- Plesk for Linux
- Plesk for Windows
How to protect a server from being compromised?
Here are general recommendations on how to improve server security:
- Set the minimum password strength to Strong.
- Use the Google Authenticator extension to set up multi-factor authentication.
- Secure Plesk and the mail server with SSL/TLS certificates.
- Set up a secure FTP connection.
- Limit the administrative access to Plesk.
- Restrict Remote Access via XML API.
- Use Web Application Firewall.
- Always use WordPress Toolkit Security Check to implement security best practices for WordPress.
- Enable automatic updates for WordPress and its modules as well as for other APS packages.
- Avoid using outdated web application packages, since they may contain vulnerabilities. Upgrade to the supported version if possible.
- Install VirusTotal Website Check to scan websites using multiple anti-virus engines.
- Do not disable Plesk automatic updates.
- Filter all unused ports using a firewall. Ports that are used by Plesk can be found here.
- Allow SSH access via keyfile.
- Use a non-standard port for SSH connections.
- Forbid SSH authentication for root.
- Switch off Perl and Python if they are not required for the website, and never use mod_perl and mod_python.
- Install Opsani VCTR to scan for vulnerabilities.
- Install Fail2Ban to block hack attempts.
- Do not use the PHP handler served as an Apache module, since it is not secure.
- Enable automatic updates for the system packages.
- Use a non-standard port for RDP connections.
- Switch off unused programming and scripting languages.
- Enable Windows updates.
- Prohibit customers from overriding the handlers via the web.config files.
Note: If the server was hacked, perform the actions described in the article What to do if the server was hacked?
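The three SSH recommendations in the list (key file access, a non-standard port, no root authentication) can be verified against an `sshd_config` file. The script below is an added example, not part of the original article or of Plesk. The function names, the sample files and port 2222 are constructed for illustration, and it assumes that "access via keyfile" also means password authentication is switched off.

```python
# Added example, not Plesk code: checks sshd_config text against the SSH
# items in the list. Include files and Match blocks are not evaluated.
DEFAULTS = {  # OpenSSH defaults used when a keyword is absent
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
}

def parse_global(text):
    """Return (settings, ports) from the global section of an sshd_config."""
    settings, ports = {}, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break  # everything after the first Match is conditional
        if key == "port" and value.isdigit():
            ports.append(int(value))  # Port may repeat; every value is used
        else:
            settings.setdefault(key, value)  # first occurrence wins in sshd
    return settings, ports or [22]

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    settings, ports = parse_global(text)
    value = lambda key: settings.get(key, DEFAULTS[key])
    findings = []
    if 22 in ports:
        findings.append("Port: sshd listens on the standard port 22")
    if value("permitrootlogin") != "no":
        findings.append("PermitRootLogin: root can still authenticate")
    if value("pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication: key files are disabled")
    if value("passwordauthentication") != "no":
        findings.append("PasswordAuthentication: passwords still accepted")
    return findings

# Constructed sample files; port 2222 is an arbitrary illustrative value.
WEAK = "#Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n"
HARDENED = ("Port 2222\nPermitRootLogin no\nPubkeyAuthentication yes\n"
            "PasswordAuthentication no\nMatch User backup\n"
            "    PasswordAuthentication yes\n")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or "OK")
```

On a live host, passing the output of `sshd -T` to `audit()` checks the effective configuration, including values pulled in from included files.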