Unpatched software is the number one attack vector for VPS compromises. Yet many server owners skip updates out of fear of breaking something. Here's how to stay secure without breaking your applications.
The Cost of Not Patching
| Vulnerability | Time to Exploit |
|---|---|
| Published CVE (critical) | Hours to days |
| Known WordPress exploit | Days |
| Outdated PHP version | Weeks (ongoing risk) |
| Outdated kernel | Weeks to months |
Attackers scan for unpatched servers automatically. Your VPS will be found.
Automatic Security Updates
Ubuntu/Debian Unattended Upgrades
sudo apt install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades
Configure what gets auto-updated:
# /etc/apt/apt.conf.d/50unattended-upgrades
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}-security";
"${distro_id}ESMApps:${distro_codename}-apps-security";
};
Unattended-Upgrade::Mail "you@email.com";
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "false";
| Setting | Recommendation |
|---|---|
| Security updates | Auto-install (safe) |
| Regular updates | Manual review |
| Auto-reboot | Off (reboot manually during maintenance) |
| Email notifications | On |
| Remove unused packages | On |
Manual Update Strategy
Weekly Update Routine
# Check for updates
sudo apt update
# List upgradable packages
apt list --upgradable
# Read changelogs for important packages
apt changelog nginx
# Apply updates
sudo apt upgrade -y
# Check if reboot is needed
[ -f /var/run/reboot-required ] && echo "Reboot needed"
Application-Level Updates
| Software | Update Method | Frequency |
|---|---|---|
| WordPress core | wp-cli or admin panel | Check weekly |
| WordPress plugins | wp-cli or admin panel | Check weekly |
| Node.js packages | npm audit, npm update | Check weekly |
| Python packages | pip list --outdated | Check monthly |
| Docker images | docker pull, rebuild | Check weekly |
Kernel Updates
Kernel updates require a reboot. Plan them:
# Check current kernel
uname -r
# Check if newer kernel is available
apt list --installed 2>/dev/null | grep linux-image
# Reboot during maintenance window
sudo reboot
Live Kernel Patching
For servers that can't afford reboots:
# Ubuntu Livepatch
sudo snap install canonical-livepatch
sudo canonical-livepatch enable TOKEN
Live patching applies critical kernel fixes without rebooting. Not all patches work this way, but critical security fixes usually do.
Before Updating
| Step | Why |
|---|---|
| Check backup is recent | Recovery if update breaks something |
| Review changelog | Understand what's changing |
| Test on staging (if available) | Catch issues before production |
| Schedule maintenance window | Minimize impact |
| Notify users (if applicable) | Set expectations |
After Updating
# Verify services are running
sudo systemctl status nginx
sudo systemctl status mysql
sudo systemctl status php8.1-fpm
# Check for errors in logs
journalctl -p err --since "1 hour ago"
# Test your application
curl -s -o /dev/null -w "%{http_code}" https://yoursite.com
Update Schedule Recommendation
| Update Type | Frequency | Auto/Manual |
|---|---|---|
| Security patches (OS) | ASAP (auto) | Automatic |
| Regular OS updates | Weekly | Manual |
| Application updates | Weekly | Manual |
| Kernel updates | Monthly | Manual (requires reboot) |
| Major version upgrades | Yearly | Planned manual |
Monitoring for Vulnerabilities
# Check for known vulnerabilities in installed packages
sudo apt install debsecan
debsecan --suite $(lsb_release -cs)
Set up email alerts for critical CVEs affecting your software stack.
Keeping your Space-Node VPS patched is your responsibility, but the KVM virtualization and modern hardware make updates and reboots fast. No shared-kernel limitations that delay patches.
