First, security is a process, not a state.
In order for the system to be more or less secure, you need to:
- be aware of existing vulnerabilities in the software you use (at least follow ubuntu security notices )
- install updates
- use fairly strong passwords and change them periodically
- disable unused services
- if possible, limit as much as possible network access (for example, do not put mysql on public display)
- disable unused modules, plugins, extensions, features, etc.
- make backups
- always strictly observe the principle of minimum privileges
- do not connect to the server from unreliable systems (connecting from a home desktop where kids play pirated games, and you watch "porn online free without sms" is not a good idea).
These rather simple KO-style tips actually give almost 100% protection against "automatic" hacks (meaning bots that scan everything in search of vulnerable systems and Trojans that pull out saved passwords). Everything else depends more on your code than on any settings.

Use vestap. Everything is configured from the package. The only hosting panel that does not induce quiet horror in the system (does not deliver a ton of garbage libraries and does not store configs following alien logic) - everything is laid out on the shelves.

Just recently I came across an article - stf-life.livejournal.com/88634.html

In general, to keep it simple, there is a puphpet.com generator that generates a server skeleton for Vagrant as well as for DigitalOcean .
There you can completely customize the server you want. With all php+mysql etc. etc.
Try )

What's the problem? Are you afraid that your passwords will be stolen? use fail2ban. Otherwise, without specific questions, go to Google with the request "vps security tips"

in fact, the question is important, but you won’t get a practical answer here, because. There are a lot of articles on this topic, for example, my server was hacked, through a vulnerability in elastisearch (badly configured), and digitalocean closed the server and said do another one. I will add, switch to DO for sure, and immediately after the server is fully configured, make an initial spanshot, but in general it will be cool if you also enable backups.

I am a pohape programmer and in setting up servers I think at the level of "Apache is e capatal o grit brit", but that's not the point. There are tons of manuals for setting up a bunch of Apache muscle and php in the internet. I used one of them and I have apache2+php5.5+muscle koito version+nodeJS and goodies like php may admin xdebugger for dev versions of things. It was difficult in subtleties such as how to make htaccess work, but I successfully coped with them. Leave the hoster and the skill will start sharpening;)

"I place sites in the home directory of the created user" and how did you do it? I raised something similar from the default options to DO, where the normal directory is set by itself. I had a couple of questions about how to fasten a secure enough ftp, it was not there by default, so there were several posts about this on the forum of the same DO, if you have a site in your home directory due to some dancing with a tambourine, then try to find there is a tutorial on how to do it in the right way.

Have you looked at their site? :)
https://www.digitalocean.com/community/tutorials/

Just use any more or less adequate panel.
I recommend ISPManager. Installed once and will continue to use your server as a familiar hosting.

In general, I recommend that you do not configure anything yourself, but turn to freelancing. You can’t even imagine how many people for $ 10 an hour, they know the whole kitchen by heart!
And it is better to spend your time on things more important than communication with iron.

If you have time, you can read the PCI DSS security standard. Much will probably be excessive for your conditions, but it will give a clear idea of ​​\u200b\u200bhow good security should be.
As for setting up a VPS for $ 10, I doubt that an intelligent person will undertake it. I recently undertook to do such work, I set up a website for 1 host with wordpress, I did it according to my already worked out templates on debian/ubuntu. The process took about 1.5 hours and the cost was $30. Everyone is happy.
Perhaps I sold it, on the other hand, $ 20 / hour - in my opinion, it's normal.

as written above, install vestacp , installed with one command, everything works out of the box, then google about setting up iptables, more than enough for the base

This is how I solved the hosting problem for myself. I bought a perpetual license for the ISP manager panel. From my friends https://ru-tld.ru/soft-ispsystem/
Put it on centos. The server itself is in the hetzner, but there is no difference, it's still on the same virtual machine as in DO.
I had to struggle a little with the installation, but they helped me. Now without problems I create a DB, Domains even ftp accounts. In general, there is everything you need. I'm not sure that everything is good there with security, but for me it's not critical at the moment.

Here is a simple and affordable instruction for setting up a web server on DigitalOcean - Web server on CentOS