Applicable to:
- Plesk for Linux
- Plesk for Windows
Question
How to improve security of a Plesk server and protect it from being compromised?
Answer
General recommendations
- Keep Plesk up-to-date
- Set up the minimum password strength as Strong
- Filter all unused ports using a firewall. Ports that are required for Plesk functionality can be found here
- Secure Plesk and a mail server with SSL/TLS certificates
- Set up a secure FTP connection
- Limit administrative access to Plesk
- Restrict Remote Access via XML API
- Install and configure Web Application Firewall (ModSecurity)
- Use WordPress Toolkit Security Check to implement security best practices for WordPress instances
- Enable automatic updates for WordPress and its modules as well as for other APS packages
- Avoid using outdated web application packages, as they might contain vulnerabilities. Upgrade these applications to the latest version if possible
- Install VirusTotal Website Check to scan websites using multiple anti-virus engines
- Use the Google Authenticator extension to set up multi-factor authentication
- If you plan to set up PCI DSS compliance, see PCI DSS Compliance
Recommendations for Plesk on Linux
- Allow SSH access via a key file
- Use a non-standard port for SSH connections
- Forbid SSH authentication for root user
- Switch off Perl and Python if they are not required for a website, and never use 'mod_perl' or 'mod_python'.
- Install Imunify360, a complete automated security solution, to keep a server safe
- Install ImunifyAV to keep websites free of malware
- Install Fail2Ban to block hack attempts
- Do not use the PHP handler served as an Apache module, as it is not secure
- Enable automatic updates for system packages
- Use the KernelCare extension to ensure that the server's kernel is up to date
- Configure the FTP passive port range on Linux
- Ensure that Apache does not allow the SSL 2.0/SSL 3.0 protocol
- Check the advanced documentation pages related to Plesk for Linux security: Enhancing Security
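The three SSH items above (key-file access, non-standard port, no root login) can be checked against a server's sshd_config with a script like the following. This is an added example, not Plesk's own tooling; the config path is passed in, and the sample configs it writes are constructed.

```shell
#!/bin/sh
# Added example (not Plesk's own tooling): audit an sshd_config file against the
# three SSH recommendations above. sshd uses the first uncommented occurrence of
# a keyword; Include directives and Match blocks are not followed here.

# Effective value of keyword $2 in file $1, lowercased; $3 is the OpenSSH default
# used when the keyword is absent.
sshd_value() {
  _v=$(grep -Ei "^[[:space:]]*$2[[:space:]]+" "$1" | head -n 1 | awk '{print tolower($2)}')
  if [ -n "$_v" ]; then printf '%s\n' "$_v"; else printf '%s\n' "$3"; fi
}

# Prints one line per failed recommendation; exit status is the number of failures.
sshd_audit() {
  _f=$1; _fails=0
  [ "$(sshd_value "$_f" PasswordAuthentication yes)" = "no" ] ||
    { echo "FAIL: PasswordAuthentication is not 'no' (allow key-file access only)"; _fails=$((_fails + 1)); }
  [ "$(sshd_value "$_f" Port 22)" != "22" ] ||
    { echo "FAIL: Port is 22 (use a non-standard SSH port)"; _fails=$((_fails + 1)); }
  [ "$(sshd_value "$_f" PermitRootLogin prohibit-password)" = "no" ] ||
    { echo "FAIL: PermitRootLogin is not 'no' (forbid root SSH login)"; _fails=$((_fails + 1)); }
  return "$_fails"
}

# Constructed sample configs for a stand-alone run: a default-like one and a hardened one.
write_weak_config() {
  cat > "$1" <<'EOF'
# default-like sshd_config (constructed sample); commented keywords fall back to defaults
#Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
EOF
}
write_hardened_config() {
  cat > "$1" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
EOF
}

# Stand-alone demo: audit the constructed weak config (replace with /etc/ssh/sshd_config on a server)
tmp=$(mktemp); write_weak_config "$tmp"
sshd_audit "$tmp" || echo "$? recommendation(s) not met in $tmp"
rm -f "$tmp"
```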
Recommendations for Plesk on Windows Server
- Use a non-standard port for RDP connections
- Switch off unused programming and scripting languages
- Always install the latest Windows updates
- Prohibit customers from overriding handlers via web.config files
- Enable DDoS protection
- Configure the FTP passive port range on Windows Server
- Set up a file audit on Windows Server
Comments
4 comments
How to Switch off Perl and Python?
@Semih Perl and Python support can be switched off either on a domain level via Home > Domains > "DOMAIN_NAME" > Hosting settings or via Home > Service Plans > "SERVICE_PLAN_NAME" > Hosting parameters
I notice a lot of hosting providers I work with tend to send out a notification if a user's WordPress site is out of date. What would be a good rule of thumb to make sure all of the versions of WordPress users are running don't cause security risks?
@Prime Concepts
Hello!
In Plesk via WordPress Toolkit it is possible to configure auto-update of WordPress instances. It is also possible to conduct a security check for security issues. More information may be found in the Documentation article.
To automatically update themes and plugins, use this article.
WordPress update email notifications can be enabled/disabled through the option Tools & settings > Notifications.