Please add ability for Plesk administrator to disable Plesk customers to change their Plesk UI password.

Message from customer:
I am working on a separate account management panel and I want the customer to log in with the same password. Can I prevent the user changing the password in Plesk.

Attacks to web servers are in increasing. All modern Linux distribution come with SELinux. SELinux is a perfect way to avoid an attacker to get privileged access to the OS. Currently, Plesk is not supporting SELinux.
Support should be added. A policy should be provided to configure SELinux to support all PLESK relevant actions on the server.

In Plesk for Linux, Plesk provides a functionality to select the SSL protocols available by running:

plesk bin server_pref -u -ssl-protocols "TLSv1.2"

Or meet with PCI compliance with the utility:

plesk sbin pcicomplianceresolver

Plesk for Windows doesn't provide such functionality, moreover, Plesk doesn't recommend to disable these protocols: https://support.plesk.com/hc/en-us/articles/115000360813

It'd be really helpful and safe that Plesk will provide officially the support of the same functionality for Windows, especially for companies that are requiring high-security standards.

There should be a Scanner for Malware by default.
"Wordpress" already has a super Tool but what about the the other Apps on Server ...

To be able to set specific security policy per subscription instead of server-wide.

A CSP Generator where you can define rules very simple.

It will be great to have the ability to receive an email notification from Modsecurity (WAF) when protection has been breached with corresponding breach information (SQL injection, Command injection, Cross-site scripting, etc.).

Support Microsoft O365 for the Social Login extension for single-sign-on (SSO).

Support the new version TLS1.3 for webserver and email. Most of the Browser already support it.

https://www.certificate-transparency.org
https://www.ssllabs.com/ssltest/analyze.html

Add the possibility to prevent/block any file or directory removal from within the File Manager in Plesk by the subscription/domain users.

An example that could be applied is the same as it can be applied already for ProFTP config files as follows:

<Directory /var/www/vhosts/*/.cagefs>
<Limit ALL>
DenyAll
</Limit>
</Directory>

<Directory /var/www/vhosts/*/.cl.selector>
<Limit ALL>
DenyAll
</Limit>
</Directory>

<Directory /var/www/vhosts/*/error_docs>
<Limit DELE>
DenyAll
</Limit>
</Directory>

<Directory /var/www/vhosts/*/httpdocs>
<Limit RMD>
DenyAll
</Limit>
</Directory>

<Directory /var/www/vhosts/*/httpdocs/*>
<Limit RMD>
AllowAll
</Limit>
</Directory>

This (https://support.plesk.com/hc/en-us/articles/115000784914-What-DDoS-protection-tools-are-available-in-Plesk) recently updated article shows that we still need paid extensions to better protect our servers against ddos attacks.

It would be great if Plesk would create a more advanced anti-ddos monitoring tool with a useful interface, alerts, and the right amount of settings to better protect our servers from ddos attacks without the need to install a third party extension with additional costs. Preferably created with "good defaults" in mind.

Please separate the mozilla tls cipher settings for web and mail.
Sometimes the old ciphers has to set only for mail and not for web.
Additionally it would be great if the setting could available on domain basis.

Please see this forum post as a reference: https://talk.plesk.com/threads/tls-versions-and-ciphers-by-mozilla-issue-with-the-last-synchronisation.358066/post-882924

Microsoft Security Essential is a free and powerful security software for windows server. I recommend make PLESK compatible with this software to have a powerful and simple security solution.

Plesk supports Authenticators for the primary admin account.

However, additional admin accounts can still log in without 2FA.

This feature would be great to abide to basic security guidelines as it still involves important client data.

Currently almost all mail clients (I used) need the server address to be in the Subject Alternative Names on the certificate, meaning if the configured address is "mail.example.com" instead of "example.com", that first subdomain is not present in the certificate, even when the option "Assign the certificate to mail domain" is selected when issuing the certificate.

At the moment the created Scheduled Tasks (Cron jobs) via Plesk GUI are not registered in the action log.

Also, according to /var/log/messages and /var/log/cron it is not clear what task was created, the name of the task and it is also difficult to understand was the cron task created or not.

I've noticed that in a default plesk installation the web server is configured to disclose php version. This could be exploited especially with a lot of websites running insecure php versions still.

I think it's not much trouble to implement this simple "security through obscurity" step to not disclose this information and help attackers detect vulnerabilities in PHP itself.