We recently worked with a small but growing marketing firm based in Putney, South-West London, that reached out with a concern many businesses overlook—cloud security.

They weren’t experiencing a full-blown breach, but they’d received reports that phishing emails were being spoofed using their company’s domain, and that was more than enough of a wake-up call. They host client files, live websites, and manage emails through a self-managed VPS (Virtual Private Server), but it had never been professionally secured. That’s where we came in.

What They Were Dealing With

From the outside, everything seemed to be running fine—but under the hood, there were cracks. The firm had set up their VPS quickly through a popular hosting provider. Over time, as their team and client list grew, they simply added more services to it—new websites, marketing files, branded email aliases—without revisiting the server’s setup or security.

Some of the red flags we identified early on included:

• Remote access open to everyone (RDP and SSH were exposed with no IP whitelisting)

• Admin panel using default usernames and no two-factor authentication

• No SPF, DKIM, or DMARC DNS records, leaving their email wide open to spoofing

• Backups? None.

• Antivirus or real-time server monitoring? Not a thing.

It wasn’t malicious intent that led them here—it’s just how small teams often operate when IT isn’t their core business.

Our Approach: One Layer at a Time

We approached this project the way we’d treat securing a home that had never had a lock installed. Everything needed to be layered—from the front door, to the windows, to the valuables inside.

Here’s what we helped them do:

1. Locked Down Remote Access: We configured the firewall (UFW) to allow remote logins only from office IPs. We also disabled root login and set up new secure users.

2. Closed Unused Ports: FTP, Telnet, and a few other services were running by default. We shut them down.

3. Secured the Admin Panel: We moved the login URL to a custom, hard-to-guess path and enforced strong password policies.

4. Set Up SSL Properly: Not just for the main site, but for all subdomains. We used Let’s Encrypt with auto-renewals.

5. Email Authentication: We added SPF, DKIM, and DMARC records. This immediately helped with spoofing issues and improved deliverability to Gmail and Outlook inboxes.

6. Backups & Monitoring: Installed a scheduled backup solution that pushes encrypted backups offsite nightly. Also configured server health alerts (disk space, login attempts, uptime) to notify their team via email and Slack.

7. Installed Intrusion Protection: Tools like Fail2Ban were set up to block any suspicious or repeated failed login attempts

The Outcome: Stronger Security, Peace of Mind

By the time we wrapped up, their VPS had gone from “bare minimum” to robust and hardened. Their email reputation improved within a week, and they now have daily backups they can restore with a click if something goes wrong.

More importantly, the business owners felt in control again. No more wondering if their server was vulnerable, or if a client might lose trust due to spoofed emails. They knew exactly how their infrastructure worked—and how to maintain it.

What This Teaches Us

Too often, businesses treat cloud hosting like it’s “set and forget.” You spin up a server, install a few things, and move on. But unmanaged servers are your responsibility, and if you’re not patching, locking down ports, and monitoring access, it’s just a matter of time before something happens.

Here’s the reality:

• Email spoofing is often due to simple DNS misconfigurations

• Open ports can be an open invitation for automated attacks

• No backups = huge risk

• Most issues are preventable if you have the right processes in place

Easy Wrap

If you’re running a self-managed VPS, it’s worth taking a hard look at how secure it actually is. At PcMacgicians, we help businesses of all sizes build reliable, protected hosting setups—from new deployments to hardening existing ones. If you’re not sure whether your setup is secure, we’ll help you find out—and fix it before the worst happens.