So far, the roots way has helped us create amazing websites:
sage->bedrock->trellis
But what about maintenance? I’d love to hear what’s your approach on this subject.
Nowadays we can have one VPS server per website with little to mantain: LXMP stack and Wordpress+plugins.
Do you do it yourself or handle it to some company?
I personally use Google Compute Engine and keep all my stuff in one project. It let’s you manage DNS, servers, snapshots, images, disks, IP addresses, logging, has git repos for every project, global firewalls, private networking.
So basically you can make images of your complete server setup plus have snapshots of the disks on demand, your IPs detach right off one server onto another with your disks so it’s more or less like having throwaway instances as long as you have a solid backup of your config and set your databases to back up seperatly to their cloud storage or google drive.
The global firewall rules are huge too because even if you mess up your firewall settings the global rules go over everything so you could technically have no firewall on the VPS and still be fine (I wouldn’t really recommend that haha)
Plus they have a command line management tool so you can do everything I just said from the command line easily plus secure copy files too and from your machines with one line of code.
If that wasn’t cool enough you can actually authenticate into your servers from the command line through your Google account so you don’t even worry about SSH keys, it does it for you with authentication through your browser, I just use Google Authenticator on my phone as 2 factor auth so even if someone had my PW or key it wouldn’t matter.
I know this turned into a rant but it’s the best platform I have ever seen in my life x10 and I used AWS for awhile.
Do you work primarily as a web developer or sysadmin?
I do both, I’m in a smaller sized company so I wear a lot of hats for lack of a better term. But it’s easy enough that if you don’t use Linux on the daily you can just use their web interface which is in my opinion a ton more user friendly than AWS. That platform gives me a headache sometimes.
After a couple of DDoS attacks, I’m wary of keeping live sites on services like Digital Ocean, but are more than happy to use them for dev. While having a cheap, fast VPS is a great thing to have, having to protect and maintain them (particularly if you have 1 VPS per client, and therefore lots of them) is another matter. Perhaps I’m very apprehensive given my experience, but I feel like a weight has been lifted from my shoulders after moving to a fully managed service, with DDoS protection included.
As we’re working with companies that take payments on their site (and loss or degradation of service will have a direct impact on their business), my cause for concern on these matters (aka extreme paranoia) is much more prevalent (again, given the attacks we suffered before).
I don’t have to worry about server patching (and subsequent downtime), DDoS attacks, backups (the DO backups didn’t cut it for me), disaster recovery, uptime/health monitoring etc etc - it’s all just handled as part of the service, and relatively speaking I’m paying a hell of a lot more than a $5/mo VPS, but the difference in cost (which probably equates to only $40-50/mo more per site) is more than worth it to avoid those ‘cold sweat’ moments, or all-nighters when the proverbial hits the fan 
Of course those costs are passed on to the client, and they understand the added value, and appreciate this level of service.
That’s not to say I won’t ever switch back to maintaining our own environments for live sites again in the future… @RiFi2k - I see some stuff about DDoS protection with GCS - any experiences with this?
I’ve used free cloudflare for DOS protection and simply “update all” on the server. But I feel that one day it may get ugly
Yeah they do DoS mitigation I believe automatically. Also I’m sure if you wanted to pay for it they have a service.
I have been running a lot of servers manually for a long time on a ton of different hosts from Godaddy shared, Linoid, Digital Ocean, AWS, Google Compute. I have only one time had to deal with the beginnings of a DoS attack, and I seriously just popped over to Cloudflare, paid the $20 to get the first non-free level account and put it on high alert mode where they filter every drop of your traffic for as long as you want, left it like that until I found the bug in the code that was allowing it to happen. (It was a site we were just hosting for someone and making updates to we didn’t code it)
See the thing about DoS is, they aren’t targeting you in particular (unless you are dealing with a HUGE company with rivals all going for the same web keywords/traffic, then it can get ugly think bot wars…) but if your in that position then your gonna have someone dealing with it 24/7 monitoring. So DoS works like, your site gets port scanned or vuln scanned along with 1000’s of other sites, then the ones with the known vulnerabilities get put on a list and attacked by bots until they either protect it, patch it, or move it. If you use an up to date Wordpress, non-shady up to date plugins, don’t make your username admin, and have a strong rated password. Install Wordfence and Scurii too if your really paranoid and want a failsafe, and force SSL admin 100% of the time. Your good 99.9% of the time.
Now that being said… I 100% agree with everything Doug said, if you don’t know the command line like a second language and you don’t know the linux distro you are working with, if you never provisioned and fully configured a VPS from scratch yourself and had it work and not get hacked, if you don’t know about IP tables rules, then you should not being running your own server without help.
Period the End, I don’t care if you have Trellis and it sets up everything for you, what’s gonna happen when the next heartbleed happens and you have no clue what people are talking about when people are explaining how to patch it, or if like Ialo said sudo apt-get update and everything breaks (I use debian normally so I actually feel like I could run apt-get update with my eyes closed and still be ok), it’s just not worth it, for a couple bucks more let someone else handle it for you, your site and the web will thank you for it because it’s one less VPS that has been turned into a DoS drone without you knowing because you left SSH on for root.
If you are gonna run your own VPS it’s really not that hard but if you aren’t interested in spending HOURS learning this stuff just pay the 20 extra a month for managed hosting.
Last thoughts for everyone, it’s not about making a server that will never get hacked or break, it will, trust me… It’s all about having a backup plan in place for your database and your website files, so that when your server does break or get hacked, you just hit a couple buttons and your back up.
Monitoring & Backups is what you need, if you don’t know within 5 minutes of your site going down and have a full backup somewhere else ready to restore/re-provision your not doing it right.
@lalo I’ve not used ServerPilot, but I did take a look at it a year ago.
IMHO, the $10/mo package doesn’t do quite enough to host client’s live sites on, and the $49/mo package doesn’t even come close to what I get for a fully managed, HA environment, with DR, with a 24*7 engineering team who specialise in WordPress and are pro-actively monitoring for health issues and optimising performance, managing server updates, and have my environment behind DDoS protection, load balancers, CDN and a heap of other stuff…
But the buzzwords and acronyms I’ve just listed above, were the reason I signed up. It’s the WFF (warm fuzzy feeling - couldn’t help but create another acronym) that means I stay with them - I simply am not looking over my shoulder, worrying about a late night call from a client asking WTF is going on. I just know that whatever I throw at the host, they just handle it.
I do have to state that the only reason I get that at a comparable price to that of ServerPilot’s is because although I am on a large capacity cluster, I now have enough clients on there to bring the price per site down - but even without that, it’s possible to get (IMO) a better offering than the $49/mo option for $20-30/mo, depending on requirements.
Objectively speaking, I think ServerPilot (or maybe even DO on it’s own w/ Trellis) would be sufficient for small businesses that perhaps didn’t accept payment online; if the server did go down for a few hours while Server Pilot fixed something, or you had to restore from backup or move the site because of a DDoS attack - it wouldn’t impact the client’s business enough for them to start wanting to recoup lost revenue from you…
@doug Are there any specific services you recommend for managed WordPress hosting around that $20-$30 range? Right now I’m on a shared host and am pretty disappointed with the service.
Hi @christianmagill - yep - https://pressidium.com/pricing/ 
These are our partners for hosting, and they’re outstanding.
Thanks for the viewpoints and the info, everyone. Good stuff to consider and think about!
@doug I’m personally not interested in maintaining my own VPS but I want the consistency of the dev/staging/prod environment through bedrock/trellis. Is this what pressidium.com supports?
Hi @lvl99
Actually, it’s strange how things can change - Although for a few months things were great, I had a very bad experience in the end with Pressidium - they really let me down. There were a number of issues with their caching solution that kept breaking checkouts so I had some seriously unhappy customers and I felt I was looking over my shoulder all of the time.
Also, they promised a bespoke solution for getting Trellis deploys to work if I were to upgrade to their ‘Enterprise’ package (I forget how much this was exactly, but it was something like $400 - 500/month), only for it to never materialise. It was just one of those situations where they just went quiet, and no evidence whatsoever of them doing anything - so I feel massively duped.
I don’t think I can edit my previous post, but I simply cannot recommend Pressidium anymore.
I’ve since moved to Kinsta, and they’ve not missed a beat. The sites are lightening quick, support is nearly instant, and I’m saving a lot of money compared to the Enterprise package (which actually I didn’t need, other than for the bespoke solution to be implemented).
I think I saw @JulienMelissas post something on Twitter a while back about how he’s either got Bedrock or even full Trellis deploys working on Kinsta - but I’ve not yet tried myself! I will certainly post back when I find the time to try it out… or perhaps me pinging him will get his attention!
For users like myself who want to run/manage max 2 sites from a single trellis, Kinsta could support this? I’ll have a look into it, thanks for your help @doug
Oh hai actually it’s @nathanielks who’s showed me how to do it, although I haven’t actually put it into practice quite yet… sorry.
@doug@lvl99 I don’t see why you couldn’t host 2 sites or so! Trellis is used for local development and then for deploying code. We don’t actually provision anything on Kinsta.
Hi @nathanielks If you have time would you be able to share your deployment configuration/workflow on Kinsta? Did they have to change their default setup to make it work or does it work on a standard account? I’m not that familiar with TreIlis and have traditionally used Capistrano for deployment. From what I can tell the deployment strategy is similar. Kinsta weren’t keen to change things when I enquired about the possibility of setting the web root to the current symlink. Cheers!
Indeed! I got around that by creating a bedrock folder in the account’s home dir, and then symlinking the current release to public on Kinsta. You’ll need to ask them to add the bedrock folder to their open_basedir php ini setting, but once that’s done you’re good to go!
I don’t have time at the moment, but I’ll put something up here when I get a chance 
Thanks, that’s great
Sorry for the wait, @superbiaweb @lvl99 @max! These are the files I shared with @JulienMelissas: https://drive.google.com/open?id=0B1zycLinPP-LRTduaTdEaHFJUms. You should be able to decompress that and drop it on your trellis directory to overwrite the necessary files. Or (cautious alternative) open the files to see what’s inside
Then you need to add these variables:
group_vars/all/main.yml:
project_root: "{{ kinsta_path }}"
group_vars/staging/main.yml:
kinsta_root: "/www/HOME_DIRECTORY"
kinsta_path: "{{ kinsta_root }}/bedrock"
group_vars/production/main.yml:
kinsta_root: "/www/HOME_DIRECTORY"
kinsta_path: "{{ kinsta_root }}/bedrock"
You’ll need to change HOME_DIRECTORY in the above references to the actual value. Same for files/wp-cli.yml. You can find it in the path under the “Basic Details” section in the Kinsta dashboard.
This assumes you create a folder on Kinsta called /bedrock. You’ll need to ask Kinsta to add that path to their open_basedir configuration for you. Other than that, this should work.