Plesk is one of the most popular web hosting control panels, alongside cPanel. Each has its pros and cons, but at the end of the day a good security posture depends on your own due diligence. This post is not about Plesk vs cPanel; as a long-time user of both, I'll cover the essential free security tools available for Plesk.
One of Plesk's strengths is how quickly you can add extensions that improve your server's security. In the old days a hacked site usually meant someone had defaced your index.php or index.html. As hacking became profit-driven, attackers now hide code deep inside your site: some of it redirects your traffic, some mines cryptocurrency, and some harvests information.
Having used Plesk for 10+ years, here are my favorite free security tools. Since WordPress is most likely the main CMS on your server, keep in mind that good security is not only a rock-solid server: most WordPress compromises come in through outdated themes and plugins, so keeping those up to date matters just as much as anything below.
↓ 01 – ModSecurity Web Application Firewall
Plesk ships with a Web Application Firewall (WAF) based on ModSecurity, with three free rule sets to choose from. A rule set is a package of files containing security rules; the WAF engine checks every incoming HTTP request against those rules before it reaches your application. The free sets are Atomic Basic ModSecurity, OWASP ModSecurity (the Core Rule Set) and Comodo ModSecurity (requires a free subscription).
Of these three, I like Comodo best. Comodo Web Application Firewall (CWAF) provides real-time protection for web applications and websites running on Apache, LiteSpeed and Nginx on Linux. CWAF uses ModSecurity rules to provide request filtering and intrusion protection.
- Protect sensitive customer data
- Block unauthorized access attempts
- Block common SQL injection and cross-site scripting (XSS) payloads
↓ 02 – Fail2ban
Fail2ban scans log files and bans IP addresses that show malicious signs, such as repeated password failures or probing for exploits. It works by monitoring the logs of common services (SSH, mail, FTP, the Plesk panel and, in Plesk's bundled jails, WordPress login pages) for authentication-failure patterns, counting failures per source address within a time window (findtime), and once the count reaches maxretry, dynamically adding a firewall rule that rejects that address for a set period (bantime).
- Stops brute-force attacks on your login pages
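To make the mechanism concrete, here is an added example (not fail2ban's own code and not from the original post) that implements the same counting logic in Python: a failregex written with fail2ban's `<HOST>` placeholder is applied to constructed Apache access-log lines, hits are counted per address inside a sliding findtime window, and an address is reported as banned once it reaches maxretry. The failregex assumes that WordPress answers a failed login to wp-login.php with HTTP 200 (the form is re-rendered) and a successful one with a 302 redirect; real fail2ban would then run a firewall action, which this script replaces with a returned list.

```python
"""Fail2ban-style log scanner: added example, not fail2ban's own code.

Applies a failregex (with fail2ban's <HOST> placeholder) to constructed
Apache access-log lines, counts hits per source address in a sliding
findtime window and reports which addresses reach maxretry. Real fail2ban
would then fire a ban action (iptables/nftables); here we only return the
decision so the script runs anywhere.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: a failed WordPress login is a "POST /wp-login.php" answered
# with 200 (form re-rendered); a successful login answers 302.
FAILREGEX = r'^<HOST> - \S+ \[(?P<ts>[^\]]+)\] "POST /wp-login\.php HTTP/[\d.]+" 200 '
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"  # IPv4 only, to keep the example short
TIME_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log (Apache combined format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:55:38 +0000] "GET /wp-login.php HTTP/1.1" 200 2811 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:42 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:55:42 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.77 - - [10/Oct/2023:13:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "curl/8.0"
192.0.2.77 - - [10/Oct/2023:13:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "curl/8.0"
192.0.2.77 - - [10/Oct/2023:13:40:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "curl/8.0"
192.0.2.77 - - [10/Oct/2023:14:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "curl/8.0"
192.0.2.77 - - [10/Oct/2023:14:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "curl/8.0"
"""


def compile_failregex(failregex):
    """Turn a fail2ban-style failregex into a Python regex with a 'host' group."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def scan(log_text, failregex=FAILREGEX, maxretry=5, findtime=600, bantime=3600):
    """Return [(host, ban_time), ...] in the order the bans would be issued."""
    pattern = compile_failregex(failregex)
    window = timedelta(seconds=findtime)
    hits = defaultdict(deque)   # host -> timestamps of recent failures
    banned_until = {}
    bans = []
    for line in log_text.splitlines():
        m = pattern.match(line)
        if not m:
            continue
        host = m.group("host")
        ts = datetime.strptime(m.group("ts"), TIME_FORMAT)
        if ts < banned_until.get(host, ts):
            continue            # still banned: the firewall would have dropped this request
        q = hits[host]
        q.append(ts)
        while ts - q[0] > window:   # forget failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned_until[host] = ts + timedelta(seconds=bantime)
            bans.append((host, ts))
            q.clear()
    return bans


if __name__ == "__main__":
    for host, when in scan(SAMPLE_LOG):
        print(f"ban {host} at {when:%H:%M:%S}")
```

With the defaults, only 203.0.113.5 is banned: 192.0.2.77 makes the same five attempts but spaced 20 minutes apart, so they never fit inside the 10-minute findtime window. Widening findtime to two hours catches it, which is the trade-off you tune in jail.local for slow brute-force attempts.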
↓ 03 – Sucuri Security Scanner
The Sucuri Security Scanner extension remotely detects website security issues, blacklist warnings and malware visible in the served page source. You can set a custom scan interval, and its alerting mechanism notifies the server administrator when any warnings are detected. Sucuri's monitoring combines several scanners that together cover the main aspects of website security monitoring. Because the scan is remote, it sees what a visitor sees: it will not find a server-side backdoor that does not change the HTML being served.
- Detect malware infections and hidden code on your website
- Monitor blacklist status (Google, McAfee, etc.)
- Receive email notifications for security issues
- View website security details and information
If you're running WordPress on your Plesk server, one way to further harden it is to move the contents of your .htaccess file into the Apache & nginx Settings for that domain (the additional Apache directives) and then delete the .htaccess file. More often than not, an attacker who gets write access as the site's user will try to redirect your visitors by inserting directives into .htaccess, because Apache re-reads that file on every request and the web user can write it; directives stored in the domain's Plesk settings land in the vhost configuration, which that user cannot modify. Two caveats: the WordPress permalink rewrite block must be moved as well, or pretty permalinks will break, and WordPress (and some plugins) will recreate .htaccess when the directory is writable and permalink settings are saved, so check that it stays gone.
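Before moving the directives over, it is worth reading the existing .htaccess for the kinds of injections described above. The following is an added example, not code from the original post or from Plesk: a small Python audit that flags redirect directives pointing at a host other than your own, RewriteCond lines that single out search-engine traffic (typical of cloaked SEO spam), php_value auto_prepend_file / auto_append_file lines (which load an attacker's PHP into every request), and AddHandler/AddType lines that run non-.php extensions as PHP (the classic "image that is really a webshell" trick). The own-host set and the sample .htaccess are constructed for the example, and the indicator list covers the common cases rather than every possible injection.

```python
"""Audit a WordPress .htaccess for common injected directives.

Added example, not code from the page or from Plesk. Assumptions: OWN_HOSTS
is the set of hostnames the site legitimately redirects to, and the sample
.htaccess below is constructed (stock WordPress block, four injected lines,
one legitimate redirect). The checks cover common injections, not all.
"""
import re

OWN_HOSTS = {"example.com", "www.example.com"}  # assumption: the site's own domains
PHP_EXTS = {".php", ".phtml", ".php5", ".php7", ".phps"}
SEARCH_ENGINES = r"(google|bing|yahoo|yandex|duckduckgo|msn)"

SAMPLE_HTACCESS = r"""# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
RewriteCond %{HTTP_REFERER} (google|bing|yahoo)\. [NC]
RewriteRule ^(.*)$ http://pharma-example.invalid/go.php [R=302,L]
php_value auto_prepend_file /tmp/.cache/x.php
AddHandler application/x-httpd-php .jpg
Redirect 301 /old-page https://example.com/new-page
"""


def audit_htaccess(text, own_hosts=OWN_HOSTS):
    """Return [(line_number, reason), ...] for directives that need a human look."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        directive = tokens[0].lower()

        # 1. Redirect-type directives whose target host is not one of ours.
        if directive in ("rewriterule", "errordocument") or directive.startswith("redirect"):
            url = re.search(r"https?://([^/\s\"'\]]+)", line, re.I)
            if url and url.group(1).lower() not in own_hosts:
                findings.append((lineno, f"redirects to external host {url.group(1)}"))
                continue

        # 2. Conditions that single out search-engine referrers or crawlers (cloaking).
        if directive == "rewritecond" and re.search(
                r"%\{(HTTP_REFERER|HTTP_USER_AGENT)\}\s+\S*" + SEARCH_ENGINES, line, re.I):
            findings.append((lineno, "condition targets search-engine traffic"))
            continue

        # 3. A PHP file silently included before/after every script.
        if re.match(r"php_(admin_)?(value|flag)\s+auto_(prepend|append)_file", line, re.I):
            findings.append((lineno, "auto_prepend/append_file injects PHP into every request"))
            continue

        # 4. Non-PHP extensions mapped to the PHP handler (runs an "image" as code).
        if directive in ("addhandler", "addtype") and len(tokens) > 2 and "php" in tokens[1].lower():
            odd = [e for e in tokens[2:] if e.lower() not in PHP_EXTS]
            if odd:
                findings.append((lineno, f"PHP handler mapped to {', '.join(odd)}"))
    return findings


if __name__ == "__main__":
    for lineno, reason in audit_htaccess(SAMPLE_HTACCESS):
        print(f"line {lineno}: {reason}")
```

On the sample it reports lines 11 to 14 and leaves the stock WordPress block and the redirect to example.com alone. Anything it flags should be dropped rather than carried over into the Plesk directives box; anything it does not flag still deserves a read, since the checks are indicators, not a full parser.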
- VirusTotal Website Check – This free extension submits every domain on your server to VirusTotal's URL scanners and reports detections of viruses, worms, trojans and other malware. Like Sucuri, it is a remote check of the public site, not a scan of the files on disk.
- Cloudflare – Cloudflare works as a reverse proxy: you move your DNS to Cloudflare, and its edge sits in front of your server to protect your sites, applications and APIs against denial-of-service attacks, data compromise and abusive bots. Two things to get right on a Plesk server: restrict direct access to your origin to Cloudflare's IP ranges, otherwise anyone who learns the origin IP bypasses it entirely, and restore the real visitor IP in your web server logs (for example with Apache's mod_remoteip and the CF-Connecting-IP header), otherwise Fail2ban will see only Cloudflare's addresses and either ban nothing or ban Cloudflare.