It's a valid concern. Usually I don't mess with 'production'. I have a parallel 'dev' system to mess with and only if tests are passed, a bash script (important: automate, by-hand there's risk of missing something) updates the 'production' scripts. I use a configuration file in order to specify the db-name (e.g. productiondb and testdb) and also the root/base url - so these must not be hard-coded in scripts. It is possible with a webserver like nginx to have parallel sites on the same machine. So you need just 1 VPS which you burden a bit during development time on the expense of visitors. There's probably a good-practices guide somewhere on how to do all these properly.

2ndly, I have already mentioned that a lot of VPS offer a snapshot feature (the one I mentioned earlier does) which takes a few minutes to snap the current state of your machine and unroll it whenever you are in big trouble (warning: that includes *everything*, including the DB-state, accounts+passwords at time of last snap etc. it's like re-installing the OS but at the state you last snapped it.). Cron jobs can automate backing-up your DB at regular intervals.

One last caveat: my VPS gets visited regularly by hacker-bots which check for known vulnerabilities (I mostly see php or wordpress paths they try to access). And also whenever I ssh it tells me that there were 20 failed attempts in the space of a few days. In the system I use I am responsible to handle both problems. And there are solutions. I don't know whether shared-hosting handles these problems for you with a blanket firewall.

hippo said: With great power comes great responsibility!. Sure, invest some time to acquire some skills if you don't already have them.