

What security steps do you take on a fresh install of Forge?

A brand spanking new installation of Forge: what steps do you guys take to harden security, especially when running multiple sites?

Traditionally, when manually setting up a server, I would do at minimum the following:

  • all the updates
  • firewall set up through UFW
  • disable root access
  • disable password access (..after adding keys)
  • fail2ban
  • swapping out the ssh port 22 for something higher (I know I know, security through obscurity)
  • and probably something like chroot to keep my vhosts jailed

I guess two questions: what of the above is Forge already doing, and do you guys perform any additional steps on your own servers?


Just an update, and it is probably common knowledge, but I couldn't find it in a central spot. Forge performs the following:

  • all the updates - forge appears to do this during its initial setup (and according to the site, continues to perform this)
  • firewall set up - firewall is set up by forge, and can be configured through the forge ui
  • disable root access - forge disables root access, and grants sudo rights to the forge user
  • disable password access - forge disables password access, and access can only be via keys added to the forge ui
  • fail2ban is installed

Forge doesn't:

  • Forge doesn't create separate users for each site - all sites are owned by the forge user
  • Forge sites aren't isolated - a site can interact with impunity with another site (worth noting if you allow users to install plugins, for example - let's say you are running two sites, for two clients, on the same server with WordPress)
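To verify the two SSH items that both lists above cover (root login and password logins disabled), here is an added audit script; it is not from the thread or from Forge, and the sample config files it builds are constructed for the demonstration. It relies on a detail that is easy to miss: sshd honours the first occurrence of a keyword and ignores later repeats, so appending "PasswordAuthentication no" to a file that already says "yes" higher up changes nothing.

```sh
#!/bin/sh
# Added example, not part of the original thread. Assumes the usual
# "Keyword value" layout of sshd_config (the rarer "Keyword=value" form is not parsed).

# effective_value KEYWORD FILE -> prints the first value set for KEYWORD (sshd semantics),
# or nothing if the keyword is unset. Directives after a Match line are conditional,
# not global, so scanning stops there.
effective_value() {
    awk -v key="$1" '
        /^[[:space:]]*#/ || NF == 0 { next }      # skip comments and blank lines
        tolower($1) == "match"      { exit }      # global section ends at the first Match
        tolower($1) == tolower(key) { print $2; exit }
    ' "$2"
}

# check_sshd FILE -> prints one line per finding; returns 0 only when root login and
# password authentication are both disabled, 1 otherwise.
check_sshd() {
    file="$1"
    status=0
    root=$(effective_value PermitRootLogin "$file")
    # Unset means the OpenSSH default (prohibit-password), which still allows key-based root.
    if [ "${root:-prohibit-password}" = "no" ]; then
        echo "PASS PermitRootLogin=no"
    else
        echo "FAIL PermitRootLogin=${root:-prohibit-password (default)}"; status=1
    fi
    pw=$(effective_value PasswordAuthentication "$file")
    # Unset means the OpenSSH default "yes".
    if [ "${pw:-yes}" = "no" ]; then
        echo "PASS PasswordAuthentication=no"
    else
        echo "FAIL PasswordAuthentication=${pw:-yes} (first occurrence wins)"; status=1
    fi
    port=$(effective_value Port "$file")
    echo "INFO Port=${port:-22}"
    return $status
}

# Constructed sample configs for the demonstration.
GOOD=$(mktemp); printf 'Port 2222\nPermitRootLogin no\nPasswordAuthentication no\n' > "$GOOD"
# Looks hardened if you only read the last line, but the earlier "yes" is what sshd applies.
BAD=$(mktemp); printf 'PasswordAuthentication yes\nPermitRootLogin no\nPasswordAuthentication no\n' > "$BAD"

check_sshd "$GOOD"
check_sshd "$BAD"
```

On a live server, `sudo sshd -T` prints the effective values directly and is the authoritative check; the script is for reviewing a config file before it is deployed.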

Have you found an easy way to create separate users for each site after installation? I will have to look into this.


I would love to know this as well. I am using a single droplet for several WordPress sites, and it seems like a security issue. Obviously if one site gets hacked, the intruders have access to all other sites on the server. I am using Digital Ocean and they have a tutorial for separating users here: https://www.digitalocean.com/community/tutorials/how-to-host-multiple-websites-securely-with-nginx-and-php-fpm-on-ubuntu-14-04, but as forge has a single "forge" user to connect to the server, I am worried I will lose access to all the other sites that I move under a different user.


Yeah, it doesn't look like it's an option (I confirmed it with Forge support). How much of a risk that is to you is unknown (you have to make that call).

For apps or clients where they are the sole user on a particular server, then I tend to use Forge, but everything else I have been using Serverpilot.
