How to Secure Your PHP VPS: Essential Security Tips


You’re in control of your server—now make it safe. A well-configured PHP VPS isn’t just faster; it’s tougher against hacks. Let’s walk through simple, sensible tweaks to help you sleep better at night.

1. Why Securing Your VPS Is Non-Negotiable

Think of your VPS like a car—powerful, flexible, but risky if left unlocked. PHP sits at the center of most websites. PHP misconfiguration can expose data, bypass login systems, or open up your server to intruders. Since you have full control, it’s your job to set up the locks properly.

2. Lock the Basics: Linux & SSH Hardening

  • Update first—run:
    bash
    sudo apt update && sudo apt upgrade -y
  • Create a non-root user for day-to-day tasks:
    bash
    sudo adduser deployer
    sudo usermod -aG sudo deployer
  • Secure SSH access:
    • Use key-based login only (disable passwords).
    • Disable root SSH login in /etc/ssh/sshd_config.
    • Move SSH off the default port 22, or install something like fail2ban to slow attackers.

3. Web Server Safety: Apache or Nginx Tweaks

  • Disable modules you aren’t using—less software equals fewer vulnerabilities.
  • Turn on HTTPS using Let’s Encrypt certificates.
  • Set security headers so browsers block risky behavior:
    apache
    Header set X-Frame-Options "SAMEORIGIN"
    Header set X-Content-Type-Options "nosniff"
    Header set Content-Security-Policy "default-src 'self';"
  • Never show raw PHP errors in production—log them instead.

4. Securing PHP itself (php.ini Configuration)

In your php.ini file, make changes like:

ini
expose_php = Off
display_errors = Off
log_errors = On
error_log = /var/log/php-errors.log
memory_limit = 128M
upload_max_filesize = 10M
session.cookie_secure = 1

These small changes limit what attackers can see or exploit—and help keep memory hogs in check.

5. File Permissions: Respect the Folders

Avoid opening up everything with 777. Instead:

bash
chown -R deployer:www-data /var/www/html
find /var/www/html -type d -exec chmod 755 {} \;
find /var/www/html -type f -exec chmod 644 {} \;

Just one bad permission can expose config files or credentials—don’t leave that to chance.
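A small audit helper that checks the SSH, php.ini and permission settings from sections 2, 4 and 5 is a handy way to confirm the tweaks actually took effect. It is added here as an example and is not code from the original post or from MainVPS; the function names, the checked keys and the sample files it constructs are assumptions for the demo.

```bash
#!/usr/bin/env bash
# Hypothetical audit helper (example code, not MainVPS's): checks a php.ini and an
# sshd_config against the settings recommended above and counts world-writable entries
# under a web root. Paths are parameters so the constructed sample files at the bottom
# stand in for the real php.ini and /etc/ssh/sshd_config.

# php.ini: the LAST uncommented "key = value" wins; values compared case-insensitively.
ini_value() {
  grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n1 | cut -d= -f2- \
    | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]'
}

# sshd_config: the FIRST uncommented "Keyword value" wins (sshd ignores later repeats),
# so a hardened line appended below a stock "PermitRootLogin yes" changes nothing.
sshd_value() {
  grep -iE "^[[:space:]]*$2[[:space:]]+" "$1" | head -n1 | awk '{print tolower($2)}'
}

# audit_php INI: report deviations on stderr, print the number of failures on stdout.
audit_php() {
  local fails=0 kv k v
  for kv in expose_php=off display_errors=off log_errors=on session.cookie_secure=1; do
    k=${kv%%=*}; v=${kv#*=}
    [ "$(ini_value "$1" "$k")" = "$v" ] || { echo "php.ini: set $k = $v" >&2; fails=$((fails+1)); }
  done
  echo "$fails"
}

# audit_sshd CONFIG: same idea for the two SSH settings from section 2.
audit_sshd() {
  local fails=0 kv k v
  for kv in PermitRootLogin=no PasswordAuthentication=no; do
    k=${kv%%=*}; v=${kv#*=}
    [ "$(sshd_value "$1" "$k")" = "$v" ] || { echo "sshd_config: set $k $v" >&2; fails=$((fails+1)); }
  done
  echo "$fails"
}

# world_writable DIR: number of files or directories anyone on the box can modify (target: 0).
world_writable() { find "$1" -perm -002 | wc -l | tr -d ' '; }

# Constructed sample inputs (not real server files) that show both parsing pitfalls.
DEMO=$(mktemp -d)
printf 'expose_php = On\ndisplay_errors = On\ndisplay_errors = Off\nlog_errors = On\nsession.cookie_secure = 1\n' > "$DEMO/php.ini"
printf 'PermitRootLogin yes\nPasswordAuthentication no\nPermitRootLogin no\n' > "$DEMO/sshd_config"
mkdir -p "$DEMO/html" && touch "$DEMO/html/config.php" && chmod 777 "$DEMO/html/config.php"

echo "php.ini failures: $(audit_php "$DEMO/php.ini")"          # 1 (expose_php still On)
echo "sshd_config failures: $(audit_sshd "$DEMO/sshd_config")" # 1 (first PermitRootLogin wins)
echo "world-writable entries: $(world_writable "$DEMO/html")"  # 1 (config.php is 777)
```

Point the functions at your real files and fix anything reported until all three counts read 0.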

6. Use Firewalls & Isolation

  • Set up a firewall like UFW:
    bash
    sudo ufw allow ssh
    sudo ufw allow 80,443/tcp
    sudo ufw enable
  • Run apps in contained environments—like Docker containers or chrooted folders—to isolate traffic.
  • Use Fail2Ban to block repeated login attempts or brute force attacks automatically.

7. Scan and Monitor: Proactive Protection

  • Install tools like rkhunter or chkrootkit.
  • Set up malware scanning using ClamAV or Maldet.
  • Schedule daily scans and check logs regularly to catch weird activity early.

8. Backups & Monitoring: Build Your Safety Net

  • Schedule daily backups of code and databases—just in case.
  • Monitor key logs:
    • PHP errors: /var/log/php-errors.log
    • Web traffic: Apache or Nginx logs
  • Use lightweight monitoring tools like Monit or Grafana + Prometheus for real-time alerts.

9. Keep Your Apps Fresh

  • Regularly update your CMS (WordPress, Drupal), plugins, and composer packages.
  • Remove unused plugins or libraries.
  • Lock down dependencies in composer.json to prevent unexpected updates.

Extra Pro Tip: Secure Your Deployment

  • Don’t keep environment files in the web root.
  • Use deployment keys or CI/CD tools with limited access.
  • Log deployment activities so you know what changed and when.

In Summary

Securing your PHP VPS doesn’t need to feel like rocket science. Each layer—SSH, web server, PHP, and file permissions—can be tightened with simple, sensible configurations. And the payoff? Peace of mind, faster performance, and fewer surprises.

Need help locking down your PHP stack, or want us to review your setup? MainVPS offers tips, audits, and support so your VPS remains both powerful and secure.

FAQs You Might Be Asking

Q: Should I use PHP-FPM or mod_php?
PHP-FPM is recommended. It isolates PHP processes, improving performance and reducing risks.

Q: What should log levels look like?
Use log_errors = On, but keep display_errors = Off—let PHP log, not expose.

Q: Is Docker overkill for simple sites?
Not at all. Containers help isolate apps and make updates cleaner—even for small deployments.

Q: How often should I rotate SSH keys?
Once every 3 months is a reasonable routine—especially if team members change often.