I lump all my stuff on a Digital Ocean VM (the smallest one), with nginx as the web server, going to PHP/node/static (depending on the site).
For me, the main security things are:
Lock down SSH
- Don't allow direct access to root account
- Don't use "daniel" as your username, nor your Twitter handle (use something less obvious, e.g. initials)
- Run Fail2ban
- Use a strong password that's unique to that server (big sites regularly get hacked)
- If you can, only use keys to log in, in which case the previous three points are probably somewhat irrelevant.
- Allow only the ports you need (e.g. 22, 80, 443 on TCP)
To me this is a massive hole in security; I'm sure there are guides out there on how to lock it down. Alternatively, use a static site generator and avoid the whole issue (which is what I do).
Of course, run the vendor-provided patches regularly. Also, remember that packages that aren't part of the distro (npm, composer, compiled, WordPress etc.) need updating too.
Have multiple ways of bringing the server back online if anything does get hacked. Most VM providers have some sort of snapshotting backup. Also, if you use some config management (e.g. Ansible) and source pulled from a git repo hosted elsewhere, you should have a pretty quick way to rebuild the server in a hurry.
If you have any problems with config, you can always send me an email.
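The SSH lockdown points above (no root login, keys only) are easy to get wrong because sshd takes the first occurrence of each keyword, so a hardening line appended to the bottom of sshd_config can silently lose to an earlier default. The script below is an added example, not code from the post's author: it audits a config file under that first-wins rule and writes a hardened drop-in (on recent Debian/Ubuntu, /etc/ssh/sshd_config.d/*.conf is Included at the top of sshd_config, which is why a drop-in wins). The file names, the drop-in name and the sample configs are constructed; the audit only looks at the global section before any Match block, which is an assumption for simplicity.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Audits an sshd_config against
# the baseline "PermitRootLogin no, keys only" and emits a hardened drop-in.
# Sample file names and contents are constructed for demonstration.

# Effective value of one sshd keyword. sshd uses the FIRST occurrence of a
# keyword, so later duplicates are ignored. Comments and blank lines are
# skipped; everything from the first Match block on is ignored (assumption:
# only the global section is audited).
sshd_option() {
  local cfg="$1" key
  key=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  awk -v key="$key" '
    /^[[:space:]]*(#|$)/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == key   { print $2; exit }
  ' "$cfg"
}

# Audit one config file. Prints a line per finding and returns 0 when clean,
# 1 otherwise. Unset keywords are judged by the OpenSSH defaults:
# PermitRootLogin prohibit-password, PasswordAuthentication yes,
# PubkeyAuthentication yes.
audit_sshd_config() {
  local cfg="$1" rc=0 v
  v=$(sshd_option "$cfg" PermitRootLogin)
  if [ "${v:-prohibit-password}" != "no" ]; then
    echo "FAIL PermitRootLogin=${v:-unset} (want no)"; rc=1
  fi
  v=$(sshd_option "$cfg" PasswordAuthentication)
  if [ "${v:-yes}" != "no" ]; then
    echo "FAIL PasswordAuthentication=${v:-unset} (want no)"; rc=1
  fi
  v=$(sshd_option "$cfg" PubkeyAuthentication)
  if [ "${v:-yes}" != "yes" ]; then
    echo "FAIL PubkeyAuthentication=$v (want yes)"; rc=1
  fi
  return "$rc"
}

# Write a hardened drop-in into the given directory and print its path.
# In production the directory would be /etc/ssh/sshd_config.d; it is a
# parameter here so the function can be exercised in a scratch directory.
write_hardened_dropin() {
  local out="$1/10-hardening.conf"   # constructed file name
  cat > "$out" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF
  printf '%s\n' "$out"
}

# Demo on constructed files: a "weak" config where PermitRootLogin no was
# appended after an earlier PermitRootLogin yes (so it does not apply), and
# the hardened drop-in, which passes.
demo() {
  local d; d=$(mktemp -d)
  printf 'PermitRootLogin yes\nPasswordAuthentication yes\nPermitRootLogin no\n' > "$d/weak.conf"
  echo "== weak.conf"
  audit_sshd_config "$d/weak.conf" || echo "(not hardened)"
  echo "== hardened drop-in"
  audit_sshd_config "$(write_hardened_dropin "$d")" && echo "OK"
  rm -rf "$d"
}
demo
```

After dropping the file into /etc/ssh/sshd_config.d, run `sshd -t` to syntax-check and `sshd -T | grep -i -E 'permitrootlogin|passwordauthentication'` to confirm the effective values before restarting, and keep an existing session open while you test a fresh key-based login so a mistake does not lock you out.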