If your hosting environment doesn't utilize cPanel, chances are you're using Plesk, one of the most prevalent hosting platforms available today. Like cPanel, Plesk is a frequent target for hackers aiming to gain high-privilege access to web applications and server resources. While Plesk offers various security extensions to enhance site protection, relying solely on these without adhering to fundamental best practices can leave your website and the primary Plesk master account vulnerable to malware and exploits. This comprehensive article will introduce you to Plesk and detail crucial security best practices to fortify your server.
What is Plesk?
To assist website owners in managing their online presence, hosting administrators deploy various platforms and management tools, enabling customers to customize their sites according to business requirements. Plesk stands as one of the most popular tools alongside cPanel, frequently employed in environments offering multiple operating systems and platforms as hosting options. It is particularly well-suited for hosting providers who offer Virtual Private Server (VPS) and dedicated server options to their clients.
Plesk's appeal to hosters and their customers stems from its seamless integration with widely used Content Management Systems (CMS) such as WordPress, Joomla, and Drupal. Given that the majority of hosting customers work with these CMS applications, installing Plesk simplifies site management for clients and streamlines oversight for hosting providers. The platform supports various database engines like MySQL, PostgreSQL, and Microsoft SQL Server, as well as web hosting applications including Apache Tomcat Java and ColdFusion.
Furthermore, Plesk supports extensions to its core code, which can be utilized to add extra functionality to customer websites. Examples include Docker support, SEO Toolkits, Git integration, Developer Packs, Servershield by CloudFlare, and KernelCare. While some of these extensions offer valuable security features, it's important to recognize that they do not constitute a complete solution capable of providing comprehensive protection against all types of attacks.
Why Plesk Security Hardening is Important
Considering that a single server might host hundreds of websites, a compromised Plesk installation could potentially impact hundreds of customers. Any zero-day Plesk vulnerabilities could affect thousands of sites across numerous servers, making it imperative for administrators to remain consistently updated on the latest Plesk advisories and security patches.
As a stark illustration of the potential consequences of a Plesk zero-day vulnerability, in 2012, a critical flaw in the hosting platform allowed attackers to extract the master password used by hosting administrators to manage all websites on the server. With this stolen password, attackers gained the ability to seize control of any site hosted on that Plesk server. This vulnerability, affecting older Plesk versions (highlighting the importance of consistent updates), compromised approximately 50,000 sites before its discovery and subsequent remediation.
Website hijacking is just one of many potential damages, albeit among the most severe. Attackers can also upload malware or inject malicious code into files. Such malware might remain undetected, silently exhausting server resources and severely degrading customer experience through reduced performance. This ultimately leads to customer complaints and significant reputational damage for the hosting company. Moreover, malware running on the server can clandestinely eavesdrop on data, potentially leading to the theft of sensitive information.
Any damage incurred by servers, the hoster’s reputation, stolen customer data, and compromised websites directly impacts the hoster's revenue. Instead of allocating resources to clean up a widespread compromise, hosters can proactively harden Plesk security, thereby ensuring robust data protection and safeguarding customer websites more effectively.
Security Best Practices for Plesk
Whether you are a server administrator managing multiple hosting accounts or an individual website owner, these best practices are crucial and should be implemented across all your sites. Even a single compromised website can negatively affect overall server performance and security. Therefore, maintaining robust Plesk security should always be a top priority for everyone involved.
1. Update Consistently
Plesk developers regularly release updates to address newly discovered security vulnerabilities, report bugs, and remediate existing issues. While all updates are important, security patches are paramount for protecting sites from known exploits. These updates specifically address vulnerabilities found "in the wild." Neglecting to patch the Plesk application leaves your site, and any other sites managed by Plesk, exposed to these known exploits. Timely updates are a fundamental aspect of maintaining a secure server environment.
Out-of-date software has been a contributing factor in numerous major data breaches, including the widely publicized Equifax compromise. You can leverage Plesk's configuration options to automatically install updates, ensuring that you always run the latest version. However, Plesk might temporarily go offline for a few minutes after updates, so this automated approach might not always be feasible for large hosting providers. If automatic updates are not used, administrators should configure notifications to be alerted when new Plesk updates are available, prompting them to update the software as swiftly as possible.
2. Use Password Complexity Rules When Creating Passwords
Users often have a tendency to reuse the same or similar passwords across multiple websites, and these passwords are typically simple combinations of a word and a few numbers. Passwords with limited characters, especially when reused, are highly susceptible to brute-force attacks. Attackers can potentially uncover a user's password on a less secure site, then use those cracked credentials to authenticate and compromise the Plesk account, leveraging the same user habits.
Hosting providers can enforce robust password rules to ensure that users create cryptographically secure passwords that are resilient against brute-force attempts. While the number of characters in a password significantly increases its security, it’s not the sole factor. Users must also adhere to complexity rules, which mandate that passwords include a combination of uppercase and lowercase letters, numbers, and special characters. For even greater security, characters should be randomized and not derived from common dictionary words.
Plesk allows you to set up password rules, though its default suggestion of eight characters is now considered insufficient. An eight-character password, even with a mix of one uppercase, five lowercase, one number, and one special character, can be cracked in approximately two hours, rendering it cryptographically insecure. Hosters should implement a minimum of 10 characters for the master password to protect it from brute-force attacks, and users should be strongly encouraged to use passwords of 10 to 12 characters or more.
3. Enforce Multi-Factor Authentication
Phishing and brute-force password attacks remain widespread threats, and the Plesk administrator cannot compel every user to maintain a unique password across all their online accounts. Should a user or even a Plesk administrator fall victim to a phishing attack, multi-factor authentication (MFA) provides a critical barrier, preventing a threat actor from successfully authenticating into the targeted account, even if they possess the correct password.
Unfortunately, text message-based two-factor authentication (2FA) has been demonstrated to be insecure due to vulnerabilities in the SS7 protocol, which allow attackers to intercept messages. SIM swapping is another significant concern, where attackers use social engineering tactics to convince telecom representatives to redirect messages intended for a targeted user to the attacker's SIM card. For these reasons, most organizations now prefer using authenticator applications to generate a user-specific, time-based code for the second step in 2FA.
Plesk integrates with the Google Authenticator application, which can be downloaded to a user’s smartphone. While this feature requires the installation of an extension, the enhanced security it provides against phishing attacks is well worth the effort. The Authenticator generates unique, temporary codes used in the second phase of MFA, offering a significantly more secure method than relying on text messages.
4. Use SSL/TLS for Remote Administration and SSH
SSH is a widely adopted protocol for the remote administration of Linux machines, but if not properly secured, it introduces several security risks, including the potential for a complete server takeover via the root account. Several best practices can be implemented to protect SSH from compromise on both the main physical server and individual user instances:
- Utilize a keyfile for authentication instead of passwords, which are more susceptible to brute-force attacks.
- Configure SSH to operate on an alternative, non-standard port to reduce automated scanning attempts.
- Disable direct authentication for the root user on SSH, forcing elevated privileges after initial login.
Implementing SSL/TLS certificates will encrypt all traffic exchanged between the user's computer and the host server. This encryption safeguards against eavesdropping and man-in-the-middle attacks, which could otherwise be leveraged to steal sensitive information during remote administration sessions.
5. Use sFTP and not FTP for File Sharing
It is common for hosting companies to offer FTP (File Transfer Protocol) for their users, but FTP is an inherently insecure protocol that transfers data in cleartext. This means that any files uploaded or downloaded using FTP are vulnerable to man-in-the-middle attacks and data theft. Transferring files via FTP is as risky as transmitting sensitive financial data over unencrypted HTTP. Any confidential information contained within uploaded or downloaded files could be intercepted, manipulated, or stolen by malicious actors.
Secure FTP (sFTP), on the other hand, employs encryption to secure file transfers, akin to how HTTPS adds encryption to the HTTP protocol. This added layer of security protects file transfers from eavesdropping and ensures data integrity. sFTP functions similarly to traditional FTP, but with the crucial addition of encryption, requiring users to utilize FTP client software that supports the sFTP protocol.
6. Automate CMS Updates
While many Content Management Systems (CMS) like WordPress offer options to enable automatic updates, Plesk also provides functionality to automate these crucial updates directly from its interface. Automating updates ensures that your CMS software is always equipped with the latest patches and upgrades, which are vital for securing the software against the newest Common Vulnerabilities and Exposures (CVEs). When updating WordPress, it's essential not to overlook the need to update all installed plugins as well, as outdated plugins can often introduce significant vulnerabilities to your site.
Beyond the primary CMS, a single website often runs several other applications, including gallery software, e-commerce systems, email applications, and more. All these components require regular updates to maintain security. Plesk provides functionality that enables automatic updates for these applications, effectively preventing them from becoming the source of a compromise.
7. Secure Plesk and the Website with SSL/TLS
Just like with FTP, an unencrypted, cleartext connection to the Plesk software or to the website itself leaves any transferred data vulnerable to man-in-the-middle attacks. Website owners should be strongly encouraged to implement an SSL/TLS certificate for their site, not only for their own security but also for the safety of their users. Crucially, hosting providers should always ensure that SSL/TLS certificates are applied to Plesk connections themselves.
Adding SSL/TLS to Plesk pages guarantees that users will not fall victim to password theft during man-in-the-middle attacks. Any web pages that transmit sensitive data should only be accessible over HTTPS. Therefore, host administrators must configure redirects from HTTP to HTTPS, ensuring that when users attempt to connect to Plesk or their websites via unencrypted channels, they are automatically and securely redirected.
8. Configure the Domain to Avoid Clickjacking
Clickjacking is a deceptive threat designed to trick users into unknowingly performing commands as they click buttons or enter information on an attacker-controlled site. This attack typically involves a hidden iframe overlaying a legitimate site, which is often loaded with the targeted victim already authenticated. As the victim interacts with the attacker's seemingly innocuous site, their clicks and inputs are secretly directed to the legitimate site in the hidden iframe, potentially executing actions such as bank transfers or disclosing sensitive information without their awareness.
Website owners can protect their sites from being exploited in clickjacking attacks by adding the X-Frame-Options header to server responses, with the header value set to DENY. In Plesk for Linux, you can configure both Apache and Nginx domains to block third-party sites from embedding your domain within an iframe, thus preventing clickjacking attacks. The relevant server header should be configured as follows:
X-Frame-Options: DENY9. Configure Plesk with Trusted Hosts to Avoid Open URL Redirects
When developers implement user redirects based on query string parameters, it can inadvertently expose the site to malicious open URL redirects. For instance, consider a user's site with the URL: mysite.com?redirect=mysite.com/loggedin. If the programming automatically redirects users based on the "mysite.com/loggedin" value, an attacker can manipulate this URL to redirect users to their own malicious site. Attackers can craft a link pointing to the legitimate site's domain, then use this legitimate domain to redirect unsuspecting users to a phishing website designed to steal data. Because the initial link appeared to be from a legitimate source, targeted victims are often led to believe they are accessing a safe domain.
To mitigate this vulnerability within Plesk, administrators can establish a whitelist of trusted domains and incorporate them into the Plesk configuration file. Within the panel.ini file, under a dedicated "security" section, there is a configuration option labeled "trustedRedirectHosts." In this section, you can specify a trusted domain to which users will be redirected after successful authentication, preventing arbitrary redirects to external sites.
An example configuration in the panel.ini file that allows redirects only to mydomain.com would appear as follows:
[security]
trustedRedirectHosts = mydomain.com10. Restrict Remote Access via the Plesk API
The Plesk application includes a robust API that enables administrators to programmatically interact with the software or allows users to configure settings remotely. To significantly reduce your attack surface when the API is not actively in use, administrators should consider disabling it entirely. Disabling the Plesk API can be achieved by editing the panel.ini file. Within the "api" section of this file, you have the option to either completely turn off the API or to create a whitelist of specific IP addresses that are permitted to access it.
To disable the Plesk API entirely, use the following configuration in panel.ini:
[api]
enabled = offAlternatively, the following configuration whitelists two specific IP addresses, ensuring that only users or servers originating from these two IP addresses can access the API:
[api]
allowedIPs = 10.58.108.100,192.168.0.011. Restrict Administrative Access
Should the master password be compromised or if a user with administrative privileges has their password stolen, an attacker could gain control over websites and inflict significant damage to site code and server configurations. The Plesk administrator can effectively limit the potential damage from a compromised password by implementing a whitelist of IP addresses specifically allowed to access administrative functions. While a blacklist can also be used to block specific IP addresses, a whitelist offers a much more secure and restrictive approach, allowing access only from explicitly approved sources.
To configure a whitelist of IP addresses, follow these instructions:
- Navigate to Tools & Settings > Restrict Administrative Access (found under the “Security” section).
- Click Settings, then select the “Denied from the networks that are not listed” radio button, and confirm by clicking OK.
- Click Add Network and specify the IP address or addresses from which administrative access to Plesk must be permitted. This can include:
- Individual IP addresses (e.g.,
192.168.1.110) - Subnets of IP addresses (e.g.,
123.0.0.1/16or123.123.*.*)
- Individual IP addresses (e.g.,
- Click OK to save the changes.
12. Mitigate the Symlinks Vulnerability
Subscribed users can access their subscription documents using a feature in Apache or Nginx known as Symlinks (symbolic links). These links use an alias to provide access to documents, but this functionality can inadvertently expose Plesk to attacks where a malicious third-party subscribed user could potentially view the subscription documents of other subscribed users if they manage to discover the aliased link. Information contained within subscription documents is often highly sensitive, including passwords and CMS settings, making this a critical vulnerability that must be thoroughly mitigated. Symlink mitigation settings can vary depending on the host operating system and the specific CMS in use. Plesk provides detailed guidance on how to mitigate the Symlink vulnerability in their official documentation.
13. Configure Plesk to Use Enhanced Security Mode
Enhanced Security Mode is enabled by default in Plesk version 11 and all subsequent versions. However, if you are performing a conversion from an older version or if the setting has been manually altered, it must be configured manually to ensure its activation. This crucial setting can be found within the Security Policy section of Plesk. It is essential to verify that the “Enhanced security mode” checkbox is indeed set to “On” for optimal protection.
The enhancements provided by this security configuration are designed to protect sensitive data from being stolen following a potential compromise. Specifically, it achieves the following:
- Encrypts Plesk passwords when stored in the database, adding a layer of protection.
- Disallows the retrieval of sensitive data, such as passwords, through the API, preventing unauthorized access.
- Ensures that password recovery emails no longer contain the password in cleartext, reducing exposure during recovery processes.
14. Follow PCI-DSS Compliance Regulations
Compliance regulations mandate that companies adhere to a strict set of guidelines to safeguard user data and avoid substantial penalties for violations. PCI-DSS (Payment Card Industry Data Security Standard) specifically applies to financial transactions, a common activity on hosting provider sites where customer payments are processed. Site owners should also be thoroughly aware of any other compliance regulations pertinent to their specific business operations.
Plesk offers several configuration options designed to control data security in alignment with PCI-DSS requirements. These configurations cover various critical aspects of security, including:
- Limiting SSL/TLS ciphers to only those considered cryptographically strong and secure.
- Blocking external connections to the MySQL database server, reducing unauthorized access points.
- Protecting files and setting appropriate file permissions to prevent unauthorized modification or access.
- Securing FTP access, ensuring that file transfers comply with security standards.
15. Use the Imunify360 Plesk Extension
While diligently following best practices significantly reduces risk and fortifies the Plesk server and its hosted sites against exploits, it does not inherently monitor for threats or provide immediate alerts when a threat is detected. No single solution offers 100% risk-free protection. However, integrating the Imunify360 Plesk extension can work in powerful alignment with these best practices to further harden your security posture. Imunify360 includes a robust Linux malware scanner and a comprehensive Linux server antivirus solution.
By utilizing Imunify360, you gain not only effective methods to stop malware and exploits but also the ability for hosters and site owners to continuously monitor their digital assets for any threats that might attempt to bypass existing security measures. Adding active monitoring to your site enables you to detect and address threats before they escalate into more damaging incidents, potentially affecting hundreds of sites on a single server.
Elevate your web hosting security to the next level with the comprehensive Imunify360 security suite. Imunify360 is a complete security package where all components work synergistically to keep your servers safe and operational, allowing you to concentrate on other essential business tasks. Imunify360 offers a powerful combination of Antivirus, Firewall, WAF (Web Application Firewall), PHP Security Layer, Patch Management, and Domain Reputation features, all managed through an intuitive UI with advanced automation. Experience the benefits for yourself: try Imunify360 free for 14 days and observe significant security improvements in just one week.
