VPS: security doesn't like defaults


VPS: more control

Shared hosting has its limits. Even if the server isn't crowded, the restrictions and the obvious security threats (co-hosted sites might be able to access your data; a system administrator's mistake may expose your sites' data to third parties, etc.) might force you to choose another type of hosting.

A VPS (virtual private server), also called a VDS (virtual dedicated server), is a virtual server isolated from the other virtual servers running on the same physical machine. VPS prices are very reasonable, and this hosting solution looks good if you can't stand the limitations of shared hosting any more.

Most VPS providers supply a control panel capable of monitoring the network and other activity of the VPS, restarting/stopping/reinstalling it, and so on.

You're in control. However, more power means more responsibility. If you choose VPS, you should either take security precautions or hire people able to do that.

Defaults are dangerous

Apart from the automatically generated (and often weak) root password, a VPS is vulnerable in many other respects.

First, it has a number of services installed and running, and the default settings of those services (mail servers: SMTP, POP3, IMAP4; the HTTP server; and so on) can expose details of your setup to third parties. Most important, though, the versions of the software running these services may be out of date and insecure.

Default settings are just that: an average set of parameters, enough to get a service working. They aren't aimed at stronger security (since ultimate security means the lowest possible convenience).

So, unless you wish to watch your brand new, yours-only VPS become a source of problems (such as getting listed at Spamhaus or other public blacklists) and to lose your data and overall control over the VPS, you can't postpone hardening it. In fact, this should be done before you install and enable your Web server or whatever network services you plan to run on your VPS.

The first things to do with your VPS

If anything below looks too complex or incomprehensible to you, I suppose you should consider hiring a system administrator, or the related services, to take care of your VPS.

Shut down unnecessary services. Don't run something just because it's set up to run by default on your VPS. Refer to the installed OS's manuals to determine which services are absolutely necessary and which aren't; disable the latter.

Install and tune firewall software. If using a Un*x-like system, make sure you install iptables (or whatever is popular) properly. If using Windows, don't rely on its built-in firewall, since it's very limited in capabilities; use some kind of personal firewall to have full control over both inbound and outbound traffic. Whatever the OS of your VPS, use something that can control traffic in all directions.

Tune the firewall according to this approach: everything not explicitly allowed is forbidden. Don't forget to leave access to SSH (Un*x) or whatever is used to reach the VPS console; otherwise you'll have to reinstall your VPS.

Use non-standard ports for the services granting access to the console. It's the simplest means of warding off those trying to get into your system.

Install all the latest security updates for the software you are using. The default VPS installation most probably contains out-of-date versions of many software packages.
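As an added example (not from the original post), a POSIX shell sketch of the "everything not explicitly allowed is forbidden" firewall from the steps above, in iptables-restore format, with a sanity check that the console port stays open before the ruleset is loaded. The SSH port 2222 and the extra web ports are assumed placeholders; adjust them to your own setup.

```shell
#!/bin/sh
# Added example, not the original post's code. Builds a default-deny
# iptables ruleset; port numbers are assumed placeholders.

# gen_firewall_rules SSH_PORT [EXTRA_TCP_PORTS...]
# Prints a ruleset with policy DROP on INPUT/FORWARD, accepting only
# loopback, replies to our own connections, ping, SSH on SSH_PORT and
# any extra TCP ports given (e.g. 80 443 once the web server is ready).
gen_firewall_rules() {
    ssh_port="$1"; shift
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p tcp --dport $ssh_port -j ACCEPT
EOF
    for p in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -j ACCEPT"
    done
    echo COMMIT
}

# ruleset_keeps_ssh RULESET SSH_PORT
# Returns 0 only if the INPUT policy is DROP *and* SSH_PORT is explicitly
# accepted. Run it before iptables-restore so that a typo in the ruleset
# cannot lock you out of the console (which would mean a reinstall).
ruleset_keeps_ssh() {
    ruleset="$1"; ssh_port="$2"
    printf '%s\n' "$ruleset" | grep -q '^:INPUT DROP' || return 1
    printf '%s\n' "$ruleset" | grep -q -- "--dport ${ssh_port} -j ACCEPT" || return 1
    return 0
}

# Typical use (as root), assuming SSH was moved to port 2222:
#   rules=$(gen_firewall_rules 2222 80 443)
#   ruleset_keeps_ssh "$rules" 2222 && printf '%s\n' "$rules" | iptables-restore
```

Apply the ruleset from the console session that is already open, and open a second SSH session to confirm access before closing the first one.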

The steps above do not provide absolute security; they are just the basic steps one should take to protect a VPS better. Security is a state of mind and a strategy; to keep it at a high level you should perform a number of actions on a regular basis.


This page contains a single entry by Konstantin Boyandin published on March 8, 2010 5:05 PM.