How To Secure Your Plesk Server: Guide For Plesk Admins


Important Disclaimer: Always test these security measures in a non-production environment first. While we maintain this guide regularly, please check Plesk's official documentation for the most up-to-date information, as security best practices evolve continuously.

What is Plesk?

Plesk is a professional web hosting control panel that simplifies the management of websites, servers, applications, and hosting businesses. It provides a user-friendly interface for tasks like website deployment, email management, and server administration that would otherwise require command-line expertise.

Prerequisites

  • A Plesk server installation (compatible with all supported versions)
  • Administrative access to your Plesk panel
  • Basic understanding of server administration
  • Backup of your current server configuration

Essential Security Measures

1. Keep Your System Updated

Regular updates are your first line of defense against security threats.

For Plesk:

  • Enable automatic updates in Plesk
  • Monitor the Plesk Update Log regularly
  • Subscribe to Plesk security notifications

For Linux Systems:

# Debian/Ubuntu
apt update && apt upgrade -y

# RHEL/CentOS/Rocky Linux/AlmaLinux
dnf update -y   # For RHEL 8/CentOS 8 and newer
yum update -y   # For RHEL 7/CentOS 7

2. Strengthen Password Policies

Access Plesk's password settings through:

Tools & Settings > Security > Password Policy

Set these minimum requirements:

  • Length: 12 characters
  • Complexity: Must include uppercase, lowercase, numbers, and special characters
  • Expiration: 90 days
  • Previous password reuse: Disabled

3. Configure Firewall Protection

Only allow necessary ports:

Essential Plesk Ports:

  • 8443 (Plesk Panel)
  • 80/443 (Web Traffic)
  • 21/22 (FTP/SSH)
  • 25/465/587 (Mail Services)

Using UFW (Debian/Ubuntu):

# Enable UFW
sudo ufw enable

# Allow essential ports
sudo ufw allow 8443/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw allow 22/tcp

Using FirewallD (RHEL/CentOS):

# Start and enable FirewallD
systemctl start firewalld
systemctl enable firewalld

# Allow essential ports
firewall-cmd --permanent --add-port=8443/tcp
firewall-cmd --permanent --add-port=80/tcp
firewall-cmd --permanent --add-port=443/tcp
firewall-cmd --permanent --add-port=22/tcp
firewall-cmd --reload
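The rules above open only some of the ports listed under "Essential Plesk Ports", so before switching the firewall on it is worth checking what the host actually listens on. The following script is an added example, not part of the original guide: it takes `ss -tlnH` output (listening TCP sockets, numeric, no header), skips loopback-only listeners, and reports every port that is exposed on a network interface but missing from the allow-list. The allow-list is the guide's port list; the `ss` output embedded below is constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the original guide: before enabling the firewall,
# list every TCP port the host is actually listening on and flag any that is
# not on the allow-list from the section above. ALLOWED_PORTS is the guide's
# port list; SAMPLE_SS is constructed sample data, not real output.

ALLOWED_PORTS="8443 80 443 21 22 25 465 587"

# Constructed sample of `ss -tlnH` output. Column 4 is the local address:port.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8443 0.0.0.0:*
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 128 *:443 *:*
LISTEN 0 128 [::]:10000 [::]:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*'

# is_allowed PORT: succeed if PORT appears in ALLOWED_PORTS.
is_allowed() {
  for a in $ALLOWED_PORTS; do
    [ "$a" = "$1" ] && return 0
  done
  return 1
}

# unexpected_ports: read `ss -tlnH` lines on stdin and print each port that is
# bound to a non-loopback address and is not on the allow-list, one per line.
# Loopback-only listeners are skipped: they are not reachable from the network
# (this is what bind-address = 127.0.0.1 in my.cnf achieves for MySQL).
unexpected_ports() {
  awk '{ print $4 }' | while IFS= read -r addr; do
    port="${addr##*:}"      # text after the last colon
    host="${addr%:*}"       # everything before the last colon
    case "$host" in
      127.*|'[::1]') continue ;;
    esac
    is_allowed "$port" || printf '%s\n' "$port"
  done | sort -un
}

# audit_listening: run the check over the constructed sample. On a live host
# use instead:  ss -tlnH | unexpected_ports
audit_listening() {
  printf '%s\n' "$SAMPLE_SS" | unexpected_ports
}

audit_listening
```

With the sample data the script reports 3306 (MySQL bound to all interfaces) and 10000; each reported port either needs a firewall rule and a reason to be public, or should be bound to loopback like the 127.0.0.1:3306 line.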

4. Implement SSL/TLS Security

  1. Install Let's Encrypt certificates:
    • Navigate to Tools & Settings > SSL/TLS Certificates
    • Click "Add Certificate"
    • Select "Let's Encrypt"
  2. Configure Apache SSL (TLS 1.2 and later only, with the cipher suites below):
    # In your Apache SSL configuration
    SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    SSLHonorCipherOrder     off
    SSLSessionTickets       off

5. Secure SSH Access

Edit /etc/ssh/sshd_config. If you change the port, allow the new port in the firewall (section 3) first, and confirm that key-based login works in a second session before closing the one you are working in, otherwise you can lock yourself out:

# Change SSH port
Port 2222

# Disable root login
PermitRootLogin no

# Use key authentication
PasswordAuthentication no
PubkeyAuthentication yes

# Restart SSH service
# For Debian/Ubuntu
systemctl restart ssh

# For RHEL/CentOS
systemctl restart sshd
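One detail that catches admins out: sshd takes the first occurrence of a directive and ignores later duplicates, and anything under a `Match` block applies only conditionally, so a hardened line appended to the end of the file may have no effect. The script below is an added example, not part of the original guide: it reads an sshd_config file the way sshd does (first non-comment occurrence before any `Match` block, keyword case-insensitive), checks the three directives from this section, and prints the port that must be open in the firewall before the restart. The configuration it writes to a temporary file is constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the original guide: verify the hardening
# directives above before restarting sshd. sshd uses the FIRST occurrence of a
# directive and ignores later duplicates; directives under a Match block are
# conditional. The sshd_config written below is constructed sample data.

SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
# constructed sshd_config: an earlier value wins over the hardening appended below
Port 2222
PasswordAuthentication yes
PermitRootLogin no
Match User backup
    PasswordAuthentication no
# appended by an admin, but ignored: the directive already appeared above
PasswordAuthentication no
EOF

# effective_value FILE KEYWORD: print the value sshd will use for KEYWORD,
# i.e. the first non-comment occurrence before any Match block (keywords are
# case-insensitive). Prints nothing if the directive is absent.
effective_value() {
  key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  awk -v key="$key" '
    NF == 0 || $1 ~ /^#/   { next }        # blank lines and comments
    tolower($1) == "match" { exit }        # conditional section: stop here
    tolower($1) == key     { print $2; exit }
  ' "$1"
}

# check_sshd_hardening FILE: report each directive whose effective value does
# not match this section's recommendation; return 0 only when all three hold.
check_sshd_hardening() {
  cfg="$1"
  rc=0
  for pair in PermitRootLogin=no PasswordAuthentication=no PubkeyAuthentication=yes; do
    k="${pair%=*}"
    want="${pair#*=}"
    got=$(effective_value "$cfg" "$k")
    # PubkeyAuthentication defaults to yes when the directive is absent
    [ -z "$got" ] && [ "$k" = PubkeyAuthentication ] && got=yes
    if [ "$got" != "$want" ]; then
      printf 'FAIL %s: effective value is "%s", expected "%s"\n' "$k" "${got:-<unset>}" "$want"
      rc=1
    else
      printf 'OK   %s = %s\n' "$k" "$got"
    fi
  done
  port=$(effective_value "$cfg" Port)
  printf 'NOTE sshd will listen on port %s; allow it in the firewall before restarting\n' "${port:-22}"
  return $rc
}

check_sshd_hardening "$SAMPLE_CFG" || echo "sshd_config needs attention before restart"
```

Run it against /etc/ssh/sshd_config, fix any FAIL line at its first occurrence rather than appending, then run `sshd -t` to syntax-check the file before `systemctl restart`.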

6. PHP Security Configuration

Use PHP-FPM instead of mod_php:

  1. Access Tools & Settings > PHP Settings
  2. Select PHP-FPM for each domain
  3. Configure recommended PHP settings:
display_errors = Off
expose_php = Off
max_execution_time = 30
memory_limit = 128M

7. Install Security Extensions

  1. ModSecurity Setup:
# Debian/Ubuntu
apt install libapache2-mod-security2 -y
a2enmod security2
systemctl restart apache2

# RHEL/CentOS
dnf install mod_security mod_security_crs -y
systemctl restart httpd

  2. Fail2Ban Implementation:
# Debian/Ubuntu
apt install fail2ban -y

# RHEL/CentOS
dnf install epel-release -y
dnf install fail2ban fail2ban-systemd -y

Create Plesk jail configuration:

nano /etc/fail2ban/jail.local

Add:

[plesk-panel]
enabled = true
port = 8443
filter = plesk-panel
logpath = /var/log/plesk/panel.log
maxretry = 3
bantime = 3600

Start Fail2Ban:

# Both distributions
systemctl enable fail2ban
systemctl start fail2ban

8. WordPress Security

  1. Enable WP Toolkit Security Check
  2. Configure automatic updates:
    • Core updates
    • Plugin updates
    • Theme updates
  3. Install security plugins through WP Toolkit

9. MySQL/MariaDB Security

# Secure MySQL installation
mysql_secure_installation

# Set secure permissions
chmod 600 /etc/mysql/my.cnf   # Debian/Ubuntu
chmod 600 /etc/my.cnf         # RHEL/CentOS

Recommended my.cnf settings:

[mysqld]
bind-address = 127.0.0.1
local-infile = 0
symbolic-links = 0

Common Issues and Troubleshooting

Issue: Failed Login Attempts

  1. Check Plesk logs:
    tail -f /var/log/plesk/panel.log
  2. Review Fail2Ban status:
    fail2ban-client status

Issue: SSL Certificate Errors

  1. Verify certificate installation:
    openssl s_client -connect yourdomain.com:443 -servername yourdomain.com
  2. Check Apache configuration:
    # Debian/Ubuntu
    apache2ctl -t

    # RHEL/CentOS
    httpd -t

Issue: SELinux Conflicts (RHEL/CentOS)

  1. Check SELinux status:
    sestatus
  2. View SELinux alerts:
    ausearch -m AVC -ts recent
  3. Configure SELinux for Plesk:
    setsebool -P httpd_can_network_connect 1

Best Practices

  • Regularly backup your server configuration
  • Monitor server logs daily
  • Implement change management procedures
  • Document all security modifications
  • Maintain an incident response plan
  • Schedule regular security audits

Additional Resources

Remember: Security is an ongoing process, not a one-time setup. Regularly review and update your security measures to maintain optimal protection.
