Plesk is a commercial web hosting automation platform available for Linux and Windows servers. With over 20 years of development, it provides comprehensive management for web domains, email, databases, DNS, and security. Plesk's enterprise-grade features, WordPress Toolkit, and extensive extension ecosystem make it popular among hosting providers. As a commercial product with a dedicated security team and regular patches, Plesk has strong security foundations, but comprehensive hardening is still essential for production environments.
Vulnerability Details:
Description: An XPath injection vulnerability in the APS Catalog search functionality allows local attackers to escalate privileges on the system.
Action Required: check the installed version, then update:
```bash
plesk bin version
plesk installer update
```
Workaround (if update not immediately possible):
If APS Catalog is not in use, your server is not affected. To disable APS Catalog, add the following to /usr/local/psa/admin/conf/panel.ini:
```ini
[aps]
enabled = off
```
Note: Plesk has not disclosed a CVE identifier or CVSS score for this vulnerability. The fix was deployed automatically via Plesk's update mechanism on February 24-25, 2026.
Plesk supports TOTP-based 2FA for all user accounts. Enable it immediately after installation.
Enable 2FA via Plesk UI:
Force 2FA for all administrators via CLI:
```bash
# Plesk CLI utility
plesk bin admin --show-preferences
# Enable 2FA enforcement (Plesk Obsidian+)
plesk bin poweruser --off  # Disable power user mode if not needed
# Force 2FA for all admin users (via database)
plesk bin plib -d "UPDATE users SET two_factor_auth_enabled = 1 WHERE login = 'admin'"
```
Enable 2FA via Plesk CLI:
```bash
# Enable 2FA for a specific user
plesk bin user --update username -2fa-enabled true
# Verify 2FA status
plesk bin user --info username
```
Secure the default admin account:
```bash
# Change admin password via CLI (a password given on the command line is
# recorded in the shell history; prefer the interactive form)
plesk bin admin --update-password -password 'YourNewStrongPassword123!'
# Or interactively
plesk bin admin --update-password
```
Best practices:
Create new admin user via CLI:
```bash
# Create new administrator
plesk bin admin --create newadmin -email admin@example.com -passwd 'StrongPassword123!' -role Administrator
# Or create reseller with limited permissions
plesk bin reseller --create reseller1 -email reseller@example.com -passwd 'StrongPassword123!'
```
Delete or disable unused accounts:
```bash
# Disable user (soft delete)
plesk bin user --disable username
# Delete user permanently (use with caution)
plesk bin user --remove username
```
Restrict panel access by IP using Plesk's built-in feature:
```bash
# Allow only specific IP addresses
plesk bin ip_ban --add 10.0.0.0/24 -allow true
# Block specific IPs
plesk bin ip_ban --add 192.168.100.100 -ban true
# List current IP bans/allowlist
plesk bin ip_ban --list
# Remove IP from ban list
plesk bin ip_ban --remove 192.168.100.100
```
Configure via Plesk UI:
Using iptables directly (only when the Plesk Firewall extension is not managing iptables on this server, since it applies its own rule set):
```bash
# Allow only from management network
sudo iptables -A INPUT -p tcp --dport 8443 -s 10.0.0.0/24 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 8443 -j DROP
sudo iptables -A INPUT -p tcp --dport 8880 -s 10.0.0.0/24 -j ACCEPT  # HTTP redirect
sudo iptables -A INPUT -p tcp --dport 8880 -j DROP
# "sudo iptables-save > file" opens the file as the unprivileged user and fails;
# run the whole pipeline as root
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
```
Using firewalld:
```bash
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.0.0.0/24" port port="8443" protocol="tcp" accept'
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" port port="8443" protocol="tcp" reject'
sudo firewall-cmd --reload
```
Using UFW (the allow rule must be added before the deny rule, because UFW evaluates rules in order):
```bash
sudo ufw allow from 10.0.0.0/24 to any port 8443
sudo ufw deny 8443
sudo ufw enable
```
Configure session settings in Plesk:
Via Plesk UI: set the session idle timeout to 900 seconds (15 minutes).
Edit Plesk configuration (/etc/psa/.psa.conf or via CLI):
```bash
# Session timeout (seconds)
plesk bin server --set-session-timeout 900
# Enable IP validation
plesk bin server --set-ip-validation true
```
Secure session handling in PHP (/etc/php/*/apache2/php.ini or /opt/plesk/php/*/etc/php.ini). These files govern the PHP that serves hosted sites; the panel itself runs on Plesk's bundled sw-engine PHP with its own configuration, so they do not change panel session behaviour:
```ini
[Session]
session.cookie_httponly = 1
session.cookie_secure = 1
session.use_only_cookies = 1
session.cookie_samesite = Strict
session.use_strict_mode = 1
session.gc_maxlifetime = 900
```
Restart Plesk services:
```bash
sudo systemctl restart sw-cp-server
```
Configure password requirements in Plesk:
```bash
# Set password policy via CLI
plesk bin poweruser --set-password-policy -min-length 12 -require-special -require-numbers -require-uppercase
# Or via UI: Tools & Settings → Password Policy
```
Password policy settings:
```bash
# Minimum password length
plesk bin server --set-password-min-length 12
# Require special characters
plesk bin server --set-password-require-special true
# Require numbers
plesk bin server --set-password-require-numbers true
# Require uppercase
plesk bin server --set-password-require-uppercase true
# Password history (prevent reuse of last N passwords)
plesk bin server --set-password-history 12
```
Enforce password history via PAM. This governs passwords changed through the system PAM stack (for example with passwd), not panel logins:
```bash
# pam_pwhistory is part of the base PAM package; libpam-pwquality/libpwquality
# adds pam_pwquality for complexity rules
sudo apt install libpam-pwquality   # Debian/Ubuntu
sudo dnf install libpwquality       # RHEL/CentOS
```
```text
# Debian/Ubuntu: /etc/pam.d/common-password
# RHEL/CentOS: /etc/pam.d/system-auth and /etc/pam.d/password-auth
# pam_pwhistory must come before pam_unix; remember=12 keeps the last 12 hashes
password required pam_pwhistory.so remember=12 enforce_for_root
password required pam_unix.so use_authtok sha512
```
Plesk uses HTTPS by default on port 8443. Replace the self-signed certificate with a valid one:
Option 1: Let's Encrypt via Plesk (Recommended)
```bash
# Generate certificate for panel hostname
plesk bin extension --install letsencrypt
plesk bin letsencrypt --install -hostname plesk.example.com -email admin@example.com
# Or via UI: Tools & Settings → SSL/TLS Certificates → Let's Encrypt
```
Option 2: Manual Let's Encrypt
```bash
sudo apt install certbot
# Generate certificate (--standalone binds port 80 itself, so stop the web
# server for the run or use --webroot instead)
sudo certbot certonly --standalone -d plesk.example.com
# Import to Plesk
plesk bin certificate --create plesk.example.com -cert /etc/letsencrypt/live/plesk.example.com/fullchain.pem -key /etc/letsencrypt/live/plesk.example.com/privkey.pem
# Apply to panel
plesk bin server --set-certificate plesk.example.com
# certbot renews the files on disk, not the copy Plesk holds: run the two
# commands above again from a certbot --deploy-hook after each renewal
```
Option 3: Upload commercial certificate
```bash
# Via UI: Tools & Settings → SSL/TLS Certificates → Upload Certificate
# Or via CLI:
plesk bin certificate --create "Commercial Cert" -cert /path/to/cert.crt -key /path/to/key.key -cacert /path/to/ca-bundle.crt
```
Configure SSL/TLS settings:
```bash
# Set minimum TLS version
plesk bin server --set-ssl-protocol TLSv1.2
# Configure cipher suites (Plesk Obsidian+)
plesk bin server --set-ssl-ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"
```
Default Plesk ports:
| Port | Service | Required |
|---|---|---|
| 8443 | Plesk Admin Panel (HTTPS) | Yes |
| 8880 | Plesk Admin Panel (HTTP redirect) | Yes |
| 80 | HTTP (web domains) | Yes |
| 443 | HTTPS (web domains) | Yes |
| 21 | FTP | If FTP enabled |
| 22 | SSH | Recommended |
| 25 | SMTP | If mail enabled |
| 53 | DNS | If DNS enabled |
| 110/995 | POP3 | If mail enabled |
| 143/993 | IMAP | If mail enabled |
| 3306 | MySQL | No (localhost only) |
Plesk includes built-in firewall management (Firewall extension):
Install Firewall extension:
```bash
plesk bin extension --install firewall
```
Configure firewall via CLI:
```bash
# Enable firewall
plesk bin firewall --enable
# Add rules
plesk bin firewall --add-rule -name "SSH" -direction input -action allow -port 22 -protocol tcp
plesk bin firewall --add-rule -name "HTTP" -direction input -action allow -port 80 -protocol tcp
plesk bin firewall --add-rule -name "HTTPS" -direction input -action allow -port 443 -protocol tcp
plesk bin firewall --add-rule -name "Plesk Panel" -direction input -action allow -port 8443 -protocol tcp -source 10.0.0.0/24
# Block panel from public
plesk bin firewall --add-rule -name "Block Public Panel" -direction input -action deny -port 8443 -protocol tcp
# List rules
plesk bin firewall --list-rules
# Delete rule
plesk bin firewall --remove-rule "Rule Name"
```
Configure via Plesk UI:
Configure CSF (if installed instead of Plesk Firewall):
```text
# Edit /etc/csf/csf.conf (if SSH is moved off port 22 as in the SSH section,
# list the new port here instead)
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,8443,8880"
TCP_OUT = "20,21,25,53,80,110,443,465,587"
# Enable port scan protection
PS_INTERVAL = "60"
```
```bash
# Restart CSF
csf -r
```
Plesk includes built-in fail2ban integration:
Enable fail2ban protection:
```bash
# Install fail2ban (if not already installed)
sudo apt install fail2ban  # Debian/Ubuntu
sudo dnf install fail2ban  # RHEL/CentOS
# Plesk typically ships its own jails (plesk-panel, plesk-postfix, plesk-dovecot,
# plesk-proftpd, plesk-apache and others); verify fail2ban status
plesk bin fail2ban --status
```
Plesk fail2ban jails (/etc/fail2ban/jail.local or /usr/local/psa/admin/conf/fail2ban/jail.local):
```ini
[plesk-auth]
enabled = true
port = 8443,8880
filter = plesk-auth
logpath = /var/log/psa/panel.log
maxretry = 5
bantime = 3600
findtime = 300

[plesk-bruteforce]
enabled = true
port = 8443,8880
filter = plesk-bruteforce
logpath = /var/log/psa/panel.log
maxretry = 3
bantime = 7200
findtime = 300

[postfix-sasl]
enabled = true
port = smtp,465,submission
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 3
bantime = 3600

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
logpath = /var/log/mail.log
maxretry = 3
bantime = 3600

[proftpd]
enabled = true
port = ftp,ftp-data,ftps,ftps-data
filter = proftpd
logpath = /var/log/proftpd/proftpd.log
maxretry = 3
bantime = 3600
```
Create the custom Plesk filter (/etc/fail2ban/filter.d/plesk-auth.conf). Continuation lines of a multi-line failregex must be indented, and the patterns below are deliberately broad, so test them against real panel.log lines with `fail2ban-regex /var/log/psa/panel.log /etc/fail2ban/filter.d/plesk-auth.conf` before enabling the jail:
```ini
[Definition]
failregex = ^.*Failed login.*<HOST>.*$
            ^.*Authentication failure.*<HOST>.*$
            ^.*Invalid.*password.*<HOST>.*$
            ^.*Login failed.*<HOST>.*$
            ^.*panel\.log.*Failed.*<HOST>.*$
ignoreregex =
```
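To see why the catch-all patterns above must be checked against real lines before the jail goes live, here is an added example (not part of the original page or of Plesk) that replays constructed panel.log-style lines through the plesk-auth jail parameters above (maxretry=5, findtime=300) with both the page's `Login failed` pattern and an anchored variant. It assumes the classic fail2ban `<HOST>` expansion and an invented log line layout; the real filter must be derived from the actual panel.log and confirmed with `fail2ban-regex`.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a panel.log-like shape (assumed layout, not copied from
# a real Plesk server): "[timestamp] LEVEL [panel] message ... from <ip>".
SAMPLE_LOG = """\
[2026-02-25 10:15:02] ERR [panel] Login failed for user 'admin' from 203.0.113.45
[2026-02-25 10:15:09] ERR [panel] Login failed for user 'admin' from 203.0.113.45
[2026-02-25 10:15:15] ERR [panel] Login failed for user 'root' from 203.0.113.45
[2026-02-25 10:15:21] ERR [panel] Login failed for user 'admin' from 203.0.113.45
[2026-02-25 10:15:30] ERR [panel] Login failed for user 'admin' from 203.0.113.45
[2026-02-25 10:16:01] INFO [panel] Login succeeded for user 'alice' from 198.51.100.7
[2026-02-25 10:40:00] ERR [panel] Login failed for user 'bob' from 198.51.100.7
[2026-02-25 10:41:00] ERR [panel] Login failed for user 'bob' from 198.51.100.7
[2026-02-25 10:42:00] ERR [panel] Login failed for user 'bob' from 198.51.100.7
[2026-02-25 10:43:00] ERR [panel] Login failed for user 'bob' from 198.51.100.7
[2026-02-25 10:50:00] ERR [panel] Login failed for user 'bob' from 198.51.100.7
"""

# fail2ban replaces <HOST> with a named group; this is the classic expansion
# (assumed here so the check runs offline without fail2ban installed).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

PAGE_PATTERN = r"^.*Login failed.*<HOST>.*$"  # as written in the filter above
TIGHT_PATTERN = r"^.*Login failed for user '[^']*' from <HOST>\s*$"  # anchored


def compile_failregex(failregex: str) -> "re.Pattern[str]":
    """Expand <HOST> and compile, the way fail2ban prepares a failregex."""
    return re.compile(failregex.replace("<HOST>", HOST))


def extract_host(failregex: str, line: str):
    """Return the host string the ban action would receive, or None."""
    m = compile_failregex(failregex).search(line)
    return m.group("host") if m else None


def hosts_to_ban(log_text: str, failregex: str, maxretry: int = 5, findtime: int = 300):
    """Replay lines through the jail logic: a host is banned once it reaches
    maxretry failures inside a sliding window of findtime seconds."""
    pattern = compile_failregex(failregex)
    window = timedelta(seconds=findtime)
    failures = defaultdict(list)
    banned = []
    for line in log_text.splitlines():
        m = pattern.search(line)
        if not m:
            continue  # not a failure line (e.g. a successful login)
        ts = datetime.strptime(line[1:20], "%Y-%m-%d %H:%M:%S")
        host = m.group("host")
        failures[host] = [t for t in failures[host] if ts - t <= window] + [ts]
        if len(failures[host]) >= maxretry and host not in banned:
            banned.append(host)
    return banned


if __name__ == "__main__":
    first = SAMPLE_LOG.splitlines()[0]
    # The greedy ".*" before <HOST> leaves the group only the final character
    print("page pattern captures:", extract_host(PAGE_PATTERN, first))  # "5"
    print("anchored pattern captures:", extract_host(TIGHT_PATTERN, first))  # "203.0.113.45"
    print("banned with page pattern:", hosts_to_ban(SAMPLE_LOG, PAGE_PATTERN))
    print("banned with anchored pattern:", hosts_to_ban(SAMPLE_LOG, TIGHT_PATTERN))
```

With the page's pattern the jail would try to ban the string "5" rather than an address; the anchored pattern bans 203.0.113.45 after its fifth failure in 28 seconds, while 198.51.100.7 stays unbanned because its five failures span 10 minutes, longer than findtime.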
Restart fail2ban:
```bash
sudo systemctl restart fail2ban
```
View banned IPs:
```bash
fail2ban-client status plesk-auth
fail2ban-client set plesk-auth unbanip <IP>
# Or via Plesk
plesk bin ip_ban --list
```
Configure Apache rate limiting. Note that mod_ratelimit caps bandwidth per connection (KB/s); it slows large responses but does not limit the number of requests:
```apache
# /etc/apache2/mods-available/ratelimit.conf
<IfModule mod_ratelimit.c>
    SetOutputFilter RATE_LIMIT
    SetEnv rate-limit 400
    SetEnv rate-limit-burst 200
</IfModule>
```
Configure mod_evasive for DDoS protection:
```apache
# /etc/apache2/mods-available/evasive.conf
<IfModule mod_evasive24.c>
    DOSHashTableSize 3097
    DOSPageCount 2
    DOSSiteCount 50
    DOSPageInterval 1
    DOSSiteInterval 1
    DOSBlockingPeriod 10
    DOSEmailNotify admin@example.com
    # Runs as the web server user, which cannot "su - root" non-interactively;
    # grant that user a sudoers entry limited to "/usr/sbin/csf -d *" instead
    DOSSystemCommand "sudo /usr/sbin/csf -d %s mod_evasive"
</IfModule>
```
Enable modules:
```bash
sudo a2enmod ratelimit
sudo a2enmod evasive
sudo systemctl restart apache2
```
Configure Nginx rate limiting (if using Nginx). Files in conf.d are already included inside the http context, so the zones are declared without another http block, and Plesk regenerates the per-domain vhost files, so the location directives go into the domain's Additional nginx directives (Websites & Domains → Apache & nginx Settings):
```nginx
# /etc/nginx/conf.d/rate-limit.conf
limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;
limit_req_zone $binary_remote_addr zone=login:10m rate=5r/m;
```
```nginx
# Per-domain: Additional nginx directives
location /login/ {
    limit_req zone=login burst=3 nodelay;
}
location / {
    limit_req zone=one burst=10 nodelay;
}
```
Edit Plesk configuration via CLI:
```bash
# Disable debug in production
plesk bin server --set-debug false
# Session security
plesk bin server --set-session-timeout 900
plesk bin server --set-ip-validation true
# Login attempt limits
plesk bin server --set-login-attempts 5
plesk bin server --set-login-lockout-time 300
# File upload limits
plesk bin server --set-max-upload-size 10
```
Security settings via Plesk UI:
Plesk uses MySQL/MariaDB. Secure it:
```bash
# Run secure installation
sudo mysql_secure_installation
# Key settings:
# - Set root password
# - Remove anonymous users
# - Disallow root login remotely
# - Remove test database
```
Plesk itself connects to the psa database as the admin account whose password is stored in /etc/psa/.psa.shadow; leave that account's password and grants alone or the panel stops working.
Configure /etc/mysql/mariadb.conf.d/50-server.cnf:
```ini
[mysqld]
# Network security - bind to localhost only
bind-address = 127.0.0.1
skip-networking = 1
# Disable local infile
local-infile = 0
# Secure file handling (the directory must exist and be owned by the mysql user)
secure_file_priv = /var/lib/mysql-files
# Logging
log_error = /var/log/mysql/error.log
slow_query_log = 1
slow_query_log_file = /var/log/mysql/slow.log
long_query_time = 2
```
Create a restricted database user for any additional tooling that needs the psa database (log in first with `mysql -u root -p`):
```sql
-- Plesk uses the psa database; grant only what the tool needs.
-- MariaDB accepts IDENTIFIED BY inside GRANT; MySQL 8 requires CREATE USER first.
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES ON psa.* TO 'plesk'@'localhost' IDENTIFIED BY 'strong-password-here';
FLUSH PRIVILEGES;
-- Do NOT grant: FILE, PROCESS, SUPER, RELOAD, SHUTDOWN, GRANT OPTION
```
Edit Plesk PHP configuration (/opt/plesk/php/*/etc/php.ini or /etc/php/*/apache2/php.ini). On a multi-tenant server the safer place for most of these is the per-domain PHP Settings page in Plesk, which lets a single site relax a rule without affecting the rest:
```ini
[Security]
expose_php = Off
allow_url_fopen = Off
allow_url_include = Off
; Process-spawning and source-disclosure functions. fopen and readfile are
; deliberately not listed: practically every PHP application, WordPress
; included, needs them, so disabling them breaks hosted sites.
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source,leak
display_errors = Off
log_errors = On
error_reporting = E_ALL
html_errors = Off

[Resource Limits]
max_execution_time = 30
max_input_time = 60
memory_limit = 256M
post_max_size = 64M
upload_max_filesize = 64M
max_file_uploads = 20

[Session]
session.cookie_httponly = 1
session.cookie_secure = 1
session.use_only_cookies = 1
session.cookie_samesite = Strict
session.use_strict_mode = 1
session.gc_maxlifetime = 900

[Open Basedir]
; Plesk's per-domain default is {WEBSPACEROOT}{/}{:}{TMP}{/}; a server-wide
; value must include every vhost root or those sites stop working
open_basedir = /var/www:/tmp:/var/tmp
```
Restart web server:
```bash
sudo systemctl restart apache2       # Apache
sudo systemctl restart php*-fpm      # PHP-FPM (if using)
sudo systemctl restart sw-cp-server  # Plesk control panel
```
Secure Plesk installation:
```bash
# Plesk directory permissions
sudo chown -R root:root /opt/plesk
sudo chmod -R 755 /opt/plesk
sudo chmod 600 /etc/psa/.psa.conf
# Plesk admin directory
sudo chown -R admin:admin /var/www/localhost/htdocs
sudo chmod -R 755 /var/www/localhost/htdocs
# Web directory: Plesk keeps each subscription under /var/www/vhosts/<domain>,
# owned by that subscription's own system user. A recursive chown to the web
# server user would collapse that isolation, so let Plesk restore its own
# ownership and modes instead
sudo plesk repair fs -y
# User home directories
sudo chmod 711 /home
sudo chmod 711 /home/username
# Configuration files (paths are examples; adjust to the subscription)
sudo chmod 600 /path/to/.my.cnf
sudo chmod 644 /var/www/vhosts/example.com/httpdocs/.htaccess
# SSH directories
sudo chmod 700 /home/username/.ssh
sudo chmod 600 /home/username/.ssh/authorized_keys
```
Protect sensitive files:
```apache
# /etc/apache2/conf-available/plesk-hardening.conf (enable with: a2enconf plesk-hardening)
<FilesMatch "(config\.php|\.sql|\.log|\.bak|\.old)$">
    Require all denied
</FilesMatch>
# Prevent directory listing
<Directory /var/www>
    Options -Indexes
</Directory>
```
Disable PHP execution in upload directories:
```apache
# /etc/apache2/conf-available/disable-php-uploads.conf
# Plesk's layout is /var/www/vhosts/<domain>/httpdocs; the wildcard covers
# every subscription's WordPress uploads directory
<Directory "/var/www/vhosts/*/httpdocs/wp-content/uploads">
    # php_flag only takes effect with mod_php; sites served by PHP-FPM rely on
    # the FilesMatch block below
    php_flag engine off
    RemoveHandler .php .php3 .php4 .php5 .phtml
    <FilesMatch "\.(php|php3|php4|php5|phtml)$">
        Require all denied
    </FilesMatch>
</Directory>
<Directory "/var/www/vhosts/*/httpdocs/images">
    php_flag engine off
</Directory>
```
Secure SSH access:
```bash
# Edit /etc/ssh/sshd_config
sudo nano /etc/ssh/sshd_config
```
sshd_config does not accept trailing comments after a value (they are read as extra arguments), so keep comments on their own lines:
```text
# Key settings:
# Change from the default port; update the firewall rules and the fail2ban
# sshd jail port to match
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
# Also list any subscription system users that need SSH access
AllowUsers admin-user
X11Forwarding no
AllowTcpForwarding no
```
Validate the configuration and restart SSH (keep the current session open until a new login succeeds):
```bash
sudo sshd -t && sudo systemctl restart sshd
```
Plesk typically uses Postfix and Dovecot. Secure them. Plesk generates large parts of both configurations and rewrites them on reconfiguration (for example after `plesk repair mail`), so re-check custom settings afterwards:
Postfix configuration (/etc/postfix/main.cf):
```text
# Disable VRFY command
disable_vrfy_command = yes
# Restrict relay
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
# Rate limiting (connections per client per anvil_rate_time_unit)
smtpd_client_connection_rate_limit = 50
anvil_rate_time_unit = 60s
# TLS settings. "may" offers STARTTLS on port 25 without rejecting the remote
# MTAs that cannot encrypt (which would lose inbound mail); require encryption
# on the submission listeners in master.cf with "-o smtpd_tls_security_level=encrypt"
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_mandatory_ciphers = medium
```
Dovecot configuration (/etc/dovecot/dovecot.conf is regenerated by Plesk, so place these overrides in a file under /etc/dovecot/conf.d/):
```text
# Disable plaintext auth without SSL
disable_plaintext_auth = yes
# SSL settings
ssl = required
ssl_min_protocol = TLSv1.2
ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
# Logging
log_path = /var/log/dovecot.log
auth_verbose = yes
```
Restart mail services:
```bash
sudo systemctl restart postfix
sudo systemctl restart dovecot
```
Install Plesk Security extension for enhanced protection:
```bash
# Install Security extension
plesk bin extension --install security
# Configure via UI: Extensions → Security
# Or via CLI:
plesk bin security --enable-firewall
plesk bin security --enable-antivirus
plesk bin security --enable-waf
```
Security extension features:
Update Plesk:
```bash
# Check current version
plesk bin version
# Update Plesk
plesk bin autoinstall --upgrade
# Or via UI: Tools & Settings → Updates and Upgrades
# Check for available updates
plesk bin autoinstall --check-updates
```
Enable automatic updates:
```bash
# Configure automatic security updates
plesk bin autoinstall --enable-updates
# Set update schedule (weekly recommended)
plesk bin autoinstall --set-update-schedule weekly
```
Subscribe to security announcements:
Plesk log locations:
| Log File | Purpose |
|---|---|
| /var/log/psa/panel.log | Main panel logs |
| /var/log/psa/auth.log | Authentication logs |
| /var/log/psa/error.log | Panel errors |
| /var/log/plesk/ | Plesk operation logs |
| /var/log/sw-cp-server/ | Control panel server logs |
| /var/log/apache2/ | Apache access/error logs |
| /var/log/mail.log | Mail server logs |
| /var/log/mysql/error.log | Database errors |
| /var/log/fail2ban/fail2ban.log | Fail2ban actions |
View recent activity:
```bash
# Plesk panel logs
tail -f /var/log/psa/panel.log
# Filter for login events
grep -i "login\|auth" /var/log/psa/panel.log
# Failed login attempts
grep -i "failed\|invalid" /var/log/psa/panel.log | tail -50
# Control panel server logs
tail -f /var/log/sw-cp-server/sw-cp-server.log
# Mail logs
tail -f /var/log/mail.log
```
Set up alerts for:
Configure log rotation:
```text
# /etc/logrotate.d/plesk
/var/log/psa/*.log {
    daily
    rotate 30
    compress
    delaycompress
    missingok
    notifempty
    create 640 root adm
    sharedscripts
    postrotate
        systemctl reload rsyslog > /dev/null 2>&1 || true
    endscript
}
```
Rsyslog configuration. rsyslog has no "filename" property, so the property-based filters match on the program name; a single "@" forwards over plain UDP, while "@@" uses TCP, which is the minimum for logs that must arrive intact:
```text
# /etc/rsyslog.d/plesk.conf
:programname, contains, "psa" /var/log/plesk/central.log
:programname, contains, "psa" @@syslog.example.com:514
:programname, contains, "mail" @@syslog.example.com:514
:programname, contains, "sw-cp-server" @@syslog.example.com:514
```
```bash
# Restart rsyslog
sudo systemctl restart rsyslog
```
Filebeat for ELK stack. Filebeat ships no Plesk module, so the panel logs are collected with plain filestream inputs and tagged by source:
```yaml
# /etc/filebeat/filebeat.yml
filebeat.inputs:
  - type: filestream
    id: plesk-auth
    paths: ["/var/log/psa/auth.log"]
    fields: {service: plesk, log: auth}
  - type: filestream
    id: plesk-panel
    paths: ["/var/log/psa/panel.log"]
    fields: {service: plesk, log: panel}
  - type: filestream
    id: apache
    paths: ["/var/log/apache2/access.log", "/var/log/apache2/error.log"]
    fields: {service: apache}
```
Install AIDE to detect file changes:
```bash
# Install AIDE
sudo apt install aide
# Initialize database
sudo aideinit
```
Configure Plesk paths in /etc/aide/aide.conf. Log directories change constantly, so a full-checksum rule on them reports every run; AIDE's growing-file rule (the S attribute, checking that files only grow) is the usual choice there:
```text
/opt/plesk/ p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha512
/var/log/psa/ p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha512
/var/log/plesk/ p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha512
/var/www/ p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha512
/etc/postfix/ p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha512
/etc/dovecot/ p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha512
```
Schedule daily checks (root crontab):
```text
0 5 * * * /usr/bin/aide --check
```
Plesk provides powerful CLI commands. Secure access:
Restrict CLI access:
```bash
# Only root and admin users should have sudo access
sudo visudo
```
```text
# Add specific Plesk commands allowed for specific users
admin-user ALL=(ALL) NOPASSWD: /usr/bin/plesk bin user --list
admin-user ALL=(ALL) NOPASSWD: /usr/bin/plesk bin domain --list
```
Audit CLI usage. rsyslog cannot record process execution, so use auditd to log every invocation of the plesk binary (panel operations are additionally recorded in Plesk's Action Log under Tools & Settings):
```bash
sudo apt install auditd
# Watch for execution of the plesk binary
sudo auditctl -w /usr/bin/plesk -p x -k plesk-cli
# Make the rule persistent across reboots
echo '-w /usr/bin/plesk -p x -k plesk-cli' | sudo tee /etc/audit/rules.d/plesk.rules
# Query recorded invocations
sudo ausearch -k plesk-cli
```
Plesk provides a REST API for automation. Secure it properly:
Enable API access:
```bash
# Generate API key (the utility name uses an underscore, like ip_ban)
plesk bin secret_key --create -login admin -ip 10.0.0.0/24 -description "Automation Key"
# List API keys
plesk bin secret_key --list
# Revoke API key
plesk bin secret_key --remove -key-id KEY_ID
```
API security best practices:
Example API call. The REST API expects the key in the X-API-Key header; keep it in a root-only file and export it rather than typing it on the command line, and do not pass -k to curl, since the panel has a valid certificate after the TLS section above and the whole point of the key is lost if the connection can be intercepted:
```bash
curl -H "X-API-Key: $PLESK_API_KEY" \
     -H "Content-Type: application/json" \
     https://plesk.example.com:8443/api/v2/users
```
Plesk backup configuration:
```bash
# Configure backup settings
plesk bin backup --set -backupdir /backup/plesk -rotation 7
# Create backup
plesk bin backup --create -backupdir /backup/plesk
# Encrypt backups
plesk bin backup --set -encryption true -encryption-password 'StrongPassword123!'
```
Backup security best practices:
```bash
# Keep the backup directory readable by root only
chmod 700 /backup
# Dump the Plesk configuration database separately
plesk bin plesk-db backup > backup.sql
```
Configure remote backup:
```bash
# S3 backup. Credentials on the command line land in the shell history and the
# process list; prefer entering them in the UI
plesk bin backup --set -backupdir s3://bucket-name/plesk -s3-key KEY -s3-secret SECRET
# FTP backup. Plain FTP sends the password and the archive in clear text;
# use FTPS or SFTP storage instead
plesk bin backup --set -backupdir ftp://user:pass@ftp.example.com/plesk
```
| Control | Status | Notes |
|---|---|---|
| 2FA enabled for all admins | ☐ | Via user settings |
| HTTPS with valid certificate | ☐ | Let’s Encrypt recommended |
| Firewall configured | ☐ | Plesk Firewall or CSF |
| fail2ban deployed | ☐ | Plesk jails configured |
| Database hardened | ☐ | mysql_secure_installation |
| PHP hardening applied | ☐ | Disable dangerous functions |
| File permissions secured | ☐ | Config 600, directories 755 |
| SSH hardened | ☐ | Key-only auth, non-standard port |
| Mail server secured | ☐ | Postfix/Dovecot TLS |
| Security extension installed | ☐ | WAF, antivirus, malware detection |
| Backups encrypted | ☐ | Off-server storage |
| Centralized logging | ☐ | Forward to SIEM |
| Regular updates scheduled | ☐ | Plesk + system packages |
| File integrity monitoring | ☐ | AIDE configured |
| API keys secured | ☐ | If using API |
If you suspect a security breach:
Isolate the server
```bash
# Block external access via firewall. Add the accept rules first and flip the
# default policy last, otherwise the SSH session you are working from is cut off
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j ACCEPT  # management network (adjust port)
sudo iptables -P INPUT DROP
# Or via CSF
csf -d ALL
# Note: "plesk bin firewall --disable" switches the Plesk Firewall off and
# opens every port; it is not an isolation step
```
Preserve evidence
```bash
# cp -a keeps ownership and timestamps, which matter for the timeline
cp -a /var/log/psa /root/psa-logs-$(date +%Y%m%d-%H%M%S)
cp -a /var/log/plesk /root/plesk-logs-$(date +%Y%m%d-%H%M%S)
cp -a /var/log/apache2 /root/apache-logs-$(date +%Y%m%d-%H%M%S)
cp -a /var/log/mail.log /root/mail-log-$(date +%Y%m%d-%H%M%S)
mysqldump -u root -p --all-databases > /root/all-db-$(date +%Y%m%d-%H%M%S).sql
```
Review recent activity
```bash
# Failed logins
grep -i "failed" /var/log/psa/panel.log | tail -100
# Check new accounts
plesk bin user --list
# Check new domains
plesk bin domain --list
# Check recent API calls
grep "api" /var/log/psa/panel.log | tail -50
```
Check for unauthorized changes
```bash
# Compare with AIDE database
sudo aide --check
# Look for recently modified files
find /opt/plesk -type f -mtime -7 -ls
find /var/www -type f -mtime -7 -ls
```
Change all credentials - Admin passwords, database passwords, FTP accounts, SSH keys, API keys
Scan for malware
```bash
# If Security extension is installed
plesk bin security --scan-malware
# Or use ClamAV
sudo apt install clamav clamav-daemon
sudo freshclam
# The quarantine directory must exist before --move can use it
sudo mkdir -p /home/quarantine && sudo chmod 700 /home/quarantine
sudo clamscan -r /var/www --move=/home/quarantine
```
Patch vulnerabilities - Update Plesk, PHP, web server, mail server, and all packages
```bash
plesk bin autoinstall --upgrade
```
Restore from clean backup - If compromise is severe
```bash
plesk bin backup --restore -backup-file /backup/plesk/backup-file.zip
```
Notify affected users - If customer data was exposed