Why not Virtualization?

No Linux Distro like OpenBSD? I know Qubes-OS is secure but it is not OK for server.
Anyone used "ALT Linux" ?

Since you are asking for recommendations, I'd highly recommend either Devuan or else Ubuntu Server Edition, as they are quite bare bones. You can get help with either of them here and Ubuntu Server even has the additional option for paid support for 10 years. They will provide a minimum number of packages at first and then you'll have to add the rest yourself.

As for OpenBSD, it's not a usual operating system. Unlike GNU/Linux or even FreeBSD, it's target audience is itself, its own team of developers. Also, unlike GNU/Linux and, to a limited extent, FreeBSD, they treat the documentation seriously and a bug in the documentation is treated with the same vigor as a potential security problem. However, everyone who uses it is expected to be able to read the documentation and figure things out on their own. That's part of the deal. Based on your questions so far, FreeBSD instead might be more appropriate.

A Linux distro specifically aimed at the server would be your best starting point, note I say starting point, as you need to make it secure for your specific usage.

OpenBSD is only as secure as the admin makes it, yes, all the base programs have been security checked by the team, but that is all they guarantee, any additional programs added are down to you to ensure they are securely deployed.

You do realize that it is up to you to harden your web server (or any type of server).
And, just because it is secure today, it will have to be maintained over time to keep it secured.

The server is one part of it.
Your web developers will also have to do their part to keep the server secured.

2 members found this post helpful.

Going a little further on the OpenBSD tangent, Dante Catalfamo recently made a a rather good introductory video providing an overview of OpenBSD:

https://blog.lambda.cx/posts/openbsd-introduction-talk/

The first part of the video has a good survey over some developments where that OS has lead the way in certain improvements. Closer to the middle he has nice overview of various projects derived from OpenBSD development. Then he walks through an installation step by step, which takes only a few minutes even with running commentary. After that, there are some basic system administration tasks and a general system orientation.

Is Devuan OK for server? Why you recommended it? Any extra hardening features?

FreeBSD and OpenBSD are better that GNU/Linux in security area?

what do you mean by that?
As it was already discussed, security depends on the admin, the configuration, the software used (like webserver) and not on the OS itself.
From the other hand as an admin you can make secure all/any of them and you can make them vulnerable too.
The best advice I can give you is: choose your preferred one or the one which you can use/know [better].

It's about the layers.

OpenBSD, yes, but only in the base system, and even then (as mentioned) depending on what you do to the default configuration. It is important to note that much of the security there (confidentiality, integrity, availability) there depends on concise clear clean code, an emphasis on proper design, careful documentation, and sane defaults.

FreeBSD, maybe, but and depending on which distro you start with and what you do to the default configuration and so on.

Adding a CMS like WordPress, for example, will pull down OpenBSD, FreeBSD and any GNU/Linux distro down to the same level.

The most pure answer is "none of them are secure", but some are more security focused than others.

The most useful and correct answer is "the only distribution that is secure is the one an intelligent and informed administrator has secured for the purposes he/she requires and against the specific range of threats they face in their specific use and environment at the current time". Time does not stand still. Security is only what you have if you practice it every single day.

Without knowing you, your training and experience, your specific use, your threat environment, your hardware, and your purpose there is no way to give a complete and comprehensive correct answer. (Anyway, that would require a couple of books worth of text for you to communicate, and a couple more books of test for us to craft an answer, and it might well all be obsolete before we finished.)

We might be able to suggest some places to start, and in fact a couple of smart people already did.
If I might add: no matter what distribution you use, only open what services you absolutely need, secure those as much as possible. Linux rarely gets hacked directly, the attack leverages the open service to give access. Deny access and you prevent the hack.

Also, look at both your services and your networking at the gateway/router level. If you can restrict network access to a service to only the subnets that you want to have access, you block the entire rest of the world from using that access to compromise the system.

If you must open access to the world, ASSUME you could be hacked and not only protect against it but add detection and reaction to your site so that once you are hacked you will KNOW and can react to the threat. (Intrusion Detection is the term to look up.)

2 members found this post helpful.

For what it's worth, I know of two major hosting providers who opt for CentOS for Linux hosting. My website runs on CentOS on one of them.