HestiaCP - make it secure

Hi. I am not a total newbie (I have some Linux experience and I know how to install Hestia), but is there a particular guide to make Hestia safe? After install, do I have to make additional changes or edits to make Hestia secure? I would love to host some basic WordPress websites from my VPS, but I am not sure if I have to install ClamAV at all (if I know how to secure WordPress)? I was searching for a guide which explains these steps, but I was unable to find anything, so that is why I am starting a new forum post. Thank you!

Hi @outwork

Basically Hestia is built as secure as possible; there is nothing additional you need to do (probably enable Let’s Encrypt, http/https forward and HSTS - also SSL for the mail domain makes it more secure)

Thank you for your answer @Raphael! Do you recommend installing ClamAV for simple WordPress websites (a few portfolio websites)? I am on the smallest Hetzner package (1 vCPU, 2 GB memory) and ClamAV eats a lot of memory. So is it recommended in my case, or can I live without it? Thank you once again

ClamAV is much more related to checking mails and their attachments; I’d say you can probably easily live without it in a lot of cases. For securing WordPress, rather look into something like Wordfence …


This is my memory usage in the same hetzner package:

I’d say changing your admin port number is a good start

Not related to security, but to help keep clamav happy, I’d suggest setting up a swapfile.

Careful with the swap file! Its purpose is to provide some slack when a program temporarily requests more RAM than what is available at that moment. If a program is constantly using lots of RAM (like ClamAV), you need to use a server with more RAM, otherwise the server is going to swap a lot and because of that it will become slow.

Also please note that VPS servers based on OpenVZ virtualization won’t let you create a swap file. If the provider does not offer swap, then you can’t add it yourself.


Sorry to resurrect this post, but in my case, enabling Let’s Encrypt, http/https forward and HSTS doesn’t make the panel secure. It still says in the browser that it is an insecure connection, and if using Chrome, it won’t even allow me to access the panel. I have to go through Firefox.
Any thoughts?

Please check https://docs.hestiacp.com/admin_docs/ssl_certificates.html to enable LetsEncrypt on hostname…

@eris - Thank you for your help. I see that step now in the documentation.
For others that may be new like me, checking “Enable SSL for this domain” and its subsequent checkboxes from within the hestia panel on your primary domain doesn’t secure the panel.
You need to follow the extra documented step that @eris has pointed out.

If you don’t mind me asking, is there a preferred order to this? Do you enable SSL/lets-encrypt/etc. from within Hestia first on your primary domain, and then run the bin command via ssh, or is the reverse of that the better way?

It seems to have worked for me via the first option - (due to my missing the bin command entirely at first).

Thank you again and have a great day.

Most Sincerely,

The “preferred” method is to do it during install, but that is currently not possible.

I do normally 2 step after install via SSH (After reboot)