Applicable to:
- Plesk for Linux
- Plesk for Windows
Question
How can the security of a Plesk server be improved to protect it from being compromised?
Answer
General recommendations
- Keep Plesk up-to-date
- Set up the minimum password strength as Strong
- Filter all unused ports using a firewall. Ports that are required for Plesk functionality can be found here
- Secure Plesk and a mail server with SSL/TLS certificates
- Set up a secure FTP connection
- Limit administrative access to Plesk
- Restrict Remote Access via XML API
- Install and configure Web Application Firewall (ModSecurity)
- Use WP Toolkit Security Check to implement security best practices for WordPress instances
- Enable automatic updates for WordPress and its modules as well as for other APS packages
- Avoid using outdated web application packages, as they might contain vulnerabilities. Upgrade these applications to the latest version if possible
- Install VirusTotal Website Check to scan websites using multiple anti-virus engines
- Use the Multi-Factor Authentication (MFA) extension to set up multi-factor authentication
- If you plan to set up PCI DSS compliance, see PCI DSS Compliance
Recommendations for Plesk on Linux
- Allow SSH access via a keyfile
- Use a non-standard port for SSH connections
- Forbid SSH authentication for root user
- Switch off Perl and Python if they are not required for a website, and never use 'mod_perl' and 'mod_python'.
- Install Imunify, a complete automated security solution, to keep a server safe and keep websites free of malware
- Install Fail2Ban to block hack attempts
- Do not use the PHP handler served as an Apache module, as it is not secure
- Enable automatic updates for system packages
- Use the KernelCare extension to make sure that a server's kernel is up-to-date
- Configure the FTP passive port range on Linux
- Ensure that Apache does not allow the SSL 2.0/SSL 3.0 protocol
- Check the advanced documentation pages related to Plesk for Linux security: Enhancing Security
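
As an added example (not part of the original article and not Plesk's own tooling), the shell function below checks an sshd_config file against the three SSH items in the list above: key-only login, a non-standard port, and no root login. It assumes current OpenSSH defaults and reads only the global section of the one file it is given; the function names and the sample input are constructed for illustration.

```sh
#!/bin/sh
# Added example, not Plesk code. Audits the global section of an sshd_config
# file against the three SSH items above. Assumptions: Include files and
# Match blocks are not evaluated; defaults are those of current OpenSSH.

# values FILE KEYWORD: print each value set for KEYWORD before the first
# Match block. Keywords are case-insensitive; "key=value" is tolerated.
values() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ { next }
        { sub(/[ \t]*=[ \t]*/, " ") }
        tolower($1) == "match" { exit }
        tolower($1) == key && NF >= 2 { print tolower($2) }
    ' "$1"
}

# audit_sshd FILE: print one FAIL line per unmet item; return 1 if any.
audit_sshd() {
    rc=0
    # Port may be given several times and sshd listens on all of them.
    ports=$(values "$1" Port); ports=${ports:-22}
    # For the other keywords sshd keeps the first value it reads.
    root=$(values "$1" PermitRootLogin | head -n 1)
    pass=$(values "$1" PasswordAuthentication | head -n 1)

    if printf '%s\n' "$ports" | grep -qx 22; then
        echo "FAIL Port: sshd still listens on the standard port 22"; rc=1
    fi
    if [ "${root:-prohibit-password}" != "no" ]; then
        echo "FAIL PermitRootLogin: root can still authenticate"; rc=1
    fi
    if [ "${pass:-yes}" != "no" ]; then
        echo "FAIL PasswordAuthentication: passwords accepted, not key-only"; rc=1
    fi
    return "$rc"
}

# Constructed sample input: an unhardened configuration.
sample=$(mktemp)
printf '%s\n' '#Port 22' 'PermitRootLogin yes' 'UsePAM yes' > "$sample"
audit_sshd "$sample" || echo "=> hardening incomplete"
rm -f "$sample"
```

Run it against a copy of the server's sshd_config before and after making changes. `sshd -T` prints the effective configuration, including Include files, and remains the authoritative check.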
Recommendations for Plesk on Windows Server
- Use a non-standard port for RDP connections
- Switch off unused programming and scripting languages
- Always install the latest Windows updates
- Prohibit customers from overriding handlers via web.config files
- Enable DDoS protection
- Configure the FTP passive port range on Windows Server
- Set up a file audit on Windows Server
Comments
4 comments
I can still log in via http and get a non secure error
Hi,
On one of the domains, the WP Toolkit security is constantly modified without my intervention several times a day. Concerns: Restricting access to files and directories.
Regards.
Details: This is for all instances for which CRON management is manual
Hello, I am having problems; I cannot log in after installing Plesk.
It keeps showing that the username and password do not match, even though I am entering everything correctly.