Feature Suggestions
Please provide here your suggestion for new functionality for Plesk. We encourage you to review and vote for suggestions of others. The top-ranked suggestions are likely to be included in the next versions of Plesk.
Please write in English so that voters from all over the world can read and support your request.
Off-topic posts will be removed from here
106 results found
-
Passkey for Login
As passkey is the strongest MFA, it should be implemented as an extension or directly
1 voteThank you for your input! We will consider this functionality in upcoming releases if it becomes popular.
Everyone, please continue voting for this feature if you consider it important.
-- SH
-
separate user group for iwpd users
For plesk on windows
It would be helpful if plesk created a separate user group for all IWPD users.
That would allow me to set specific security settings to that group.
See this kb article as an example: https://www.plesk.com/kb/support/access-to-cmd-exe-and-powershell-exe-how-to-allow-it-to-subscription-users-and-deny-to-iis-users-on-a-plesk-server/
Because the IWPD user and account user are in the same psacln group we cannot use that group to block cmd or powershell access (since the domain account apparently needs to be able to run those commands).
The workaround revolves around manually creating a new security group and manually adding those users to the new group, the obvious problem with that…
1 voteThank you for your input! We will consider this functionality in upcoming releases if it becomes popular.
Everyone, please continue voting for this feature if you consider it important.
-- SH
-
Introduce other MFA methods besides the phone app
As for now, MFA extension is limited only to a phone app. It would be useful to introduce other authorization methods (e.g. mail) for this extension.
5 votesThank you for your suggestion. We will consider this functionality in upcoming releases if it is popular. Everyone, please continue voting for this feature if you consider it important.
-- KvD
-
Malware scanner for Linux systems
maybe implement this tool from kaspersky into Plesk
Malware scanner for Linux systems
We’ve released a free application that allows you to scan Linux systems for known cyberthreats.
German:
1 voteThank you for your suggestion. We will consider this functionality in upcoming releases if it is popular. Everyone, please continue voting for this feature if you consider it important.
-- KvD
-
Use FSRM to block the execution of binaries and scripts in vhosts folder in Plesk Windows
Provide the ability to use File Server Resource Monitor to block the execution of *.bat, *.exe and *.cmd that are executables which can contain malicious code or malware and thus we don't allow them to be executed by customer by any means. The use of FSRM blocks the installation of WordPress, Joomla and woocommerce because it needs permission to run scripts in vhosts folders.
1 voteThank you for your suggestion. We will consider this functionality in upcoming releases if it is popular. Everyone, please continue voting for this feature if you consider it important.
-- KvD
-
Stop postfix from delivering mail locally when MX record points externally to avoid mailbox hijack e.g. @gmail.com addresses.
Prevent mail interception / hijack where any customer can create domains when not prohibited explicitly and intercept for example a john.doe@gmail.com mailbox because SMTP will deliver this locally if the mailbox exists.
Almost every domain on the internet does have its own MX record and many of them are operate their own email server (not only Gmail). Why not address this potential security issue by checking MX records not only if the domain exists locally.
1 voteThank you for your idea! We will consider this functionality in upcoming releases if it will be popular.
Everyone, please continue voting for this feature if you consider it important.
For the time being, please consider using Tools & Settings > Security > Prohibited Domain Names to prevent users from creating well-known domain names in their accounts.
- PD
-
plesk advisor score functionality needs enhancement
The Plesk advisor complains about not having installed the Plesk firewall, but it doesn't check iptables rules. I have setup my own iptables rules deriven and enhanced from the Plesk firewall. My setup also supports ipset rules which Plesk doesn't.
Thus, the advisor score mechanism should check if iptables rules are present and setup sophisticatedly.
Please refer to: https://talk.plesk.com/threads/plesk-firewall-2-1-5-412-still-has-problems.371747/page-22 votesThank you for your idea! We will consider this functionality in upcoming releases if it will be popular.
Everyone, please continue voting for this feature if you consider it important.
-- PD
-
For security reasons: Turn off outputting PHP Version and also Webserver Version
PHP configuration:
Add the following Lines for Security Reasons!exposephp = off
servertokens offWhy didn't Plesk decide to make these lines available as options in Plesk, as options?
In my opinion, no one cares which version I use when it comes to port scanning / Showdan.io. Especially with Showdan.io, you can filter computers that are vulnerable in seconds, e.g. find web servers or PHP versions that are problematic.I ask for options in the GUI for ON / OFF, although someone at Plesk should first explain to me why these version numbers of vo, web server Nginx…
12 votesThank you for your idea! We will consider this functionality in upcoming releases if it will be popular.
Everyone, please continue voting for this feature if you consider it important.
-- PD
-
Automatic/option for hiding of Plesk, PHP, Apache, Nginx, Wordpress, Drupal, etc. 'reveals'
It would be so useful to accommodate one hardening feature, and that would be to switch on/off the server reveal options for Nginx/Apache (Lightspeed, whatever), the expose_php attribute for the version number in PHP (and equivalent in Perl, etc.), the Wordpress/Drupal (and Joomla, etc.), reveal of their presence and version numbers. See this article for the cybersecurity relevance of that (there's a lot more on the 'securityheaders.com' website and free checkers for all of this there too), but I pick this as an illustration of what I'm referring to with php:
https://serverhealers.com/blog/hide-php-version-x-powered
All of these things are simple, and just…
1 voteThank you for your idea! We will consider this functionality in upcoming releases if it will be popular.
Everyone, please continue voting for this feature if you consider it important.
Here I'd like to add, though, that in the real world attackers simply test a website against all known vulnerabilities, regardless what webserver, PHP or other software version they detect. Actually, such version information are of no interest, they simply drive tests against all known flaws. So adding the feature will probably not help against hacking attempts.
-- PD
-
Modify Wordpress integrity checker for security optimisations
So if I create a new Wordpress installation and then I make certain minor security adjustments that are highly recommended in cybersecurity forums, then I will get errors that it is broken through Plesk. I will then forever more be warned that it is broken in Plesk (not in Wordpress) on account of absence of those files, which (as I say) is a deliberate choice I made).
Ideally this would be modified in the install process (e.g. question: "Would you like to remove the readme and license files after installation?" (then explain why it is important to in a hover…
3 votesThank you for your idea! We will consider this functionality in upcoming releases if it will be popular.
Everyone, please continue voting for this feature if you consider it important.
-- PD
-
add sshd to services list for restart or enabling on demand
Sometimes it's usefuil to be able to restart the sshd service, especially if the service is not reachable anymore. For increased security it could also be usefull to enable sshd only if needed other the panel.
1 voteThank you for your idea! We will consider this functionality in upcoming releases if it will be popular.
Everyone, please continue voting for this feature if you consider it important.
-- PD
-
DKIM Weekly Rotation of key, with new 'selector' where previous selector is removed the next week
As in:
https://proton.me/blog/dkim-replay-attack-breakdownRotating DKIM is highly important.
Currently, it' **** easy to rotate the DKIM key on Plesk, not to talk of updating DNS and running Route 53 update.
This is asked to be implmented, where a second key is added, and new mails use it.
Old key would be depreciated a week later, as previous emails are still in the progress.
Rotate your DKIM keys regularly – Rotating our DKIM keys allowed us to quickly stop the attack and buy time for the permanent solution. Although tedious and risky to do manually, Proton’s DKIM key management system(new window)…
2 votesThank you for your idea! We will consider this functionality in upcoming releases if it will be popular.
Everyone, please continue voting for this feature if you consider it important.
-- PD
-
Oversign Emails' DKIM From, To, and CC headers
As in:
https://proton.me/blog/dkim-replay-attack-breakdownOversign From, To, and CC headers – Most DKIM implementations always sign the From, To, and CC headers if they are present in an email, preventing them from being modified if the message is resent. However, if these headers are missing, they are often unsigned, opening the door to replay attacks with forged headers that make the fraudulent emails seem legitimate. Oversigning mitigates these attacks by signing these sensitive headers in all cases, even if they are blank. If you use Proton to send your email, this oversigning is done for you automatically by our mail servers.
2 votesThank you for your idea! We will consider this functionality in upcoming releases if it will be popular.
Everyone, please continue voting for this feature if you consider it important.
-- PD
-
Plesk Admin Login - Enable IP Address Locking. In other words, like a firewall, specify the IP address source
Plesk Admin Login - Enable IP Address Locking. In other words, like a firewall, specify the IP address source.
This simply eliminates concerns about password hacking as a Dedicated IP (source location) can be specified just like Remote Desktop.
1 voteThank you for your idea! We will consider this functionality in upcoming releases if it will be popular.
Everyone, please continue voting for this feature if you consider it important.
-- PD
-
change ALL "http"- to "https"-connections for Plesk-updates and -upgrades
Change ALL "http"- to "https"-connections for Plesk-updates and -upgrades:
http://autoinstall.plesk.com
http://archive.ubuntu.com
etc…This is an unforgiveable severe security bug!
2 votesThank you for your idea! We will consider this functionality in upcoming releases.
-- PD
-
Deprecate clear domain names as home directory
Since plesk is storing each vhost as clear domain name, every user wit shell access is able to see which domains/customers are on this host, eg. with > getenv passwd
We know we can chroot the user but chroot is NOT a security feature and makes trouble with applications the user might expect (or the environment these applications expect) - and there is still a way to break out from the environment or new ways get discovered. Much afford for nothing in the end.
We do not want to put customers in containers, jails whatsoever to restrict the user access…
1 voteThis is a valid request, so we'll look into it. There is no ETA at the moment, but we would really appreciate you voting for this request so that we can accurately assess its popularity relative to other features.
Thanks in advance!
--
IG
-
Firewall, Remote Adress(es): input a lot of remote adresses at once.
In the Firewall settings, to input remote adress(es) to block or allow, it would be usefull, to input a lot of remote adresses, just to block or allow a whole company at once (after getting their adresses from ipinfo.io, for example).
Actually I get spam, check remote IP (at dnslytics.com for example) and block that IP, if wanted.
After getting a lot of these mails from IP adresses of the same company, I get the IP adresses from that company and block all the known IP ranges...one by one.
That could be 100s or more and take too much time.…2 votesThis is a valid request, so we'll look into it. There is no ETA at the moment, but we would really appreciate you voting for this request so that we can accurately assess its popularity relative to other features.
Thanks in advance!
--
IG
-
Ability to monitor clients uploads via FTP or File Manager
It would be nice to have the ability to detect customer uploads via FTP or File Manager. So it will be possible to check files afterwards.
2 votesThis is a valid request, so we'll look into it. There is no ETA at the moment, but we would really appreciate you voting for this request so that we can accurately assess its popularity relative to other features.
Thanks in advance!
--
IG
-
Create security.txt
Help admins and customers to create a security.txt file when creating a site in Plesk Panel, see https://securitytxt.org/
No details yet.1 vote -
Add support to Atomicorp rulesets for ModSecurity 3.0 (nginx)
At the moment you can only choose the OWASP ruleset in the Plesk UI for ModSecurity 3 (nginx). Please add support to Atomicorp rulesets as well.
2 votesThank you for your input! We will consider this functionality in upcoming releases if it is popular. Everyone, please continue voting for this feature if you consider it important.
--
IG
- Don't see your idea?