Remote OpenClaw Blog

OpenClaw Docker Deployment on Hostinger: Production-Ready Setup With Security Hardening

What changed

This post was reviewed and updated to reflect current deployment, security hardening, and operations guidance.


Author: Zac Frulloni

Advanced guide to deploying OpenClaw on Hostinger VPS with Docker Compose. Covers production security hardening, Tailscale, firewall configuration, monitoring, backups, and cost optimization.

Running OpenClaw in Docker on a VPS is the standard production deployment — and Hostinger's KVM2 plan is the best value option for it. But there is a difference between "it runs" and "it runs reliably and securely." This guide covers the production-ready approach: proper Docker Compose configuration, security hardening, monitoring, safe updates, and backup strategies.

This guide assumes you already know the basics. If you need the beginner walkthrough first, start with our Hostinger OpenClaw VPS Setup Guide.

Why Docker on Hostinger for OpenClaw

Docker containerization solves the three biggest problems with running OpenClaw on a VPS: dependency management, reproducibility, and isolation.

Hostinger's KVM2 plan is particularly well-suited because:

  • Dedicated resources: KVM virtualization means your 2 vCPU and 8GB RAM are guaranteed — not shared with noisy neighbors like on some cloud providers.
  • NVMe storage (100GB): Docker image pulls, container logs, and OpenClaw's conversation history all benefit from fast disk I/O. NVMe is 3-5x faster than standard SSD.
  • 8TB bandwidth: More than enough for OpenClaw's API calls, webhook traffic, and dashboard access. You will never hit this limit with a single instance.
  • 1-click Docker template: Skip the Docker installation step entirely. Your VPS comes ready for docker compose up.
  • hPanel Docker Manager: Visual container monitoring without SSH — useful for quick health checks from your phone.

Docker Manager vs Manual Docker Compose

Hostinger offers two ways to manage Docker containers: their hPanel Docker Manager and traditional Docker Compose via SSH.

Use hPanel Docker Manager when:

  • You want a quick visual overview of running containers
  • You need to check container status from your phone
  • You are managing simple, single-container setups

Use Docker Compose (recommended for production) when:

  • You need precise control over environment variables
  • You want custom volume mounts and networking
  • You need restart policies (unless-stopped or always)
  • You plan to add additional services (reverse proxy, monitoring)
  • You want reproducible deployments via version-controlled compose files

For production OpenClaw deployments, always use Docker Compose. The hPanel Docker Manager is fine for monitoring, but configuration should be done through compose files.

Step-by-Step Production Deployment

Step 1: Provision the VPS

Purchase a Hostinger KVM2 plan and select the Docker OS template during setup. Set an SSH key (not a password) for root access.

Step 2: Initial server hardening

Before installing anything, lock down the server:

# SSH into the VPS
ssh root@your-vps-ip

# Update system packages
apt update && apt upgrade -y

# Create a non-root user for OpenClaw
# (membership in the docker group is root-equivalent on the host)
adduser openclaw
usermod -aG docker openclaw
usermod -aG sudo openclaw

# Switch to the new user
su - openclaw

Step 3: Install OpenClaw via Docker Compose

# Run the official setup script
curl -fsSL https://raw.githubusercontent.com/openclaw/openclaw/main/docker-setup.sh | bash

# Verify the installation
docker ps
# Should show the openclaw container running on port 18789

Step 4: Customize the Docker Compose file

The setup script creates a compose file at ~/.clawdbot/docker-compose.yml. For production, you want to verify these settings:

cat ~/.clawdbot/docker-compose.yml

Ensure the compose file includes:

services:
  openclaw:
    image: openclaw/openclaw:latest
    container_name: openclaw
    restart: unless-stopped
    ports:
      - "18789:18789"
    env_file:
      - .env
    volumes:
      - openclaw_data:/app/data
    logging:
      driver: json-file
      options:
        max-size: "10m"
        max-file: "3"

volumes:
  openclaw_data:

Key production settings:

  • restart: unless-stopped — Container restarts after crashes or VPS reboots, but stays stopped if you manually stop it.
  • logging with max-size and max-file — Prevents container logs from filling your disk. Without this, logs can grow to gigabytes over weeks.
  • Named volume (openclaw_data) — Persists data across container recreations.

Step 5: Configure environment variables

nano ~/.clawdbot/.env

Production environment file:

# Gateway authentication (auto-generated, verify it exists)
OPENCLAW_GATEWAY_TOKEN=your-long-random-token-here

# LLM API keys (add at least one)
ANTHROPIC_API_KEY=sk-ant-api03-your-key-here
OPENAI_API_KEY=sk-your-key-here
GOOGLE_API_KEY=AIzaSy-your-key-here

# Optional: Telegram bot token
TELEGRAM_BOT_TOKEN=7123456789:AAH-your-token-here

Step 6: Start the production container

cd ~/.clawdbot
docker compose up -d

# Verify it's running
docker ps
docker logs openclaw --tail 20


Security Hardening

A production OpenClaw instance handles your messages, calendar, documents, and API keys. Security is not optional.

Layer 1: Gateway token authentication

The gateway token prevents unauthorized access to the OpenClaw API and dashboard.

# Verify your gateway token is set and strong
grep OPENCLAW_GATEWAY_TOKEN ~/.clawdbot/.env

# If empty or weak, generate a new one
NEW_TOKEN=$(openssl rand -hex 32)
echo "Generated token: $NEW_TOKEN"

# Update the .env file
sed -i "s/OPENCLAW_GATEWAY_TOKEN=.*/OPENCLAW_GATEWAY_TOKEN=$NEW_TOKEN/" ~/.clawdbot/.env

# Recreate the container to apply (docker compose restart does not re-read .env)
cd ~/.clawdbot && docker compose up -d --force-recreate

Save this token somewhere secure — you need it to access the dashboard.

Layer 2: UFW firewall

# Install and configure UFW
sudo apt install ufw -y

# Default: deny all incoming, allow all outgoing
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH (critical — do this first)
sudo ufw allow 22/tcp

# Allow OpenClaw dashboard (remove this rule after setting up Tailscale)
sudo ufw allow 18789/tcp

# Enable the firewall
sudo ufw enable

# Verify
sudo ufw status verbose

Layer 3: Tailscale private networking

Tailscale creates an encrypted mesh VPN between your devices. Once configured, you access OpenClaw through your private Tailscale IP — no public port exposure needed.

# Install Tailscale
curl -fsSL https://tailscale.com/install.sh | sh

# Authenticate (opens a browser link)
sudo tailscale up

# Get your Tailscale IP
tailscale ip -4
# Example output: 100.64.0.5

# Now remove the public port rule
sudo ufw delete allow 18789/tcp

# Access OpenClaw only via Tailscale
# http://100.64.0.5:18789

Install Tailscale on your laptop and phone too. Now your OpenClaw dashboard is only accessible from your own devices — completely invisible to the public internet.
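
Docker publishes container ports through its own iptables rules, which are applied before UFW's, so the "18789:18789" mapping from Step 4 can stay reachable on the public IP after the UFW rule is deleted; binding the mapping to the Tailscale address or 127.0.0.1 avoids that. The check below is an added example, not part of the original guide or the OpenClaw project: it lists short-syntax port mappings in a compose file that are published on all interfaces. The function name list_public_ports and the sample files are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: list compose port mappings that Docker publishes on all interfaces.

# list_public_ports FILE
# Prints short-syntax "ports:" entries with no host IP, or with 0.0.0.0 / [::].
# Long-syntax (target:/published:) mappings are not handled.
list_public_ports() {
  tr -d "\"'" < "$1" | awk '
    /^[ \t]*ports:[ \t]*$/ { in_ports = 1; next }
    in_ports && /^[ \t]*-/ {
      m = $0
      sub(/^[ \t]*-[ \t]*/, "", m)      # drop the list marker
      sub(/[ \t]*(#.*)?$/, "", m)       # drop trailing space and comments
      n = split(m, part, ":")
      # HOST_PORT:CONTAINER_PORT or a bare port has fewer than three fields
      if (n < 3 || part[1] == "0.0.0.0" || m ~ /^\[::\]/) print m
      next
    }
    /^[ \t]*$/ { next }
    { in_ports = 0 }                    # any other key ends the ports list
  '
}

# Constructed samples: the mapping from Step 4, and a variant bound to the
# example Tailscale address used above (100.64.0.5).
write_samples() {
  printf '%s\n' 'services:' '  openclaw:' '    image: openclaw/openclaw:latest' \
    '    ports:' '      - "18789:18789"' '    env_file:' '      - .env' \
    > "$1/public.yml"
  printf '%s\n' 'services:' '  openclaw:' '    image: openclaw/openclaw:latest' \
    '    ports:' '      - "100.64.0.5:18789:18789"' '    env_file:' '      - .env' \
    > "$1/private.yml"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "public.yml:  $(list_public_ports "$demo_dir/public.yml")"
echo "private.yml: $(list_public_ports "$demo_dir/private.yml")"
rm -rf "$demo_dir"
```

An empty result for ~/.clawdbot/docker-compose.yml means every short-syntax mapping names a specific host address; `sudo ss -tlnp` on the VPS confirms what is actually listening.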

Layer 4: SSH key-only authentication

# Disable password authentication
sudo nano /etc/ssh/sshd_config

# Set these values:
# PasswordAuthentication no
# PubkeyAuthentication yes
# PermitRootLogin prohibit-password

# Check the config for syntax errors, then restart SSH
sudo sshd -t && sudo systemctl restart sshd

Environment Variable Management

Your .env file at ~/.clawdbot/.env contains sensitive credentials. Handle it carefully.

Permissions

# Restrict file permissions — only the owner can read/write
chmod 600 ~/.clawdbot/.env

# Verify
ls -la ~/.clawdbot/.env
# Should show: -rw------- 1 openclaw openclaw ...

Rotating API keys

If you suspect a key is compromised:

# 1. Generate a new key from the provider's dashboard
# 2. Update the .env file
nano ~/.clawdbot/.env

# 3. Recreate the container (docker compose restart does not re-read .env)
cd ~/.clawdbot && docker compose up -d --force-recreate

# 4. Revoke the old key from the provider's dashboard
# 5. Verify the new key works
docker logs openclaw --tail 20

Gateway token rotation

# Generate and apply a new gateway token
NEW_TOKEN=$(openssl rand -hex 32)
sed -i "s/OPENCLAW_GATEWAY_TOKEN=.*/OPENCLAW_GATEWAY_TOKEN=$NEW_TOKEN/" ~/.clawdbot/.env
# Recreate the container: docker compose restart does not re-read .env
cd ~/.clawdbot && docker compose up -d --force-recreate

echo "New gateway token: $NEW_TOKEN"
# Save this — you'll need it to access the dashboard
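
The permission and token checks in this section can be combined into one audit of the .env file. This is an added example, not part of the original guide or the OpenClaw project; the function name audit_env is hypothetical, the sample file is constructed from the guide's template values, and the placeholder match on "your-" is a heuristic.

```shell
#!/usr/bin/env bash
# Added example: audit an OpenClaw-style .env file for the issues covered above.

# audit_env FILE
# Prints one finding per line; prints nothing when the file passes every check.
audit_env() {
  local file=$1 mode token name
  mode=$(stat -c '%a' "$file") || return 2          # GNU stat (Linux)
  [ "$mode" = "600" ] || echo "mode $mode (expected 600)"

  # If the variable is assigned more than once, check the last assignment.
  token=$(sed -n 's/^OPENCLAW_GATEWAY_TOKEN=//p' "$file" | tail -n 1)
  if [ -z "$token" ]; then
    echo "OPENCLAW_GATEWAY_TOKEN missing or empty"
  elif ! printf '%s' "$token" | grep -Eq '^[0-9a-f]{64}$'; then
    echo "OPENCLAW_GATEWAY_TOKEN is not in the form openssl rand -hex 32 produces"
  fi

  # Template values left in place, e.g. sk-your-key-here.
  grep -E '^[A-Z_]+=.*your-' "$file" | cut -d= -f1 | while read -r name; do
    echo "$name still holds a placeholder value"
  done
}

# Constructed sample: two lines from the guide's template, world-readable.
demo=$(mktemp)
printf '%s\n' 'OPENCLAW_GATEWAY_TOKEN=your-long-random-token-here' \
  'OPENAI_API_KEY=sk-your-key-here' > "$demo"
chmod 644 "$demo"
audit_env "$demo"
rm -f "$demo"
```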

Monitoring With Docker Stats

Monitor your OpenClaw container's resource usage to catch issues before they cause downtime.

Real-time stats

# Watch CPU, memory, network, and disk I/O
docker stats openclaw

# Example output:
# CONTAINER  CPU %  MEM USAGE / LIMIT   MEM %  NET I/O          BLOCK I/O
# openclaw   2.3%   245MiB / 7.77GiB    3.08%  15.2MB / 8.3MB   52MB / 12MB

On a Hostinger KVM2 (8GB RAM), OpenClaw typically uses 200-400MB of memory. If you see memory usage climbing above 2GB, something is wrong — check the logs.

Container health checks

# Quick status check
docker ps --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}"

# Check logs for errors
docker logs openclaw --since 1h | grep -i error

# Check if the dashboard is responding
curl -s -o /dev/null -w "%{http_code}" http://localhost:18789
# Should return 200

Setting up log alerts (optional)

For a simple monitoring setup, add a cron job that checks container health:

# Create a health check script
cat > ~/check-openclaw.sh << 'SCRIPT'
#!/bin/bash
if ! docker ps | grep -q openclaw; then
  echo "OpenClaw is down! Restarting..."
  cd ~/.clawdbot && docker compose up -d
fi
SCRIPT

chmod +x ~/check-openclaw.sh

# Run every 5 minutes via cron
(crontab -l 2>/dev/null; echo "*/5 * * * * /home/openclaw/check-openclaw.sh") | crontab -

Updating OpenClaw Safely

OpenClaw is actively developed. Here is the safe update procedure:

# Step 1: Back up current configuration
cp ~/.clawdbot/.env ~/.clawdbot/.env.backup.$(date +%Y%m%d)

# Step 2: Pull the latest image
cd ~/.clawdbot
docker compose pull

# Step 3: Recreate the container with the new image
docker compose down
docker compose up -d

# Step 4: Verify the update
docker logs openclaw --tail 20
docker ps

# Step 5: Test the dashboard
curl -s -o /dev/null -w "%{http_code}" http://localhost:18789

If the update breaks something:

# Roll back to the previous image
docker compose down

# Restore the backup env if needed
cp ~/.clawdbot/.env.backup.20260324 ~/.clawdbot/.env

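# "latest" now points at the new image, so a plain "up -d" would start it again.
# Pin image: in docker-compose.yml to the previous version tag (if tagged) or to
# the previous image ID, which stays in the local cache until you prune.
docker compose up -d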

Backup Strategies

You need to back up two things: your configuration and your data.

Configuration backup

# Back up the entire .clawdbot directory
tar czf ~/openclaw-config-$(date +%Y%m%d).tar.gz -C ~ .clawdbot/

# Copy to a safe location (your local machine)
# From your LOCAL machine:
scp openclaw@your-vps-ip:~/openclaw-config-*.tar.gz ~/backups/

Docker volume backup

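# Back up the data volume
# Compose usually prefixes volume names with the project name; confirm the real
# name with `docker volume ls` and substitute it for openclaw_data if it differs
docker run --rm \
  -v openclaw_data:/data \
  -v "$(pwd)":/backup \
  alpine tar czf /backup/openclaw-data-$(date +%Y%m%d).tar.gz /data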

Hostinger VPS snapshots

Hostinger offers VPS snapshots on their higher plans. This captures the entire disk state — the most comprehensive backup option. Check your hPanel dashboard under VPS > Snapshots.

Automated daily backups

# Create a backup script
cat > ~/backup-openclaw.sh << 'SCRIPT'
#!/bin/bash
BACKUP_DIR=~/backups
mkdir -p "$BACKUP_DIR"
# The archives contain the .env secrets: keep the directory private
chmod 700 "$BACKUP_DIR"

# Config backup
tar czf "$BACKUP_DIR/openclaw-config-$(date +%Y%m%d).tar.gz" -C ~ .clawdbot/

# Volume backup (check the volume name with `docker volume ls`)
docker run --rm -v openclaw_data:/data -v "$BACKUP_DIR":/backup alpine \
  tar czf "/backup/openclaw-data-$(date +%Y%m%d).tar.gz" /data

# Keep only last 7 days of backups
find "$BACKUP_DIR" -name "openclaw-*" -mtime +7 -delete
SCRIPT

chmod +x ~/backup-openclaw.sh

# Run daily at 3 AM
(crontab -l 2>/dev/null; echo "0 3 * * * /home/openclaw/backup-openclaw.sh") | crontab -

Cost Breakdown

Here is what running OpenClaw on Hostinger actually costs per month:

| Expense | Light Use | Moderate Use | Heavy Use |
|---|---|---|---|
| Hostinger KVM2 VPS | $8.99 | $8.99 | $8.99 |
| Anthropic API (Claude) | $10-15 | $20-30 | $40-60 |
| OpenAI API (optional) | $0-5 | $5-10 | $10-20 |
| Tailscale (free tier) | $0 | $0 | $0 |
| Total | $19-29 | $34-49 | $59-89 |

Light use: Morning briefings, occasional calendar queries, weekly document drafting. About 50-100 API calls per day.

Moderate use: Daily WhatsApp conversations, regular document work, scheduled automations. About 200-500 API calls per day.

Heavy use: Multiple agents, frequent automations, large document processing, multi-channel messaging. 500+ API calls per day.

Compared to managed OpenClaw hosting services ($30-60/month before API costs), self-hosting on Hostinger saves you $20-50/month — and gives you full control.

FAQ

Should I use Hostinger's Docker Manager or manual Docker Compose for OpenClaw?

For production deployments, use manual Docker Compose. Hostinger's Docker Manager is convenient for basic container management, but Docker Compose gives you full control over environment variables, volume mounts, restart policies, and networking — all of which matter for a production OpenClaw instance.

How do I secure the OpenClaw dashboard on Hostinger VPS?

Three layers: First, set a strong OPENCLAW_GATEWAY_TOKEN in your .env file. Second, configure UFW to only allow ports 22 (SSH) and 18789 (dashboard). Third, install Tailscale for private networking and remove the public port 18789 rule entirely — this means the dashboard is only accessible through your Tailscale network.

How do I update OpenClaw without losing my configuration?

Your configuration lives in ~/.clawdbot/.env and your data in Docker volumes. To update safely: first backup your .env file and volumes, then run docker compose pull to get the latest image, then docker compose down && docker compose up -d to restart. Your configuration and data persist across updates.

What is the total monthly cost of running OpenClaw on Hostinger?

Hostinger KVM2 costs $8.99/month. LLM API costs depend on usage: light use runs $15-25/month, moderate use runs $25-40/month, heavy use can reach $40-80/month. Total: $25-90/month depending on usage patterns.

How do I back up my OpenClaw instance on Hostinger?

Back up two things: your environment file (~/.clawdbot/.env) and your Docker volumes. For the env file, copy it to a secure offsite location. For volumes, use docker run --rm -v openclaw_data:/data -v $(pwd):/backup alpine tar czf /backup/openclaw-backup.tar.gz /data. Hostinger also offers weekly VPS snapshots on higher plans.
