Change admin username
It should be possible for the admin user to change his user login name. The name "admin" is not very secure, because it's easiert to hack via brute force. The hackers know, the name is "admin". If the user would be able to change his login name, it would increase the security of Plesk Panel.
Great news! The "admin" username can be changed to an arbitrary name since Plesk 18.0.57, published November 21st, 2023. Please see instructions how to do it here: https://docs.plesk.com/en-US/obsidian/administrator-guide/plesk-administration/securing-plesk/changing-the-plesk-administrator-username.80021/
You can already add additional admin users, if required, since Plesk 11.5:
Increasing server security is not the only reason to allow an alternate administrative username. How about auditing. If you have multiple people using a system you have multiple usernames to keep track of them.We are assuming there is always one administrator?
Which service are you talking about? Plesk itself locks you out for a while by default after a small number of incorrect logins as admin or root (both work by default btw). Other services managed by Plesk prohibit using admin as a username, e.g FTP. You could use admin@domain as an email login if you setup admin@ as a mailbox but it wouldn't be logical any other way.
I'm unsure if the Plesk API locks you out after a few incorrect attempts but the API is disabled by default and needs enabling by command line so when enabling it you have a great opportunity to check the admin password is strong, and the API is restricted to certain IP's. Where you have to leave it open simply enable fail2ban.
I still don't see any significant advantage to having this feature and think it's time best spent on other improvements.
Just have a look at the logs that show how the lower life forms are tying to enter your server: Username "admin" (or root depending on the service) is their way to go. I wonder why "admin" is even allowed by Plesk? Now "all there is to it" is finding a password for "admin". Not allowing "admin" will reduce the chance of entering the server with brute force by a zillion times.
I would agree that "real" system admins would tackle this themselves. But Plesk could help educate people when needed, right? Why is the default password strength set to "weak"? Let me guess: "admin" + "1234567"? (I sure hope those despicable life forms don't read this comment :-) )
Fail2Ban is not installed by default (and even if installed later it is not activated by default). And in a way this feature is an indispensable but costly/active substitute for a password-like username.
Not using "Admin" is a great free/passive safety improvement and a giant leap backwards for those pesky brute-force life forms.
O, and on the help page of this new feature ;-) you might as well add that it is best not to use your real name, your domainname, or "root" either. Even better: Treat it as a second password.
The risk can be mostly mitigated by using Fail2ban. I'm not sure how important this really is - and think it would add to confusion both for customers and support.
Really important, good idea!
i think this is good idea
seems we cannot yet change the log in which is for all users on plesk a standard log in . This is very regrettable as we believe programming this is easy and would increase security
Any update on this important feature? Nine months have passed...
Not only should this be an option, new admins should be prompted to use an alternate admin username. This will help in security.
that seem like a good idea
Yes, this is an important security feature. I once messed up my server trying to change the admin username.
Stéphan S commented
very good idea!
Is the id of admin also 0 ?
Or is there no id used to login (webgui / API)?
Anything to make it harder on them is a great win on our side.