- Plesk 12.5 for Linux
- Plesk Onyx for Linux
A PCI compliance scan of the server reports errors. How can the scan be passed successfully?
Below are some of the failures that can appear in the scan report, with the fix for each:
PHP Unsupported Version Detection
An unsupported (end-of-life) PHP version is in use. To pass PCI compliance it is recommended to use PHP 5.5.x or higher. To select the needed version for a site, open Domains > example.com > PHP Settings.
WordPress Unsupported Version Detection
An outdated WordPress version is installed. Upgrade the WordPress installation to the latest version under Domains > example.com > WordPress > select the instance > Update.
SMTP Service Cleartext Login Permitted
To fix this and the other TLS-related findings above:
Connect to the server via SSH and run:
# plesk sbin pci_compliance_resolver --enable
Running the utility with the --enable option applies the following security changes to the Plesk services:
- Sets the list of allowed TLS cipher suites.
- Sets the Diffie-Hellman (DH) parameter size to 2048 bits.
- Disables SSL/TLS compression.
- Sets disable_plaintext_auth = yes for Dovecot.
- Disallows plaintext authentication on non-encrypted connections to Courier Mail Server.
In case specific parameters need to be set for each service, use
To read more about both utilities, check the Advanced Administration Guide for Linux.
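The following script is an added example, not code from Plesk or from the pci_compliance_resolver utility. It checks the two mail-side changes from the list above the way a scanner would see them: it parses an SMTP EHLO reply and flags AUTH PLAIN/LOGIN being offered before STARTTLS (the condition behind "SMTP Service Cleartext Login Permitted"), and it reads the effective disable_plaintext_auth value from a Dovecot configuration, honouring the rule that the last uncommented assignment wins. The EHLO replies and Dovecot excerpts are constructed samples; check_live_smtp runs the same test against a real host and is the only part that needs the network.

```python
"""Offline audit for the mail-side changes pci_compliance_resolver makes.
Added example, not Plesk code. Sample data below is constructed."""
import re
import smtplib


def parse_ehlo(response):
    """Map ESMTP keywords from a raw EHLO reply to their parameters,
    e.g. {"STARTTLS": "", "AUTH": "PLAIN LOGIN"}. The first 250 line is
    the greeting, not an extension, so it is skipped."""
    features = {}
    greeting_seen = False
    for line in response.splitlines():
        m = re.match(r"250[ -](\S+)\s*(.*)", line)
        if not m:
            continue
        if not greeting_seen:
            greeting_seen = True
            continue
        features[m.group(1).upper()] = m.group(2).strip()
    return features


def cleartext_login_permitted(features):
    """True when AUTH PLAIN or AUTH LOGIN is advertised on this session.
    Evaluated on the pre-STARTTLS EHLO this is exactly the scanner's
    'SMTP Service Cleartext Login Permitted' condition; after STARTTLS the
    same mechanisms are fine because the channel is encrypted. Keys are
    upper-cased so smtplib's lower-case esmtp_features dict works too."""
    auth = {k.upper(): v for k, v in features.items()}.get("AUTH", "")
    mechanisms = {m.upper() for m in auth.split()}
    return bool(mechanisms & {"PLAIN", "LOGIN"})


def dovecot_plaintext_disabled(conf_text):
    """Effective disable_plaintext_auth value from a Dovecot config: the last
    uncommented assignment wins; if none is present, Dovecot's documented
    default (yes) applies."""
    value = "yes"
    for line in conf_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):
            continue
        m = re.match(r"disable_plaintext_auth\s*=\s*(\S+)", stripped)
        if m:
            value = m.group(1).lower()
    return value == "yes"


def check_live_smtp(host, port=25, timeout=10):
    """Same check against a real server: returns (permitted_before_starttls,
    permitted_after_starttls). Not used by the offline demo below."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        before = cleartext_login_permitted(smtp.esmtp_features)
        after = None
        if smtp.has_extn("starttls"):
            smtp.starttls()
            smtp.ehlo()
            after = cleartext_login_permitted(smtp.esmtp_features)
    return before, after


# Constructed EHLO replies: the first is what a scanner sees on a server that
# still allows cleartext logins, the second what it sees after hardening.
EHLO_BEFORE = """250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-AUTH PLAIN LOGIN
250 8BITMIME"""

EHLO_AFTER = """250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250 8BITMIME"""

# Constructed Dovecot excerpts; a commented-out line must not count.
DOVECOT_BEFORE = """# disable_plaintext_auth = yes
disable_plaintext_auth = no
"""
DOVECOT_AFTER = """disable_plaintext_auth = no
# overridden later in the file, which is what counts:
disable_plaintext_auth = yes
"""


def audit():
    """Run every offline check and return the findings as a dict."""
    return {
        "smtp_cleartext_before_fix": cleartext_login_permitted(parse_ehlo(EHLO_BEFORE)),
        "smtp_cleartext_after_fix": cleartext_login_permitted(parse_ehlo(EHLO_AFTER)),
        "dovecot_ok_before_fix": dovecot_plaintext_disabled(DOVECOT_BEFORE),
        "dovecot_ok_after_fix": dovecot_plaintext_disabled(DOVECOT_AFTER),
    }


if __name__ == "__main__":
    for name, result in audit().items():
        print(f"{name}: {result}")
```

A server that only advertises AUTH after STARTTLS still passes, which is the intended end state; a scanner connecting on port 25, 587 or 143 without negotiating TLS first must never see PLAIN or LOGIN on offer.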
SSL Medium Strength Cipher Suites Supported
A service accepts medium-strength cipher suites (typically suites with 64- to 112-bit keys, such as 3DES-based ones). To pass, restrict the corresponding daemon to strong cipher suites; pci_compliance_resolver described above sets a strong list for all Plesk services, and nmap's ssl-enum-ciphers script can be used afterwards to confirm which suites each port still accepts.
FTP Supports Cleartext Authentication
According to PCI DSS, if FTP connections to the server are allowed, all FTP connections except secure FTPS ones must be prohibited. Enable this in Tools & Settings > Security Policy > Allow only secure FTPS connections.
PHP expose_php Information Disclosure
The error means that PHP is configured to disclose information about itself: with expose_php enabled, PHP adds an X-Powered-By header with its version to every response and, on PHP versions before 5.5, answers a special query string with its logo and credits pages. The solution is to define expose_php = Off in the PHP configuration file php.ini and restart the web server daemon to put the change into effect.
Web Application Potentially Vulnerable to Clickjacking
To protect the site from clickjacking, so that browsers refuse to render its pages inside frames on other origins, add the following lines in
[security]
sameOriginOnly = true
Note: This option has been implemented in Plesk Onyx only and has not been tested in Plesk 12.5. In case of any issues please upgrade to Plesk Onyx.
Note: Check the OWASP Clickjacking Defense Cheat Sheet for additional information regarding clickjacking.
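The script below is an added example, not Plesk code, for verifying the last two findings (expose_php information disclosure and clickjacking) both in configuration and in a captured HTTP response. It applies PHP's own php.ini boolean rules (On/True/Yes/1 enable; Off/False/No/None/0/empty disable; a missing expose_php means PHP's default of On), looks for the X-Powered-By header that expose_php adds, and treats a response as protected against clickjacking when it carries X-Frame-Options DENY/SAMEORIGIN or a Content-Security-Policy with frame-ancestors. The response headers and configuration excerpts are constructed; that the [security] block above lives in Plesk's panel.ini is an assumption, since the page does not name the file.

```python
"""Checks for the 'PHP expose_php Information Disclosure' and 'Web Application
Potentially Vulnerable to Clickjacking' findings, on both the configuration
and a captured HTTP response. Added example, not Plesk code; sample data is
constructed. panel.ini as the home of the [security] block is an assumption."""
import configparser
import re
from urllib.request import Request, urlopen

# php.ini boolean semantics: On/True/Yes/1 enable; Off/False/No/None/0/"" disable.
PHP_INI_FALSE = {"", "0", "off", "false", "no", "none"}


def php_ini_expose_disabled(ini_text):
    """True when the effective expose_php directive is off. The last
    uncommented assignment wins; a missing directive means PHP's default,
    which is On, so that counts as NOT disabled."""
    value = None
    for line in ini_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith((";", "#", "[")):
            continue
        m = re.match(r"expose_php\s*=\s*(.*)$", stripped, re.IGNORECASE)
        if m:
            value = m.group(1).split(";", 1)[0].strip().strip("\"'")
    return value is not None and value.lower() in PHP_INI_FALSE


def headers_disclose_php(headers):
    """X-Powered-By: PHP/x.y.z is what expose_php=On adds to every response."""
    return any(n.lower() == "x-powered-by" and "php" in v.lower() for n, v in headers)


def clickjacking_protected(headers):
    """Framing is restricted when X-Frame-Options is DENY or SAMEORIGIN, or a
    Content-Security-Policy carries a frame-ancestors directive."""
    for name, value in headers:
        n = name.lower()
        if n == "x-frame-options" and value.strip().upper() in ("DENY", "SAMEORIGIN"):
            return True
        if n == "content-security-policy" and "frame-ancestors" in value.lower():
            return True
    return False


def panel_same_origin_only(panel_ini_text):
    """Read sameOriginOnly from the [security] section (configparser matches
    option names case-insensitively, so the Plesk spelling is fine)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(panel_ini_text)
    return cp.getboolean("security", "sameOriginOnly", fallback=False)


def fetch_headers(url):
    """Real response headers for a live check (not used offline)."""
    with urlopen(Request(url, method="HEAD"), timeout=10) as resp:
        return list(resp.headers.items())


# Constructed samples: a response from an unhardened host, one from a
# hardened host, and the matching configuration excerpts.
HEADERS_BEFORE = [("Server", "nginx"), ("X-Powered-By", "PHP/5.6.40"),
                  ("Content-Type", "text/html")]
HEADERS_AFTER = [("Server", "nginx"), ("X-Frame-Options", "SAMEORIGIN"),
                 ("Content-Type", "text/html")]
PHP_INI_BEFORE = "[PHP]\n; constructed excerpt\nexpose_php = On\n"
PHP_INI_AFTER = "[PHP]\nexpose_php = On\nexpose_php = Off ; later value wins\n"
PANEL_INI = "[security]\nsameOriginOnly = true\n"


def audit():
    """Run every offline check and return the findings as a dict."""
    return {
        "php_disclosed_before": headers_disclose_php(HEADERS_BEFORE),
        "php_disclosed_after": headers_disclose_php(HEADERS_AFTER),
        "expose_php_off_before": php_ini_expose_disabled(PHP_INI_BEFORE),
        "expose_php_off_after": php_ini_expose_disabled(PHP_INI_AFTER),
        "clickjacking_protected_before": clickjacking_protected(HEADERS_BEFORE),
        "clickjacking_protected_after": clickjacking_protected(HEADERS_AFTER),
        "panel_same_origin_only": panel_same_origin_only(PANEL_INI),
    }


if __name__ == "__main__":
    for name, result in audit().items():
        print(f"{name}: {result}")
```

Checking the live response with fetch_headers matters more than checking the file: a per-site php.ini or a reverse proxy in front of the web server can override what the global configuration says, and the scanner only ever sees the response.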