OpenClaw security hardening: 12-step checklist for self-hosters
By Linas Valiukas · April 13, 2026
OpenClaw's default configuration is insecure. That's not a bug - it's a design choice that prioritizes easy setup over security. The problem is that most self-hosters never move past the defaults. Researchers found over 30,000 instances running without authentication. Nine CVEs were disclosed in four days in March 2026. One scored a 9.9 out of 10.
If you self-host OpenClaw, this checklist is the minimum you should do before exposing it to the internet. It's not exhaustive. But it covers the gaps that actually get people hacked.
1. Enable authentication
This is step one. Nothing else matters if anyone on the internet can access your OpenClaw dashboard. Set a strong password in your OpenClaw config. Don't use the default. Don't use something guessable.
# In your .env or openclaw.json
AUTH_ENABLED=true
AUTH_PASSWORD=your-strong-password-here
Test it: try accessing your OpenClaw URL from a different browser or incognito window. If you see the dashboard without logging in, authentication isn't working.
2. Don't bind to 0.0.0.0 without a firewall
OpenClaw's default config binds to all network interfaces. That means any device on your network - or the internet - can connect. If you're running on a VPS with a public IP, your instance is exposed the moment you start it.
Either bind to 127.0.0.1 (localhost only) and use a reverse proxy, or configure your firewall to block external access to OpenClaw's ports (typically 3210 for web UI, 18789 for the gateway).
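To confirm which of the two choices above is actually in effect, this added example (not part of OpenClaw or the original article) reads `ss -tln` output and reports which of ports 3210 and 18789 listen on a wildcard address. The sample socket table is constructed; on a real host, pipe `ss -tln` into the function.

```shell
#!/bin/sh
# Added example, not OpenClaw code. Ports 3210 (web UI) and 18789 (gateway)
# are the ones named in the article; the sample table below is constructed.

# Reads `ss -tln` output on stdin and prints the watched ports that listen
# on every interface (0.0.0.0, * or [::]), space-separated.
exposed_listeners() {
    awk -v ports="${1:-3210 18789}" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" {
            addr = $4                       # "Local Address:Port" column
            port = addr; sub(/.*:/, "", port)
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if ((port in want) && (host == "0.0.0.0" || host == "*" || host == "[::]"))
                print port
        }' | sort -nu | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample: web UI bound to all interfaces, gateway on loopback only.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      511          0.0.0.0:3210       0.0.0.0:*
LISTEN 0      4096       127.0.0.1:18789      0.0.0.0:*
LISTEN 0      128             [::]:22            [::]:*'

exposed=$(printf '%s\n' "$SAMPLE_SS" | exposed_listeners)
if [ -n "$exposed" ]; then
    echo "exposed on all interfaces: $exposed"
else
    echo "watched ports are loopback-only"
fi
# On a real host: ss -tln | exposed_listeners
```

A port reported here is reachable from outside unless the firewall blocks it, so a non-empty result means the instance depends entirely on the firewall rules.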
# UFW example: only allow SSH, HTTP, HTTPS
sudo ufw default deny incoming
sudo ufw allow ssh
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable
3. Use a reverse proxy with TLS
Never expose OpenClaw's port directly to the internet. Put it behind Nginx, Caddy, or Traefik with a proper TLS certificate. This encrypts traffic between your browser and the server, and gives you a place to add rate limiting and access controls.
Caddy is the easiest option - it handles TLS certificates automatically:
# Caddyfile
your-domain.com {
    reverse_proxy localhost:3210
}
4. Secure your API keys
OpenClaw stores API keys in plain text by default. If someone accesses your instance, they get your OpenAI/Anthropic/Google keys. That means unlimited spending on your account.
- Store keys in environment variables, not in openclaw.json
- Restrict .env file permissions: chmod 600 .env
- Set spending limits on your LLM provider dashboards (OpenAI, Anthropic, etc.)
- Rotate API keys every 90 days
- Never commit .env files to git
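The file-level items in the list above can be checked mechanically. This is an added example, not code from OpenClaw or the original article; it assumes `.env` and `openclaw.json` sit in the same deployment directory, and the demo directory and its contents are constructed.

```shell
#!/bin/sh
# Added example, not OpenClaw code. The file names .env and openclaw.json come
# from the article; keeping both in one directory is an assumption.

# Prints a space-separated list of findings for deployment directory $1
# (empty output means every check passed).
audit_secrets() {
    dir=$1; findings=""
    if [ -f "$dir/.env" ]; then
        # Columns 5-10 of `ls -l` are the group/other bits; chmod 600 clears them.
        [ "$(ls -ld "$dir/.env" | cut -c5-10)" = "------" ] || findings="$findings env-perms"
        # Common ignore patterns only: .env, /.env, *.env, .env*
        grep -Eq '^/?\*?\.env\*?$' "$dir/.gitignore" 2>/dev/null ||
            findings="$findings env-not-ignored"
        # An ignore rule does not untrack a file that was already committed.
        if command -v git >/dev/null 2>&1 &&
           git -C "$dir" ls-files --error-unmatch .env >/dev/null 2>&1; then
            findings="$findings env-tracked"
        fi
    fi
    # Heuristic: OpenAI and Anthropic keys start with "sk-"; one inside
    # openclaw.json means the key is stored in the config, not the environment.
    if grep -Eq 'sk-[A-Za-z0-9_-]{20,}' "$dir/openclaw.json" 2>/dev/null; then
        findings="$findings key-in-json"
    fi
    echo "${findings# }"
}

# Constructed demo directory with three of the problems present
# (the "apiKey" field name and the key value are made up).
demo=$(mktemp -d)
printf 'AUTH_PASSWORD=constructed-value\n' > "$demo/.env"
chmod 644 "$demo/.env"
printf '{"apiKey": "sk-CONSTRUCTEDconstructed0000"}\n' > "$demo/openclaw.json"
echo "findings: $(audit_secrets "$demo")"
rm -rf "$demo"
```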
5. Vet ClawHub skills before installing
ClawHub has over 13,000 skills. Researchers found up to 1,184 malicious ones including crypto stealers, prompt injection payloads, and data exfiltration tools. Before installing any skill:
- Read the source code (not just the description)
- Check the author's other skills and GitHub profile
- Prefer skills with many stars, recent updates, and open issues that get resolved
- Be suspicious of skills that request shell access, network access, or file system permissions they shouldn't need
- Never install skills that promise financial returns or crypto functionality
6. Keep OpenClaw updated
OpenClaw ships weekly. Many releases include security patches. The March 2026 CVEs included a 9.9-severity scope escalation and an RCE. If you're running an outdated version, you're running with publicly documented exploits.
Check your version with openclaw --version. Compare it to the latest release notes. If you're more than two weeks behind, update immediately.
7. Limit who can send messages to your agent
By default, OpenClaw accepts messages from anyone who has access. On Telegram, that means anyone who finds your bot. Configure an allowlist of phone numbers or usernames that are permitted to interact with the agent. Reject everything else.
8. Set spending limits
Agent loops can drain hundreds of dollars overnight. One user reported a $3,600 monthly bill from uncontrolled activity. Set MAX_REQUESTS_PER_MINUTE in your OpenClaw config. Set hard spending caps on your LLM provider dashboards. Monitor usage daily for the first week.
9. Fix Docker permissions
The OpenClaw container runs as the node user (UID 1000). If your bind-mounted volumes are owned by root, you get EACCES permission denied errors. But running the container as root to "fix" this creates a security hole.
# Fix ownership, don't run as root
sudo chown -R 1000:1000 /path/to/openclaw-data
10. Monitor your logs
Check docker logs openclaw regularly. Look for repeated 401/403 errors (brute force attempts), unexpected outbound connections, and memory warnings. If your gateway keeps crashing, something is wrong - don't just restart it and move on.
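One way to turn "repeated 401/403 errors" into a concrete check, as an added example that is not OpenClaw code or part of the original article: count failed-auth responses per client and report anything over a threshold. It assumes access-log lines in Nginx "combined" format from the reverse proxy in step 3, since the article does not show OpenClaw's own log format; the sample lines, including the request paths, are constructed.

```shell
#!/bin/sh
# Added example, not OpenClaw code. Assumes access-log lines in Nginx
# "combined" format (the reverse proxy from step 3); OpenClaw's own log
# format is not shown in the article. Sample lines are constructed.

# Reads log lines on stdin; prints "client count" for every client with at
# least $1 (default 5) responses of 401 or 403, busiest first.
auth_failures() {
    awk -v min="${1:-5}" '
        {
            # Split on double quotes so a malformed request line with extra
            # spaces cannot shift the status column: q[3] is " STATUS BYTES ".
            if (split($0, q, "\"") < 3) next
            split(q[3], f, " ")
            if (f[1] == 401 || f[1] == 403) fails[$1]++
        }
        END { for (ip in fails) if (fails[ip] >= min) print ip, fails[ip] }
    ' | sort -k2,2nr -k1,1
}

# Constructed sample: six failed logins from one address, normal traffic from another.
sample_log() {
    for i in 1 2 3 4 5 6; do
        printf '203.0.113.7 - - [13/Apr/2026:03:12:0%s +0000] "POST /login HTTP/1.1" 401 153 "-" "python-requests/2.31"\n' "$i"
    done
    printf '198.51.100.4 - - [13/Apr/2026:09:00:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"\n'
    printf '198.51.100.4 - - [13/Apr/2026:09:00:05 +0000] "GET /admin HTTP/1.1" 403 98 "-" "Mozilla/5.0"\n'
}

sample_log | auth_failures 5
# Live use, with an assumed log path: auth_failures 10 < /var/log/nginx/access.log
```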
11. Back up your data
Your OpenClaw data directory contains conversations, skills, config, and credentials. A corrupted config file can cause crash loops (377+ restarts with no backoff). A Docker update can wipe volumes if you configured storage wrong. Automate daily backups of your data directory to a separate location.
12. Have an incident response plan
If your instance gets compromised, do you know what to do? At minimum:
- Rotate all API keys immediately (LLM providers, messaging platforms)
- Check your LLM provider usage for unauthorized activity
- Review messaging platform sessions for unknown devices
- Check your server for unauthorized processes or cron jobs
- Update OpenClaw to the latest version
- Review installed skills for anything you didn't install
Or let someone else handle this
This checklist is 12 steps. Most self-hosters do 2-3 of them. That's how 30,000 instances end up running without authentication.
With TryOpenClaw.ai, all 12 of these are handled for you from day one. Authentication configured. Firewall locked down. TLS enabled. Skills vetted. Updates applied same-day. API key security managed. Spending limits monitored. That's the point of managed hosting - you don't have to become a security engineer to use an AI agent.
Founder of TryOpenClaw.ai. Software engineer writing about OpenClaw, self-hosting trade-offs, and what non-technical users actually need from an AI assistant.