VPS Security Hardening for Traders: Protect Your Trading Account

FXVPS

Your trading VPS runs 24/7 with an open RDP port and direct access to your broker accounts. If someone gains access to your VPS, they have access to your trading capital. This is not a hypothetical risk — brute force attacks against RDP servers happen millions of times per day, and trading VPS instances are high-value targets because attackers know there are funded broker accounts on the other side.

Here is how to lock your VPS down properly, layer by layer.

The Threat Landscape for Trading VPS

Before diving into fixes, understand what you are defending against:

Brute force RDP attacks are by far the most common threat. Automated bots scan the entire internet for open port 3389 (the default RDP port) and try thousands of username/password combinations. If your VPS uses the default port with a weak password, it is a matter of when, not if.

Best Practice: Use a unique, 16+ character password for your VPS and change it every 90 days. Never reuse your broker login password for VPS access — a compromised VPS password should never expose your trading accounts.

Malware and keyloggers capture your broker login credentials and two-factor authentication codes, and can even place unauthorized trades. They typically arrive through infected EA or indicator files downloaded from untrusted sources.

EA and indicator trojans are a specific category worth highlighting. “Cracked” or pirated versions of commercial EAs are the single largest malware vector in the forex trading community. The cracked EA works as advertised — while silently sending your credentials to the attacker.

Network-level attacks are less common on reputable VPS providers but include traffic sniffing and man-in-the-middle attacks on poorly configured networks.

Layer 1: RDP Security

RDP is your front door. Most attacks target it first.

Use a Non-Standard Port

FXVPS instances use port 41011 instead of the default 3389. This single change reduces automated brute force attempts by over 90%, because the vast majority of scanning bots only check port 3389. If your VPS provider uses the default port, changing it is the highest-impact security improvement you can make.

Use a Strong Password

This sounds basic because it is. Yet “Password123” and “Admin2024” still appear in breach logs constantly. Your VPS password should be:

  • At least 12 characters
  • Mixed uppercase and lowercase
  • Include numbers and symbols
  • Not based on dictionary words, your name, your broker, or your EA name

Use a password manager to generate and store it. If you cannot remember it without writing it on a sticky note, that is fine — use the password manager.

Change the Default Administrator Password

If your VPS was delivered with a default password in the welcome email, change it immediately. Right-click the Start button, select “Computer Management,” expand “Local Users and Groups,” click “Users,” right-click “Administrator,” and select “Set Password.”

Enable Network Level Authentication (NLA)

NLA requires authentication before the RDP session is fully established, which blocks several classes of pre-authentication attacks. Right-click “This PC,” select Properties, and click “Remote settings” on the left. Under Remote Desktop, check “Allow connections only from computers running Remote Desktop with Network Level Authentication.”

This is enabled by default on modern Windows Server, but verify it.

For an additional layer of protection over your RDP connection, see our guide on enhancing your VPS security with VPNs.

Consider a Second User Account

Create a standard user account for daily use instead of logging in as Administrator. Open Computer Management, create a new user, and add it to the “Remote Desktop Users” group. Use this account for trading. If malware executes under a standard user account, it has significantly less ability to damage the system than under Administrator.
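
The Layer 1 settings above (listener port, NLA, and which accounts can log on over RDP) can be read in one pass from PowerShell. This is an added example, not FXVPS tooling; it assumes an elevated Windows PowerShell 5.1 session on the VPS, and the output property names are illustrative.

```powershell
# Added example: audit the RDP settings discussed in Layer 1. Run elevated.
$ts     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$ts\WinStations\RDP-Tcp"
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

$listener = Get-ItemProperty -Path $rdpTcp

# A Group Policy value, when present, overrides the local listener setting.
$gpNla = (Get-ItemProperty -Path $policy -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
$nla   = if ($null -ne $gpNla) { $gpNla } else { $listener.UserAuthentication }

# Well-known SIDs are used so the lookup also works on non-English Windows.
$groups = [ordered]@{
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-32-555' = 'Remote Desktop Users'
}
# Members of either group are allowed to log on over RDP by default.
$rdpCapable = foreach ($sid in $groups.Keys) {
    Get-LocalGroupMember -SID $sid -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Group'; e = { $groups[$sid] } }, Name, ObjectClass
}

# The built-in Administrator keeps a SID ending in -500 even if it is renamed.
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }

[pscustomobject]@{
    RdpEnabled           = ((Get-ItemProperty -Path $ts).fDenyTSConnections -eq 0)
    Port                 = $listener.PortNumber
    UsesDefaultPort      = ($listener.PortNumber -eq 3389)
    NlaRequired          = ($nla -eq 1)
    BuiltinAdminName     = $builtinAdmin.Name
    BuiltinAdminEnabled  = $builtinAdmin.Enabled
    AdminPasswordLastSet = $builtinAdmin.PasswordLastSet
} | Format-List

$rdpCapable | Format-Table -AutoSize
```

If the daily trading account shows up under Administrators rather than only under Remote Desktop Users, it is not the standard account this section describes.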

Layer 2: Windows Firewall Configuration

Windows Firewall should always be enabled. It is your second line of defense after port security.

The default firewall rules are adequate for a trading VPS. RDP is allowed, outbound connections for MT4/MT5 are allowed, and everything else is blocked inbound. Do not disable the firewall “because it might block my EA” — if your EA needs outbound internet access, the default rules already permit it.

Optional: Restrict RDP to Your Home IP

For maximum security, you can restrict RDP access to only your home IP address:

  1. Open Windows Firewall with Advanced Security
  2. Find the inbound rule for Remote Desktop (TCP)
  3. Double-click it, go to the Scope tab
  4. Under “Remote IP address,” select “These IP addresses” and add your home IP

⚠️ Warning: Prop firm drawdown rules have zero tolerance. A VPS disconnection during volatile markets can breach daily loss limits and end your evaluation instantly.

Important caveat: If your home internet has a dynamic IP (most residential connections do), your IP will eventually change and you will be locked out. Only do this if you have a static IP from your ISP, or if your VPS provider offers console access as a fallback (FXVPS provides web-based console access for exactly this situation).
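
The same scope change from PowerShell, as an added example that is not part of the original guide: it reads the port the RDP listener actually uses, lists the matching inbound allow rules with their current scope, and previews the change with -WhatIf. The address 203.0.113.10 is a placeholder from the documentation range, and the script assumes an elevated session.

```powershell
# Added example: restrict the inbound RDP allow rules to one source address.
$HomeIp = '203.0.113.10'   # placeholder; replace with your own static IP

# Read the listener port from the registry instead of assuming 3389.
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$port   = (Get-ItemProperty -Path $rdpTcp).PortNumber

# Enabled inbound allow rules whose TCP local port is exactly the RDP port.
# Rules that cover the port through a range or "Any" are not matched here.
$rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $pf.Protocol -eq 'TCP' -and $pf.LocalPort -contains "$port"
    }

# Show the current scope of each rule before changing anything.
$rules | ForEach-Object {
    [pscustomobject]@{
        Rule          = $_.DisplayName
        RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
    }
} | Format-Table -AutoSize

# -WhatIf only previews the change; remove it to apply.
$rules | Set-NetFirewallRule -RemoteAddress $HomeIp -WhatIf
```

Confirm that console access works before removing -WhatIf, since a wrong address locks out RDP immediately.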

Block Known Bad Regions

If you only ever connect from one country, you can use firewall rules to block entire IP ranges. This is aggressive but effective. Tools like ip2location provide country-level IP block lists. This is an advanced measure — skip it if you travel frequently or use VPNs.

Layer 3: Software Security

What you install on your VPS is as important as how you configure the OS.

Only install software from official sources:

  • MT4/MT5: Download exclusively from your broker’s website. Not from random download sites, not from links in Telegram groups, not from forum posts.
  • EAs and indicators: Only from the MQL5 Market (built into MT4/MT5), or from developers you have verified and trust. Check reviews, check how long they have been active, check if they have a legitimate website.
  • Never install cracked or pirated EAs. This cannot be stated strongly enough. A cracked EA is the easiest possible way for an attacker to get malware onto your VPS. The EA runs with full access to your MT4 terminal, including the ability to place trades, read account credentials, and exfiltrate data. Even if the cracked version “works,” it may be silently compromising your account.

Minimize your VPS footprint:

  • Do not browse the web on your VPS. Use your local PC for research, chart analysis on TradingView, and reading forex forums. Your VPS is an execution machine, not a workstation.
  • Do not check email on your VPS. Email is a primary phishing vector.
  • Do not store sensitive personal files (tax documents, ID scans, bank statements) on your VPS. If it is compromised, those files are exposed. For a comprehensive backup strategy, see how to back up your forex trading data on a VPS.

Layer 4: Account Security

Even with a hardened VPS, practice good account hygiene.

Use different passwords for everything. Your VPS login password, your broker account password, and your MT4 master password should all be different. If one is compromised, the others remain secure.

Enable two-factor authentication on your broker account if your broker offers it. This means that even if someone captures your broker password, they cannot log in without the second factor.

Be cautious with MT4’s “Save Password” checkbox. When you log into MT4, it offers to save your password. If you check this, anyone with access to your VPS can open MT4 and trade on your account without knowing the password. On a well-secured VPS this is an acceptable convenience trade-off, but understand the risk.

Monitor your account history. Check your MT4 Account History tab regularly for trades you did not place. Set up email or push notifications from your broker for trade execution if available. Early detection of unauthorized access limits the damage.

Layer 5: Ongoing Maintenance

Security is not a one-time setup. It requires periodic attention.

Keep Windows updated. Install security patches during market-closed hours. Set Windows Update to download but not auto-install, and apply updates on weekends. See our Windows Server optimization guide for details on managing update schedules.

⚠️ Warning: Windows auto-restart is the #1 killer of unattended EAs. Disable it via Group Policy (gpedit.msc) immediately after setting up your VPS — before you attach a single EA.

Check for failed login attempts. Open Event Viewer, navigate to Windows Logs, then Security. Filter for Event ID 4625 (failed logon). A handful of failed attempts is normal — bots find every open port eventually. Hundreds or thousands of failed attempts from the same IP indicate a targeted brute force attack. If you see this, add the attacking IP range to your firewall block list.
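
An added example (not from FXVPS) that does the Event Viewer filtering above in PowerShell: it groups Event ID 4625 records by source IP, lists the addresses over a threshold, and previews a block rule for them. The 24-hour window, the threshold of 100 and the rule name are assumed values; run it in an elevated session.

```powershell
# Added example: summarize failed logons (Event ID 4625) by source IP.
# Run elevated; reading the Security log requires administrator rights.
$Hours     = 24    # look-back window (assumed value)
$Threshold = 100   # failures from one IP worth acting on (assumed value)

$filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }

# Get-WinEvent raises an error when nothing matches; treat that as an empty result.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

$failures = foreach ($e in $events) {
    # The named fields (IpAddress, TargetUserName, ...) sit in EventData/Data of the event XML.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time     = $e.TimeCreated
        SourceIp = $data['IpAddress']
        User     = $data['TargetUserName']
    }
}

# A SourceIp of '-' means the event recorded no network address; skip those.
$summary = $failures |
    Where-Object { $_.SourceIp -and $_.SourceIp -ne '-' } |
    Group-Object SourceIp |
    ForEach-Object {
        $times = $_.Group.Time | Sort-Object
        [pscustomobject]@{
            SourceIp  = $_.Name
            Failures  = $_.Count
            Usernames = ($_.Group.User | Sort-Object -Unique) -join ', '
            First     = $times | Select-Object -First 1
            Last      = $times | Select-Object -Last 1
        }
    } |
    Sort-Object Failures -Descending

$summary | Format-Table -AutoSize

# Addresses at or over the threshold become candidates for the block list.
$offenders = @($summary | Where-Object Failures -ge $Threshold | ForEach-Object SourceIp)
if ($offenders) {
    # -WhatIf previews the rule without creating it; remove it to apply.
    New-NetFirewallRule -DisplayName 'Block RDP brute force sources' -Direction Inbound `
        -Action Block -RemoteAddress $offenders -WhatIf
}
```

The Usernames column shows which account names are being guessed, which helps tell a locked-out legitimate user from a bot cycling through common names.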

Reboot monthly. Some security updates require a reboot to fully apply. Schedule this for Saturday or Sunday when markets are closed. And always disconnect from your RDP session properly rather than logging off, so your EAs keep running after maintenance.

Review installed software. Once a quarter, open Programs and Features and check for anything you did not install. If something unfamiliar is there, investigate it.

What FXVPS Handles for You

You do not need to worry about everything. Your VPS provider handles infrastructure-level security, and at FXVPS, that includes:

  • DDoS protection at the datacenter level — Equinix facilities (LD4, NY4, TY3, HK1) have enterprise-grade DDoS mitigation
  • Physical security — biometric access, 24/7 security staff, CCTV at all Equinix facilities
  • Network encryption — all management traffic is encrypted
  • Hardware redundancy — redundant power, networking, and storage
  • Non-standard RDP port — all FXVPS instances use port 41011, not the default 3389
  • Network-level monitoring — we detect and block large-scale attacks before they reach your VPS

💡 Tip: Datacenter-grade security includes DDoS mitigation, enterprise firewalls, and biometric physical access — layers of protection your home network simply cannot match. Your trading credentials are safer in a professional facility.

Your job is to secure what runs inside the VPS. Our job is to secure everything underneath it. Together, your trading environment is as protected as the institutional setups running in the same datacenters.

Start with the basics — strong password, NLA enabled, no cracked software — and you have already eliminated 95% of the attack surface. The rest is layered defense for the remaining 5%. Check our plans to get started on a secure, purpose-built trading VPS.