VPS security basics

Essential steps to protect your virtual server from hacks and malware.

Your VPS is your server — security is entirely in your hands. Most breaches don't come from provider-level vulnerabilities; they happen because of outdated software, weak passwords, exposed services, or malicious code sneaking in through FTP, plugins, or compromised local machines.

How servers typically get compromised

  1. Outdated CMS/plugins
    Automated scanners crawl the web looking for WordPress, Joomla, OpenCart, etc., running old versions or vulnerable plugins. Once found → malicious code (iframes, redirects, miners) gets injected.

  2. Compromised FTP credentials
    Malware on your local computer steals FTP logins/passwords → attacker logs in and drops code directly into files.

  3. .htaccess manipulation
    Attackers rewrite .htaccess to redirect visitors to phishing/malware sites or run hidden scripts.

  4. Uploaded malicious files
    PHP files disguised as images get uploaded to /uploads, /images, etc. → executed when accessed.

Core security measures (implement these immediately)

  1. Strong passwords & SSH keys only

    • Root/admin password: 16+ random characters
    • Disable password login in SSH — use keys exclusively (confirm key login works in a second session before closing your current one):
      sudo nano /etc/ssh/sshd_config
      # Change or add:
      PasswordAuthentication no
      PermitRootLogin prohibit-password   # or no
      sudo systemctl restart ssh
      
  2. Keep everything updated

    Run daily:

    sudo apt update && sudo apt upgrade -y && sudo apt autoremove -y
    
  3. Correct file permissions

    • Files: 644
    • Folders: 755
    • wp-config.php / configuration.php: 600 (apply after the bulk commands below, which set every file to 644)
      find /var/www/ -type f -exec chmod 644 {} \;
      find /var/www/ -type d -exec chmod 755 {} \;
      
  4. Firewall — allow only what you need

    UFW example (22/SSH, 80/HTTP, 443/HTTPS):

    sudo ufw allow OpenSSH
    sudo ufw allow 80/tcp
    sudo ufw allow 443/tcp
    sudo ufw enable
    sudo ufw status
    
  5. Fail2Ban — stop brute-force attacks

    Install:

    sudo apt install fail2ban -y
    

    It auto-bans IPs after repeated failed login attempts (works out-of-the-box for SSH).

  6. Malware scanners & rootkit hunters

    • ClamAV — file scanner:
    sudo apt install clamav clamav-daemon -y
    sudo freshclam
    sudo clamscan -r /var/www
    
    • Rkhunter — rootkit/malware detector:
    sudo apt install rkhunter -y
    sudo rkhunter --update
    sudo rkhunter --check
    
    • Lynis — security audit:
    sudo apt install lynis -y
    sudo lynis audit system
    
  7. Backups — your safety net

    • Daily automated backups (not just on the server — copy to local/cloud)
    • Test restores regularly
    • If infected → clean restore is faster than manual cleanup

If your site/server is already compromised

  1. Isolate: disable the site temporarily (rename index.php or block via .htaccess)
  2. Change all passwords (FTP, CMS admin, SSH, database, control panel)
  3. Scan (ClamAV + Rkhunter + manual check)
  4. Manual inspection:
    • Recently modified files:
    find /var/www/your_site/ -type f -mtime -7 -ls
    
    • PHP files in uploads/images:
    find /var/www/your_site/uploads/ -type f -iname "*.php"
    
    • Suspicious code patterns:
    grep -ril "base64_decode\|eval\|gzinflate\|fromCharCode" /var/www/your_site/
    
  5. Restore from clean backup
  6. Update CMS/plugins/themes
  7. Check .htaccess for redirects/iframes
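
The upload check in step 4 only matches names ending in .php, so it misses the "PHP files disguised as images" case described earlier. The function below is an added example, not part of the original article: it also flags double extensions, image files whose bytes contain a PHP open tag, and any .htaccess inside the upload tree. The name `scan_uploads`, the output labels and the extension lists are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): triage an upload directory.
# scan_uploads DIR prints one "LABEL<TAB>PATH" line per file worth reviewing.
# The function name, labels and extension lists are illustrative assumptions.
scan_uploads() {
    dir=$1
    tab=$(printf '\t')
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    # 1. Script extensions, including double extensions such as name.php.jpg.
    find "$dir" -type f \( -iname '*.php' -o -iname '*.php.*' \
        -o -iname '*.phtml' -o -iname '*.phar' \) \
        -exec printf 'script-extension\t%s\n' {} +

    # 2. Image extension, but the bytes contain a PHP open tag.
    #    -a reads binary files as text, -F matches the literal string.
    find "$dir" -type f \( -iname '*.jpg' -o -iname '*.jpeg' \
        -o -iname '*.png' -o -iname '*.gif' \) \
        -exec grep -laiF -e '<?php' {} + 2>/dev/null |
        sed "s/^/php-in-image${tab}/"

    # 3. A per-directory .htaccess can change how files are served; review it.
    find "$dir" -type f -name '.htaccess' \
        -exec printf 'htaccess-review\t%s\n' {} +
    return 0
}

# Run against a directory given on the command line, if any.
if [ "$#" -gt 0 ]; then
    scan_uploads "$1"
fi
```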

Help

If you have any questions or need assistance, please contact us through the ticket system — we're always here to help!
