I suggest you ...

Change admin username

It should be possible for the admin user to change his user login name. The name "admin" is not very secure, because it's easiert to hack via brute force. The hackers know, the name is "admin". If the user would be able to change his login name, it would increase the security of Plesk Panel.

345 votes
Sign in
(thinking…)
Sign in with: Facebook Google
Signed in as (Sign out)

We’ll send you updates on this idea

TIIUNDER shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

We have serious doubts this function can really increase server security:
1) Plesk has built-in protection against brute-force on login – it will lock the login form. So no one can try multiple attempts
2) Arbitrary login name adds very little guess-complexity to a proper password. If you have concerns for your login brute-forced – add another 5-7 characters into your password and feel safe.

As changed login name is still very likely to be some sort of vocabulary word or derived from your other account name – this function would only give a false sense of better security. Your security strength is in complex password, not in a complex login name. If you have one good password, you don’t need to treat login as your “second password” – one good password is enough.

As for concerns that default password requirement is set in “weak”, that fail2ban module is not enabled by default or may consume extra resources, etc – they are much irrelevant here. If someone is not willing investing some time into setting better password, into changing password policy or into installing/enabling server protection – changed admin name will again be only a false sense of security. If a password is “1234567”, then login doesn’t really matter.

43 comments

Sign in
(thinking…)
Sign in with: Facebook Google
Signed in as (Sign out)
Submitting...
  • Dimitris commented  ·   ·  Flag as inappropriate

    The usual suspect admin user names (admin/sa/root etc) are a common attack vector (especially for distributed attacks) and every half competent admin ought to restrict, disable or delete them. Even better, they present a wonderful opportunity to flag malicious people and direct them to some separate functionality that acts like a black hole to let them spin their wheels without endangering the server in any way.

  • MAKE ADMIN USERNAME CHANGEABLE!!! commented  ·   ·  Flag as inappropriate

    @Sergey L, в вашей компании всё в порядке с клиентоориентированностью? Вам КЛИЕНТ говорит, хочу иметь возможность сменить юзернейм по умолчанию, а вы ему - "We have serious doubts.."? Серьёзно? Нет уж, если введение этой фичи потребует чересчур больших ресурсов, то так и скажите, чего булки мять-то? А если не требует - так почему бы не запланировать в релиз. 328 голосов вам мало? Ну тогда я перестаю думать, что Плеск панель подходящий выбор для хостеров и вебмастеров.

    Но это не имеет никакого значения, ведь Plesk International GmbH не волнует мнение даже 328-ми КЛИЕНТОВ, не то что какого-то одного юзера. :)

    P.S. Интересно, что бы сделали в подобном случае в CPanel?

  • Abdullah commented  ·   ·  Flag as inappropriate

    Dear Plesk staff,

    Here's one angle to look at it from. When we secure our servers - I hope - we all disabled root login and password login, and instead give root privilege to specific users which are further secured with private/public keypairs.
    When you spin up a server on the internet, almost immediately you will see bruteforce attempts on root in your fail2ban logs/alerts. As soon as you disable 'root' login, these go away. Some of us will take an extra step by changing the SSH port.

    Most of the above steps are 'security by obscurity' in a sense, but they work to thwart a high number of automated attacks running through the internet.

    We should enforce passphrases/longer passwords on Plesk by default before worrying about obscuring the admin login username, however the change will most definitely help. It will not be possible for bruteforcers to find the new username unless someone discovers an exploit which allows enumeration of usernames.

    Best wishes!

  • Anonymous commented  ·   ·  Flag as inappropriate

    totally agree that people should have a strong password, but i also think just the peace of mind you can give to your customers who dont necessarily know all of the risks as Sergey L has stated are arbitrary to having an "admin" user name. i think the "peace of mind" philosophy goes further than a simple technicality.

    Two-Factor, strong password, and making sure every application you are installing on your server has its own security on top of it. leave no risks and you shouldnt have a problem. But again, not everyone follows these practices and would feel better if they were able to customize their own admin names. or at least be able to disable the admin after they have added an additional administrator.

  • Mikhail Krivoshein commented  ·   ·  Flag as inappropriate

    Fail2ban is great, however it is much safer if a Plesk Console is protected by some obscure login name. This way it is easy to differentiate between brute force attacks and attacks where someone actually paid attention to you and might have stolen some of your login data through other means.

  • Scott commented  ·   ·  Flag as inappropriate

    "As changed login name is still very likely to be some sort of vocabulary word or derived from your other account name "

    No. A real strong username such as 8t4Xw32lp97BkaQw36VcXp
    would add A LOT of security to my account.

    PLEASE ALLOW ADMIN TO CHANGE USERNAME. Or at least allow another admin account to be created with such capability. Then we can delete the previous account

  • Magnus Alexandersson commented  ·   ·  Flag as inappropriate

    This is a respond to That Guy.

    Plesk creates a user called admin and uses the password you set when you installed plesk onyx via web interface. What thet should let us do is enable us to rename this user to whatever we want and disable the root user login.

    The problem is that because pretty much every single piece of Unix software in existence assumes that the username 'root' exists and that it is the superuser -- mail aliases, various daemons, cron...

    So for future reference do not use root when you login to plesk gui use admin :) Hope this clears this up.

    Remember set a strong password for the root user in the mean time :) 25+ char long if plesk supports it :D

    As Ben has said use google authentication.

    or as Anonym said

    Go to '' /opt/psa/admin/conf '' then name the " panel.ini.sample " - file to panel.ini and insert:

    [login]
    systemAdmin = false

    im going to do it right now :D

    I trust Plesk with our users data and if ur super paranoid dont enable ftp only let users in via gui and set a strong password for ur users. Remember its your job to keep your users data safe with the tools you have. If you dont like it dont use it.

  • That Guy commented  ·   ·  Flag as inappropriate

    Quite shocking to see such a ignorant response from management of a company that I'm supposed to trust with my and my customers valuable data.

    Your argument that it gives a "false sense of security" has no merit. The username plays a critical role in user authentication. With this being so predictable that's 50% of the guess work done, allowing an attack(er) to focus on a single element of the system to attack. Fail2Ban works on the attack(er)'s IP Address. I can quickly and easily get new public IP addresses and set up a brute force attack.

    What security risk does this impose?

    I fail to see how this would be difficult to implement. It looks like Plesk is just full of lazy developers with little regard to security of their product.

    Furthermore Plesk only notifies that a user with "the same username" is logged in. So how am I supposed to know who's alias admin account could be compromised?

    Is it going to take an attack on Plesk panels for you guys to get off your lazy aspirations and implement this? Because I'm willing to take it there, try me.

  • Ben commented  ·   ·  Flag as inappropriate

    Enable the Google Two Factor Authentication and your problem is solved.

  • Anonymous commented  ·   ·  Flag as inappropriate

    For Linux: Go to '' /opt/psa/admin/conf '' then name the " panel.ini.sample " - file to panel.ini and insert:

    [login]
    systemAdmin = false

  • Anonymous commented  ·   ·  Flag as inappropriate

    I somewhat disagree with the official Plesk opinion. I agree that a strong password is a must. However, to log in, an attacker needs to know both - user name and password. If the user name is already known (and maybe the password is reused somewhere else), it is much easier to log in...
    Thus, please make sure to implement this feature.
    In addition, disabling a login with the Unix root credentials should be standard as well (can only be disabled via panel.ini).

  • Chris Cooper commented  ·   ·  Flag as inappropriate

    +1 for Andy's comment. The ability to change the default username from "admin" is a must for PCI compliance and is a basic rule of thumb for general security.

  • Andy Bird commented  ·   ·  Flag as inappropriate

    it does not really matter PCI requirements state that vendor supplied default user accounts must be changed before any system can be put into production. We need to be be able to change this from admin

  • Sego commented  ·   ·  Flag as inappropriate

    Of course searching for a needle (password) in a house (username) is difficult, and yes, you can make the needle smaller (longer password) to make it harder to find. But not telling the thief which house the needle is in adds an undeniable factor of complexity to the task. Don't believe me? Go find the needle, it's in one of the houses on this planet.

  • fino commented  ·   ·  Flag as inappropriate

    the username admin is a puplic known name and should be changeable!

← Previous 1 3

Feedback and Knowledge Base