Create daily md5-hashes of the web-content of a domain, to quickly identify tampering or hacking.
Let Plesk on every night optionally create/compare md5-hashes from all files in the domains storage-space (web,httpdoc,ftp) and update this in a simple list (database), sortable by date of last change, size, number of changes. Indicating "changed files in the last xx days" to have a time-window to drill down.
In addition, accumulate all vhosts together into a seperate "Admin-View", where ALL domains are put together alphabetically.
Add an additional button "snapshot", so one could create a list of all webfiles on request. For example, when an incident has been cleaned, then click "snapshot" and then wait some time to see if the changes come back within a short time.
This would allow the customer and the Admins to quickly see, which files an when have been updated/changed lately or tampered with (hacked/defaced homepages). And the admins can spot such repeated activities or attacks which span over multiple domains (produced by Botnets and such) on his server.
Marco Marsala commented
There are free alternatives too, like BinaryCanary. Don't implement this or you will get too many false positives.
Stephen Shaw commented
I was hacked with DrupalGeddon, this would have saved me because I thought I had patched in time < 7 Hrs - I did'nt patch in time and did not realize I was vulnerable until 6 months later when they activated the hack.
These are remote services, so they can only scan webpage output. They are defacement monitors.
The feature here is filesystem based, so it would identify new unknown files, or backend changes to files that may not cause any change to generated HTML)