Plesk for Windows
Plesk for Linux
ABT: Group B
kb: auxiliary
Applicable to:
- Plesk for Linux
- Plesk for Windows
Question
How to improve security of a Plesk server and protect it from being compromised?
Answer
General recommendations
- Keep Plesk up-to-date
- Set up the minimum password strength as Strong
- Filter all unused ports using a firewall. Ports that are required for Plesk functionality can be found here
- Secure Plesk and a mail server with SSL/TLS certificates
- Set up secure FTP connection
- Limit administrative access to Plesk
- Restrict Remote Access via XML API
- Install and configure Web Application Firewall (ModSecurity)
- Use WP Toolkit Security Check to implement security best practices for WordPress instances
- Enable automatic updates for WordPress and its modules as well as for other APS packages
- Avoid using outdated web application packages, as they might contain vulnerabilities. Upgrade these applications to the latest version if possible
- Install VirusTotal Website Check to scan websites using multiple anti-virus engines
- Use Multi-Factor Authentication (MFA) extension to set up a multi-factor authentication
- In case of planning to set up PCI DSS Compliance, visit PCI DSS Compliance
Recommendations for Plesk on Linux
- Allow SSH access via a keyfile
- Use a non-standard port for SSH connections
- Forbid SSH authentication for root user
- Switch off Perl and Python if it is not required for a website and never use 'mod_perl' and 'mod_python'.
- Install a complete automated security solution Imunify to keep a server safe and keep websites free of malware
- Install Fail2Ban to block hack attempts
- Do not use the PHP handler served as Apache module as it is not secure
- Enable automatic updates for system packages
- Use KernelCare extension to be sure that a server's kernel is up-to-date
- Configure the FTP passive port range on Linux
- Ensure that Apache does not allow the SSL 2.0/SSL 3.0 protocol
- Check the advanced documentation pages related to Plesk for Linux security: Enhancing Security
Recommendations for Plesk on Windows Server
- Use a non-standard port for RDP connections
- Switch off unused programming and scripting languages
- Always install latest Windows updates
- Prohibit customers from overriding handlers via web.config files
- Enable DDoS protection
- Configure the FTP passive port range on Windows Server
- Set up a file audit on Windows Server
Comments
I can still log in via http and get a non secure error
Hy,
On one of the domains, the WP Toolkit security is constantly modified without my intervention several times a day. Concerns: Restricting access to files and directories.
Regards.
Details : This is for all instances which CRON management is manual
Olá estou tendo problemas, nao consigo fazer login após instalção do plask
Fica mostrando que usuario e senha nao correpondem, sendo que estou colocando tudo da forma correta.
To improve the security of a Plesk server, keep the system, PHP, and extensions always updated and remove any unused services or accounts. Strengthen access control by using strong passwords, enabling two-factor authentication, and securing SSH with keys instead of passwords. Configure a firewall properly ezcardinfo and enable tools like Fail2Ban and ModSecurity to block suspicious activity. Regular malware scans, log monitoring, and automated offsite backups help ensure quick detection and recovery from any compromise.
Please sign in to leave a comment.