Recently, Plesk have updated their Advisor extension (previously known as the Security Advisor) to include a score and a number of recommendations. While increased security is always a good thing, the recommendations don't always consider the whole story. For servers hosted on the Conetix platform, we have produced a set of recommendations, which we have detailed below. Your current score may look something like this:
A low score may not be a full reflection of the overall server security and, conversely, a high score may not equate to a secure server. Managing server security can be very complex and Conetix recommends that you thoroughly understand each option before making any changes.
Configure ModSecurity & Fail2ban
Conetix Recommendation: Install and configure these if your server has sufficient spare resources and you know what you're configuring. Enabling ModSecurity and Fail2ban will use increased system resources and may adversely affect any site on your server. Conetix already runs dedicated firewalls which feature an Intrusion Protection System (IPS) to filter malicious traffic, as well as a Web Application Firewall (WAF) to help ensure only valid requests hit the server.
Configure the Plesk Firewall
Conetix Recommendation: Only required for GUI-based setups. If you require the ability to edit firewall rules from within a point-and-click interface, you can install the Plesk Firewall extension to help manage your firewall rules. Conetix also has core firewalls in place with a number of explicit blocks (detailed here), to ensure any potentially vulnerable ports are blocked by default. The Plesk Firewall cannot override these, which means that if you require a rule to be allowed, it must be submitted as a support request.
Configure Scheduled Backups
Conetix Recommendation: Conetix always recommends you run your own backups. We have a guide on this here: https://www.conetix.com.au/support/article/plesk-onxy-scheduling-backup. For an additional cost, Plesk have an extension available which will also copy these backups off to remote cloud storage platforms such as Dropbox, S3 and Google Drive.
Secure Plesk with an SSL/TLS certificate
Conetix Recommendation: We highly recommend using a valid SSL certificate for your Plesk installation and Conetix configures this for all managed servers by default. Click the secure button to use Let's Encrypt to generate and install a free certificate for you.
Switch to Up-To-Date PHP Versions
Conetix Recommendation: We highly recommend updating to modern PHP versions. We recommend using PHP 7.1 or higher, as even 5.6 and 7.0 will be at end of life within 6 months. This means that they won't receive any further bug fixes or even minor security fixes. There are also significant performance increases from running PHP 7.1 or higher.
If you have a question about an item not on this list, please just submit a support request and one of our team members will be able to provide further guidance.