Updated: May 26, 2026 · 14 min read
Hostinger VPS Maintenance Checklist (2026 Guide)
A well-maintained VPS stays secure, fast, and cheap to run. Neglecting maintenance leads to security breaches, performance degradation, and costly emergency fixes. This checklist gives you concrete commands, realistic scheduling, and pitfalls to avoid—no fluff.
1 System Updates
Daily security checks
# Check available updates (non-interactive)
apt update -qq && apt list --upgradable 2>/dev/null | grep -i security
# Install important security patches ONLY (no full upgrade)
apt install -y --only-upgrade-secure
Pitfall: Running apt upgrade without testing can break services. For production VPS, use unattended-upgrades for security patches only, and schedule full upgrades during maintenance windows.
dpkg-reconfigure -plow unattended-upgrades. This keeps your system patched without manual intervention.
Weekly full upgrades
# List packages that will be upgraded first (review changes)
apt list --upgradable
# Perform upgrade with smart conflict resolution
apt upgrade -y
# Remove obsolete packages
apt autoremove -y
Pitfall: Upgrading PHP or major services without checking config compatibility. Always review changelogs: apt changelog <package>.
2 Security Hardening
SSH key-only auth & disable root
# Edit SSH config (/etc/ssh/sshd_config)
# Ensure these lines exist:
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
# Test config before restart
sshd -t && systemctl restart sshd
Pitfall: Locking yourself out by testing SSH config after applying changes. Always run sshd -t first and keep a backup SSH session open until you confirm the new config works.
Firewall (UFW) essentials
# Default deny, allow SSH, HTTP, HTTPS, and any custom app ports
ufw default deny incoming
ufw default allow outgoing
ufw allow 22/tcp comment 'SSH'
ufw allow 80/tcp comment 'HTTP'
ufw allow 443/tcp comment 'HTTPS'
ufw enable
Fail2Ban for brute force protection
apt install -y fail2ban
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
# Restrict jail.local to SSH only with sensible values
# [sshd]
# enabled = true
# port = ssh
# filter = sshd
# logpath = /var/log/auth.log
# maxretry = 3
# bantime = 3600
systemctl restart fail2ban
fail2ban-client status sshd
3 Backups
Use the 3-2-1 rule: 3 copies, 2 media types, 1 offsite. Automate daily database dumps and weekly full backups.
Database backup example (MySQL/MariaDB)
# /etc/cron.daily/db-backup.sh
#!/bin/bash
BACKUP_DIR="/var/backups/db"
DATE=$(date +%Y%m%d_%H%M%S)
mysqldump --all-databases | gzip > "$BACKUP_DIR/all-$DATE.sql.gz"
# Keep only last 7 daily backups
find "$BACKUP_DIR" -type f -mtime +7 -delete
Filesystem backup to remote (rclone + S3-compatible)
# Install rclone and configure remote (e.g., backblaze b2)
rclone config # set up 'b2:bucket-name'
# Daily: sync /var/www and /etc to remote
rclone sync /var/www b2:your-bucket/www --progress --backup-dir /var/backups/deleted
rclone sync /etc b2:your-bucket/etc --progress
Pitfall: Not testing restores. Monthly, perform a test restore to a separate VPS to verify your backups are usable.
4 Monitoring & Logs
Essential metrics to track
| Metric | Alert threshold | Check command |
|---|---|---|
| Disk usage | >80% | df -h |
| Memory usage | >85% | free -h |
| Load average | > cores*2 | uptime |
| Failed SSH | >5/min | fail2ban-client status sshd |
Log rotation with logrotate
Create /etc/logrotate.d/custom-app:
/var/log/myapp/*.log {
daily
rotate 7
compress
delaycompress
missingok
notifempty
size 50M
postrotate
systemctl reload myapp.service >/dev/null 2>&1 || true
endscript
}
Systemd journal size limits
Edit /etc/systemd/journald.conf:
SystemMaxUse=200M
SystemKeepFree=500M
MaxRetentionSec=1week
ForwardToSyslog=no
Restart: systemctl restart systemd-journald
5 Performance Tuning
Kernel parameters for small VPS
# /etc/sysctl.d/99-vps.conf
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_tw_reuse = 1
net.ipv4.ip_local_port_range = 1024 65000
vm.swappiness = 10
vm.vfs_cache_pressure = 50
Apply: sysctl -p /etc/sysctl.d/99-vps.conf
Nginx/Apache tuning for low memory
# For Nginx on ≤1GB RAM:
# /etc/nginx/nginx.conf
events {
worker_connections 512;
}
http {
client_max_body_size 10M;
keepalive_timeout 15;
}
6 Common Pitfalls to Avoid
- Running everything as root – create a dedicated user for each service.
- Skipping SSL renewal tests – test certbot renewal with
certbot renew --dry-runmonthly. - Hardcoding IPs in configs – use domain names; your IP may change.
- Forgetting to monitor cron failures – set
[email protected]in crontabs. - Letting snapshots pile up – old snapshots prevent space reclamation; prune weekly.
7 Scheduling Recommendations
| Frequency | Task |
|---|---|
| Daily | Check apt list --upgradable for security updates; monitor disk usage (df -h); verify backup job success |
| Weekly | Apply non-critical updates; review resource usage graphs; check fail2ban bans; rotate application logs |
| Monthly | Full system upgrade in a maintenance window; test backup restore; review cron logs; update monitoring dashboards |
| Quarterly | Audit firewall rules and open ports; rotate API keys/secrets; reassess resource sizing; prune Docker images/containers if used |
8 When to Upgrade or Change Plans
If you consistently see:
- Memory usage >85%
- Swap usage >0 (a sign of RAM pressure)
- Load average > number of CPU cores for extended periods
- Disk usage growing >5GB/month with no cleanup plan
It's time to upgrade your VPS plan or optimize further.
5 Quarterly Audit
Beyond daily and weekly tasks, schedule a deeper audit every quarter to keep your VPS secure and healthy.
Security audit
Review user accounts, sudo privileges, and SSH keys. Remove any unused users and keys.
# List users with UID >= 1000 (regular users)
cut -d: -f1,3,4 /etc/passwd | awk -F: '$3 >= 1000 && $3 < 65534 {print $1}'
# Check sudo privileges
visudo -c && cat /etc/sudoers | grep -v '^#' | grep -v '^$'
# List authorized SSH keys
find /home -name authorized_keys -exec grep -H . {} \; 2>/dev/null
# Check root's authorized_keys if any
cat /root/.ssh/authorized_keys 2>/dev/null | wc -l
Key rotation
Rotate API keys, database passwords, and SSH keys at least quarterly. Use a password manager to track expiration.
# Generate a new SSH key pair for admin
ssh-keygen -t ed25519 -C "admin@$(hostname)" -f ~/.ssh/admin_ed25519_$(date +%Y%m%d)
# Copy public key to server and remove old key from authorized_keys
ssh-copy-id -i ~/.ssh/admin_ed25519_$(date +%Y%m%d).pub user@host
# Then manually prune old keys from ~/.ssh/authorized_keys
Configuration review
Revisit systemd services, firewall rules, and cron jobs. Drop unused services and close unused ports.
# List enabled services
systemctl list-unit-files --state=enabled
# List listening sockets
ss -tulpn
# List cron jobs for all users
for u in $(cut -f1 -d: /etc/passwd); do echo "$u:"; crontab -u $u -l 2>/dev/null; done
Dependency updates
Check for end-of-life software and plan upgrades (e.g., PHP, MySQL, Node.js). Subscribe to security mailing lists for your stack.
# Check which packages are no longer supported (Ubuntu example)
ubuntu-distro-info --supported
# Or manually check versions
php -v
mysql --version
node --version
Get a Reliable Hostinger VPS →
Frequently asked questions
How often should I update my Hostinger VPS?
Check for security updates daily via apt list --upgradable. Apply important security patches immediately. Schedule full system upgrades weekly or bi-weekly depending on your risk tolerance.
What backup strategy is best for a small VPS?
Use a 3-2-1 approach: 3 copies of data, 2 different media (e.g., local snapshots + remote object storage), 1 offsite copy. Automate daily database dumps and weekly full backups to remote storage (e.g., S3-compatible or Backblaze B2).
How do I monitor VPS resource usage without paying for tools?
Use built-in tools: htop/top for live metrics, uptime-kuma or glances for dashboards, and cron + sar for historical data. Set up simple alerting with systemd email notifications or a free UptimeRobot monitor for HTTP services.
What are the most common VPS security mistakes?
Top mistakes: (1) Using password SSH authentication instead of keys, (2) running services as root, (3) leaving unused ports open, (4) not enabling automatic security updates, (5) skipping regular log reviews. Fix these first.
Should I containerize my apps on a small VPS?
Docker adds overhead (~200MB RAM) and complexity. On VPS with ≤2GB RAM, prefer native systemd services for critical apps. Use Docker only when you need isolation, reproducible builds, or multi-service stacks that benefit from docker-compose.
How do I automate log rotation without filling the disk?
Use logrotate with size-based rotation (e.g., rotate when log reaches 50MB) and keep ≤7 compressed archives. Also configure journald to limit size: SystemMaxUse=200M and MaxRetentionSec=1week. Never keep logs forever on the VPS; ship critical logs to remote storage.
Affiliate disclosure: If you buy through our links, we may earn a commission at no extra cost to you.
Ready to get started with a reliable VPS? Check out Hostinger's VPS plans for affordable, scalable hosting that grows with your projects.