Change admin username
It should be possible for the admin user to change his user login name. The name "admin" is not very secure, because it's easier to hack via brute force. The hackers know the name is "admin". If the user were able to change his login name, it would increase the security of Plesk Panel.
Great news! The "admin" username can be changed to an arbitrary name since Plesk 18.0.57, published November 21st, 2023. Please see instructions how to do it here: https://docs.plesk.com/en-US/obsidian/administrator-guide/plesk-administration/securing-plesk/changing-the-plesk-administrator-username.80021/
MAKE ADMIN USERNAME CHANGEABLE!!! commented
Wooooww, I can't believe it! 😁 hahaha, took you guys a while, isn't it? Good job, still.
Wow, only 10 years after this recommendation has been made, this was implemented by Plesk. Not exactly the speed that one expects for a paid application where the price is increased every year.
Bludau IT Services commented
>> Install 18.0.57 is working as expected.
Robin Labadie commented
Thank you Plesk team, that's the kind of news we are looking for!
Interesting that PCI requires changing default usernames, yet Plesk considers it not worthy of spending time on. Of course they also have been requested to offer a better two-factor option than TOTP, and haven't done that either in nine years.
Wow, changing the login name is security 101. Security is all about layers and you just give someone a layer for free. It's like giving someone your address, because it doesn't matter because if you have a good lock on the door, they won't get in. Or just get a security guard.
Like they don't care, like the Windows DNSSEC still not implemented
Klaus-Uwe Mitterer commented
Even if you don't believe it is a security feature (which I would definitely argue it is!), it is still a very desirable convenience feature – allowing administrators to use the usernames they are used to.
Robin Labadie commented
"We have serious doubts this function can really increase server security"
Well, I have serious doubts about Plesk's conception of security regarding logins.
With or without anti bruteforce, having a different username than default is always a security improvement.
Kris H commented
I guess it is just a matter of time waiting for that zero-day attack where the only thing that could possibly mitigate an easily scriptable/deployable attack was the uniqueness of the primary administrator's user name.
Atrocious this is still not possible in 2022, next year it will be 10 years since it was first requested! Disgusting!
Christian Farioli commented
Cannot believe that is still not implemented.
Major security flaw.
okey sign commented
Please implement an admin login username update feature in Plesk. Sometimes fintech leaders use Plesk, and according to PCI, there is not any value which is vendor provided, so we have to update the username of admin too...
Karl May commented
It is not necessary to rename "admin" system-wide. It would be enough to introduce a new database field where you can specify the login name. Many websites have this, where you log in with a customer number or name instead of an e-mail address or your name. The default login name is "admin" and anyone can customize it. Adding something like this should be a matter of minutes, since it doesn't change the account "admin" and "admin" as the name for the system itself.
Simon Watson commented
Hello – whatever you say about brute force login, having to hack a username and a password is infinitely safer than just having a password. So please listen to your users and allow the default "admin" username to be changed. Thank you.
Bludau IT Services commented
Does Plesk have built-in brute-force detection for the Plesk web login?
A. Great commented
It's hard to believe the admin username cannot be changed. Not using admin as a username is system admin 101 and is recommended by Datadog, Cloudflare, Wordfence, GCP, AWS, and multiple other security sources. Although my firewall and authenticator are doing their job, "admin" is the top choice that blackhats use for brute force attempts on my server.
Ido Cohen commented
So many votes and yet nothing changed :(
Perhaps Plesk can make it so that you can log in by e-mail address instead of a username. After all, the e-mail address is already required.
Please @Pleskteam consider this feature as a top-priority request, it is obvious that in 2020 we should totally be able to customize the 'admin' username in order to make it more difficult for any badly-intentioned person to access the admin panel.
Adrian Finschow commented
Well, the problem is, even if Plesk has brute-force protection, when someone really wants to get into the account he will do everything till he is in the account :/
Fabio Perri commented
I disagree with the considerations of "Sergey L" and let me explain better:
1) Anyone knows that Plesk's Administrator default username is "admin";
2) Use a complex and long (or even longer) password like this one for example LK "45VXwe1WC, uH2 $ I =] @ 0 & _y'0O3 \ Iz it is good practice;
3) So considering points 1 and 2 above, changing and disabling the default Plesk Administrator user name "admin" that everyone knows with a username like this (or even longer and more complex) for example jZ.5JUH)ftR8P7Jc;c~b<0%Rb/q9/2aa in this specific case would greatly improve and increase security.
Having more security is always better than having less.
Thanks in advance for the support.