Hi. I am the Software Engineer here at DO who maintains our one-click images.
Are One-Click Install App images "safe to use" by default?
Our one-clicks vary in their production readiness. One-clicks that provide a turn-key service (like WordPress) usually include a pre-configured firewall and WordPress also includes fail2ban with the WordPress plugin. Other images like Ruby on Rails or Docker provide the key components needed to get started with the language or platform they provide.
What are the default security settings for these images?
One-clicks are intended to provide a fairly standard installation, similar to what you would get if you followed one of our tutorials on setting up the stack. Where services are exposed publicly on launch firewalls or other addons may be included.
Anything in particular to be aware of when using them?
Yes. When you launch a one-click, most of them include a custom MOTD that is displayed when you log in via SSH or the console. This will include any specifics related to that particular one click that you should be aware of such as the location of generated passwords (such as for MySQL), file locations and additional software that has been installed. We will soon be updating these to a more standardized format.
Is there any official advice/best practices for provisioning/security, after creating a Droplet from an image?
Nothing that is specific to one-clicks but this guide covers recommended first steps on Ubuntu 16.04 which our one-clicks are currently all based on. A similar tutorial is available for 18.04 once our one-clicks migrate to the newer Ubuntu LTS release later this year.
What's the intended use for these images? Are they meant to be used for production use, without necessarily requiring user modification of the base distribution image, or should they be reserved for quick development/experimentation?
One-clicks are generally intended to be a short-cut, providing pre-installed versions of popular software stacks. Originally most of these images simply provided the installation of the packages provided by the upstream distribution but over time basic security precautions have been added. We recommend using one-clicks as a starting point. If you are creating a lot of droplets for production use I would recommend doing one of the following if you find that additional security measures or packages are wanted for the image you are using:
Provide commands do do additional setup in a user-data script passed when you create the droplet. These commands will be run on the first boot.
Alternately you could spin up a droplet from a one-click image, customize it as needed and create a snapshot image to use for additional droplets.
For good security it is usually recommended to go with providing absolute minimum access wherever possible. A "least privledges" philosophy. By blocking any access not needed and restricting access to the bare minimum you can help ensure a secure system.
One-clicks, while taking security in mind do not follow this philosophy in their creation. One-clicks are focused on standardization with common practice and ease of use and access is secured when it is considered a direct risk.
More generally I would say that on any system you plan to administer to ensure you verify the security in place and adjust as needed to meet your needs or further restrict access.