@mjw, thank you! You are right about the small droplet. I guess this is the issue. Today I had a CPU usage spike above 100%. It lasted for 2.5 hrs and all this time my website was down. Those spikes are pretty frequent, as you can see in the picture.
How can I mitigate those spikes?
Or at least how powerful do I need the droplet to be to be able to handle them?
There are a few options. You could increase the size of the Droplet, or migrate to Hetzner, for example, which performs better in my experience and costs less, so you can go bigger.
However, I’d first check the logs to determine what’s going on. You may find that bots are scanning for vulnerabilities, and this is essentially bringing the server down. Mitigate this by using a cloud firewall, and installing fail2ban on the server.
Unattended updates will also keep the server up-to-date, and can be used for scheduling reboots.
Not as much as the other steps. I discovered a pattern, and it was clear that bots were attempting to access the server via SSH. Fail2ban, preventing password-based access, and using a non-standard port have eliminated this problem.
Next up, using Cloudflare helps significantly by reducing direct hits on the server, saving multiple GB of data transfer, and adding an extra layer of DDoS protection.
I still get occasional memory warnings when upgrading Ghost, but typically this occurs because a reboot is required following apt upgrade.
My PageSpeed score for desktop is around 95 on a membership site using 1 vCPU and 2 GB memory, i.e., €4.53 per month including back-ups and snapshots. Using Linode this cost $15 monthly. I can’t grumble.
Your issues are most likely related to having only 1 GB memory.
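To show what the fail2ban step above actually does with the SSH auth log, here is an added example (not code from this thread or from fail2ban itself) that applies fail2ban-style `maxretry`/`findtime` logic to constructed sshd log lines; hostnames, IPs and the 2024 year are assumptions for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the style of sshd entries in /var/log/auth.log.
# Syslog timestamps carry no year, so the parser assumes one (2024 here).
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  3 10:00:03 host sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar  3 10:00:05 host sshd[1203]: Failed password for root from 203.0.113.7 port 51250 ssh2
Mar  3 10:00:06 host sshd[1204]: Failed password for root from 203.0.113.7 port 51260 ssh2
Mar  3 10:00:09 host sshd[1205]: Failed password for root from 203.0.113.7 port 51270 ssh2
Mar  3 10:00:10 host sshd[1206]: Accepted publickey for deploy from 198.51.100.4 port 40000 ssh2
Mar  3 10:01:00 host sshd[1207]: Failed password for root from 192.0.2.9 port 60000 ssh2
Mar  3 10:30:00 host sshd[1208]: Failed password for root from 192.0.2.9 port 60001 ssh2
"""

# Two failure shapes sshd logs for brute-force attempts: a rejected password
# (optionally for a non-existent account) and a bare "Invalid user" line.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?\S+|Invalid user \S+) from (?P<ip>[\d.]+)"
)

def find_ban_candidates(log_text, maxretry=5, findtime_s=600, year=2024):
    """Return {ip: start of the offending window} for every IP that produced
    at least `maxretry` failures inside any `findtime_s`-second window.
    This mirrors the maxretry/findtime pair in a fail2ban sshd jail."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        failures[m.group("ip")].append(ts)
    banned = {}
    for ip, times in failures.items():
        times.sort()
        # Sliding window: the i-th failure and the one (maxretry - 1) entries
        # before it bound a run of maxretry failures; ban if the run is short enough.
        for i in range(maxretry - 1, len(times)):
            if (times[i] - times[i - maxretry + 1]).total_seconds() <= findtime_s:
                banned[ip] = times[i - maxretry + 1]
                break
    return banned

if __name__ == "__main__":
    for ip, since in find_ban_candidates(SAMPLE_LOG).items():
        print(f"would ban {ip} (burst started {since:%H:%M:%S})")
```

With the defaults, only 203.0.113.7 crosses the threshold: 192.0.2.9 fails twice, but half an hour apart, which is exactly the case `findtime` exists to exclude.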
If password-based access is turned off, bots can’t really even try to access the server, right? Because they don’t have an SSH key to attempt to connect, thus the request is not sent at all.
If I connect by an SSH key and have disabled password-based access, there is no need for me to change the port, or is there?
Also, fail2ban helps to blacklist IPs that make too many password requests. There is no password field exposed in Ghost. Only email, which blocks any requests for 10 minutes (don’t remember exactly) after several invalid email inputs. Thus, I’m wondering whether installing fail2ban is relevant.