Change admin username
It should be possible for the admin user to change his user login name. The name "admin" is not very secure, because it's easiert to hack via brute force. The hackers know, the name is "admin". If the user would be able to change his login name, it would increase the security of Plesk Panel.
We have serious doubts this function can really increase server security:
1) Plesk has built-in protection against brute-force on login – it will lock the login form. So no one can try multiple attempts
2) Arbitrary login name adds very little guess-complexity to a proper password. If you have concerns for your login brute-forced – add another 5-7 characters into your password and feel safe.
As changed login name is still very likely to be some sort of vocabulary word or derived from your other account name – this function would only give a false sense of better security. Your security strength is in complex password, not in a complex login name. If you have one good password, you don’t need to treat login as your “second password” – one good password is enough.
As for concerns that default password requirement is set in “weak”, that fail2ban module is not enabled by default or may consume extra resources, etc – they are much irrelevant here. If someone is not willing investing some time into setting better password, into changing password policy or into installing/enabling server protection – changed admin name will again be only a false sense of security. If a password is “1234567”, then login doesn’t really matter.
Dear Plesk staff,
Here's one angle to look at it from. When we secure our servers - I hope - we all disabled root login and password login, and instead give root privilege to specific users which are further secured with private/public keypairs.
When you spin up a server on the internet, almost immediately you will see bruteforce attempts on root in your fail2ban logs/alerts. As soon as you disable 'root' login, these go away. Some of us will take an extra step by changing the SSH port.
Most of the above steps are 'security by obscurity' in a sense, but they work to thwart a high number of automated attacks running through the internet.
We should enforce passphrases/longer passwords on Plesk by default before worrying about obscuring the admin login username, however the change will most definitely help. It will not be possible for bruteforcers to find the new username unless someone discovers an exploit which allows enumeration of usernames.
totally agree that people should have a strong password, but i also think just the peace of mind you can give to your customers who dont necessarily know all of the risks as Sergey L has stated are arbitrary to having an "admin" user name. i think the "peace of mind" philosophy goes further than a simple technicality.
Two-Factor, strong password, and making sure every application you are installing on your server has its own security on top of it. leave no risks and you shouldnt have a problem. But again, not everyone follows these practices and would feel better if they were able to customize their own admin names. or at least be able to disable the admin after they have added an additional administrator.
That's actually very good point about distinguishing blind brute force attack from a targeted one. Much appreciated!
Mikhail Krivoshein commented
Fail2ban is great, however it is much safer if a Plesk Console is protected by some obscure login name. This way it is easy to differentiate between brute force attacks and attacks where someone actually paid attention to you and might have stolen some of your login data through other means.
"As changed login name is still very likely to be some sort of vocabulary word or derived from your other account name "
No. A real strong username such as 8t4Xw32lp97BkaQw36VcXp
would add A LOT of security to my account.
PLEASE ALLOW ADMIN TO CHANGE USERNAME. Or at least allow another admin account to be created with such capability. Then we can delete the previous account
Magnus Alexandersson commented
This is a respond to That Guy.
Plesk creates a user called admin and uses the password you set when you installed plesk onyx via web interface. What thet should let us do is enable us to rename this user to whatever we want and disable the root user login.
The problem is that because pretty much every single piece of Unix software in existence assumes that the username 'root' exists and that it is the superuser -- mail aliases, various daemons, cron...
So for future reference do not use root when you login to plesk gui use admin :) Hope this clears this up.
Remember set a strong password for the root user in the mean time :) 25+ char long if plesk supports it :D
As Ben has said use google authentication.
or as Anonym said
Go to '' /opt/psa/admin/conf '' then name the " panel.ini.sample " - file to panel.ini and insert:
systemAdmin = false
im going to do it right now :D
I trust Plesk with our users data and if ur super paranoid dont enable ftp only let users in via gui and set a strong password for ur users. Remember its your job to keep your users data safe with the tools you have. If you dont like it dont use it.
That Guy commented
Quite shocking to see such a ignorant response from management of a company that I'm supposed to trust with my and my customers valuable data.
Your argument that it gives a "false sense of security" has no merit. The username plays a critical role in user authentication. With this being so predictable that's 50% of the guess work done, allowing an attack(er) to focus on a single element of the system to attack. Fail2Ban works on the attack(er)'s IP Address. I can quickly and easily get new public IP addresses and set up a brute force attack.
What security risk does this impose?
I fail to see how this would be difficult to implement. It looks like Plesk is just full of lazy developers with little regard to security of their product.
Furthermore Plesk only notifies that a user with "the same username" is logged in. So how am I supposed to know who's alias admin account could be compromised?
Is it going to take an attack on Plesk panels for you guys to get off your lazy aspirations and implement this? Because I'm willing to take it there, try me.
Dr. Koontz commented
Is there a way to specifically disable the Admin username?
Enable the Google Two Factor Authentication and your problem is solved.
For Linux: Go to '' /opt/psa/admin/conf '' then name the " panel.ini.sample " - file to panel.ini and insert:
systemAdmin = false
Bjoern Bendix commented
Changing the admin username is only security by obscurity
@abc Good catch about root password. If you file that as a separate request, we are likely to improve it
I somewhat disagree with the official Plesk opinion. I agree that a strong password is a must. However, to log in, an attacker needs to know both - user name and password. If the user name is already known (and maybe the password is reused somewhere else), it is much easier to log in...
Thus, please make sure to implement this feature.
In addition, disabling a login with the Unix root credentials should be standard as well (can only be disabled via panel.ini).
Chris Cooper commented
+1 for Andy's comment. The ability to change the default username from "admin" is a must for PCI compliance and is a basic rule of thumb for general security.
Andy Bird commented
it does not really matter PCI requirements state that vendor supplied default user accounts must be changed before any system can be put into production. We need to be be able to change this from admin
Of course searching for a needle (password) in a house (username) is difficult, and yes, you can make the needle smaller (longer password) to make it harder to find. But not telling the thief which house the needle is in adds an undeniable factor of complexity to the task. Don't believe me? Go find the needle, it's in one of the houses on this planet.
the username admin is a puplic known name and should be changeable!
Jan L commented
I agree with Tobi and Sergey - you always should use strong passwords and fail2ban. Additionally, I highly recommend the Google Authenticator for Second-Factor-Authentication. There is a new version coming up in the next days that allows remembering devices, so that Plesk only asks you for the access token on unknown devices or after a certain time interval.
Is this request not much better? https://plesk.uservoice.com/forums/184549-feature-suggestions/suggestions/4505273-protect-plesk-gui-11-5-30-with-basic-auth-login
You want change the username, I'm here with Sergey. Make your password longer and stronger have the same effect as take another username.
But what is with security bugs in plesk gui? Bugs that give attackers access to pleski gui?
I would like to add a second protection layer. fail2ban is nice, but I get with fail2ban hundreds of fail login every day and fail2ban NOT protects for security bugs in plesk gui. With "basic auth" you can prevent attackers directly from access your plesk gui at all. THATS much better in my eyes. In plesk 11.x and 12.0 this working, but in Plesk 12.5 not anymore. I would like this as optional feature, that admins can enable.
I have very serious beliefs that this CAN INCREASE server security, ESPECIALLY IF using a double login process where only the username is accepted in the first part of the process, and then after a proper username accepted, the password. Many would be likely to miss the username to begin with, and never make it to the password. AND, I think the same would be good for ssh root login, change the name, and make it a double process, (for those using password autho).
I do use the "Restrict Administrative Access" option, and like it. But what is wrong with more stringent lines of defense? And what admin would use 1234567 as a password? That to me seems to be a null point.
I personally use login names with many accounts that I have that are much like a password, something like: juB2rxI#p0L is a secure username. One must first get my username before getting to the password option, which is just as difficult to do, (if not more so), good luck with that! SO NO, a changed login name is NOT necessarily likely to be a vocabulary word, especially if there is a notation given to admins at that time, (from the panel), to make it difficult login name. And, by the way, it is a fact that the longer a login name or password is the more difficult it is to *****.
If Plesk is not willing to invest some time into setting more stringent security defenses, why have a forum for suggestions? I think the DIRECTOR above might be a little bit lazy.