Feature Suggestions
Please provide here your suggestion for new functionality for Plesk. We encourage you to review and vote for suggestions of others. The top-ranked suggestions are likely to be included in the next versions of Plesk.
Please write in English so that voters from all over the world can read and support your request.
Off-topic posts will be removed from here
-
Email notifications/alerts for Modsecurity (WAF)
It will be great to have the ability to receive an email notification from Modsecurity (WAF) when protection has been breached with corresponding breach information (SQL injection, Command injection, Cross-site scripting, etc.).
8 votes
Thank you for your input! We will consider this functionality in upcoming releases if it will be popular.
Everyone, please continue voting for this feature if you consider it important.
—
IG -
Social Login SSO - Microsoft O365 Support
Support Microsoft O365 for the Social Login extension for single-sign-on (SSO).
12 votes -
OWASP security recommendation hide php version from web server by default
I've noticed that in a default Plesk installation the web server is configured to disclose the PHP version. This could be exploited especially with a lot of websites running insecure PHP versions still.
I think it's not much trouble to implement this simple "security through obscurity" step to not disclose this information and help attackers detect vulnerabilities in PHP itself.
5 votes
Thank you for your input! We will consider this functionality in upcoming releases if it will be popular.
Everyone, please continue voting for this feature if you consider it important.
—
IG -
Centralized SSL Certificate Support
I would like if you guys can add Centralized SSL Certificate Support in Plesk GUI, it would be easy to manage,
as I had added a UNC path (\172.16.0.11\shared-certificates) in my Plesk via command line but now I cannot switch back to local path (C:\shared-certificates) as it was configured with UNC path & if I add a local path via command line, it says that the UNC path is not available even though I am using local path.
2 votes
Thank you for your input! We will consider this functionality in upcoming releases if it will be popular. Everyone, please continue voting for this feature if you consider it important.
—
IG -
User Role Permissions
Users with permissions to edit roles can edit rights that they do not own and create roles with rights that they do not own. It would be ideal if a user who has the permissions to edit roles can only change and assign rights that he owns.
1 vote
Thank you for your input! We will consider this functionality in upcoming releases if it will be popular. Everyone, please continue voting for this feature if you consider it important.
—
IG -
Deploy MTA Strict Transport Security
TLSEVERYWHERE
https://www.hardenize.com/blog/mta-sts
https://www.msxfaq.de/signcrypt/smtp_mta_sts.htm (German)
59 votes
Thank you for your input! We will consider this functionality in upcoming releases if it will be popular.
Everyone, please continue voting for this feature if you consider it important.
— rk
-
SAML integration
For setups with a large amount of Plesk servers it would be very nice to be able to use a SAML integration to handle the user authentication.
40 votes
Thank you for your input! We will consider this functionality in upcoming releases if it will be popular.
Everyone, please continue voting for this feature if you consider it important.
—
IG -
block bad bots by default
There are many bots that can actually DoS a server using Plesk. Since there's no way to limit their connections they can overload a server really easily. Currently the only way to block them is by reading the logs and implementing blocks in nginx or .htaccess rules.
It would be great if there could be some security by default. The community has created very comprehensive lists that could be used and auto updated / maintained by cron jobs.
Here's an example for Apache
https://github.com/mitchellkrogza/apache-ultimate-bad-bot-blocker/tree/master/Apache_2.4
And here's for Nginx
https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker
It could help mitigate attacks and vulnerability scans as well a…
11 votes
Thank you for your input. We will consider this functionality in upcoming releases, if it will be popular.
Everyone, please continue voting for this feature if you consider it important.
BTW, we have the following solution for Plesk – https://talk.plesk.com/resources/blocking-extra-bots-using-nginx.6/
—
IG -
Add ability to use the one Let's encrypt account Id for the whole server
Add ability to use the one Let's encrypt account Id for the whole server
After this, it will be possible to request Let's Encrypt Rate Limit Adjustment for the whole server.
https://docs.google.com/forms/d/e/1FAIpQLSetFLqcyPrnnrom2Kw802ZjukDVex67dOM2g4O8jEbfWFs3dA/viewform
4 votes
Thank you for your input. We will consider this functionality in upcoming releases, if it will be popular.
Everyone, please continue voting for this feature if you consider it important.
—
IG -
Password-protected directories: LDAP / Active Directory
Fetch users from AD for Password-protected directories
1 vote
Thank you for your input! We will consider this functionality in upcoming releases if it will be popular.
Everyone, please continue voting for this feature if you consider it important.
—
IG -
2FA (two-factor authentication) for webmail, e.g. Google Authenticator for Roundcube login
Two-factor authentication for webmail
17 votes
We will consider this functionality in upcoming releases if it will be popular.
Everyone, please continue voting for this feature if you consider it important.
-- PD
-
Let's encrypt wildcard for domain aliases
Currently, when requesting a wildcard certificate for a domain with multiple domain aliases, only the main domain gets a wildcard.
Let's say you have a main domain domain.com and have 3 subdomains domain.fr, domain.co.jp and domain.eu.
When requesting a wildcard certificate including all aliases, you'll get:
domain.com
*.domain.com
domain.fr
domain.co.jp
domain.eu
where it would be more logical and useful to have:
domain.com
*.domain.com
domain.fr
*.domain.fr
domain.co.jp
*.domain.co.jp
domain.eu
*.domain.eu
7 votes -
Add option to Whitelist IP in Fail2Ban and mod_security
I always need to whitelist IPs in Firewall, Fail2Ban and mod_security.
You could add at least an option to also whitelist Fail2Ban in mod_security or even make two checkboxes in Firewall whitelisting to whitelist IP in all three modules.
Also, usage of DNS instead of IP would be great; for example, PayPal does recommend to whitelist DNS for API!
THX
6 votes
Thank you for your input! We will consider this functionality in upcoming releases, if it will be popular.
Everyone, please continue voting for this feature if you consider it important.
—
IG -
Enable SSH Key Generate via Plesk Control Panel
With the SSH Manager inside Plesk Onyx, it is extremely easy to add a new key to a subscription. The problem is, most users don't understand how to generate a key with tools like PuTTYgen and explaining it to them leaves them very confused. It would be very handy if, inside the SSH manager there was a way to request a new key pair be generated and added to a subscription automatically, so users don't have to go through the hassle of generating a key.
6 votes
Thank you for your input! We will consider this functionality in upcoming releases, if it will be popular.
Everyone, please continue voting for this feature if you consider it important.
—
IG -
check passwords against Pwned Passwords API
Plesk should check user typed passwords against Pwned Passwords API
https://haveibeenpwned.com/API/v2
that way you could further improve systems running Plesk against Brute-Force attacks - and Dictionary attacks
WordFence plugin for WordPress is already offering this, checking WordPress administrator passwords against https://haveibeenpwned.com/API/v2
it shouldn't be too much work to compare Plesk password hash between Plesk and https://haveibeenpwned.com/API/
I would like to use this feature for all services (FTP, E-Mail, Plesk, WordPress, etc.)
It makes a lot of sense to do this, there are no drawbacks
it should be option that users can enable/disable
if you don't need it, you can disable…
8 votes
Thank you for your input. We will consider this functionality in upcoming releases, if it will be popular.
Everyone, please continue voting for this feature if you consider it important.
—
IG -
lock access to Plesk Admin on only one URL
There must be a possibility to lock up access to Plesk admin to only one or selected URL for security or other reason possible. For example I have 100 domains and I only want a few domains to access Plesk Admin (https://domain.com:8443). This is not possible yet
109 votes -
Deny access to all dot files by default
A lot of web applications that are either built or simply installed on a website use dot files and folders, whether those be .htaccess, .git, .env, etc.
Generally speaking dot files and folders are used to store either sensitive files or backend configuration which you would never want users to be able to access.
By default Apache has some protection built-in to restrict accessing dot files, but Nginx does not. This creates a potential security risk, for example I might install a web application or build one which has dot files in the public root, these most likely would be…
6 votes
Thank you for your input! We will consider this functionality in upcoming releases if it will be popular.
Everyone, please continue voting for this feature if you consider it important.
—
IG -
deny access to .git folder by default
I think it would be great if you could prevent access to .git folders that are usually left exposed by users in the server when building the vhost templates.
It's very common that users forget to remove credentials and other sensitive information out of their repositories so by leaving the folder exposed it's possible for an attacker to gain access to this sensitive information.
Currently we manually protect those folders when we spot them but it would be nice if this was implemented from the start.
For example in nginx the following rule could be used.
location ~ /.git…
6 votes -
Implement Dropbox's (zxcvbn) password strength library
Please consider implementing Dropbox's password strength library in future versions of Plesk. https://github.com/dropbox/zxcvbn
Right now (Plesk Onyx Version 17.8.11) very secure passwords such as applaud-bisque-batch-forefoot won't even pass the "medium" filter, and very bad passwords such as Pa$$word123 are marked "Strong".
Brute force cracking continues to get more sophisticated and the current strength ratings are misleading.
24 votes
Thank you for your input! We will consider this functionality in upcoming releases, if it will be popular.
Everyone, please continue voting for this feature if you consider it important.
—
IG -
Ability for Plesk administrator to disable Plesk customers to change their Plesk UI password
Please add ability for Plesk administrator to disable Plesk customers to change their Plesk UI password.
Message from customer:
I am working on a separate account management panel and I want the customer to log in with the same password. Can I prevent the user changing the password in Plesk.
11 votes
Thank you for your input! We will consider this functionality in upcoming releases if it will be popular.
Everyone, please continue voting for this feature if you consider it important.
—
IG