Then install fail2ban and logwatch (to monitor effectiveness of other security)

- the root shouldn’t be allowed to login via SSH. There’s an option within the SSH server configuration file (usually /etc/ssh/sshd_config): PermitRootLogin no (by default yes). Instead use an intermediate account that can execute the su command.

- sudo shouldn’t be installed onto production servers. While it provides a mode comfortable way of running root commands, it actually is a security risk as it can provide privilege escalation.

- go beyond the package management system if the software provided by the repositories is too old. RHEL & friends have PHP 5.1.6 for example. The main services (such as web server, dynamic language interpreter, database server) have priority if that’s the usage intention. The rest of the system can be upgraded via standard package management tools.

I’d go against auto-updating an OS, except running stuff like apt-get update from Debian & friends which updates just the package list. I would go with a cron notification when the updates are available, but not with an auto-update since the custom configuration files may break during an auto update, or the newer version of the software may break with the old configuration files. It’s not a common situation, but it can happen.

My mind was focused on hacking a VPS to gain root access.

Obviously most of the sites get hacked by exploiting scripts vulnerabilities.