Feature Suggestions
Please provide here your suggestion for new functionality for Plesk. We encourage you to review and vote for suggestions of others. The top-ranked suggestions are likely to be included in the next versions of Plesk.
Please write in English so that voters from all over the world can read and support your request.
Off-topic posts will be removed from here
-
5 votes
Thank you for your input! We will consider this functionality in upcoming releases if it will be popular.
Everyone, please continue voting for this feature if you consider it important.
— AY
-
Make PLESK compatible with "Microsoft Security Essential" for Windows servers
Microsoft Security Essential is a free and powerful security software for Windows Server. I recommend making PLESK compatible with this software to have a powerful and simple security solution.
5 votes
Thank you for your input! We will consider this functionality in upcoming releases if it will be popular.
Everyone, please continue voting for this feature if you consider it important.
— SU
-
Don't show version on the login mask.
I recommend not showing any information about the version of Plesk or other software before the user has logged in.
5 votes
open discussion · Admin Sergey L (Director of Program Management, Plesk International GmbH) responded
You wouldn’t need to worry too much on version exposure:
1) should there be any vulnerability discovered, we will fix it for each and every supported version. Just stay up2date
2) hiding version gives only false sense of security – attacker can still apply all known vulnerabilities disregarding your actual version. There were just few vulnerabilities about Plesk and it is easy to run them all (though it won’t give an impact as all of them are addressed already). It is even easier than capturing a version from a file.
If you remain heavily concerned, we can recommend applying Two-Factor authentication via Clef or Google Auth extensions at http://ext.plesk.com or maybe restricting Plesk control panel access to certain IPs only and only enter it via VPN. The last option is the least convenient and the most secure.
-
fail2ban notification
Make Fail2Ban send notifications when the server is under attack
4 votes
Thank you for your input! We will consider this functionality in upcoming releases if it will be popular.
We would ask you to describe in more detail, what are your expectations. For example, what kind of notifications — email or panel, configurations options, etc. This information can help us create the feature best suited to your needs.
Everyone, please continue voting for this feature if you consider it important.
— AS
-
block bad bots by default
There are many bots that can actually DoS a server using Plesk. Since there's no way to limit their connections they can overload a server really easily. Currently the only way to block them is by reading the logs and implementing blocks in nginx or .htaccess rules.
It would be great if there could be some security by default. The community has created very comprehensive lists that could be used and auto updated / maintained by cron jobs.
Here's an example for Apache
https://github.com/mitchellkrogza/apache-ultimate-bad-bot-blocker/tree/master/Apache_2.4
And here's for Nginx
https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker
It could help mitigate attacks and vulnerability scans as well a…
4 votes
Thank you for your input. We will consider this functionality in upcoming releases, if it will be popular.
Everyone, please continue voting for this feature if you consider it important.
BTW, we have the following solution for Plesk – https://talk.plesk.com/resources/blocking-extra-bots-using-nginx.6/
— IG
-
check passwords against Pwned Passwords API
Plesk should check user typed passwords against Pwned Passwords API
https://haveibeenpwned.com/API/v2
that way you could further improve systems running Plesk against Brute-Force attacks - and Dictionary attacks
WordFence plugin for WordPress is already offering this, checking WordPress administrator passwords against https://haveibeenpwned.com/API/v2
it shouldn't be too much work to compare Plesk password hash between Plesk and https://haveibeenpwned.com/API/
I would like to use this feature for all services (FTP, E-Mail, Plesk, WordPress, etc.)
It makes a lot of sense to do this, there are no drawbacks
it should be an option that users can enable/disable
if you don't need it, you can disable…
4 votes
Thank you for your input. We will consider this functionality in upcoming releases, if it will be popular.
Everyone, please continue voting for this feature if you consider it important.
— IG
-
Import and export buttons to allow fail2ban Trusted IP or Banned IP Addresses
Button that can import or export the Fail2ban Trusted or Banned IP lists. At the moment you can only add one by one.
4 votes
-
Implement client SSL certificates for authentication into mail
There is an option in Outlook, mail.app and other clients "authenticate using certificate". However, Plesk does not allow the use of this client-based method of authentication.
4 votes
-
sms verifying on login
sms verifying on login
4 votes
-
nftables support (firewall)
Since 2014, with Linux kernel 3.13 and later, a new system for providing filtering and classification of network packets, datagrams and frames was introduced: nftables
It is stateful and more modular than iptables and does support IPv6.
As there are already packages for Archlinux or RHEL and so for CentOS and you can install on your own (of course), it would be great if in an upcoming (major) release iptables is replaced by nftables. Or a switch is implemented to use either the one or the other.
More information on:
https://wiki.nftables.org
http://netfilter.org/projects/nftables/
https://wiki.archlinux.org/index.php/nftables
4 votes
-
Add Nginx Jails to Fail2Ban
Plesk has - praise be - increasingly better supported Nginx, now with the option to use only Nginx, which is great.
That being so, now we need the next logical step: The Fail2Ban Jails for Apache are available, but will have no effect, as Apache is not used at all any more. So we need some Jails for Nginx.
This is not exactly rocket science, there are plenty of examples to be found on the web, the Fail2Ban distribution has some, and here's an article on digitalocean:
https://www.digitalocean.com/community/tutorials/how-to-protect-an-nginx-server-with-fail2ban-on-ubuntu-14-04
Search for: fail2ban nginx 404
E.g. https://nichteinschalten.de/apache-nginx-404-fail2ban-regex/
Note The 404 code is…
3 votes
Thank you for your input! We will consider this functionality in upcoming releases if it will be popular.
Everyone, please continue voting for this feature if you consider it important.
— IG
-
Adding google recaptcha to plesk login area, or any captcha validation
Adding google recaptcha to plesk login area, or any captcha validation
3 votes
Thank you for your input! We will consider this functionality in upcoming releases if it will be popular.
Everyone, please continue voting for this feature if you consider it important.
— IG
-
Email notifications/alerts for Modsecurity (WAF)
It will be great to have the ability to receive an email notification from Modsecurity (WAF) when protection has been breached with corresponding breach information (SQL injection, Command injection, Cross-site scripting, etc.).
3 votes
Thank you for your input! We will consider this functionality in upcoming releases if it will be popular.
Everyone, please continue voting for this feature if you consider it important.
— IG
-
Enable OCSP stapling and HSTS for Plesk panel
OCSP stapling and HSTS can now be enabled for domains using the SSL It! extension.
However these settings cannot be enabled while securing Plesk panel.
So it will be really appreciated if such functionality is included in future Plesk updates.
3 votes
Thank you for your input! We will consider this functionality for the upcoming releases if it becomes popular enough.
Everyone, please continue voting for this feature if you consider it important.
— IG
-
Social Login SSO - Microsoft O365 Support
Support Microsoft O365 for the Social Login extension for single-sign-on (SSO).
3 votes
-
Add ability to use the one Let's encrypt account Id for the whole server
Add ability to use the one Let's encrypt account Id for the whole server
After this, it will be possible to request Let's Encrypt Rate Limit Adjustment for the whole server.
https://docs.google.com/forms/d/e/1FAIpQLSetFLqcyPrnnrom2Kw802ZjukDVex67dOM2g4O8jEbfWFs3dA/viewform
3 votes
Thank you for your input. We will consider this functionality in upcoming releases, if it will be popular.
Everyone, please continue voting for this feature if you consider it important.
— IG
-
Add the option to forbid execution of files in Plesk for Windows
In Plesk for Windows, add options to forbid executing .exe, .bat and other executable files in order to prevent starting of malicious scripts.
It should be added to domain and server-wide levels.
3 votes
Thank you for your input! We will consider this functionality in upcoming releases if it will be popular.
Everyone, please continue voting for this feature if you consider it important.
— IG
-
Enable SSH Key Generate via Plesk Control Panel
With the SSH Manager inside Plesk Onyx, it is extremely easy to add a new key to a subscription. The problem is, most users don't understand how to generate a key with tools like PuTTYgen and explaining it to them leaves them very confused. It would be very handy if, inside the SSH manager there was a way to request a new key pair be generated and added to a subscription automatically, so users don't have to go through the hassle of generating a key.
3 votes
Thank you for your input! We will consider this functionality in upcoming releases, if it will be popular.
Everyone, please continue voting for this feature if you consider it important.
— IG
-
deny access to .git folder by default
I think it would be great if you could prevent access to .git folders that are usually left exposed by users in the server when building the vhost templates.
It's very common that users forget to remove credentials and other sensitive information out of their repositories so by leaving the folder exposed it's possible for an attacker to gain access to this sensitive information.
Currently we manually protect those folders when we spot them but it would be nice if this was implemented from the start.
For example in nginx the following rule could be used.
location ~ /.git…
3 votes