Procedure Manual for Setting Up and Securing a VPS on Ubuntu 24.04 on DigitalOcean
This series is based on the tutorial "How to Install WordPress on Ubuntu 24.04 and Speed Up Your Sites (opens in a new tab)" from SpinupWP.
Prerequisites
To proceed with this setup, you need a domain or subdomain. For this guide, we’ll use hostname.example.com. Also, ensure you have access to your domain’s DNS settings. We highly recommend using Cloudflare for DNS management and domain purchases.
Step 1: Create a New Droplet on TechBase
Though this guide won’t cover the full process of creating a VPS, here are important details to keep in mind:
- Region & Datacenter: Choose one close to your audience for optimal speed.
- Operating System: Select Ubuntu 24.04 (LTS) x64.
- Server Size: Choose at least 2GB of memory.
- Authentication: Use the password method for now, as we'll disable root login shortly.
- Metrics & Monitoring: Enable improved metrics and monitoring.
- Hostname: Use your domain or subdomain, e.g.,
hostname.example.com.
Step 2: First SSH Login
Once your droplet is created, use SSH to connect. If this is your first time using SSH, refer to our Beginner’s SSH Guide.
ssh root@<your-server-ip>Enter the password you set up during droplet creation.
Step 3: Set the Hostname
Once logged in, set the hostname and fully qualified domain name (FQDN):
hostnamectl set-hostname hostname.example.comUpdate your DNS settings to associate the A record with the correct IP address. Once propagated, you can log in using the domain:
ssh root@hostname.example.comStep 4: Configure Timezone
Set the correct timezone to ensure your logs display the right time.
dpkg-reconfigure tzdataSelect your timezone via the simple GUI that appears.
Step 5: Install Updates
Ensure all software is up to date by running:
apt update
apt dist-upgrade
apt autoremove
reboot nowOnce the server reboots, reconnect using SSH.
Step 6: Configure Automatic Security Updates
Enable automatic security updates to keep your server patched:
apt install unattended-upgrades
dpkg-reconfigure unattended-upgradesEdit the configuration file to allow only security updates:
nano /etc/apt/apt.conf.d/50unattended-upgradesEnsure the following lines are active:
// Automatically upgrade packages from these (origin:archive) pairs
//
// Note that in Ubuntu security updates may pull in new dependencies
// from non-security sources (e.g. chromium). By allowing the release
// pocket these get automatically pulled in.
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}";
"${distro_id}:${distro_codename}-security";
// Extended Security Maintenance; doesn't necessarily exist for
// every release and this system may not have it installed, but if
// available, the policy for updates is such that unattended-upgrades
// should also install from here by default.
"${distro_id}ESMApps:${distro_codename}-apps-security";
"${distro_id}ESM:${distro_codename}-infra-security";
// "${distro_id}:${distro_codename}-updates";
// "${distro_id}:${distro_codename}-proposed";
// "${distro_id}:${distro_codename}-backports";
};
Optionally, configure auto-reboots at a specific time by editing:
Unattended-Upgrade::Automatic-Reboot-Time "04:00";Step 7: Create a Non-Root User
It’s important to avoid using the root account for day-to-day tasks. Create a new user and add them to the sudo group:
adduser user
usermod -aG sudo userTest the new user by logging out and back in:
logout
ssh user@hostname.example.comStep 8: Set Up SSH Key Authentication
Generate an SSH key pair locally on your machine:
ssh-keygen -t ed25519 -C "user@laptop"Next, copy your public key to the server:
mkdir ~/.ssh
chmod 700 ~/.ssh
nano ~/.ssh/authorized_keysPaste the contents of your public key into the authorized_keys file. Set proper permissions:
chmod 600 ~/.ssh/authorized_keysNow you can connect to the server without a password.
Step 9: Secure SSH Access
Disable root SSH access and password authentication. Edit the SSH config:
sudo nano /etc/ssh/sshd_configChange these lines:
PermitRootLogin no
PasswordAuthentication noRestart the SSH service:
sudo service ssh restartTest the new configuration by opening a new terminal window and attempting to reconnect.
Step 10: Set Up a Firewall
The firewall adds an extra layer of security. First, install ufw if it isn’t already installed:
sudo apt install ufwAllow necessary ports for SSH, HTTP, and HTTPS:
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow httpsEnable the firewall:
sudo ufw enable
sudo ufw status verboseStep 11: Install Fail2Ban
Install Fail2Ban to protect your server from brute-force attacks:
sudo apt install fail2ban
sudo service fail2ban start
sudo service fail2ban statusFail2Ban will automatically ban IPs that show malicious behavior.
Troubleshooting & Tips
- DNS Propagation Delays: DNS changes may take up to 24 hours to fully propagate. Use tools like
digor online DNS checkers to verify changes. - Permission Denied on SSH: If password authentication is still active, check for override files in
/etc/ssh/sshd_config.d/. - Locked Out of SSH: If you lose your SSH keys, many VPS providers (like TechBase) offer console access via their control panel.
- Firewall Issues: Ensure SSH (port 22) is open before enabling
ufwto avoid locking yourself out. - Fail2Ban Not Working: Check logs in
/var/log/fail2ban.logfor troubleshooting details.
We have now successfully set up a solid foundation for building your WordPress web server and implemented measures to help prevent unauthorized access. However, security is an ongoing process. Keep the following tips in mind:
-
Install server software only from trusted sources:
- Ensure that you're downloading and installing software like Nginx/Apache, PHP, and MySQL/MariaDB from official repositories or trusted providers. Unverified or unofficial sources may contain malicious code that could compromise your server’s security.
- Stick to well-known package managers such as APT or YUM to install software. These typically ensure that packages are properly maintained and come with security updates.
- Consider verifying downloaded files using checksums (SHA-256, MD5) to ensure the files haven't been tampered with.
-
Regularly apply software updates and security patches:
- Keep your server software up-to-date. New vulnerabilities are discovered all the time, and outdated software is a common target for attackers. Installing regular updates and patches ensures that known security flaws are fixed.
- Configure automated updates, especially for critical components like your web server, database, and operating system. You can set up unattended-upgrades to install security updates automatically.
- Regularly monitor for any vulnerabilities in plugins or themes if you're running WordPress. Outdated or unmaintained plugins are a frequent vector for attacks.
-
Enforce strong passwords using tools like 1Password:
- Weak passwords are a common entry point for attackers. Enforce the use of strong, unique passwords for all user accounts on your server.
- Use password managers like 1Password or LastPass to generate and store complex passwords. These tools can create passwords that are difficult to guess and reduce the risk of using the same password across multiple accounts.
- Implement multi-factor authentication (MFA) wherever possible, adding an extra layer of security beyond passwords.
-
Plan for backup access in case of lockout:
- Consider how you would regain access to your server if you were accidentally locked out. For example, keep an SSH key pair stored in a secure location for emergency access.
- Set up a secondary account with admin privileges that you can use if your main account gets compromised or inaccessible.
- Regularly back up important server configurations and files. This ensures that, in case of a server lockout or system failure, you can restore your setup and get back online quickly.
By following these best practices, you can significantly enhance your server’s security and safeguard your WordPress site from potential threats.