Plesk stands as one of the most widely utilized hosting platforms available today. Like other popular hosting environments, Plesk servers are frequently targeted by malicious actors seeking to gain high-privilege access to web applications and server resources. While Plesk offers various security extensions designed to strengthen website protection, relying solely on these without adhering to fundamental best practices can leave your site and the primary Plesk administrator account vulnerable to malware and exploits. This article aims to provide a clear understanding of Plesk and outline crucial security best practices to safeguard your digital assets.
What is Plesk?
To facilitate website management for owners, hosting administrators commonly deploy platforms and management tools that enable customers to customize their sites according to their specific business requirements. Plesk is a prominent tool in this space, often favored in environments that support a diverse range of operating systems and platforms as hosting options. It is particularly well-suited for hosting providers offering virtual private server (VPS) and dedicated server solutions to their clientele.
Plesk's appeal to both hosters and their customers lies in its seamless integration with popular content management systems (CMS) applications such as WordPress, Joomla, and Drupal. Given that most hosting customers utilize these CMS applications, Plesk simplifies site management for users and streamlines oversight for hosting providers. Furthermore, it supports essential database engines like MySQL, PostgreSQL, and Microsoft SQL Server, along with various web hosting applications including Apache Tomcat Java and ColdFusion.
Plesk also supports extensions to its core functionality, which can be used to add additional features to customer sites. Examples include Docker support, an SEO Toolkit, Git integration, Developer Pack, and KernelCare. While some of these extensions offer valuable security features, they typically do not provide a comprehensive solution that assures protection against all types of attacks, underscoring the need for broader security measures.
Why Plesk Security Hardening is Important
Considering that a single hosting server can accommodate hundreds of websites, a compromised Plesk installation could potentially impact a vast number of customers. Any unaddressed Plesk vulnerabilities, especially zero-day exploits, could affect thousands of sites across multiple servers. Therefore, administrators must remain vigilant and stay informed about the latest Plesk security advisories.
Historically, vulnerabilities in hosting platforms have demonstrated the critical importance of timely updates. For instance, an older Plesk vulnerability allowed attackers to gain unauthorized access to master passwords used by administrators to manage all websites on a server. Such a compromise could grant attackers complete control over any site hosted on that Plesk server. This type of vulnerability, which affected a significant number of sites before its discovery, highlights why consistent updates are a fundamental best practice.
Site hijacking, while severe, is not the sole consequence of a security breach. Attackers can upload malware or inject malicious code into file systems. This malware might remain undetected, silently consuming server resources, which degrades performance and negatively impacts the customer experience. This can lead to increased customer complaints and, ultimately, damage to a hosting provider's reputation. Furthermore, malicious software running on a server can eavesdrop on data transmissions, potentially leading to the theft of sensitive information.
Any damage incurred by servers, coupled with reputational harm to the hosting provider, stolen customer data, and compromised websites, invariably affects revenue. Instead of allocating resources to extensive cleanup efforts following a major security incident, hosting providers can proactively strengthen Plesk security. This approach better ensures data protection and safeguards customer websites, contributing to long-term stability and trust.
Security Best Practices for Plesk
Whether you are a server administrator or an individual site owner, it is crucial to implement these best practices across all your managed sites. Even a single compromised website can have ripple effects on server performance and security, emphasizing that Plesk security should always be a paramount concern.
1. Update Consistently
Whenever a security vulnerability is identified, or bugs are reported and subsequently fixed, Plesk developers release updates. While all updates are important for system stability and new features, security patches are absolutely vital for shielding websites from known vulnerabilities. These updates are specifically designed to remediate weaknesses discovered in live environments. Neglecting to patch the Plesk application leaves your site, and any other sites managed by Plesk, exposed to potential exploits.
Outdated software has been the root cause of numerous significant data breaches. To ensure you always have the latest version, you can configure Plesk to automatically install updates. However, it's worth noting that Plesk might go offline for a brief period after updates, which may not be ideal for large hosting operations. If automatic updates are not feasible, administrators should subscribe to notifications for Plesk updates. This ensures they are promptly alerted when updates are available, enabling them to apply necessary software patches as soon as possible.
2. Use Password Complexity Rules When Creating Passwords
Users often reuse the same passwords across multiple platforms, and these passwords typically consist of common words, sometimes combined with a few numbers. Such passwords, especially when short and reused, are highly susceptible to brute-force attacks. Attackers can identify a user's password on one compromised site and then attempt to use the same credentials to authenticate and compromise a Plesk account.
Hosting providers can enforce strong password rules to ensure that users create cryptographically secure passwords that are resilient to brute-force attempts. The longer a password, the more secure it is against such attacks, but mere length is insufficient. Users must also adhere to complexity rules, which typically require passwords to be a combination of uppercase and lowercase letters, numbers, and special characters. For even greater security, characters should be randomized and avoid dictionary words or easily guessable sequences.
Plesk allows administrators to set up password rules; however, it often suggests a minimum length of eight characters. Modern security analysis indicates that an eight-character password, even with a mix of character types, can be cracked in a relatively short time, making it cryptographically insecure. For robust protection against brute-force attacks, hosting providers should enforce a minimum of 10 characters for master passwords, and encourage users to adopt passwords of 10-12 characters or more.
3. Enforce Multi-Factor Authentication
Phishing attacks and brute-force password attempts are pervasive threats. While a Plesk administrator cannot compel users to employ unique passwords across all their online accounts, multi-factor authentication (MFA) provides a critical defense layer. Should a user or Plesk administrator fall victim to a phishing attack or have their password compromised, MFA would prevent an unauthorized threat actor from authenticating into the targeted account.
Traditional text message-based two-factor authentication (2FA) has shown vulnerabilities, particularly with issues related to the SS7 protocol, which can allow attackers to hijack messages. SIM swapping is another concern, where attackers use social engineering to redirect a targeted user's messages to their own SIM card. For these reasons, most organizations now prefer to use authenticator applications, which generate a unique, time-based code for the second step in the 2FA process.
Plesk supports integration with authenticator applications, such as Google Authenticator, which can be downloaded to a user’s smartphone. Implementing this feature typically requires the installation of an extension, but the added security for authentication against phishing attacks makes it a worthwhile endeavor. Authenticator apps generate codes used in the second phase of MFA, offering a significantly more secure alternative to relying on text messages.
4. Use SSL/TLS for Remote Administration and SSH
SSH (Secure Shell) is a widely used protocol for remote administration of Linux machines. However, if not properly secured, it introduces several potential threats, including the risk of complete server takeover via a compromised root account. To protect SSH on both the main physical server and individual user instances, several best practices should be implemented:
- Utilize a keyfile for authentication instead of relying solely on passwords.
- Configure SSH to operate on an alternative, non-standard port.
- Disable direct authentication for the root user via SSH.
Implementing SSL/TLS certificates will encrypt all traffic exchanged between a user’s computer and the hosting server. This encryption is vital for protecting against eavesdropping and man-in-the-middle attacks, which could otherwise be leveraged to steal sensitive information during remote administration sessions.
5. Use sFTP and not FTP for File Sharing
It is still common for hosting companies to offer FTP (File Transfer Protocol) for file management. However, FTP transmits data in cleartext, meaning any files uploaded or downloaded using FTP are vulnerable to man-in-the-middle attacks and data theft. Similar to sending financial data over unencrypted HTTP, transferring files with FTP poses significant security risks. Any sensitive information contained within uploaded files could be intercepted, manipulated, or stolen.
Secure FTP (sFTP), on the other hand, employs encryption to secure file transfers, much like HTTPS adds encryption to the HTTP protocol. This additional layer of security protects file transfers from eavesdropping and unauthorized access. While sFTP functions similarly to traditional FTP, it requires that users utilize FTP software that supports the sFTP protocol, ensuring that all data transfers are encrypted and secure.
6. Automate CMS Updates
Many content management systems, like WordPress, offer options to enable automatic updates. Plesk also provides functionality to automate these updates, ensuring that your CMS software is consistently equipped with the latest patches and upgrades. This proactive approach secures the software against newly discovered common vulnerabilities and exposures (CVEs). When updating a CMS like WordPress, it is equally crucial to ensure that all installed plugins are also updated, as outdated plugins can often introduce new vulnerabilities to a site.
Beyond the core CMS, a single website often runs several other applications, including gallery software, e-commerce systems, and email components. Plesk offers features that allow for the automatic updating of these various applications as well. By automating these updates, you can significantly reduce the likelihood of these applications becoming a source of compromise, maintaining a more secure and robust online environment.
7. Secure Plesk and the Website with SSL/TLS
Much like FTP, an unencrypted, cleartext connection to the Plesk software or to a website itself exposes any transferred data to man-in-the-middle attacks. Website owners should be strongly encouraged to implement an SSL/TLS certificate for their sites to protect their users' data. Furthermore, hosting providers must consistently apply SSL/TLS certificates to all Plesk connections.
Enabling SSL/TLS for Plesk pages is essential for preventing users from falling victim to password theft during man-in-the-middle attacks. Any web pages that transmit sensitive data should only be accessible over HTTPS. Therefore, host administrators should configure redirects from HTTP to HTTPS, ensuring that users are automatically routed to a secure, encrypted connection whenever they attempt to access Plesk through an unencrypted channel.
8. Configure the Domain to Avoid Clickjacking
Clickjacking is a deceptive threat designed to trick users into unknowingly performing commands while interacting with what appears to be a legitimate, attacker-controlled site. This attack typically involves a hidden iframe overlay containing the legitimate site, which is unknown to the user. The attacker loads the iframe with content from the authentic site, often when the targeted victim is already authenticated. As the victim clicks buttons or inputs information on the attacker-controlled overlay, these actions are secretly transmitted to the legitimate site, potentially triggering actions such as unauthorized bank transfers or the disclosure of sensitive information.
Website owners can protect their sites from being exploited in clickjacking attacks by implementing the X-Frame-Options header in server responses, with its value set to DENY. In Plesk, you can configure Apache and Nginx domains to explicitly block third-party sites from embedding your domain within an iframe. This server header should be configured as follows:
X-Frame-Options: DENY9. Configure Plesk with Trusted Hosts to Avoid Open URL Redirects
When developers implement user redirects based on query string parameters, it can inadvertently open the site to malicious URL redirects. For example, consider a user site with a URL structured as: mysite.com?redirect=mysite.com/loggedin. If programmers automatically redirect users based on the "mysite.com/loggedin" value, an attacker could manipulate this parameter to redirect users to their own malicious site. Attackers can create a link that appears to originate from a legitimate domain but then uses that domain to forward unsuspecting users to a fraudulent website designed for data theft. Because the initial link points to a legitimate site, targeted victims may mistakenly believe they are accessing a safe domain.
To mitigate this vulnerability within Plesk, administrators can establish a whitelist of trusted domains and add them to the Plesk configuration file. In the panel.ini file, within the security section, there is a configuration option named "trustedRedirectHosts." In this section, you can specify a list of trusted domains to which users are permitted to be redirected after authentication.
An example configuration allowing redirects only to mydomain.com in the panel.ini file would appear as follows:
[security]
trustedRedirectHosts = mydomain.com10. Restrict Remote Access via the Plesk API
The Plesk application includes an API (Application Programming Interface) that enables administrators to interact with the software programmatically or allows users to configure settings remotely. To reduce the potential attack surface, administrators should disable the Plesk API when it is not actively being used. This can be achieved by modifying the panel.ini file. Within the "api" section of the panel.ini file, you have the option to either completely turn off the API or to whitelist specific IP addresses that are authorized to access it.
To disable the Plesk API entirely, use the following configuration in panel.ini:
[api]
enabled = offAlternatively, the following configuration whitelists two specific IP addresses, ensuring that only users or servers originating from these IP addresses can access the API:
[api]
allowedIPs = 10.58.108.100,192.168.0.011. Restrict Administrative Access
If a master password is compromised, or a user with administrative privileges has their password stolen, an attacker could potentially take control of websites and inflict significant damage to site code and configurations. To minimize the impact of such a compromise, Plesk administrators can limit potential damage by providing a whitelist of IP addresses that are permitted to access administrative functions. While a blacklist can also be used to block specific IP addresses, a whitelist offers a more secure, "deny all by default" approach.
To configure a whitelist for administrative access, follow these instructions:
- Navigate to Tools & Settings > Restrict Administrative Access (located under "Security").
- Click Settings, select the "Denied from the networks that are not listed" radio button, and then click OK.
- Click Add Network and specify the individual IP address or ranges of IP addresses from which administrative access to Plesk should be allowed:
- Individual IP addresses (e.g., 192.168.1.110)
- Subnets of IP addresses (e.g., 123.0.0.1/16 or 123.123.*.*)
- Click OK to save your changes.
12. Mitigate the Symlinks Vulnerability
Subscribed users can access their subscription documents using a feature in web servers like Apache or Nginx known as Symlinks (symbolic links). These links employ an alias to provide access to documents. However, this feature can expose Plesk to attacks where a third-party subscribed user might view sensitive subscription documents belonging to other users if they discover the aliased link. The information often contained in subscription documents can be highly sensitive (e.g., passwords and CMS settings), making this a critical vulnerability that requires mitigation. The specific settings for Symlink mitigation depend on the host operating system and the content management system in use. Plesk provides detailed instructions on how to mitigate the Symlink vulnerability within its official documentation.
13. Configure Plesk to Use Enhanced Security Mode
Enhanced Security Mode is enabled by default in Plesk version 11 and all subsequent releases. However, for installations that have been converted from older versions or are pre-version 11, this mode must be configured manually. The setting for Enhanced Security Mode can be found in the Security Policy section of Plesk. It is crucial to verify that the "Enhanced security mode" checkbox is set to "On" to ensure full protection.
The enhancements provided by this security configuration are designed to protect sensitive data from being compromised after a security incident. Specifically, it performs the following critical functions:
- Encrypts Plesk passwords stored within the database.
- Disallows the retrieval of sensitive data, such as passwords, via the API.
- Ensures that password recovery emails no longer contain the password in cleartext, enhancing security during account recovery processes.
14. Follow PCI-DSS Compliance Regulations
Compliance regulations mandate that companies adhere to a comprehensive set of guidelines designed to safeguard user data and prevent substantial penalties for violations. PCI-DSS (Payment Card Industry Data Security Standard) is specifically applicable to financial transactions, a common feature on hosting provider sites that process customer payments. Site owners should also be aware of any other relevant compliance regulations pertinent to their business operations.
Plesk offers several configuration options that allow for granular control over data security. These configurations address various aspects of compliance, including:
- Limiting SSL/TLS ciphers to only those considered cryptographically secure.
- Blocking external connections to the MySQL database server.
- Protecting files and setting appropriate file permissions.
- Securing FTP access to prevent unauthorized data transfer.
By carefully configuring these settings, hosting providers and site owners can significantly improve their adherence to PCI-DSS and other critical security standards, thereby protecting sensitive financial and customer data.
15. Employing a Comprehensive Security Solution
While diligently following security best practices significantly reduces risk and protects Plesk servers and hosted sites from exploits, these measures alone do not provide active threat monitoring or immediate alerts when a threat is detected. No single solution offers 100% risk elimination, but integrating a comprehensive security solution alongside best practices can further harden your defenses. A robust security solution often includes features such as a malware scanner and a server antivirus.
By implementing such a solution, you gain not only methods to prevent malware and exploits but also the ability to continuously monitor your assets for any threats that might bypass initial security layers. Adding active monitoring to your site allows you to detect and address threats proactively, before they can escalate and cause extensive damage to potentially hundreds of sites on a single server. This multi-layered approach ensures a more resilient and secure hosting environment.
Elevate your web hosting security by considering a complete security suite. Such solutions provide a synergy of antivirus capabilities, firewalls, web application firewalls (WAF), PHP security layers, patch management, and domain reputation monitoring, often with an intuitive user interface and advanced automation. This integrated approach allows you to maintain server safety and operational efficiency, freeing you to focus on other core business activities.
