- Plesk for Linux
- Plesk for Windows
How to improve the security of a Plesk server and protect it from being compromised?
Plesk Onyx 17.8 has enhanced security and a pre-installed Advisor extension. This extension helps maintain the security of a Plesk server. Upgrade Plesk to the latest available release.
- Keep Plesk up-to-date.
- Set the minimum password strength to Strong.
- Use the Google Authenticator extension to set up multi-factor authentication.
- Secure Plesk and a mail server with SSL/TLS certificates.
- Set up a secure FTP connection.
- Limit administrative access to Plesk.
- Restrict remote access via the XML API.
- Use Web Application Firewall.
- Use WordPress Toolkit Security Check to implement security best practices for WordPress.
- Enable automatic updates for WordPress and its modules as well as for other APS packages.
- Avoid using outdated web application packages, since they might contain vulnerabilities. Upgrade these applications to the latest version if possible.
- Install VirusTotal Website Check to scan websites using multiple anti-virus engines.
- Filter all unused ports using a firewall. Ports that are used by Plesk can be found here.
Recommendations for Linux
- Allow SSH access via a keyfile.
- Use a non-standard port for SSH connections.
- Forbid SSH authentication for root.
- Switch off Perl and Python if they are not required for the website, and never use mod_perl and mod_python.
- Install Opsani VCTR to scan for vulnerabilities.
- Install Fail2Ban to block hacking attempts.
- Do not use the PHP handler served as an Apache module, since it is not secure.
- Enable automatic updates for system packages.
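The three SSH items in the list above can be checked against an OpenSSH server configuration. The script below is an added example, not part of the original article or of Plesk: the function names and the sample config are constructed, and it assumes that "access via a keyfile" means key-only login (`PasswordAuthentication no`).

```bash
#!/usr/bin/env bash
# Added example (not from the Plesk article): audits sshd settings read from stdin.

# Print every global value of one keyword, lowercased. Keywords are
# case-insensitive, "Key=value" is accepted, and parsing stops at the first
# Match block because settings there apply only conditionally.
sshd_values() {  # usage: sshd_values <lowercase-keyword> < config
    awk -v key="$1" '
        /^[ \t]*(#|$)/ { next }
        { sub(/=/, " ") }
        tolower($1) == "match" { exit }
        tolower($1) == key { print tolower($2) }
    '
}

# Report each check and return the number of failed checks (0 = all passed).
audit_sshd() {  # usage: audit_sshd < config
    local cfg ports root pw fails=0
    cfg=$(cat)
    # Port may repeat (sshd listens on all of them); other keywords use the first value.
    ports=$(printf '%s\n' "$cfg" | sshd_values port | tr '\n' ' ')
    root=$(printf '%s\n' "$cfg" | sshd_values permitrootlogin | head -n 1)
    pw=$(printf '%s\n' "$cfg" | sshd_values passwordauthentication | head -n 1)
    # OpenSSH defaults apply when a keyword is absent.
    ports=${ports:-22 }; root=${root:-prohibit-password}; pw=${pw:-yes}
    case " $ports" in
        *" 22 "*) echo "FAIL Port: listening on standard port 22"; fails=$((fails + 1)) ;;
        *)        echo "ok   Port: $ports" ;;
    esac
    if [ "$root" = no ]; then echo "ok   PermitRootLogin: no"
    else echo "FAIL PermitRootLogin: $root (root can still authenticate)"; fails=$((fails + 1)); fi
    # Assumption: keyfile access is read as key-only login, so passwords must be off.
    if [ "$pw" = no ]; then echo "ok   PasswordAuthentication: no (key-only)"
    else echo "FAIL PasswordAuthentication: $pw"; fails=$((fails + 1)); fi
    return "$fails"
}

# Constructed sample config: non-standard port, but root login and passwords left on.
audit_sshd <<'EOF' || echo "$? check(s) failed"
# constructed sample, not taken from a real server
Port 2222
PermitRootLogin yes
EOF
```

On a live server, `sshd -T | audit_sshd` (run as root) audits the effective configuration, which also covers settings pulled in through `Include` files.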
Recommendations for Windows Server
- Use a non-standard port for RDP connections.
- Switch off unused programming and scripting languages.
- Install the latest Windows updates.
- Prohibit customers from overriding handlers via the web.config files.
- Enable DDoS protection.