How to secure a Plesk server Print

General recommendations

• Keep Plesk up-to-date
• Set up the minimum password strength as Strong
• Filter all unused ports using a firewall. Ports that are required for Plesk functionality can be found here
• Secure Plesk and a mail server with SSL/TLS certificates
• Set up secure FTP connection
• Limit administrative access to Plesk
• Restrict Remote Access via XML API
• Install and configure Web Application Firewall (ModSecurity)
• Use WordPress Toolkit Security Check to implement security best practices for WordPress instances
• Enable automatic updates for WordPress and its modules as well as for other APS packages
• Avoid using outdated web application packages, as they might contain vulnerabilities. Upgrade these applications to the latest version if possible
• Install VirusTotal Website Check to scan websites using multiple anti-virus engines
• Use Google Authenticator extension to set up a multi-factor authentication
• In case of planning to set up PCI DSS Compliance, visit PCI DSS Compliance

Recommendations for Plesk on Linux

• Allow SSH access via a keyfile
• Use a non-standard port for SSH connections
• Forbid SSH authentication for root user
• Switch off Perl and Python if it is not required for a website and never use 'mod_perl' and 'mod_python'.
• Install a complete automated security solution Immunify360 to keep a server safe
• Install ImunifyAV to keep websites free of malware
• Install Fail2Ban to block hack attempts
• Do not use the PHP handler served as Apache module as it is not secure
• Enable automatic updates for system packages
• Use KernelCare extension to be sure that a server's kernel is up-to-date
• Configure the FTP passive port range on Linux
• Ensure that Apache does not allow the SSL 2.0/SSL 3.0 protocol
• Check the advanced documentation pages related to Plesk for Linux security: Enhancing Security

Recommendations for Plesk on Windows Server

• Use a non-standard port for RDP connections
• Switch off unused programming and scripting languages
• Always install latest Windows updates
• Prohibit customers from overriding handlers via web.config files
• Enable DDoS protection
• Configure the FTP passive port range on Windows Server
• Set up a file audit on Windows Server