Top 15 Plesk Server Security Best Practices to Protect Your Website

Plesk stands as one of the most widely utilized hosting platforms available today. Much like cPanel, these popular hosting platforms are frequent targets for malicious actors seeking to gain high-privilege access to web applications and server resources. While Plesk offers a variety of security extensions designed to enhance site protection, relying solely on these extensions without adhering to fundamental security best practices can still leave your website and the core Plesk master account vulnerable to various forms of malware and exploits. This article delves into the intricacies of Plesk and outlines critical security best practices to help you fortify your hosting environment.

What is Plesk?

To empower website owners with effective site management capabilities, hosting administrators frequently deploy platforms and management tools that allow customers to tailor their web presence to meet specific business requirements. Plesk is a prominent tool in this category, often deployed alongside cPanel. It distinguishes itself by being particularly well-suited for environments that support a diverse array of operating systems and hosting platforms, making it an ideal choice for providers offering virtual private server (VPS) and dedicated server options to their clientele.

Plesk’s appeal to both hosters and their customers lies in its seamless integration with widely used Content Management Systems (CMS) such as WordPress, Joomla, and Drupal. Given that a majority of hosting customers operate with these CMS applications, the inclusion of Plesk simplifies site management for users and streamlines oversight for hosting providers. Furthermore, it boasts robust support for various database engines, including MySQL, PostgreSQL, and Microsoft SQL Server, as well as popular web hosting applications like Apache Tomcat Java and ColdFusion, offering a comprehensive solution for diverse web hosting needs.

Beyond its core functionalities, Plesk supports a rich ecosystem of extensions that significantly broaden the capabilities available to customer sites. Notable examples include Docker support, an SEO Toolkit, Git integration, a Developer Pack, Servershield by CloudFlare, and KernelCare. While some of these extensions undeniably contribute to security protection, it's important to recognize that they typically do not provide an exhaustive solution capable of safeguarding against all potential attack vectors. A multi-layered security approach, combining these extensions with robust best practices, is always recommended.

Why Plesk Security Hardening is Important

Considering that a single server might host hundreds of websites, a compromise of the Plesk platform can have far-reaching consequences, potentially impacting a multitude of customers simultaneously. The discovery of any zero-day Plesk vulnerabilities could rapidly affect thousands of sites across numerous servers. Therefore, it is absolutely crucial for administrators to remain diligently updated on the latest Plesk advisories and security patches to mitigate such widespread risks.

A stark illustration of the potential impact of a Plesk zero-day vulnerability occurred in 2012, when a flaw in the hosting platform enabled attackers to extract the master password employed by hosting administrators to manage all websites on a server. Armed with this password, attackers were able to seize control of any site hosted on the affected Plesk server. This critical vulnerability, prevalent in older Plesk versions (underscoring the importance of consistent updates), impacted an estimated 50,000 sites before its detection and remediation, highlighting the severe consequences of unaddressed security issues.

While site hijacking is undeniably one of the most severe outcomes, it is not the only form of damage that can result from a Plesk compromise. Attackers can upload malicious software (malware) or inject code files containing harmful content. Such malware can linger undetected, silently consuming server resources, which in turn degrades performance and negatively impacts customer experience. This can lead to a cascade of customer complaints and ultimately tarnish the hosting company’s reputation. Furthermore, malicious software operating on the server can clandestinely eavesdrop on data transmissions and potentially steal sensitive information, leading to significant data breaches.

The cumulative effects of server damage, reputational harm to the hoster, stolen customer data, and compromised websites directly translate into a detrimental impact on hoster revenue. Rather than allocating resources to manage and recover from a large-scale compromise, hosters can proactively invest in hardening Plesk security. This preventative approach better ensures data protection, safeguards customer websites, and maintains the integrity and profitability of their operations.

Security Best Practices for Plesk

Whether you operate as a host server administrator or a website owner, the implementation of these robust security best practices is paramount across all your managed sites. Even a single compromised website can negatively impact overall server performance and security. Therefore, maintaining strong Plesk security should consistently be a top priority to protect your entire hosting environment.

Update Consistently

Whenever a security vulnerability is identified or bugs are reported and subsequently remediated, Plesk developers promptly release updates. While all updates are important for system stability and feature enhancements, security patches hold particular significance as they directly address and mitigate known vulnerabilities. These updates are specifically designed to patch flaws discovered "in the wild." Neglecting to keep your Plesk application patched leaves your website, and any other sites managed by Plesk, exposed to these known exploits, making them easy targets for attackers.

Out-of-date software has been a primary contributing factor in numerous major data breaches, including prominent incidents like the well-known Equifax compromise. To ensure your Plesk installation always runs the latest version, you can utilize configurations to automatically install Plesk updates. However, it's worth noting that Plesk might go offline for a few minutes during updates, a factor that large hosting providers may find challenging for critical production environments. If automatic updates are not feasible, administrators should configure notifications to alert them immediately when new Plesk updates are available, enabling prompt manual patching to maintain optimal security.

Use Password Complexity Rules When Creating Passwords

Users often exhibit a tendency to reuse the same password across multiple online services, frequently opting for easily memorable combinations of words, sometimes with a few numbers appended. Such short, predictable passwords, especially when reused, are highly susceptible to brute-force attacks. An attacker could potentially discover a user's password on a less secure external site, and then attempt to use these same compromised credentials to authenticate and gain unauthorized access to their Plesk account.

Hosting providers can significantly enhance security by implementing and enforcing robust password complexity rules. These rules ensure that users create cryptographically secure passwords that are highly resistant to brute-force attempts. While a greater number of characters inherently increases security, character count alone is insufficient. Passwords must also adhere to complexity rules, typically requiring a combination of uppercase and lowercase letters, numbers, and special characters. For even greater security, characters should be randomized and avoid dictionary words or common phrases, making them exponentially harder to guess or crack.

Plesk allows you to set up password rules; however, its default suggestion of an eight-character minimum is now considered inadequate. A typical eight-character password, comprising one uppercase character, five lowercase letters, one number, and one special character, can often be cracked in approximately two hours, rendering it cryptographically insecure against modern attack methods. Hosters should, therefore, mandate at least 10 characters for the master password to effectively protect it from brute-force attacks. Furthermore, users should be strongly encouraged to create passwords between 10 and 12 characters in length for their individual accounts.

Enforce Multi-Factor Authentication

Phishing attacks and brute-force password attempts remain pervasive threats in the digital landscape. While a Plesk administrator cannot compel every user to adopt a unique password across all their online services, Multi-Factor Authentication (MFA) provides a critical layer of defense. Should a user or even the Plesk administrator fall victim to a phishing attack, MFA acts as a formidable barrier, preventing a threat actor from successfully authenticating into the targeted account, even if they possess the correct password.

It's important to note that traditional text message-based two-factor authentication (2FA) has been found to be vulnerable. Exploits within the SS7 protocol can allow attackers to intercept messages, and SIM swapping, where attackers use social engineering to redirect a user's messages to their own SIM card, also poses a significant risk. For these compelling reasons, most organizations now advocate for the use of authenticator applications that generate time-based, user-specific codes for the second step in 2FA.

Plesk seamlessly integrates with the Google Authenticator application, which can be easily downloaded to a user's smartphone. While this feature requires the installation of an extension, the enhanced security it provides against phishing attempts makes it a highly worthwhile investment. The Authenticator app generates dynamic codes used during the second phase of MFA, offering a significantly more secure alternative to relying on potentially vulnerable text messages for authentication.

Use SSL/TLS for Remote Administration and SSH

SSH (Secure Shell) is a widely used protocol for the remote administration of Linux machines. However, if not properly secured, it can expose servers to several significant threats, including the risk of a complete server takeover if the root account is compromised. To protect SSH from such vulnerabilities on both the main physical server and individual user instances, several best practices should be implemented:

• Utilize a keyfile for authentication instead of relying solely on passwords, which can be brute-forced.
• Configure SSH to operate on an alternative, non-standard port to reduce automated scanning attempts.
• Disable direct authentication for the root user on SSH, forcing elevated privileges after logging in with a non-root account.

Furthermore, implementing SSL/TLS certificates will encrypt all traffic exchanged between a user’s computer and the host server. This crucial encryption protects against eavesdropping and man-in-the-middle attacks, which could otherwise be leveraged to intercept and steal sensitive information, thereby compromising data confidentiality and integrity during remote administrative sessions.

Use sFTP and not FTP for File Sharing

It is still common for hosting companies to offer FTP (File Transfer Protocol) as a means for users to manage their files. However, FTP is an inherently insecure protocol that transfers data in cleartext, meaning information is sent unencrypted over the network. This makes any files uploaded or downloaded using FTP highly vulnerable to man-in-the-middle attacks and data theft, where malicious actors can easily intercept and read sensitive content.

Transferring files via FTP is as risky as transmitting financial data over an unencrypted HTTP connection. Any sensitive data contained within uploaded or downloaded files could be intercepted, manipulated, or outright stolen by unauthorized parties. For this reason, it is strongly advised to transition to Secure FTP (sFTP).

Secure FTP (sFTP) utilizes encryption to secure file transfers, much like how HTTPS adds encryption to the HTTP protocol. It establishes a secure channel that encrypts all data in transit, providing a vital layer of security against eavesdropping and data compromise. While sFTP functions similarly to FTP in terms of file management, it critically incorporates encryption, requiring users to employ FTP client software that supports the sFTP protocol for secure operations.

Automate CMS Updates

While Content Management Systems (CMS) like WordPress offer built-in options to enable automatic updates, Plesk also provides functionality to manage these updates centrally. Automating CMS updates is a crucial security measure, ensuring that the software is always equipped with the latest patches and upgrades. These updates are vital for securing the CMS against newly discovered Common Vulnerabilities and Exposures (CVEs) and other security flaws. When updating a CMS like WordPress, it's equally important to remember that all installed plugins and themes must also be kept up-to-date to prevent them from becoming potential entry points for vulnerabilities.

A single website typically runs more than just CMS software; site owners often utilize various applications such as gallery software, e-commerce systems, and email applications. Each of these components represents a potential vulnerability if not regularly updated. Plesk offers functionality that enables automatic updates for these diverse web applications. By activating this feature, you can significantly reduce the risk of compromise stemming from outdated software components across your entire web presence, ensuring a more secure and stable environment.

Secure Plesk and the Website with SSL/TLS

Much like the insecure nature of FTP, a cleartext (unencrypted) connection to the Plesk management interface or the website itself leaves any transmitted data vulnerable to man-in-the-middle attacks. In such attacks, malicious actors can intercept and read sensitive information as it passes between the user and the server. Website owners should be strongly encouraged to implement SSL/TLS certificates for their sites to protect their users' data and ensure a secure browsing experience. Concurrently, hosting providers must consistently apply SSL/TLS certificates to all Plesk connections.

Implementing SSL/TLS on Plesk pages ensures that users are protected from password theft and other data compromises during man-in-the-middle attacks. Any web pages involved in the transfer of sensitive data, whether within Plesk or on hosted websites, should only be accessible over HTTPS. To enforce this, host administrators should configure permanent redirects from HTTP to HTTPS, ensuring that users who attempt to connect to Plesk or their websites via unencrypted channels are automatically routed to the secure, encrypted connection.

Configure the Domain to Avoid Clickjacking

Clickjacking is a deceptive threat designed to trick users into unknowingly performing actions or commands by interacting with an attacker-controlled website. This exploit typically involves a hidden iframe overlaying a legitimate site, often when the targeted victim is already authenticated. As the victim clicks buttons or enters information on what appears to be a benign part of the attacker’s site, these actions are secretly transmitted to the legitimate, hidden site. This could lead to unintended consequences such as unauthorized bank transfers or the disclosure of sensitive personal information.

To protect websites from being exploited in clickjacking attacks, owners should implement the X-Frame-Options HTTP header in their server responses, setting its value to DENY. In Plesk, you can configure both Apache and Nginx domains to block third-party sites from embedding your domain within an iframe. This crucial server header, looking like X-Frame-Options: DENY, effectively prevents your site from being used in such malicious overlays, safeguarding your users from this prevalent attack vector.

Configure Plesk with Trusted Hosts to Avoid Open URL Redirects

When developers implement user redirects based on query string parameters, it can inadvertently create an opening for malicious URL redirects. For instance, consider a user's site URL structured as: mysite.com?redirect=mysite.com/loggedin. If the application automatically redirects users based on the value provided in the "redirect" parameter, an attacker can manipulate this URL to direct users to their own malicious site. Attackers often craft links that appear to point to the legitimate site's domain but then exploit the open redirect vulnerability to send targeted victims to a fraudulent website designed for data theft. Because the initial link was to a legitimate domain, victims often perceive it as a safe destination.

To effectively mitigate this vulnerability within Plesk, administrators should establish a whitelist of approved domains. These trusted domains can then be added to the Plesk configuration file, specifically within the panel.ini file. In the [security] section of this file, a dedicated configuration labeled trustedRedirectHosts allows you to specify which domains users can be safely redirected to after authentication. This ensures that all post-authentication redirects occur only to trusted, verified locations.

For example, to restrict all redirects to only mydomain.com, the configuration in the panel.ini file would appear as follows:

[security]
trustedRedirectHosts = mydomain.com

Implementing this measure significantly enhances security by preventing attackers from leveraging your domain for arbitrary redirects to malicious external sites.

Restrict Remote Access via the Plesk API

The Plesk application includes a robust API (Application Programming Interface) that enables administrators to interact with the software programmatically and allows users to configure settings remotely. To minimize the potential attack surface, administrators should disable the API when it is not actively required for operations. Disabling the Plesk API, or restricting access to it, can be managed directly within the panel.ini configuration file. Within the [api] section of this file, you have the option to either completely turn off the API or to create a whitelist of specific IP addresses that are permitted to access it.

To completely disable the Plesk API, use the following configuration in your panel.ini file:

[api]
enabled = off

Alternatively, to whitelist specific IP addresses, allowing only users or servers originating from these addresses to access the API, use a configuration similar to this example:

[api]
allowedIPs = 10.58.108.100,192.168.0.0

By carefully managing API access, you can significantly enhance the security posture of your Plesk environment, reducing unauthorized remote interactions.

Restrict Administrative Access

In the unfortunate event that the master password for Plesk is compromised, or if a user with administrative privileges has their account credentials stolen, an attacker could potentially take complete control of hosted sites and inflict significant damage to their code and data. To mitigate the potential impact of such a compromise, Plesk administrators can implement a whitelist of specific IP addresses that are permitted to access administrative functions. While a blacklist can be used to block specific IP addresses, a whitelist offers a far more secure approach by explicitly allowing only known, trusted sources, making it much less permissive and more protective.

To configure a whitelist for administrative access, follow these instructions:

• Navigate to Tools & Settings > Restrict Administrative Access (found under the “Security” section).
• Click on Settings, then select the “Denied from the networks that are not listed” radio button, and confirm by clicking OK.
• Click Add Network and specify the individual IP address or ranges of addresses from which administrative access to Plesk should be permitted. Examples include:
  • Individual IP addresses (e.g., 192.168.1.110)
  • Subnets of IP addresses (e.g., 123.0.0.1/16 or 123.123.*.*)
• Finally, click OK to save your changes.

This method ensures that only authorized network locations can access critical administrative controls, significantly reducing the risk of unauthorized access even if credentials are stolen.

Mitigate the Symlinks Vulnerability

Plesk users with subscriptions are able to access their subscription-related documents through a feature in web servers like Apache or Nginx known as Symlinks (symbolic links). These links use an alias to point to underlying documents. However, this functionality can expose Plesk to a specific type of attack where a malicious third-party subscribed user, if they can guess or discover the aliased link, could potentially view the subscription documents of other subscribed users. Given that subscription documents often contain sensitive information, such as passwords, configuration details, and CMS settings, this constitutes a significant vulnerability that absolutely must be addressed.

The specific settings required to mitigate the Symlink vulnerability can vary depending on the host operating system and the Content Management System (CMS) in use. Fortunately, Plesk provides comprehensive guidance on how to effectively mitigate this risk within their official documentation. Consulting this documentation is essential for implementing the correct and most robust mitigation strategies tailored to your specific environment, ensuring that sensitive data remains protected from unauthorized access through symlink exploitation.

Configure Plesk to Use Enhanced Security Mode

Enhanced Security Mode is a vital feature that is enabled by default in Plesk version 11 and all subsequent releases. However, for installations that have been converted from earlier versions or for those running older iterations, this mode must be manually configured to ensure maximum protection. The setting for Enhanced Security Mode is conveniently located within the Security Policy section of the Plesk interface. It is crucial to verify that the “Enhanced security mode” checkbox is set to “On” to activate these critical protections.

The enhancements provided by this security configuration are specifically designed to protect sensitive data from being stolen or exposed in the aftermath of a security compromise. When activated, Enhanced Security Mode implements several key safeguards:

• It encrypts Plesk passwords stored within the database, making them unreadable to unauthorized parties even if the database is accessed.
• It disallows the retrieval of sensitive data, such as passwords, through the API, preventing potential exploitation of API vulnerabilities.
• Password recovery emails no longer contain the actual password in cleartext, reducing the risk if an email account is compromised.

By ensuring Enhanced Security Mode is active, you significantly bolster your Plesk environment's resilience against data breaches and unauthorized access to critical information.

Follow PCI-DSS Compliance Regulations

Compliance regulations mandate that companies adhere to a stringent set of guidelines to safeguard user data, thereby avoiding substantial penalties for violations. PCI-DSS (Payment Card Industry Data Security Standard) is specifically tailored to financial transactions, a common occurrence for hosting providers who process customer payments. Beyond PCI-DSS, site owners should also be thoroughly aware of other industry-specific and regional compliance regulations that govern their business operations, ensuring a comprehensive legal and security framework.

Plesk offers several configuration options that are instrumental in controlling and enhancing the security of data, particularly with regard to PCI-DSS compliance. These configurations cover a range of critical security aspects, including:

• Imposing strict limitations on SSL/TLS ciphers, allowing only those deemed cryptographically secure to be used.
• Blocking external connections to the MySQL database server, reducing the attack surface.
• Protecting files and file permissions to prevent unauthorized access and modification.
• Securing FTP access, typically by advocating for sFTP or other encrypted transfer methods.

Adhering to these configurations and understanding the broader compliance landscape is essential for protecting sensitive customer data and maintaining operational integrity.

Use the Imunify360 Plesk Extension

While diligently following the best practices outlined previously significantly reduces risk and fortifies the Plesk server and its hosted websites against exploits, no security solution is entirely immune to all threats. These best practices form a strong foundation, but they don't inherently provide active monitoring or immediate alerts when a threat is detected. This is where the Imunify360 Plesk extension becomes an invaluable addition, working synergistically with best practices to further harden your security posture.

Imunify360 offers a comprehensive suite of security tools, including a robust Linux malware scanner and an advanced Linux server antivirus solution. By integrating Imunify360, you gain not only effective methods to stop malware and exploits but also the crucial capability to actively monitor your digital assets for any threats that might attempt to bypass existing security measures. Adding continuous monitoring to your site allows you to detect and address potential threats proactively, before they can escalate and inflict more substantial damage, especially across hundreds of sites potentially hosted on a single server.

Elevate your web hosting security to an unparalleled level with the comprehensive Imunify360 security suite. Imunify360 is a holistic security platform where all components work in concert to ensure your servers remain safe, secure, and fully operational, allowing you to concentrate on other core business tasks. Imunify360 represents a powerful synergy of Antivirus, Firewall, Web Application Firewall (WAF), PHP Security Layer, Patch Management, and Domain Reputation services, all managed through an intuitive user interface and advanced automation. Experience the difference by trying Imunify360 free for 14 days and observe tangible security improvements in as little as one week. Invest in proactive security and secure your servers now!