Skip to content

Feature Suggestions

Please provide here your suggestion for new functionality for Plesk. We encourage you to review and vote for suggestions of others. The top-ranked suggestions are likely to be included in the next versions of Plesk.

Please write in English so that voters from all over the world can read and support your request.

For technical assistance, contact Plesk support
For questions, bug reports, discussions and free assistance, check our Forum and Facebook page
For additional information, see Documentation, Knowledge Base and Blog
Follow us on Twitter for more news on Plesk development

Off-topic posts will be removed from here

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback

132 results found

  1. Use FSRM to block the execution of binaries and scripts in vhosts folder in Plesk Windows

    Provide the ability to use File Server Resource Monitor to block the execution of *.bat, *.exe and *.cmd that are executables which can contain malicious code or malware and thus we don't allow them to be executed by customer by any means. The use of FSRM blocks the installation of WordPress, Joomla and woocommerce because it needs permission to run scripts in vhosts folders.

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Security  ·  Admin →
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  2. Stop postfix from delivering mail locally when MX record points externally to avoid mailbox hijack e.g. @gmail.com addresses.

    Prevent mail interception / hijack where any customer can create domains when not prohibited explicitly and intercept for example a john.doe@gmail.com mailbox because SMTP will deliver this locally if the mailbox exists.

    Almost every domain on the internet does have its own MX record and many of them are operate their own email server (not only Gmail). Why not address this potential security issue by checking MX records not only if the domain exists locally.

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Security  ·  Admin →
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    Thank you for your idea! We will consider this functionality in upcoming releases if it will be popular.

    Everyone, please continue voting for this feature if you consider it important.

    For the time being, please consider using Tools & Settings > Security > Prohibited Domain Names to prevent users from creating well-known domain names in their accounts.

    - PD

  3. plesk advisor score functionality needs enhancement

    The Plesk advisor complains about not having installed the Plesk firewall, but it doesn't check iptables rules. I have setup my own iptables rules deriven and enhanced from the Plesk firewall. My setup also supports ipset rules which Plesk doesn't.
    Thus, the advisor score mechanism should check if iptables rules are present and setup sophisticatedly.
    Please refer to: https://talk.plesk.com/threads/plesk-firewall-2-1-5-412-still-has-problems.371747/page-2

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Security  ·  Admin →
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  4. Implement OpenApp Sec in Web Application Firewall

    Implement open app sec, as plesk customize the nginx package:

    https://www.openappsec.io/playground
    https://github.com/openappsec/openappsec

    It would be good if is possible to use under plesk because it is a good tool, open source and free, and probably better than comodo/owasp rules.

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Security  ·  Admin →
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  5. Track who changed the Plesk Administrator password

    The idea is to know who and when changed the Plesk admin password. If it's from CLI, what user (usually root), or if it's on GUI, what IP.
    That should be noted in the action log.
    Right now it isn't.

    2 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Security  ·  Admin →
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  6. For security reasons: Turn off outputting PHP Version and also Webserver Version

    PHP configuration:
    Add the following Lines for Security Reasons!

    exposephp = off
    server
    tokens off

    Why didn't Plesk decide to make these lines available as options in Plesk, as options?
    In my opinion, no one cares which version I use when it comes to port scanning / Showdan.io. Especially with Showdan.io, you can filter computers that are vulnerable in seconds, e.g. find web servers or PHP versions that are problematic.

    I ask for options in the GUI for ON / OFF, although someone at Plesk should first explain to me why these version numbers of vo, web server Nginx…

    11 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Security  ·  Admin →
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  7. Automatic/option for hiding of Plesk, PHP, Apache, Nginx, Wordpress, Drupal, etc. 'reveals'

    It would be so useful to accommodate one hardening feature, and that would be to switch on/off the server reveal options for Nginx/Apache (Lightspeed, whatever), the expose_php attribute for the version number in PHP (and equivalent in Perl, etc.), the Wordpress/Drupal (and Joomla, etc.), reveal of their presence and version numbers. See this article for the cybersecurity relevance of that (there's a lot more on the 'securityheaders.com' website and free checkers for all of this there too), but I pick this as an illustration of what I'm referring to with php:

    https://serverhealers.com/blog/hide-php-version-x-powered

    All of these things are simple, and just…

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Security  ·  Admin →
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    Thank you for your idea! We will consider this functionality in upcoming releases if it will be popular.

    Everyone, please continue voting for this feature if you consider it important.

    Here I'd like to add, though, that in the real world attackers simply test a website against all known vulnerabilities, regardless what webserver, PHP or other software version they detect. Actually, such version information are of no interest, they simply drive tests against all known flaws. So adding the feature will probably not help against hacking attempts.

    -- PD

  8. Modify Wordpress integrity checker for security optimisations

    So if I create a new Wordpress installation and then I make certain minor security adjustments that are highly recommended in cybersecurity forums, then I will get errors that it is broken through Plesk. I will then forever more be warned that it is broken in Plesk (not in Wordpress) on account of absence of those files, which (as I say) is a deliberate choice I made).

    Ideally this would be modified in the install process (e.g. question: "Would you like to remove the readme and license files after installation?" (then explain why it is important to in a hover…

    3 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Security  ·  Admin →
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  9. add sshd to services list for restart or enabling on demand

    Sometimes it's usefuil to be able to restart the sshd service, especially if the service is not reachable anymore. For increased security it could also be usefull to enable sshd only if needed other the panel.

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Security  ·  Admin →
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  10. Fail2Ban option to apply custom firewall rule to banned IPs

    It would be great to have an option in Fail2ban to send the blocked IPs directly to a Custom Firewall Block Rule, to block these IPs permanently.

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Security  ·  Admin →
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  11. Additional Account Authentication via Email

    This is a request for the implementation of an optional extra layer of authentication via email for customers and resellers who want to login to a Plesk server. Which would improve security by making it much less effective/useful for customers to share their login details with others.

    Although similar in concept to 2FA, this is different than the already available 2FA extension as "email account authentication" poses way less of a barrier to non tech savvy users as no additional apps or devices are needed for authentication. Just email. 

    Ideally it would work something like this: a server administrator could enable "email account authentication" so…

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Security  ·  Admin →
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  12. Harden Your PHP for Better Security

    We should all consider PHP security, giving us the option to Harden our PHP through the GUI or add an optimizer that does it automatically by scanning the websites.

    2 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Security  ·  Admin →
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  13. Add support for Heimdal Agent

    Add official support to Heimdal Agent (https://heimdalsecurity.com/) for Plesk on Linux servers, including ARM architecture servers.

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Security  ·  Admin →
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    It seems that Heimdal Agent is a client component of their offer that collects data from a server or interacts with the server. Nothing speaks against installing that on a Plesk maintained server. "Support for Heimdal Agent" probably means that it can be installed as an extension or from a software catalog like APS catalog?

    -- PD

  14. DKIM Weekly Rotation of key, with new 'selector' where previous selector is removed the next week

    As in:
    https://proton.me/blog/dkim-replay-attack-breakdown

    Rotating DKIM is highly important.

    Currently, it' **** easy to rotate the DKIM key on Plesk, not to talk of updating DNS and running Route 53 update.

    This is asked to be implmented, where a second key is added, and new mails use it.

    Old key would be depreciated a week later, as previous emails are still in the progress.

    Rotate your DKIM keys regularly – Rotating our DKIM keys allowed us to quickly stop the attack and buy time for the permanent solution. Although tedious and risky to do manually, Proton’s DKIM key management system(new window)…

    2 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Security  ·  Admin →
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  15. Oversign Emails' DKIM From, To, and CC headers

    As in:
    https://proton.me/blog/dkim-replay-attack-breakdown

    Oversign From, To, and CC headers – Most DKIM implementations always sign the From, To, and CC headers if they are present in an email, preventing them from being modified if the message is resent. However, if these headers are missing, they are often unsigned, opening the door to replay attacks with forged headers that make the fraudulent emails seem legitimate. Oversigning mitigates these attacks by signing these sensitive headers in all cases, even if they are blank. If you use Proton to send your email, this oversigning is done for you automatically by our mail servers.

    2 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Security  ·  Admin →
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  16. Ability to disable aum automatic updates in mod security and apply it manually

    Provide the ability to disable aum
    automatic updates in mod security and apply it manually

    2 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Security  ·  Admin →
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  17. Add option to mitigate known vulnerabilities by default during installation of WordPress

    There is an option in WP Toolkit to mitigate the Unauth. Blind SSRF vulnerability. However, this may only be applied only once WordPress has already been installed. Please add possibility to secure the instance in this regard (and any other vulnerabilities that might be found later, if such option is added to WP Toolkit) directly when installing WordPress.

    2 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Security  ·  Admin →
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  18. Plesk Admin Login - Enable IP Address Locking. In other words, like a firewall, specify the IP address source

    Plesk Admin Login - Enable IP Address Locking. In other words, like a firewall, specify the IP address source.

    This simply eliminates concerns about password hacking as a Dedicated IP (source location) can be specified just like Remote Desktop.

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Security  ·  Admin →
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  19. Improve Plesk Country Firewall Usability

    Plesk Country Firewall
    1) Add a check for duplicate country abbreviations on save.
    2) (x) add checkbox to sort alphabetically
    3) Add a drop down to select the country. Currently you have to look up the country 2 digit code. So add a drop down to select country then add the 2 digit abbreviation.

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Security  ·  Admin →
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    Most ISO codes of rogue nations are well known. We think that changes to geo IP blocking are rarely needed. To keep development costs reasonably low, perfect comfort for rarely used features is not a priority. In a server's lifetime it may occur twice that this is changed, so we wonder how often this feature is used in your daily routine that the added comfort is required? Please comment how you determine the countries to be blocked and why you change countries often so that we understand your routine better and can provide a better product while trying to keep license prices low.

  20. Block IP address ranges of cloud services (AWS, Google, DigitalOcean)

    Be able to block IP address ranges of cloud services (e.g. AWS, Google, DigitalOcean) via Plesk Firewall to avoid junk traffic and hacking attempts.
    At the moment, it is only possible to block IP addresses by countries

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Security  ·  Admin →
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
← Previous 1 3 4 5 6 7
  • Don't see your idea?

Feedback and Knowledge Base