How to Set Up a VPS (2026): Beginner Walkthrough

Updated 2026-06-14 · Written by a DevOps engineer who has done this hundreds of times · Independent affiliate site (disclosure)

The short version: To set up a VPS, create a server in your provider's console (we use Hetzner Cloud CX22 with Ubuntu 24.04), add your SSH public key, then log in with ssh root@YOUR_SERVER_IP. Update the system, create a sudo user, set up SSH key auth, disable password and root login, enable the UFW firewall on ports 22, 80, and 443, install fail2ban, and turn on automatic security upgrades. Total time: about 30 minutes.

This is the guide I wish I had when I built my first server. I run production WordPress and app workloads on Hetzner, Cloudways, and Hostinger, and I have spun up a new VPS more times than I can count. Below is the exact sequence I use on every fresh box, written so a first-timer can follow it line by line. We do it on a Hetzner Cloud CX22 running Ubuntu 24.04 LTS, the cheapest plan I trust for real work at EUR 4.50 per month, but the commands are identical on any Ubuntu 24.04 VPS from any provider.

What you need

If you would rather not run any of these commands yourself, jump to Skip the manual work for the managed and panel-driven alternatives. Otherwise, start at step 1.

1. Pick a plan and a provider

For a first VPS I recommend the Hetzner Cloud CX22: 4 GB RAM, 2 shared vCPU, 40 GB NVMe, and 20 TB of traffic for EUR 4.50 per month. That is enough headroom for a WordPress site, a small app, a Discord bot, or a handful of Docker containers, and the NVMe disk is genuinely fast (we measure around 38,000 random read IOPS on a fresh box). For the full ranked list with alternatives, see our best cheap VPS hosting guide.

Two honest alternatives if a raw Linux server is not your thing. Hostinger gives you a control panel that walks you through setup and a free domain in year one, which suits a first-timer who wants buttons instead of a terminal. Cloudways is fully managed, so you never touch SSH at all. Both are covered in the CTA further down. If you are going the Hetzner route, create your account, then move to step 2.

2. Generate an SSH key on your computer

An SSH key is a cryptographic pair: a private key that stays on your machine and a public key you hand to the server. It replaces passwords entirely, which is both more secure and more convenient. Generate one in your local terminal (skip this if you already have ~/.ssh/id_ed25519.pub). 

ssh-keygen -t ed25519 -C "your-email@example.com"
# Press Enter to accept the default path (~/.ssh/id_ed25519)
# Set a passphrase when prompted (recommended)

# Print the PUBLIC key so you can copy it into Hetzner:
cat ~/.ssh/id_ed25519.pub

Copy the full line that starts with ssh-ed25519. That is your public key. Never share or paste the private key (the file without .pub).

3. Create the server in the Hetzner console

Log in to the Hetzner Cloud console and follow these clicks:

  1. Create a new project (call it something like "personal" or your site name) and open it.
  2. Click Add Server.
  3. Location: pick the datacenter closest to your audience. Falkenstein or Nuremberg for EU, Ashburn or Hillsboro for the US.
  4. Image: choose Ubuntu 24.04.
  5. Type: select the Shared vCPU tab and pick CX22.
  6. SSH keys: click Add SSH key and paste the public key you copied in step 2. This is the part most beginners skip, and it is the part that makes the whole setup secure from the first boot.
  7. Name: give the server a hostname, then click Create & Buy now.

The server boots in under a minute. Copy its public IPv4 address from the console; you need it for the next step. (Hetzner now charges roughly EUR 0.50 per month for the dedicated IPv4, which is included by default.)

4. Log in over SSH as root (first time only)

Back in your local terminal, connect to the server. Replace YOUR_SERVER_IP with the IPv4 address from the console. Because you uploaded your SSH key during creation, you log in with no password. 

ssh root@YOUR_SERVER_IP
# The first time, accept the host fingerprint by typing: yes

If you set a passphrase on your key, your computer asks for it now (that is the key's passphrase, not a server password). You should land at a prompt like root@your-hostname:~#. You are in. This is the only time we log in as root.

5. Update the system

A fresh image is rarely fully patched. Pull the latest security updates before anything else. 

apt update && apt upgrade -y

If the output mentions a new kernel, reboot with reboot, wait about 30 seconds, then reconnect with the same ssh root@YOUR_SERVER_IP command.

6. Create a sudo user

Running as root all day is how accidents become disasters. Create a normal user with sudo rights and use it for everything from now on. I name mine deploy; pick any name you like. 

adduser deploy
# Set a strong password and press Enter through the contact fields

usermod -aG sudo deploy

The usermod line adds deploy to the sudo group, which lets it run admin commands by prefixing them with sudo.

7. Copy your SSH key to the new user

Right now only root can log in with your key. Copy the authorized key over to deploy so you can SSH in as the new user, then fix the ownership. 

rsync --archive --chown=deploy:deploy ~/.ssh /home/deploy

Now test it before you change anything else. Open a second terminal window (leave the root session open as a safety net) and confirm the new user works: 

ssh deploy@YOUR_SERVER_IP

If that drops you at deploy@your-hostname:~$, you are good. Do not close the root session until the next step is finished and verified, otherwise a typo could lock you out.

8. Disable password login and root SSH

Public IP addresses get scanned and brute-forced within minutes of booting. Key-only login plus no root over SSH closes that door. From your deploy session, drop a small override file (cleaner than editing the main config) and restart SSH. 

sudo tee /etc/ssh/sshd_config.d/99-hardening.conf > /dev/null <<'EOF'
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
EOF

sudo systemctl restart ssh

Test once more from a fresh terminal: ssh deploy@YOUR_SERVER_IP should still work, and ssh root@YOUR_SERVER_IP should now be refused. Only after confirming the deploy login works should you close the original root window.

9. Enable the UFW firewall

UFW (Uncomplicated Firewall) ships with Ubuntu. The plan is simple: block everything inbound by default, then open only SSH (22), HTTP (80), and HTTPS (443). 

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable
# Type y to confirm

sudo ufw status verbose

Make sure port 22 is in the allow list before you run ufw enable, or you will firewall yourself out of your own server. If you change SSH to a non-standard port later, open that port first.

10. Install fail2ban

fail2ban reads the authentication log and temporarily bans any IP that racks up failed logins. With key-only auth your exposure is already small, but fail2ban cuts the log noise and stops password-spray bots cold. 

sudo apt install -y fail2ban
sudo systemctl enable --now fail2ban

# Confirm the ssh jail is active:
sudo fail2ban-client status sshd

Ubuntu's default jail already protects SSH. You can tune ban times later, but the defaults are sane for a first server.

11. Turn on automatic security upgrades

The last baseline step keeps the box patched without you logging in. unattended-upgrades installs security updates on a schedule. 

sudo apt install -y unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades
# Choose "Yes" when asked to enable automatic updates

That is the secure floor. Your VPS now has key-only SSH, no root login, a firewall, brute-force protection, and automatic patching. From here you install whatever your project needs: Nginx, PHP, MariaDB, Redis, Node.js, Docker, or a one-line WordPress stack. The deeper how-tos are linked at the bottom.

Common mistakes (and how to avoid them)

Skip the manual work

Not everyone wants to run eleven steps in a terminal, and that is a legitimate choice. There are two good escape hatches.

If you want a control panel that does the setup for you but still on a real VPS, Hostinger's KVM VPS ships a guided panel, one-click app installs, and a free domain in year one. It is the gentlest on-ramp for a first-timer who would rather click than type.

If you never want to touch server administration at all, Cloudways is fully managed: it handles OS updates, server hardening, free SSL, daily backups, and a one-click WordPress and cache stack on top of providers like DigitalOcean and Vultr. You get a VPS without ever opening an SSH session. It costs more than raw Hetzner, and that premium buys back your time.

For the technically comfortable, doing it by hand on Hetzner is still the best value, and you now have the full recipe above.

FAQ

How do I set up a VPS for the first time?

Create a server in your provider's console (we use Hetzner Cloud CX22 with Ubuntu 24.04), add your SSH public key, then log in with ssh root@YOUR_SERVER_IP. From there: update the system, create a sudo user, copy your SSH key to that user, disable password and root SSH login, enable the UFW firewall for ports 22, 80, and 443, install fail2ban, and turn on unattended security upgrades. The whole process takes about 30 minutes.

Which VPS is best for beginners?

Hetzner Cloud CX22 at EUR 4.50 per month (4 GB RAM, 2 shared vCPU, 40 GB NVMe, 20 TB traffic) is the best value if you are comfortable in a terminal. If you want a control panel that holds your hand, Hostinger's KVM VPS is the panel-driven beginner pick. If you do not want to administer a server at all, Cloudways is fully managed and handles updates, backups, and SSL for you.

Should I log in to a VPS as root?

Only for the very first login. The root account has unlimited power, so you should create a regular user with sudo rights, copy your SSH key to it, and then disable root SSH login entirely. After that you run admin commands with sudo from your normal account, which gives you an audit trail and prevents an exposed root account from being brute-forced.

How do I secure a new VPS?

The baseline is five steps: use SSH key authentication and disable password login, disable root SSH login, enable a firewall (UFW) that allows only ports 22, 80, and 443, install fail2ban to block repeated failed logins, and turn on unattended-upgrades so security patches apply automatically. That stops the overwhelming majority of automated attacks. See our full guide on how to secure a VPS for the next layer.

What operating system should I use on a VPS?

Ubuntu 24.04 LTS is the safest default for a first VPS. It is a long-term support release with five years of security updates, the largest pool of tutorials, and packages for nearly every stack. Debian 12 is a leaner alternative if you want fewer moving parts, and AlmaLinux or Rocky Linux suit teams that need RHEL compatibility.

Do I need to know Linux to run a VPS?

For an unmanaged VPS like Hetzner you need to be comfortable running a handful of terminal commands, which this guide walks through line by line. If you would rather not touch a terminal at all, a managed host like Cloudways or a panel-driven host like Hostinger does the server administration for you, at a higher monthly price.

How long does it take to set up a VPS?

Creating the server in the Hetzner console takes under a minute. The secure baseline (sudo user, SSH key auth, disabling root and password login, firewall, fail2ban, automatic updates) takes about 30 minutes the first time, and roughly 10 minutes once you have done it before. Installing your actual stack (web server, database, app) is separate and depends on what you are hosting.