Top 15 Plesk Server Security Best Practices to Protect Your Website

Plesk stands as one of the most widely adopted hosting platforms available today, often used by those who don't utilize cPanel. Like cPanel, Plesk is frequently targeted by malicious actors seeking high-privilege access to web applications and server resources. While Plesk offers various security extensions designed to enhance website protection, merely installing these extensions without adhering to a robust set of best practices can still leave your website and the primary Plesk master account exposed to malware and exploits. Proactive security measures are crucial in maintaining the integrity and availability of your online presence. This comprehensive guide will introduce you to Plesk and outline essential security best practices to safeguard your digital assets effectively.

• What is Plesk?
• Why Plesk Security Hardening is Important
• Security Best Practices for Plesk
  1. Update Consistently
  2. Use Password Complexity Rules When Creating Passwords
  3. Enforce Multi-Factor Authentication
  4. Use SSL/TLS for Remote Administration and SSH
  5. Use sFTP and not FTP for File Sharing
  6. Automate CMS Updates
  7. Secure Plesk and the Website with SSL/TLS
  8. Configure the Domain to Avoid Clickjacking
  9. Configure Plesk with Trusted Hosts to Avoid Open URL Redirects
  10. Restrict Remote Access via the Plesk API
  11. Restrict Administrative Access
  12. Mitigate the Symlinks Vulnerability
  13. Configure Plesk to Use Enhanced Security Mode
  14. Follow PCI-DSS Compliance Regulations
  15. Use the Imunify360 Plesk Extension
• Recommended Articles

What is Plesk?

To assist website owners in managing their online properties, hosting administrators often deploy platforms and management tools that enable customers to customize their sites according to their specific business requirements. Plesk is a leading control panel in this category, alongside cPanel, and is frequently chosen for environments that support a diverse array of operating systems and hosting platforms. It is particularly well-suited for hosting providers who offer Virtual Private Server (VPS) and dedicated server options to their clientele.

Plesk's appeal to both hosters and their customers lies in its seamless integration with popular Content Management Systems (CMS) applications such as WordPress, Joomla, and Drupal. Given that the majority of hosting customers utilize these CMS platforms, Plesk simplifies the management process for users and streamlines oversight for hosting providers. Furthermore, Plesk supports various robust database engines, including MySQL, PostgreSQL, and Microsoft SQL Server, as well as essential web hosting applications like Apache Tomcat Java and ColdFusion, offering a comprehensive and flexible environment.

The extensibility of Plesk is another key advantage, allowing for the addition of extra functionality to customer sites through extensions to its base code. Notable examples include Docker support, an SEO Toolkit, Git integration, a Developer Pack, Servershield by CloudFlare, and KernelCare. While some of these extensions provide security enhancements, it is important to recognize that they do not constitute a complete security solution capable of protecting against all potential attack vectors. A multi-layered approach incorporating best practices remains essential.

Why Plesk Security Hardening is Important

Considering that a single server operated by a hoster could be home to hundreds of websites, a compromise of Plesk could have widespread repercussions, potentially affecting hundreds of customers. Any zero-day vulnerabilities discovered in Plesk could impact thousands of sites across numerous servers, making it imperative for administrators to remain consistently updated on the latest Plesk security advisories and patches.

A notable historical example illustrating the gravity of Plesk zero-days occurred in 2012. A critical vulnerability in the hosting platform allowed attackers to extract the master password used by hosting administrators to manage all websites on a server. With this master password, attackers could seize control of any site hosted on the affected Plesk server. This vulnerability, prevalent in older Plesk versions (highlighting the crucial need for consistent updates), impacted approximately 50,000 sites before its discovery and subsequent remediation.

While site hijacking is one of the most severe consequences, it is not the only potential damage. Attackers can also upload malware or inject malicious code into files, leading to various issues. Such malware might remain undetected, silently consuming server resources, which degrades performance and negatively impacts customer experience. This can result in increased customer complaints and, ultimately, significant damage to the hosting company's reputation. Furthermore, malicious software running on the server could eavesdrop on data transmissions, leading to the potential theft of sensitive information, including personal or financial details.

Ultimately, any damage inflicted upon servers, the hoster’s reputation, stolen customer data, and compromised websites directly affects the hoster's revenue. Instead of allocating resources to extensive cleanup operations following a massive compromise, hosters can proactively invest in hardening Plesk security. This approach ensures better data protection and safeguards customer sites, fostering trust and maintaining business continuity.

Security Best Practices for Plesk

Whether you operate as a host server administrator or are a site owner, these critical security best practices should be rigorously implemented across all your sites. Even a single compromised website can negatively affect overall server performance and security posture, underscoring why Plesk security must always be a top priority. Adhering to these guidelines will create a much more resilient hosting environment.

1. Update Consistently

Whenever a security vulnerability is identified or bugs are reported and subsequently remediated, Plesk developers promptly release an update. While all updates are important for system stability and feature enhancements, security patches hold paramount importance for protecting sites from known vulnerabilities. These updates are specifically designed to address exploits discovered in the wild and close potential attack vectors. Neglecting to patch the Plesk application leaves your site, and any other sites managed by Plesk, open to exploitation by malicious actors.

Out-of-date software has been a contributing factor in numerous large-scale data breaches, including the widely publicized Equifax compromise. To ensure you always have the latest version, you can utilize configurations to automatically install Plesk updates. However, it's worth noting that Plesk might go offline for a few minutes after updates, a factor that large hosting providers might need to consider for their operational continuity. If automatic updates are not feasible, administrators should configure notifications for Plesk updates so that they are promptly informed and can initiate the software update process as soon as possible, minimizing the window of vulnerability.

2. Use Password Complexity Rules When Creating Passwords

Users often exhibit a tendency to reuse the same password across multiple online platforms, and these passwords are typically composed of simple words, sometimes with a few appended numbers. Passwords that are short, easily guessable, or reused across various sites are highly vulnerable to brute-force attacks and credential stuffing. Attackers could discover a user’s password on a less secure external site and then use these cracked credentials to authenticate and compromise the corresponding Plesk account, assuming the user employed the same password.

Hosters can significantly enhance security by applying stringent password rules. These rules ensure that users create cryptographically secure passwords that are robust and resistant to brute-force attempts. While the number of characters in a password is a factor, it is not sufficient on its own. Users must also adhere to complexity rules, which mandate that passwords include a combination of uppercase and lowercase letters, numbers, and special characters. For an even higher level of security, characters should be randomized and avoid dictionary words or common phrases, making them far more challenging to guess or crack.

Plesk provides the functionality to set up password rules, though it typically suggests a minimum length of eight characters. However, modern cybersecurity standards indicate that an eight-character password, even with complexity (e.g., one uppercase, five lowercase, one number, one special character), can be cracked in a matter of hours, rendering it cryptographically insecure. For robust protection against brute-force attacks, hosters should enforce a minimum of 10 characters for the master password, and users should be strongly encouraged to use passwords between 10-12 characters in length, incorporating a diverse mix of character types.

3. Enforce Multi-Factor Authentication

Phishing attacks and brute-force password attempts are pervasive threats in the digital landscape, and a Plesk administrator cannot compel every user to maintain unique passwords across all their online accounts. Should either a user or the Plesk administrator fall victim to a phishing attempt, multi-factor authentication (MFA) provides a critical layer of defense, preventing a threat actor from successfully authenticating into the targeted account even if they have stolen the password.

Traditional text message-based two-factor authentication (2FA) has been found to be vulnerable due to exploits in the SS7 protocol, which allow attackers to intercept messages. SIM swapping is another significant concern, where attackers use social engineering tactics to convince telecommunications representatives to redirect messages intended for a targeted user to the attacker’s SIM card. For these reasons, most organizations now advocate for the use of authenticator applications that generate time-based, user-specific codes for the second step in MFA, as they offer a much higher level of security.

Plesk integrates with the Google Authenticator application, which can be easily downloaded to a user's smartphone. While enabling this feature requires the installation of an extension, the enhanced security it provides against phishing and unauthorized access is well worth the effort. The Authenticator application generates unique, temporary codes that are used during the second phase of MFA, offering a significantly more secure alternative to relying on vulnerable text messages for verification.

4. Use SSL/TLS for Remote Administration and SSH

SSH (Secure Shell) is a widely used protocol for remote administration of Linux machines, but if not properly secured, it can introduce several significant threats, including the complete takeover of the server via the root account. To protect SSH from potential compromise on both the main physical server and individual user instances, several best practices should be implemented:

• Utilize a keyfile for authentication instead of relying solely on passwords, which are more susceptible to brute-force attacks.
• Configure SSH to operate on an alternative, non-standard port, making it less obvious to automated scanning tools.
• Disable direct authentication for the root user on SSH, forcing attackers to compromise another account first.

SSL/TLS (Secure Sockets Layer/Transport Layer Security) certificates play a crucial role by encrypting all traffic exchanged between a user’s computer and the host server. This encryption protects against critical security threats such as eavesdropping and man-in-the-middle attacks, which could otherwise be leveraged to steal sensitive information like login credentials, personal data, or proprietary files. Implementing SSL/TLS ensures that all remote administration sessions and file transfers remain confidential and secure.

5. Use sFTP and not FTP for File Sharing

It is still common for hosting companies to offer FTP (File Transfer Protocol) services to their users. However, FTP is an outdated protocol that transfers data in cleartext, meaning all files and credentials are sent unencrypted over the network. This makes any files uploaded or downloaded using FTP highly vulnerable to man-in-the-middle attacks and data theft. Transferring files via FTP is as risky as transmitting sensitive financial data over an unencrypted HTTP connection. Any confidential information contained within uploaded files could be easily intercepted, manipulated, or stolen by malicious actors.

Secure FTP (sFTP), in contrast, employs encryption to secure file transfers, much like how HTTPS adds encryption to the HTTP protocol. It integrates a robust layer of security into the file transfer process, effectively protecting data from eavesdropping and interception. While sFTP functions similarly to traditional FTP from a user's perspective, the key difference is the added encryption, which requires users to employ FTP client software that supports the sFTP protocol. Migrating to sFTP is a fundamental step in securing data in transit.

6. Automate CMS Updates

While content management systems like WordPress offer options to enable automatic updates, Plesk also provides robust functionality to manage these updates centrally. Activating automatic updates ensures that the CMS software is consistently equipped with the latest patches and upgrades, which are crucial for securing the platform against newly discovered Common Vulnerabilities and Exposures (CVEs). When updating WordPress or any other CMS, it is equally important to remember that all installed plugins and themes must also be updated regularly to prevent them from becoming an overlooked source of vulnerabilities on your site.

Beyond the primary CMS, a single website typically hosts several other applications, including gallery software, e-commerce systems, and various email or utility applications. Each of these components represents a potential entry point for attackers if not kept current. Plesk offers comprehensive functionality that enables automatic updates for these diverse applications. By configuring this, site owners and administrators can significantly reduce the attack surface and ensure that all web applications remain secure and protected from known exploits, thereby strengthening the overall security posture of the hosting environment.

7. Secure Plesk and the Website with SSL/TLS

Just like with FTP, establishing a cleartext connection to the Plesk management interface or to the website itself exposes any transferred data to significant risks, primarily from man-in-the-middle attacks. Website owners should be strongly encouraged to implement an SSL/TLS certificate on their sites to ensure the safety and privacy of their users. Crucially, hosting providers must always enforce SSL/TLS certificates for all connections to Plesk itself, guaranteeing secure administrative access.

Implementing SSL/TLS on Plesk pages ensures that users will not fall victim to password theft or data interception during man-in-the-middle attacks. Any web pages that handle or transmit sensitive data—such as login credentials, personal information, or financial details—should only be accessible over HTTPS. To enforce this, host administrators should configure permanent redirects from HTTP to HTTPS, ensuring that even if users attempt to connect to Plesk or their websites using cleartext channels, their browsers are automatically upgraded to a secure, encrypted connection. This practice is fundamental for data integrity and user trust.

8. Configure the Domain to Avoid Clickjacking

Clickjacking is a deceptive threat where attackers trick users into performing unintended actions by interacting with a seemingly legitimate but attacker-controlled site. This is typically achieved by overlaying a transparent or hidden iframe containing the genuine site over a malicious page, often when the targeted victim is already authenticated to the legitimate service. As the victim clicks on elements of the visible (malicious) page, their clicks are unwittingly redirected to the hidden iframe, executing commands on the legitimate site, which could include sensitive actions like bank transfers, password changes, or the disclosure of confidential information.

To protect their sites from being exploited in clickjacking schemes, website owners can implement a crucial security measure: adding the X-Frame-Options HTTP header to server responses. By setting the header value to DENY, administrators can prevent any third-party website from embedding their domain within an iframe. Plesk allows you to configure both Apache and Nginx domains to explicitly block this type of framing. The correct server header to achieve this protection should appear as follows:

X-Frame-Options: DENY

Implementing this header is a simple yet highly effective way to mitigate the risk of clickjacking attacks, safeguarding users from malicious redirects and unauthorized actions.

9. Configure Plesk with Trusted Hosts to Avoid Open URL Redirects

When developers implement user redirects based on query string parameters without proper validation, it creates an "open URL redirect" vulnerability, which attackers can exploit. For example, consider a legitimate user site URL like: mysite.com?redirect=mysite.com/loggedin. If the application automatically redirects users using the value provided in the redirect parameter, an attacker can manipulate this URL to direct users to their own malicious site. Attackers typically craft a link that appears to originate from the legitimate domain but then uses the open redirect vulnerability to forward the unsuspecting victim to a phishing site designed to steal data. Because the initial link seemed to point to a trusted domain, targeted victims are less likely to suspect foul play.

To effectively remediate this vulnerability within Plesk, administrators can establish a whitelist of trusted domains. These domains should be explicitly added to the Plesk configuration file, panel.ini. Within the [security] section of this file, there is a specific configuration option labeled trustedRedirectHosts. By populating this section, you can specify precisely which domains are considered safe for redirects after authentication, ensuring users are only directed to approved destinations.

An example configuration allowing redirects solely to mydomain.com in the panel.ini file would look like this:

[security]
trustedRedirectHosts = mydomain.com

This critical configuration prevents malicious redirection, thereby protecting users from phishing attempts and maintaining the integrity of your site's navigation flow.

10. Restrict Remote Access via the Plesk API

The Plesk application includes a powerful API (Application Programming Interface) that enables administrators to interact with the software programmatically and allows users to configure settings remotely. While highly convenient, an exposed API can significantly increase the attack surface of your Plesk server. To enhance security and reduce potential vulnerabilities, administrators should disable the API when it is not actively required for operations.

Disabling the Plesk API can be accomplished directly within the panel.ini configuration file. In the [api] section of panel.ini, you have two primary options: you can either completely turn off the API or implement an IP address whitelist to control access. The choice depends on your specific security requirements and operational needs.

To disable the Plesk API entirely, apply the following configuration in panel.ini:

[api]
enabled = off

Alternatively, to whitelist specific IP addresses, allowing only users or servers originating from these addresses to access the API, use the following configuration. This example whitelists two IP addresses:

[api]
allowedIPs = 10.58.108.100,192.168.0.0

By restricting API access to only trusted sources or disabling it when not in use, you significantly reduce the risk of unauthorized remote control and potential exploitation, thereby fortifying your Plesk server's security posture.

11. Restrict Administrative Access

In the event that the master password for Plesk is compromised, or a user with administrative privileges has their password stolen, an attacker could gain control over numerous websites and inflict severe damage to site code and configurations. To minimize the potential impact of such a compromise, Plesk administrators can implement strict controls by providing a whitelist of IP addresses that are permitted to access administrative functions. While a blacklist can also be used to block specific IP addresses, it is generally less secure than a whitelist because it is more permissive, allowing access by default unless explicitly denied.

To configure a whitelist of IP addresses for administrative access, follow these instructions:

• Navigate to Tools & Settings > Restrict Administrative Access (located under the "Security" section).
• Click on Settings, then select the "Denied from the networks that are not listed" radio button, and confirm by clicking OK. This action switches Plesk to a whitelist-based access control model.
• Click Add Network and specify the individual IP addresses or IP address ranges from which administrative access to Plesk should be allowed. You can enter:
  • Individual IP addresses (e.g., 192.168.1.110)
  • Subnets of IP addresses (e.g., 123.0.0.1/16 or 123.123.*.*)
• Finally, click OK to save your changes.

By carefully restricting administrative access to a predefined set of trusted IP addresses, you add a robust layer of security that significantly limits the exposure and potential damage from compromised credentials, even if they fall into the wrong hands.

12. Mitigate the Symlinks Vulnerability

Subscribed users on a Plesk server can typically access their subscription documents and files using a feature in web servers like Apache or Nginx known as Symlinks (symbolic links). These links function as aliases, providing convenient access to documents. However, this functionality can expose Plesk to a significant security vulnerability: if a third-party subscribed user discovers or guesses the aliased link, they could potentially view the subscription documents of other subscribed users. The information contained in subscription documents is frequently sensitive, often including crucial data such as passwords and Content Management System (CMS) settings, making this a critical vulnerability that demands mitigation.

The specific settings and methods for mitigating the Symlink vulnerability can vary depending on the host operating system and the CMS being utilized. Fortunately, Plesk provides comprehensive guidance on how to address and mitigate this vulnerability effectively in their official documentation. Administrators should consult these resources to implement the recommended security measures, ensuring that cross-user data exposure via symlinks is prevented and sensitive information remains protected within the Plesk environment.

13. Configure Plesk to Use Enhanced Security Mode

Plesk’s Enhanced Security Mode is enabled by default in versions 11 and later, offering a foundational layer of protection. However, for installations that have been converted from earlier versions or for any older Plesk deployments, this critical security mode must be configured manually to ensure full protection. The setting for Enhanced Security Mode is readily accessible within the Security Policy section of your Plesk control panel. Administrators should verify that the "Enhanced security mode" checkbox is explicitly set to "On" to activate these vital safeguards.

The enhancements provided by this security configuration are designed to robustly protect sensitive data from theft and unauthorized access, even in the unfortunate event of a system compromise. Specifically, Enhanced Security Mode:

• Encrypts Plesk passwords when stored in the database, making them unreadable to unauthorized parties.
• Disallows the retrieval of sensitive data, such as passwords, via the API, closing a potential exploit channel.
• Ensures that password recovery emails no longer contain the password in cleartext, preventing its exposure during account recovery processes.

By ensuring Enhanced Security Mode is active, Plesk administrators significantly strengthen the platform's defenses against internal and external threats, thereby protecting both the server infrastructure and client data with improved cryptographic measures.

14. Follow PCI-DSS Compliance Regulations

Compliance regulations mandate that companies adhere to a stringent set of guidelines designed to safeguard user data and prevent substantial penalties for violations. The Payment Card Industry Data Security Standard (PCI-DSS) is specifically relevant for entities that process, store, or transmit credit card information, a common occurrence for hosting providers facilitating customer payments. Beyond PCI-DSS, site owners must also be acutely aware of other compliance regulations pertinent to their specific business operations, such as GDPR, HIPAA, or CCPA, depending on their geographic location and the type of data they handle.

Plesk offers several configuration options that are instrumental in controlling data security and helping organizations meet PCI-DSS requirements. These configurations are designed to provide comprehensive protection across various aspects of the hosting environment:

• SSL/TLS Cipher Limitations: Restricting the use of SSL/TLS ciphers to only those considered cryptographically secure and robust, preventing the use of weaker, exploitable encryption methods.
• Blocking External Connections to the MySQL Database Server: Preventing unauthorized external access to sensitive databases, thereby minimizing the risk of data breaches.
• Protecting Files and File Permissions: Implementing strict file permissions to ensure that only authorized users and processes can access or modify critical system and website files.
• Securing FTP Access: Enforcing secure protocols like sFTP and disabling insecure cleartext FTP, which is crucial for protecting credentials and data during file transfers.

By diligently implementing these Plesk configurations and staying informed about all relevant compliance regulations, hosters can build a highly secure environment that protects sensitive information, fosters customer trust, and avoids costly legal and financial repercussions.

15. Use the Imunify360 Plesk Extension

While diligently following best practices significantly reduces risk and strengthens the protection of your Plesk server and the websites it hosts against exploits, no single solution can guarantee 100% risk-free operation. This is where comprehensive security tools become invaluable. Integrating the Imunify360 Plesk extension into your security strategy will work in synergy with your best practices to harden your security posture even further. Imunify360 provides a powerful Linux malware scanner and a robust Linux server antivirus solution, offering essential active defense capabilities.

With Imunify360, you gain more than just methods to stop malware and exploits; hosters and site owners can actively monitor their assets for any emerging threats that might bypass conventional security measures. By adding continuous monitoring and real-time threat detection to your site’s defenses, you can identify and address security incidents before they escalate and cause widespread damage, potentially affecting hundreds of sites on a single server. Its advanced capabilities include a comprehensive Web Application Firewall (WAF), PHP Security Layer, and automated patch management.

Take your web hosting security to the next level with the Imunify360 security suite. Imunify360 is a complete security suite where all components seamlessly work together to keep your servers safe and operational, allowing you to focus on other critical business tasks. Imunify360 represents a powerful synergy of Antivirus, Firewall, WAF, PHP Security Layer, Patch Management, and Domain Reputation services, all managed through an intuitive user interface with advanced automation. Experience the difference by trying Imunify360 free for 14 days and observe tangible security improvements in as little as one week.

Make your servers secure now!

Recommended articles:

• 18 ways to improve your cPanel security
• WordPress Security Ultimate Guide for 2023
• ModSecurity Rules 2023: How to Guide
• What are Antivirus False Positives and What to Do About Them?
• Shared Hosting Security Guide for 2021
• Security made easy with Imunify360
• Proactive vs. Reactive Security: 5 Tips for Proactive Cyber Security
• 15 security tips for Linux VPS Hosting
• Top 15 Plesk Server Security Best Practices to Protect Your Website
• Top 10 Web Hosting Security Best Practices
• What Are Your First Three Steps When Securing a Linux Server?
• What are steps to secure a Linux server?
• How to keep your website secure in 2021
• Ultimate Guide for DirectAdmin Security from Security Experts