How to improve security of a Plesk server and protect it from being compromised?
- Keep Plesk up-to-date
- Set up the minimum password strength as Strong
- Filter all unused ports using a firewall. Ports that are required for Plesk functionality can be found here
- Secure Plesk and a mail server with SSL/TLS certificates
- Set up secure FTP connection
- Limit administrative access to Plesk
- Restrict Remote Access via XML API
- Install and configure Web Application Firewall (ModSecurity)
- Use WordPress Toolkit Security Check to implement security best practices for WordPress instances
- Enable automatic updates for WordPress and its modules as well as for other APS packages
- Avoid using outdated web application packages, as they might contain vulnerabilities. Upgrade these applications to the latest version if possible
- Install VirusTotal Website Check to scan websites using multiple anti-virus engines
- Use the Google Authenticator extension to set up multi-factor authentication
- If you plan to set up PCI DSS compliance, see PCI DSS Compliance
Recommendations for Plesk on Linux
- Allow SSH access via a keyfile
- Use a non-standard port for SSH connections
- Forbid SSH authentication for root user
- Switch off Perl and Python if they are not required for a website, and never use 'mod_perl' or 'mod_python'.
- Install the complete automated security solution Imunify360 to keep a server safe
- Install ImunifyAV to keep websites free of malware
- Install Fail2Ban to block hack attempts
- Do not use the PHP handler that runs as an Apache module, as it is not secure
- Enable automatic updates for system packages
- Use KernelCare extension to be sure that a server's kernel is up-to-date
- Configure the FTP passive port range on Linux
- Ensure that Apache does not allow the SSL 2.0/SSL 3.0 protocol
- Check the advanced documentation pages related to Plesk for Linux security: Enhancing Security
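The SSH and Apache items in the list above can be checked mechanically. As an added example that is not part of the Plesk article or its tooling, this POSIX shell script audits an sshd_config file and an Apache configuration file containing the SSLProtocol directive against those recommendations; the file paths are assumptions supplied by the caller, since the page does not state where they live on a given server.

```shell
# Added example (not Plesk's own tooling): audit an sshd_config and an Apache
# SSL config against the Linux recommendations above. File paths are passed
# in by the caller; their locations on a given server are an assumption.

# Print the effective value of an sshd_config keyword. sshd honours the
# first uncommented occurrence of a keyword, so stop at the first match.
ssh_directive() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key { print $2; exit }' "$1"
}

# Check SSH port, root login and key-only authentication. Prints one FAIL
# line per unmet recommendation and returns the number of failures.
audit_sshd() {
    fails=0
    port=$(ssh_directive "$1" Port)
    if [ "${port:-22}" = 22 ]; then
        echo "FAIL: SSH listens on the default port 22"; fails=$((fails + 1))
    fi
    root=$(ssh_directive "$1" PermitRootLogin | tr 'A-Z' 'a-z')
    if [ "${root:-yes}" != no ]; then
        echo "FAIL: PermitRootLogin is '${root:-yes}', expected no"; fails=$((fails + 1))
    fi
    pw=$(ssh_directive "$1" PasswordAuthentication | tr 'A-Z' 'a-z')
    if [ "${pw:-yes}" != no ]; then
        echo "FAIL: PasswordAuthentication is '${pw:-yes}', key-file auth expected"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Check that SSLProtocol does not leave SSL 2.0/3.0 enabled. "all" needs an
# explicit -SSLv3 (SSLv2 is absent from modern OpenSSL builds); listing
# SSLv2/SSLv3 positively, or having no directive at all, also fails.
audit_apache_ssl() {
    awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "sslprotocol" {
            seen = 1; all = 0; bad = 0; no3 = 0
            for (i = 2; i <= NF; i++) {
                t = tolower($i)
                if (t == "all") all = 1
                else if (t ~ /^[+]?sslv[23]$/) bad = 1
                else if (t == "-sslv3") no3 = 1
            }
            if (bad || (all && !no3)) {
                print "FAIL: SSLProtocol leaves SSL 2.0/3.0 enabled: " $0; exit 1
            }
        }
        END { if (!seen) { print "FAIL: no SSLProtocol directive found"; exit 1 } }' "$1"
}
```

Source the file and call `audit_sshd /etc/ssh/sshd_config` and `audit_apache_ssl <apache ssl config>`; a non-zero return means at least one recommendation is unmet.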
Recommendations for Plesk on Windows Server
- Use a non-standard port for RDP connections
- Switch off unused programming and scripting languages
- Always install the latest Windows updates
- Prohibit customers from overriding handlers via web.config files
- Enable DDoS protection
- Configure the FTP passive port range on Windows Server
- Set up a file audit on Windows Server
How to Switch off Perl and Python?
@Semih Perl and Python support can be switched off either on a domain level via Home > Domains > "DOMAIN_NAME" > Hosting settings or via Home > Service Plans > "SERVICE_PLAN_NAME" > Hosting parameters
I notice a lot of hosting providers I work with tend to send out a notification if a user's WordPress site is out of date. What would be a good rule of thumb to make sure all of the versions of WordPress users are running don't cause security risks?
In Plesk via WordPress Toolkit it is possible to configure auto-update of WordPress instances. It is also possible to conduct a security check for security issues. More information may be found in the Documentation article.
To automatically update themes and plugins, use this article.
WordPress update email notifications can be enabled/disabled through the option Tools & settings > Notifications.
Disable unused scripting languages
One of our sites has this function enabled within the WPtoolkit and I understand that it cannot be reverted by the click of a button. Should someone want to enable the use of Python to communicate with the site, is there a workaround for this?
Any suggestions are greatly appreciated.