recovery access documented.
Reduce the exposed surface
A server should expose only the ports required for the site. Most public web servers need SSH, HTTP, and HTTPS. Databases, caches, and internal admin tools should stay private.
Use provider firewalls, server firewalls, or both. The goal is a simple rule set that you can understand under pressure.
- Open 80 and 443 for web traffic.
- Restrict SSH where practical.
- Do not expose database ports publicly.
- Check firewall rules after installing new services.
Protect the application layer
For WordPress and similar platforms, keep core, themes, and plugins updated. Remove unused plugins and themes because inactive code can still become a risk.
Admin accounts should use strong passwords and limited access. If multiple people work on the site, give each person their own account.
- Update CMS core and plugins.
- Delete unused themes and plugins.
- Use individual admin accounts.
- Monitor failed login patterns.
Implementation Checklist
- Confirm SSH keys and user access.
- Run system updates.
- Review firewall rules.
- Verify backups and SSL.
Frequently Asked Questions
What is the minimum security setup for a small VPS?
SSH keys, updates, firewall rules, HTTPS, strong admin accounts, and backups are the minimum practical baseline.
Do small sites need security monitoring?
Yes, but start simple: uptime, failed login visibility, update checks, and backup alerts.
