In Plesk for Linux, Plesk provides a functionality to select the SSL protocols available by running:

plesk bin server_pref -u -ssl-protocols "TLSv1.2"

Or meet with PCI compliance with the utility:

plesk sbin pcicomplianceresolver

Plesk for Windows doesn't provide such functionality, moreover, Plesk doesn't recommend to disable these protocols: https://support.plesk.com/hc/en-us/articles/115000360813

It'd be really helpful and safe that Plesk will provide officially the support of the same functionality for Windows, especially for companies that are requiring high-security standards.

A CSP Generator where you can define rules very simple.

Support the new version TLS1.3 for webserver and email. Most of the Browser already support it.

https://www.certificate-transparency.org
https://www.ssllabs.com/ssltest/analyze.html

sms verifying on login

Add the possibility to prevent/block any file or directory removal from within the File Manager in Plesk by the subscription/domain users.

An example that could be applied is the same as it can be applied already for ProFTP config files as follows:

<Directory /var/www/vhosts/*/.cagefs>
<Limit ALL>
DenyAll
</Limit>
</Directory>

<Directory /var/www/vhosts/*/.cl.selector>
<Limit ALL>
DenyAll
</Limit>
</Directory>

<Directory /var/www/vhosts/*/error_docs>
<Limit DELE>
DenyAll
</Limit>
</Directory>

<Directory /var/www/vhosts/*/httpdocs>
<Limit RMD>
DenyAll
</Limit>
</Directory>

<Directory /var/www/vhosts/*/httpdocs/*>
<Limit RMD>
AllowAll
</Limit>
</Directory>

It will be great to have the ability to receive an email notification from Modsecurity (WAF) when protection has been breached with corresponding breach information (SQL injection, Command injection, Cross-site scripting, etc.).

Support Microsoft O365 for the Social Login extension for single-sign-on (SSO).

Microsoft Security Essential is a free and powerful security software for windows server. I recommend make PLESK compatible with this software to have a powerful and simple security solution.

This (https://support.plesk.com/hc/en-us/articles/115000784914-What-DDoS-protection-tools-are-available-in-Plesk) recently updated article shows that we still need paid extensions to better protect our servers against ddos attacks.

It would be great if Plesk would create a more advanced anti-ddos monitoring tool with a useful interface, alerts, and the right amount of settings to better protect our servers from ddos attacks without the need to install a third party extension with additional costs. Preferably created with "good defaults" in mind.

Please separate the mozilla tls cipher settings for web and mail.
Sometimes the old ciphers has to set only for mail and not for web.
Additionally it would be great if the setting could available on domain basis.

Please see this forum post as a reference: https://talk.plesk.com/threads/tls-versions-and-ciphers-by-mozilla-issue-with-the-last-synchronisation.358066/post-882924

Currently almost all mail clients (I used) need the server address to be in the Subject Alternative Names on the certificate, meaning if the configured address is "mail.example.com" instead of "example.com", that first subdomain is not present in the certificate, even when the option "Assign the certificate to mail domain" is selected when issuing the certificate.

In Plesk for Windows, add options to forbid executing .exe, .bat and other executable files in order to prevent starting of malicious scripts.
It should be added to domain and server-wide levels.

Often large Companies with lot's of Workstation are getting blocked because 1 Client in their Office is trying to log in with wrong Password (imap/pop/smtp) - then the whole Office of them is getting blocked and the search which PC/which User is causing the block.starts ...
It would help big times if one got a reference which Login Name / Username caused the block as additional Info next to the IP ...
Won't help on Brute Force Attacks where the Username changes ... but on this Scenario it would be a big Timesaver ...
Andreas Schnederle-Wagner

I recommend to don't show any information about the version of Plesk or other software before the user logged in.

Recognising the increasing challenges in these times, would welcome the implementation of the Edwards-curve Digital Signature Algorithm (EdDSA) type ed448 for security and to keep ahead of the curve (sic.) on the cryptographic front...

interesting tool here too for those interested in checking out where they're up to with browser support (and to know the differences between the different algorithms): https://ed448.no/

Plesk supports Authenticators for the primary admin account.

However, additional admin accounts can still log in without 2FA.

This feature would be great to abide to basic security guidelines as it still involves important client data.