Updated: May 26, 2026  ·  14 min read

Hostinger VPS Maintenance Checklist (2026 Guide)

Short answer: Daily: check security updates and disk usage. Weekly: apply non-critical updates and monitor resource trends. Monthly: review logs, test backups, update configurations. Quarterly: audit security, rotate keys, and revisit scaling plans.

A well-maintained VPS stays secure, fast, and cheap to run. Neglecting maintenance leads to security breaches, performance degradation, and costly emergency fixes. This checklist gives you concrete commands, realistic scheduling, and pitfalls to avoid—no fluff.

📌 Disclosure: This post contains affiliate links. If you purchase through them, I may earn a small commission at no extra cost to you. Full disclosure here.
“Automate everything that can be automated, monitor the rest, and never ignore warnings—logs are cheap teachers.”

1 System Updates

Daily security checks

# Check available updates (non-interactive)
apt update -qq && apt list --upgradable 2>/dev/null | grep -i security

# Install important security patches ONLY (no full upgrade)
apt install -y --only-upgrade-secure

Pitfall: Running apt upgrade without testing can break services. For production VPS, use unattended-upgrades for security patches only, and schedule full upgrades during maintenance windows.

Tip: Enable automatic security updates: dpkg-reconfigure -plow unattended-upgrades. This keeps your system patched without manual intervention.

Weekly full upgrades

# List packages that will be upgraded first (review changes)
apt list --upgradable

# Perform upgrade with smart conflict resolution
apt upgrade -y

# Remove obsolete packages
apt autoremove -y

Pitfall: Upgrading PHP or major services without checking config compatibility. Always review changelogs: apt changelog <package>.

2 Security Hardening

SSH key-only auth & disable root

# Edit SSH config (/etc/ssh/sshd_config)
# Ensure these lines exist:
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes

# Test config before restart
sshd -t && systemctl restart sshd

Pitfall: Locking yourself out by testing SSH config after applying changes. Always run sshd -t first and keep a backup SSH session open until you confirm the new config works.

Firewall (UFW) essentials

# Default deny, allow SSH, HTTP, HTTPS, and any custom app ports
ufw default deny incoming
ufw default allow outgoing
ufw allow 22/tcp comment 'SSH'
ufw allow 80/tcp comment 'HTTP'
ufw allow 443/tcp comment 'HTTPS'
ufw enable

Fail2Ban for brute force protection

apt install -y fail2ban
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

# Restrict jail.local to SSH only with sensible values
# [sshd]
# enabled = true
# port = ssh
# filter = sshd
# logpath = /var/log/auth.log
# maxretry = 3
# bantime = 3600

systemctl restart fail2ban
fail2ban-client status sshd

3 Backups

Use the 3-2-1 rule: 3 copies, 2 media types, 1 offsite. Automate daily database dumps and weekly full backups.

Database backup example (MySQL/MariaDB)

# /etc/cron.daily/db-backup.sh
#!/bin/bash
BACKUP_DIR="/var/backups/db"
DATE=$(date +%Y%m%d_%H%M%S)
mysqldump --all-databases | gzip > "$BACKUP_DIR/all-$DATE.sql.gz"

# Keep only last 7 daily backups
find "$BACKUP_DIR" -type f -mtime +7 -delete

Filesystem backup to remote (rclone + S3-compatible)

# Install rclone and configure remote (e.g., backblaze b2)
rclone config  # set up 'b2:bucket-name'

# Daily: sync /var/www and /etc to remote
rclone sync /var/www b2:your-bucket/www --progress --backup-dir /var/backups/deleted
rclone sync /etc b2:your-bucket/etc --progress

Pitfall: Not testing restores. Monthly, perform a test restore to a separate VPS to verify your backups are usable.

4 Monitoring & Logs

Essential metrics to track

MetricAlert thresholdCheck command
Disk usage>80%df -h
Memory usage>85%free -h
Load average> cores*2uptime
Failed SSH>5/minfail2ban-client status sshd

Log rotation with logrotate

Create /etc/logrotate.d/custom-app:

/var/log/myapp/*.log {
  daily
  rotate 7
  compress
  delaycompress
  missingok
  notifempty
  size 50M
  postrotate
    systemctl reload myapp.service >/dev/null 2>&1 || true
  endscript
}

Systemd journal size limits

Edit /etc/systemd/journald.conf:

SystemMaxUse=200M
SystemKeepFree=500M
MaxRetentionSec=1week
ForwardToSyslog=no

Restart: systemctl restart systemd-journald

5 Performance Tuning

Kernel parameters for small VPS

# /etc/sysctl.d/99-vps.conf
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_tw_reuse = 1
net.ipv4.ip_local_port_range = 1024 65000
vm.swappiness = 10
vm.vfs_cache_pressure = 50

Apply: sysctl -p /etc/sysctl.d/99-vps.conf

Nginx/Apache tuning for low memory

# For Nginx on ≤1GB RAM:
# /etc/nginx/nginx.conf
events {
    worker_connections 512;
}
http {
    client_max_body_size 10M;
    keepalive_timeout 15;
}

6 Common Pitfalls to Avoid

7 Scheduling Recommendations

FrequencyTask
DailyCheck apt list --upgradable for security updates; monitor disk usage (df -h); verify backup job success
WeeklyApply non-critical updates; review resource usage graphs; check fail2ban bans; rotate application logs
MonthlyFull system upgrade in a maintenance window; test backup restore; review cron logs; update monitoring dashboards
QuarterlyAudit firewall rules and open ports; rotate API keys/secrets; reassess resource sizing; prune Docker images/containers if used

8 When to Upgrade or Change Plans

If you consistently see:

It's time to upgrade your VPS plan or optimize further.

5 Quarterly Audit

Beyond daily and weekly tasks, schedule a deeper audit every quarter to keep your VPS secure and healthy.

Security audit

Review user accounts, sudo privileges, and SSH keys. Remove any unused users and keys.

# List users with UID >= 1000 (regular users)
cut -d: -f1,3,4 /etc/passwd | awk -F: '$3 >= 1000 && $3 < 65534 {print $1}'

# Check sudo privileges
visudo -c && cat /etc/sudoers | grep -v '^#' | grep -v '^$'

# List authorized SSH keys
find /home -name authorized_keys -exec grep -H . {} \; 2>/dev/null
# Check root's authorized_keys if any
cat /root/.ssh/authorized_keys 2>/dev/null | wc -l
Pitfall: Never leave a user with passwordless sudo. Always require a password for privileged operations.

Key rotation

Rotate API keys, database passwords, and SSH keys at least quarterly. Use a password manager to track expiration.

# Generate a new SSH key pair for admin
ssh-keygen -t ed25519 -C "admin@$(hostname)" -f ~/.ssh/admin_ed25519_$(date +%Y%m%d)
# Copy public key to server and remove old key from authorized_keys
ssh-copy-id -i ~/.ssh/admin_ed25519_$(date +%Y%m%d).pub user@host
# Then manually prune old keys from ~/.ssh/authorized_keys

Configuration review

Revisit systemd services, firewall rules, and cron jobs. Drop unused services and close unused ports.

# List enabled services
systemctl list-unit-files --state=enabled
# List listening sockets
ss -tulpn
# List cron jobs for all users
for u in $(cut -f1 -d: /etc/passwd); do echo "$u:"; crontab -u $u -l 2>/dev/null; done

Dependency updates

Check for end-of-life software and plan upgrades (e.g., PHP, MySQL, Node.js). Subscribe to security mailing lists for your stack.

# Check which packages are no longer supported (Ubuntu example)
ubuntu-distro-info --supported
# Or manually check versions
php -v
mysql --version
node --version

Get a Reliable Hostinger VPS →

Frequently asked questions

How often should I update my Hostinger VPS?

Check for security updates daily via apt list --upgradable. Apply important security patches immediately. Schedule full system upgrades weekly or bi-weekly depending on your risk tolerance.

What backup strategy is best for a small VPS?

Use a 3-2-1 approach: 3 copies of data, 2 different media (e.g., local snapshots + remote object storage), 1 offsite copy. Automate daily database dumps and weekly full backups to remote storage (e.g., S3-compatible or Backblaze B2).

How do I monitor VPS resource usage without paying for tools?

Use built-in tools: htop/top for live metrics, uptime-kuma or glances for dashboards, and cron + sar for historical data. Set up simple alerting with systemd email notifications or a free UptimeRobot monitor for HTTP services.

What are the most common VPS security mistakes?

Top mistakes: (1) Using password SSH authentication instead of keys, (2) running services as root, (3) leaving unused ports open, (4) not enabling automatic security updates, (5) skipping regular log reviews. Fix these first.

Should I containerize my apps on a small VPS?

Docker adds overhead (~200MB RAM) and complexity. On VPS with ≤2GB RAM, prefer native systemd services for critical apps. Use Docker only when you need isolation, reproducible builds, or multi-service stacks that benefit from docker-compose.

How do I automate log rotation without filling the disk?

Use logrotate with size-based rotation (e.g., rotate when log reaches 50MB) and keep ≤7 compressed archives. Also configure journald to limit size: SystemMaxUse=200M and MaxRetentionSec=1week. Never keep logs forever on the VPS; ship critical logs to remote storage.

Affiliate disclosure: If you buy through our links, we may earn a commission at no extra cost to you.

Ready to get started with a reliable VPS? Check out Hostinger's VPS plans for affordable, scalable hosting that grows with your projects.

Related reads