
Change admin username

It should be possible for the admin user to change his user login name. The name "admin" is not very secure, because it's easier to hack via brute force. Hackers know the name is "admin". If the user were able to change his login name, it would increase the security of Plesk Panel.

299 votes
    TIIUNDER shared this idea  ·  Admin →

    We have serious doubts this function can really increase server security:
    1) Plesk has built-in protection against brute-force on login – it will lock the login form. So no one can try multiple attempts
    2) Arbitrary login name adds very little guess-complexity to a proper password. If you have concerns for your login brute-forced – add another 5-7 characters into your password and feel safe.

    As changed login name is still very likely to be some sort of vocabulary word or derived from your other account name – this function would only give a false sense of better security. Your security strength is in complex password, not in a complex login name. If you have one good password, you don’t need to treat login as your “second password” – one good password is enough.

    As for concerns that the default password requirement is set to "weak", that the fail2ban module is not enabled by default or may consume extra resources, etc. – they are mostly irrelevant here. If someone is not willing to invest some time into setting a better password, into changing the password policy or into installing/enabling server protection – a changed admin name will again be only a false sense of security. If a password is "1234567", then the login doesn't really matter.

    35 comments

      • Magnus Alexandersson commented

        This is a response to That Guy.

        Plesk creates a user called admin and uses the password you set when you installed Plesk Onyx via the web interface. What they should let us do is rename this user to whatever we want and disable the root user login.

        The problem is that because pretty much every single piece of Unix software in existence assumes that the username 'root' exists and that it is the superuser -- mail aliases, various daemons, cron...

        So for future reference, do not use root when you log in to the Plesk GUI; use admin :) Hope this clears this up.

        Remember to set a strong password for the root user in the meantime :) 25+ characters long if Plesk supports it :D

        As Ben has said use google authentication.

        or as Anonym said

        Go to /opt/psa/admin/conf, then rename the panel.ini.sample file to panel.ini and insert:

        [login]
        systemAdmin = false

        I'm going to do it right now :D

        I trust Plesk with our users' data, and if you're super paranoid don't enable FTP, only let users in via the GUI, and set a strong password for your users. Remember it's your job to keep your users' data safe with the tools you have. If you don't like it, don't use it.

      • That Guy commented

        Quite shocking to see such an ignorant response from the management of a company that I'm supposed to trust with my and my customers' valuable data.

        Your argument that it gives a "false sense of security" has no merit. The username plays a critical role in user authentication. With this being so predictable that's 50% of the guess work done, allowing an attack(er) to focus on a single element of the system to attack. Fail2Ban works on the attack(er)'s IP Address. I can quickly and easily get new public IP addresses and set up a brute force attack.

        What security risk does this impose?

        I fail to see how this would be difficult to implement. It looks like Plesk is just full of lazy developers with little regard for the security of their product.

        Furthermore Plesk only notifies that a user with "the same username" is logged in. So how am I supposed to know whose alias admin account could be compromised?

        Is it going to take an attack on Plesk panels for you guys to get off your lazy aspirations and implement this? Because I'm willing to take it there, try me.

      • Ben commented

        Enable the Google Two Factor Authentication and your problem is solved.

      • Anonymous commented

        For Linux: Go to /opt/psa/admin/conf, then rename the panel.ini.sample file to panel.ini and insert:

        [login]
        systemAdmin = false

      • Anonymous commented

        I somewhat disagree with the official Plesk opinion. I agree that a strong password is a must. However, to log in, an attacker needs to know both the user name and the password. If the user name is already known (and maybe the password is reused somewhere else), it is much easier to log in...
        Thus, please make sure to implement this feature.
        In addition, disabling a login with the Unix root credentials should be standard as well (can only be disabled via panel.ini).

      • Chris Cooper commented

        +1 for Andy's comment. The ability to change the default username from "admin" is a must for PCI compliance and is a basic rule of thumb for general security.

      • Andy Bird commented

        It does not really matter; PCI requirements state that vendor-supplied default user accounts must be changed before any system can be put into production. We need to be able to change this from admin.

      • Sego commented

        Of course searching for a needle (password) in a house (username) is difficult, and yes, you can make the needle smaller (longer password) to make it harder to find. But not telling the thief which house the needle is in adds an undeniable factor of complexity to the task. Don't believe me? Go find the needle, it's in one of the houses on this planet.

      • fino commented

        The username admin is a publicly known name and should be changeable!

      • Jan L commented

        I agree with Tobi and Sergey - you should always use strong passwords and fail2ban. Additionally, I highly recommend the Google Authenticator for second-factor authentication. There is a new version coming up in the next days that allows remembering devices, so that Plesk only asks you for the access token on unknown devices or after a certain time interval.

      • Tobi commented

        Is this request not much better? https://plesk.uservoice.com/forums/184549-feature-suggestions/suggestions/4505273-protect-plesk-gui-11-5-30-with-basic-auth-login

        You want to change the username; I'm with Sergey here. Making your password longer and stronger has the same effect as taking another username.

        But what about security bugs in the Plesk GUI? Bugs that give attackers access to the Plesk GUI?

        I would like to add a second protection layer. fail2ban is nice, but with fail2ban I get hundreds of failed logins every day, and fail2ban does NOT protect against security bugs in the Plesk GUI. With "basic auth" you can prevent attackers from accessing your Plesk GUI at all. THAT'S much better in my eyes. In Plesk 11.x and 12.0 this works, but in Plesk 12.5 not anymore. I would like this as an optional feature that admins can enable.

      • Jon commented

        I have very serious beliefs that this CAN INCREASE server security, ESPECIALLY IF using a double login process where only the username is accepted in the first part of the process, and then, after a proper username is accepted, the password. Many would be likely to miss the username to begin with, and never make it to the password. AND, I think the same would be good for ssh root login: change the name, and make it a double process (for those using password auth).

        I do use the "Restrict Administrative Access" option, and like it. But what is wrong with more stringent lines of defense? And what admin would use 1234567 as a password? That to me seems to be a null point.

        I personally use login names with many accounts that I have that are much like a password, something like: juB2rxI#p0L is a secure username. One must first get my username before getting to the password option, which is just as difficult to do, (if not more so), good luck with that! SO NO, a changed login name is NOT necessarily likely to be a vocabulary word, especially if there is a notation given to admins at that time, (from the panel), to make it difficult login name. And, by the way, it is a fact that the longer a login name or password is the more difficult it is to *****.

        If Plesk is not willing to invest some time into setting more stringent security defenses, why have a forum for suggestions? I think the DIRECTOR above might be a little bit lazy.

      • Amin Taheri commented

        Agree - +1
        We can't use Fail2Ban (it tanks our server due to the number of domains/customers), and being able to change the username would be great since it takes the guesswork out of brute force attacks.

        It also seems like a very easy thing to allow for - even if it does (in your opinion) only make people feel better, if people are asking for it, perhaps it's better business to give it to them than to argue with them about why they think they want it?

      • David Venancio commented

        I am very sorry, but I have to disagree totally.
        If we can change the "admin" username, of course it will add more complexity to brute force attacks.
        Statistically can even change the fact that Joomla will be less targeted than it is now.

      • Sergey L (Admin, Director of Program Management, Plesk International GmbH) commented

        Curtis,

        I am afraid you are misinformed about locking admin, or perhaps have much outdated information.

        In case someone is trying to brute-force your password, you remain safe:

        - Plesk won't lock you out if someone tries to brute-force your password. Instead Plesk will add a small delay on every false attempt, which doesn't make much difference for the legitimate user (you), but makes any brute force nearly impossible as it would take too long.

        - The Fail2ban module will lock a particular IP. So the intruder will be locked out, but you will be able to log in safely. Except (of course) when the intruder works from the same computer as you are, which could be the case when you decide to test your Plesk for brute-force resistance (so you were the "intruder"). But in the real world it is a very unlikely scenario.

        Some may also complain that brute-forcing itself can be considered a DDoS attack; however, a different login name doesn't help here either - whether the login is "admin" or not, the system will consume roughly the same resources on validating the attempt.

        So the summary is:
        - an alternative login just cannot add more security than the password already does. Adding an extra symbol in the password is equally effective as adding an extra symbol in the login name.
        - intruders cannot lock you out of logging in. They can only lock themselves out.

        I can understand the fear when people see their servers are scanned; however, it looks like many people are looking for a false cure - scans won't disappear just because the login changed. It doesn't take too much effort to try different login names in those brute-force scripts.

        Many internet services use emails as login names. As those emails are often publicly known, this should have been considered a huge security threat, but of course everyone recognizes that it is not a weak login that compromises security - a weak password does.

        If you don't feel safe about your server, make sure you
        1) have the fail2ban module fully enabled. It will lock out any brute-force intruder quickly
        2) have a 2-factor auth extension installed, e.g. Clef. Here is an overview of available solutions: http://devblog.plesk.com/2015/02/passwords-in-plesk-just-say-no/
        3) enable strong passwords in settings or just make sure your password is strong enough - not a dictionary word, not derived from a dictionary word, and includes digits and special characters.
        Those things really improve security.

        Hope it helps
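The two protections Sergey L describes in the reply above (fail2ban locking a source IP, and a delay added on every failed attempt) behave differently against the rotating-IP attack That Guy raises earlier in the thread. The Python below is an added example written for this page, not Plesk's own code and not its real log format: the log lines, addresses, thresholds (maxretry=3, findtime=60s, a doubling delay capped at 60s) and the line layout are all constructed for illustration. It runs a fail2ban-style per-IP policy and a per-account backoff over the same eleven events: one IP makes five guesses, the attacker then rotates through five fresh IPs, and finally the legitimate admin logs in.

```python
import re
from datetime import datetime

# Constructed sample log (hypothetical line format, not Plesk's real panel.log).
# One source IP makes five guesses against the well-known "admin" account, then
# the attacker rotates through five fresh IPs with one guess each; finally the
# legitimate admin logs in from their own address.
SAMPLE_LOG = """\
2024-01-01T10:00:01 login failed user=admin ip=203.0.113.10
2024-01-01T10:00:02 login failed user=admin ip=203.0.113.10
2024-01-01T10:00:03 login failed user=admin ip=203.0.113.10
2024-01-01T10:00:04 login failed user=admin ip=203.0.113.10
2024-01-01T10:00:05 login failed user=admin ip=203.0.113.10
2024-01-01T10:00:06 login failed user=admin ip=203.0.113.11
2024-01-01T10:00:07 login failed user=admin ip=203.0.113.12
2024-01-01T10:00:08 login failed user=admin ip=203.0.113.13
2024-01-01T10:00:09 login failed user=admin ip=203.0.113.14
2024-01-01T10:00:10 login failed user=admin ip=203.0.113.15
2024-01-01T10:00:11 login ok user=admin ip=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>failed|ok) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse_log(text):
    """Parse the constructed format into (epoch_seconds, result, user, ip) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines that are not login events are ignored
            ts = datetime.fromisoformat(m["ts"]).timestamp()
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def per_ip_ban(events, maxretry=3, findtime=60, bantime=600):
    """fail2ban-style policy keyed on the source IP: after `maxretry` failures
    within `findtime` seconds the IP is banned for `bantime` seconds and its
    later attempts are dropped before any password is checked.

    Returns how many failed guesses still reached the password check, which
    IPs were banned, and whether the legitimate login got through."""
    recent = {}        # ip -> timestamps of failures inside the findtime window
    banned_until = {}  # ip -> epoch seconds at which the ban expires
    guesses_checked = 0
    legit_allowed = False
    for ts, result, user, ip in events:
        if banned_until.get(ip, 0) > ts:
            continue  # dropped by the firewall; the attacker learns nothing
        if result == "ok":
            legit_allowed = True
            continue
        guesses_checked += 1
        window = [t for t in recent.get(ip, []) if ts - t <= findtime] + [ts]
        recent[ip] = window
        if len(window) >= maxretry:
            banned_until[ip] = ts + bantime
    return {"guesses": guesses_checked, "banned": set(banned_until),
            "legit_allowed": legit_allowed}


def per_account_delay(events, account="admin", base=1.0, cap=60.0):
    """Throttle keyed on the account rather than the source IP: each failed
    guess against `account` doubles the delay enforced before the next attempt
    on that account (capped at `cap` seconds), whichever IP it comes from; a
    successful login resets the backoff. Returns the total delay in seconds the
    failed guesses accumulated. Rotating IPs does not reset it, but the
    legitimate user also has to wait out the current delay once."""
    failures = 0
    total_delay = 0.0
    for _ts, result, user, _ip in events:
        if user != account:
            continue
        if result == "failed":
            failures += 1
            total_delay += min(base * 2 ** (failures - 1), cap)
        else:
            failures = 0
    return total_delay


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("per-IP ban  :", per_ip_ban(events))
    print("per-account :", per_account_delay(events), "seconds of delay")
```

On this input the per-IP policy bans only 203.0.113.10 after its third failure and drops its last two attempts, yet 8 of the 10 guesses still reach the password check because each rotated IP stays under the threshold; the legitimate login from an unbanned address is unaffected. The account-keyed backoff charges all 10 guesses regardless of source (1+2+4+8+16+32+60+60+60+60 = 303 seconds here), which is the property that makes IP rotation pointless, at the cost that a legitimate user arriving mid-attack waits out one delay.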
