A practical checklist for setting up a new VPS safely before it hosts live websites, applications or client projects.
Deploying a new VPS gives you a clean server with root access, flexible resources and full control over the software stack. That freedom is useful, but it also means the first setup steps matter.
A VPS should not be treated as production-ready just because it has finished deploying. Before you point a domain at it, install a website or connect a database, take time to secure access, update the operating system, configure the firewall and plan backups.
This guide is written for website owners, developers, agencies and UK businesses using a self-managed VPS or VDS for websites, applications, staging servers, APIs or client projects.
Setup checklist
After deploying a new VPS, verify access, update packages, create a non-root sudo user, secure SSH, configure a firewall, set the hostname, install only the services you need, configure backups, enable monitoring, add SSL and test the website or application before sending live traffic to the server.
Check the IP address, operating system, server location, CPU, RAM, disk size and login method. This confirms the server was deployed with the right image and resources before you spend time configuring it.
Make a note of whether the server is running Ubuntu, Debian, Rocky Linux or AlmaLinux. Commands, firewall tools and package managers can vary between distributions.
Do not install a full stack until you know the server is the right one. Rebuilding early is easy; rebuilding after a live website or database has been added is much more disruptive.
A fresh server image can still have security updates waiting. Updating the operating system before installing web server software, databases or control panels gives you a cleaner starting point.
Typical update commands
# Ubuntu / Debian
sudo apt update && sudo apt upgrade -y
# Rocky Linux / AlmaLinux
sudo dnf update -y
Reboot if the update includes a kernel or major system component. It is better to reboot now than after the VPS is hosting live traffic.
Root access is useful during deployment, but using root for every task is not ideal. Create a separate user with sudo privileges and use that account for day-to-day administration.
Once the new user works correctly, you can reduce risk by limiting direct root password login. Always test the new user in a second SSH session before closing your existing root session.
Be careful when changing SSH settings. A small typo can lock you out of the server. Keep one working session open while testing the new login method.
SSH is the front door to your VPS. Good hardening usually includes strong passwords or SSH keys, a non-root sudo user, disabled root password login and sensible login restrictions.
You can also consider tools such as fail2ban if you want automatic blocking of repeated failed login attempts.
A firewall controls what can reach the VPS from the internet. Most website hosting setups only need SSH, HTTP and HTTPS open publicly.
Used for administration. Keep access restricted and secure.
Used for web traffic and redirects to HTTPS.
Used for secure website and application traffic.
Databases, cache services and admin-only tools should normally not be exposed to the public internet. If a service does not need to be reachable externally, keep it private.
Give the server a clear hostname that helps you identify its purpose. This is especially useful if you manage multiple servers, staging environments or client projects.
A messy VPS usually starts with installing too many things without a plan. Decide what the server is actually for before adding software.
For WordPress, plan your web server, PHP version, database, caching, SSL and file permissions. For applications, plan runtime versions, deployment process, process manager, logs and rollback route.
Every extra package is another thing to maintain. Install the services your website or application needs, then keep the setup lean.
Public websites should use HTTPS. Install an SSL certificate, test the site over HTTPS and make sure HTTP requests redirect properly.
After SSL is active, check that images, scripts, forms and admin areas load securely. Mixed-content issues can make a website look untrusted even when the certificate itself is valid.
Backups should not be an afterthought. Plan what needs backing up before the VPS becomes important.
Website files, uploads, application code and important assets.
WordPress, ecommerce, application and customer data.
Web server configs, cron jobs, environment files and deployment settings.
A backup is only useful if it can be restored. Test your restore process on a non-live environment where possible.
Monitoring helps you spot downtime, high resource usage and disk space issues before they become emergencies. Even simple uptime monitoring is better than finding out from customers.
Before pointing a domain to the VPS, test the website or application directly. Check the web server response, SSL, redirects, forms, login pages, file uploads and any scheduled tasks.
If you are still choosing a server image, compare the operating system options before deploying. The right choice depends on the software you want to run, your experience and how you prefer to maintain the server.
VPS setup help
Straight answers to the most common questions before taking a new VPS live.
A VPS is ready for serious work only after access, updates, firewall rules, backups, monitoring and SSL are in place. The setup does not need to be complicated, but it does need to be deliberate.
Start with a clean plan, install only what the server needs and test before pointing live traffic at it. If the project needs more predictable performance, compare VPS and VDS hosting before launching production websites or applications.
Related hosting options
Helpful next-step pages for VPS, VDS, Linux and WordPress server projects.
Install for quick access to hosting, tools, billing and support.