10 Plesk Server Security Best Practices

/ VPS Hosting Blog

Plesk is one of the most popular web hosting control panels, offering a user-friendly interface for managing servers and websites. However, like any server management tool, Plesk requires robust security configurations to protect against cyber threats. A misconfigured server can lead to data breaches, hacking attempts, or malware infections, which could compromise the integrity of your websites and sensitive user information.

In this blog post, we will examine 10 Plesk server security best practices to help you safeguard your server from vulnerabilities and attacks. Each section includes step-by-step instructions, recommended tools, and advanced configurations to ensure your Plesk server remains as secure as possible.

1. Keep Plesk Updated Regularly

Why Updates Are Important

Software updates are crucial because they patch security vulnerabilities, introduce new features, and improve overall performance. Cybercriminals often exploit known vulnerabilities in outdated software to gain unauthorized access.

How to Update Plesk

  • Log in to Plesk Panel.
  • Navigate to Tools & Settings > Updates and Upgrades.
  • Check for available updates and apply them immediately.
  • Enable automatic updates via Tools & Settings > Update Settings.

Advanced Update Practices

  • Set up email notifications for available updates.
  • Subscribe to Plesk Security Advisories to stay informed about vulnerabilities.
  • Regularly review installed extensions and update or remove outdated ones.

Recommended Resources:

2. Use Strong Administrator Credentials

Why Strong Credentials Matter

Using weak credentials is one of the most common security risks. Brute-force attacks target weak passwords to gain control over the Plesk server.

Best Practices for Secure Credentials:

  • Use a password with at least 16-20 characters, including uppercase, lowercase, numbers, and symbols.
  • Change passwords every 60-90 days.
  • Use a password manager like Bitwarden or LastPass to generate and store passwords securely.
  • Avoid using common passwords or variations of the same password across different accounts.
  • Ensure that no default passwords exist on newly installed services.

Renaming the Admin Username

To enhance security, rename the default admin username to something unique using the following command:

plesk bin admin --set-login newadminusername

3. Enable Two-Factor Authentication (2FA)

Why 2FA is Crucial

2FA adds an additional layer of security by requiring a second form of authentication, such as a one-time password (OTP), preventing unauthorized access even if your credentials are compromised.

Steps to Enable 2FA in Plesk:

  • Install the Google Authenticator extension.
  • Navigate to Extensions > Google Authenticator.
  • Configure and enable 2FA for admin and other users.
  • Ensure that backup codes are stored securely in case of device loss.

Enforcing 2FA for All Users

For additional security, enforce 2FA for all users, including resellers and clients, under User Roles & Permissions. You can also configure 2FA enforcement using server-wide policies.

4. Configure Firewall and IP Restrictions

Why Firewalls Are Essential

Firewalls act as a protective barrier between your server and potential cyber threats, blocking unauthorized access and malicious traffic.

Steps to Configure Firewall in Plesk:

  • Navigate to Tools & Settings > Firewall.
  • Enable Plesk Firewall and allow only necessary services.
  • Restrict admin panel access to trusted IP addresses.

Advanced Firewall Configurations

  • Use iptables to manually configure firewall rules:
iptables -A INPUT -p tcp --dport 8443 -s YOUR_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 8443 -j DROP
  • Install Fail2Ban to prevent brute-force attacks:
plesk bin ip_ban --enable
  • Monitor firewall logs to detect any suspicious activity.

5. Secure SSH Access

Why SSH Security is Important

Since SSH provides direct server access, improper configurations can leave your server vulnerable to remote attacks.

Steps to Secure SSH:

  • Disable root login via SSH (/etc/ssh/sshd_config).
  • Change the default SSH port from 22 to something else (e.g., 2222).
  • Use SSH keys instead of passwords for authentication.
  • Limit SSH access to specific IP addresses using hosts.allow and hosts.deny.

Additional Hardening

  • Enable Port Knocking to make SSH access even more secure.
  • Set up automatic intrusion detection using Fail2Ban.

6. Use Web Application Firewall (WAF)

Why You Need a WAF

A Web Application Firewall (WAF) helps mitigate threats such as SQL injections, cross-site scripting (XSS), and brute-force attacks.

Best WAF Options for Plesk:

  • ModSecurity: Navigate to Tools & Settings > Web Application Firewall and enable it.
  • Use Cloudflare WAF for an additional security layer (Cloudflare).

Advanced WAF Configuration

  • Create custom ModSecurity rules to block specific attack patterns.
  • Implement rate limiting to prevent automated attacks.

7. Regularly Scan for Malware and Viruses

Why Malware Scanning is Important

Malware infections can lead to data breaches, blacklisting, and website defacement.

Recommended Tools for Malware Scanning:

  • Plesk Advisor: Provides security recommendations.
  • ImunifyAV: A free antivirus scanner for Plesk.
  • ClamAV: Open-source antivirus scanner.

Scheduling Regular Scans

Schedule regular malware scans using cron jobs:

clamscan -r /var/www/vhosts/
  • Set up real-time monitoring for malware detection.
  • Implement automatic removal of infected files.

8. Secure MySQL and Databases

Why Database Security Matters

Databases store sensitive information, making them a prime target for attackers.

Database Security Best Practices:

  • Change the default MySQL root password regularly.
  • Disable remote access unless necessary.
  • Use strong user passwords.
  • Enable SSL/TLS encryption for database connections.
  • Regularly check for SQL injection vulnerabilities.
  • Restrict user privileges to minimize risk.

9. Regularly Back Up Your Data

Why Backups Are Critical

Regular backups ensure you can restore your system in case of a security breach, accidental deletion, or server failure.

How to Configure Automatic Backups:

  • Go to Tools & Settings > Backup Manager.
  • Schedule daily/weekly backups.
  • Store backups offsite or in cloud storage (e.g., Amazon S3, Google Drive).

10. Monitor Logs and Set Up Alerts

Why Log Monitoring is Important

Monitoring logs helps detect suspicious activity before it becomes a major threat.

Key Log Files to Monitor:

  • Plesk logs: /var/log/plesk/.
  • Apache logs: /var/log/httpd/.
  • Fail2Ban logs: /var/log/fail2ban.log.
  • Implement automated alerts for abnormal activities.
  • Use SIEM (Security Information and Event Management) solutions.