Securing SSH on VPS (for web design)

admin

The biggest security hole of a web server on a VPS is probably the default SSH setting, because a hacker can use the known user "root" (with all its permissions) for a brute-force attack on its password.

The main trouble is that you need remote access to your server (what would be the point of a web server on a VPS without Bash access?). The safe workaround is to create another user account without root's permissions and access the system using it, while closing root's SSH access.

1. Create a new user

> sudo useradd -d /home/SOME_NICE_USERNAME -m SOME_NICE_USERNAME
> sudo passwd SOME_NICE_USERNAME

 

2. Disable root's SSH access

Edit the file /etc/ssh/sshd_config and change 'yes' to 'no' on the 'PermitRootLogin' line.

Restart SSH:

> sudo /etc/init.d/sshd restart

 

3. Disable FTP access for new user

No matter how unlikely it is that a hacker will figure out a completely new username and password combination, things happen. To prevent a situation where somebody can freely download (without root permissions) your hidden settings and data, disable FTP access for your new user. You can do this by adding its username to the file /etc/ftpd/ftpusers.

 

DONE

Now you can access your server using:

> ssh SERVER_IP -l SOME_NICE_USERNAME

And get root permissions when needed using:

> su
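
To confirm that steps 2 and 3 took effect, the following script (an added example, not part of the original post) reads an sshd_config and an ftpusers file and reports whether root login is disabled globally and whether the new user is denied FTP. The function names and the sample file contents are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: audits steps 2 and 3 above. File paths are arguments, so the
# checks can run against copies. "Include" files are not followed.

# Print the global PermitRootLogin value that sshd would use.
# sshd keeps the first value it reads for a keyword, keywords are
# case-insensitive, and everything after a "Match" line is conditional.
effective_permit_root_login() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # comments and blank lines
        { sub(/[ \t]*=[ \t]*/, " ") }           # "Keyword=value" form
        tolower($1) == "match" { exit }         # global section ends here
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Succeed if USER ($1) is listed in the ftpusers-style deny file ($2).
ftp_denied() {
    awk -v u="$1" '
        { sub(/#.*/, ""); gsub(/[ \t\r]/, "") } # strip comments and whitespace
        $0 == u { hit = 1; exit }
        END { exit !hit }
    ' "$2"
}

# audit SSHD_CONFIG FTPUSERS USERNAME; exit status is the number of failed checks.
audit() {
    fails=0
    val=$(effective_permit_root_login "$1")
    if [ "$val" = "no" ]; then echo "OK   PermitRootLogin no"
    else echo "FAIL PermitRootLogin is '$val'"; fails=$((fails + 1)); fi
    if ftp_denied "$3" "$2"; then echo "OK   $3 is denied FTP"
    else echo "FAIL $3 is not listed in $2"; fails=$((fails + 1)); fi
    return "$fails"
}

# Constructed sample files (not taken from a real server).
demo=$(mktemp -d)
printf '%s\n' '#PermitRootLogin yes' 'Port 22' 'permitrootlogin no' \
    'Match User backup' '    PermitRootLogin yes' > "$demo/sshd_config"
printf '%s\n' '# users denied FTP login' 'root' > "$demo/ftpusers"
audit "$demo/sshd_config" "$demo/ftpusers" SOME_NICE_USERNAME ||
    echo "$? check(s) failed"
```

On a live server, `sshd -t` checks the configuration for syntax errors before the restart, and `sshd -T` prints the settings sshd will actually apply.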