Feature Suggestions
Please provide here your suggestion for new functionality for Plesk. We encourage you to review and vote for suggestions of others. The top-ranked suggestions are likely to be included in the next versions of Plesk.
Please write in English so that voters from all over the world can read and support your request.
Off-topic posts will be removed from here
128 results found
-
Allow to register all let's encrypt certificates with a freely configurable ACME ID
Customer has around 2000 domains and hitting the weekly limit for the new certificates. All domains have different ACME IDs
Customer reached Let's Encrypt support and they agreed to increase limits but require to provide "his own dedicated ACME ID". This feature is required to get such dedicated id.
This is useful when a lot of domains were migrated to another server and it is required to secure them quickly without reaching limits.
4 votesThank you for your input. We will consider this functionality in upcoming releases if it is popular. Everyone, please continue voting for this feature if you consider it important.
—
IG -
Add ability to use the one Let's encrypt account Id for the whole server
Add ability to use the one Let's encrypt account Id for the whole server
After this, it will be possible to request Let's Encrypt Rate Limit Adjustment for the whole server.
https://docs.google.com/forms/d/e/1FAIpQLSetFLqcyPrnnrom2Kw802ZjukDVex67dOM2g4O8jEbfWFs3dA/viewform4 votesThank you for your input. We will consider this functionality in upcoming releases, if it will be popular.
Everyone, please continue voting for this feature if you consider it important.—
IG -
control-panel-access - add ddns support
Please add DDNS Support for "control-panel-access" (Limit Admin Login) - Would be very helpful to restrict Admin Logins if no static IP Address is available ...
4 votesThank you for your input! We will consider this functionality in upcoming releases if it will be popular.
Everyone, please continue voting for this feature if you consider it important.
—
IG -
Set right ciphers by default on Windows
There is a documentation how to do it manually: https://docs.plesk.com/en-US/onyx/administrator-guide/plesk-administration/securing-plesk/pci-dss-compliance/tune-plesk-to-meet-pci-dss-on-windows.78901/
but there is no tool to do it automatically (and by default during the installation).
4 votesAFAIU, the request is about right ciphers for SSL configuration. We have a documentation how to do it manually: https://docs.plesk.com/en-US/onyx/administrator-guide/plesk-administration/securing-plesk/pci-dss-compliance/tune-plesk-to-meet-pci-dss-on-windows.78901/ but have no tool to do it automatically, so, this is a valid request, we’ll look into it.
There is no ETA at the moment, but we would really appreciate you voting for this request so that we can accurately assess its popularity relative to other features. Thanks in advance!
— rk
-
Bypass MFA requests from IP ranges feature for MFA extension
Develop a feature for MFA extension to bypass MFA requests for certain IP addresses ranges. It's justified by having some users access Plesk from internal network which is considered trusted and thus do no require MFA.
3 votesThank you for your input! We will consider this functionality in upcoming releases if it becomes popular.
Everyone, please continue voting for this feature if you consider it important.
-- SH
-
Modify Wordpress integrity checker for security optimisations
So if I create a new Wordpress installation and then I make certain minor security adjustments that are highly recommended in cybersecurity forums, then I will get errors that it is broken through Plesk. I will then forever more be warned that it is broken in Plesk (not in Wordpress) on account of absence of those files, which (as I say) is a deliberate choice I made).
Ideally this would be modified in the install process (e.g. question: "Would you like to remove the readme and license files after installation?" (then explain why it is important to in a hover…
3 votesThank you for your idea! We will consider this functionality in upcoming releases if it will be popular.
Everyone, please continue voting for this feature if you consider it important.
-- PD
-
DKIM Weekly Rotation of key, with new 'selector' where previous selector is removed the next week
As in:
https://proton.me/blog/dkim-replay-attack-breakdownRotating DKIM is highly important.
Currently, it' **** easy to rotate the DKIM key on Plesk, not to talk of updating DNS and running Route 53 update.
This is asked to be implmented, where a second key is added, and new mails use it.
Old key would be depreciated a week later, as previous emails are still in the progress.
Rotate your DKIM keys regularly – Rotating our DKIM keys allowed us to quickly stop the attack and buy time for the permanent solution. Although tedious and risky to do manually, Proton’s DKIM key management system(new window)…
3 votesThank you for your idea! We will consider this functionality in upcoming releases if it will be popular.
Everyone, please continue voting for this feature if you consider it important.
-- PD
-
Iptables: Allow Rules via the shell
Our Intrusion prevention system CrowdSec adds one rule having a blacklist to Ipables.
If you manipulate the rules in the UI, Plesk rewrites all rules. Therefore manually added rules are no more available.
This could be fixed very simple by having an additional script, which will be called after saving the rules by the UI.
3 votes -
Add possibility in ModSecurity to configure real-time file scan when files are uploaded
It would be great to add possibility in ModSecurity to configure real-time file scan when files are uploaded: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#files_tmpnames
Such feature will allow the Plesk administrator to configure some Perl scripts to analize all the files uploaded by the users.
3 votesThank you for your input! We will consider this functionality in upcoming releases if it will be popular. Everyone, please continue voting for this feature if you consider it important.
—
IG -
Have a "call-in PIN" (support phone password) field in each user account
I think a call in pin would be nice. Something that the user can change, but it is kept hidden unless they are logged in and click on it to see it. This will allow for end users to request help securely.
3 votesThank you for your input. We will consider this functionality in upcoming releases if it is popular. Everyone, please continue voting for this feature if you consider it important.
—
IG -
Let pci_compliance_resolver --enable postfix also set FORWARD SECURITY and go dor TLSv1.3
Even though server supports TLS 1.2, the cipher suite configuration is suboptimal. It is recommend to configure the server so that the cipher suites providing forward secrecy (ECDHE or DHE in the name, in this order of preference) and authenticated encryption (GCM or CHACHA20 in the name) are at the top. The server must also be configured to select the best-available suite!
also there is TLSv3 https://tools.ietf.org/html/rfc8446
(and draft is used already a long time by many;)http://www.postfix.org/TLS_README.html
And while Playing on Mailserver think about MTA Strict Transport Security (Draft standard) and Email DANE / TLSA.
THX
3 votesThis is a valid request, so we’ll look into it. There is no ETA at the moment, but we would really appreciate you voting for this request so that we can accurately assess its popularity relative to other features. Thanks in advance!
— rk
-
Anonymize IP in logs instead of disabling them completely
It would be great to have an option to anonymize IP addresses, not to disable it completely to get rid of issues with statistics displaying. For example as it is for Plesk on Linux.
Currently, Plesk for Windows has an option to completely disable IP addresses logging In Tools & Settings > Server Settings which affects web statistics.
3 votesThank you for your input! We will consider this functionality in upcoming releases if it will be popular.
Everyone, please continue voting for this feature if you consider it important.
IB
-
Adjust the Website Log Checker to not show errors related to blocked xmlrpc.php requests by ModSecurity
Currently, Website Log Checker flags rejectred access to xmlrpc.php as issues of "Modsecurity: access denied with access code 403" kinds of errors. Additionally, the requests to xmlrpc.php is being blocked by WP Toolkit security measure "restrict access to xmlrpc.php"
ModSecurity protects website by detecting and blocking dangerous requests. If ModSecurity rules are disabled, the extra layer of protection is lost.
Relying only on WP Toolkit to block access is risky. If I forget to set it up, my site could be left vulnerable. ModSecurity is reliable, and I woouldn’t remove it just to clean up logs.
My Suggestion: Adjust the…
2 votes -
Secure one way encrypted password storage (no mail_auth_view for gdpr, pci-dss, nis2)
Mail password are encrypted but not hashed.
Clear text password are available using the utility
/usr/local/psa/admin/bin/mailauthviewThis is just symmetric everyone not the good practice. See OWASP :
https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.htmlIt does not meet many regulations (often referring to good practices or OWASP) and it's an unnecessary security risk of password exposure.
Please add an option to have mail user password hashed one way.
Thanks.
2 votesThank you for your input. We are already working on storing only password hashes, rather than actual passwords. I cannot provide any ETA at this moment.
-- SH
-
add time-expiring fail2ban whitelist entries
Please add the ability to add IP addresses to a temporary whitelist with an expiration option. Occasionally, customers may need to troubleshoot issues (e.g., verifying their mail account credentials) after being banned by Fail2Ban. To prevent them from being immediately banned again, we whitelist them temporarily. However, over time, if you forget to remove them, the whitelist grows indefinitely. It would be beneficial if these entries could automatically expire and remove themselves after a set period.
2 votesThank you for your input! We will consider this functionality in upcoming releases if it becomes popular.
Everyone, please continue voting for this feature if you consider it important.
-- SH
-
plesk advisor score functionality needs enhancement
The Plesk advisor complains about not having installed the Plesk firewall, but it doesn't check iptables rules. I have setup my own iptables rules deriven and enhanced from the Plesk firewall. My setup also supports ipset rules which Plesk doesn't.
Thus, the advisor score mechanism should check if iptables rules are present and setup sophisticatedly.
Please refer to: https://talk.plesk.com/threads/plesk-firewall-2-1-5-412-still-has-problems.371747/page-22 votesThank you for your idea! We will consider this functionality in upcoming releases if it will be popular.
Everyone, please continue voting for this feature if you consider it important.
-- PD
-
Automatic/option for hiding of Plesk, PHP, Apache, Nginx, Wordpress, Drupal, etc. 'reveals'
It would be so useful to accommodate one hardening feature, and that would be to switch on/off the server reveal options for Nginx/Apache (Lightspeed, whatever), the expose_php attribute for the version number in PHP (and equivalent in Perl, etc.), the Wordpress/Drupal (and Joomla, etc.), reveal of their presence and version numbers. See this article for the cybersecurity relevance of that (there's a lot more on the 'securityheaders.com' website and free checkers for all of this there too), but I pick this as an illustration of what I'm referring to with php:
https://serverhealers.com/blog/hide-php-version-x-powered
All of these things are simple, and just…
2 votesThank you for your idea! We will consider this functionality in upcoming releases if it will be popular.
Everyone, please continue voting for this feature if you consider it important.
Here I'd like to add, though, that in the real world attackers simply test a website against all known vulnerabilities, regardless what webserver, PHP or other software version they detect. Actually, such version information are of no interest, they simply drive tests against all known flaws. So adding the feature will probably not help against hacking attempts.
-- PD
-
Oversign Emails' DKIM From, To, and CC headers
As in:
https://proton.me/blog/dkim-replay-attack-breakdownOversign From, To, and CC headers – Most DKIM implementations always sign the From, To, and CC headers if they are present in an email, preventing them from being modified if the message is resent. However, if these headers are missing, they are often unsigned, opening the door to replay attacks with forged headers that make the fraudulent emails seem legitimate. Oversigning mitigates these attacks by signing these sensitive headers in all cases, even if they are blank. If you use Proton to send your email, this oversigning is done for you automatically by our mail servers.
2 votesThank you for your idea! We will consider this functionality in upcoming releases if it will be popular.
Everyone, please continue voting for this feature if you consider it important.
-- PD
-
Ability to disable aum automatic updates in mod security and apply it manually
Provide the ability to disable aum
automatic updates in mod security and apply it manually2 votes -
Add option to mitigate known vulnerabilities by default during installation of WordPress
There is an option in WP Toolkit to mitigate the Unauth. Blind SSRF vulnerability. However, this may only be applied only once WordPress has already been installed. Please add possibility to secure the instance in this regard (and any other vulnerabilities that might be found later, if such option is added to WP Toolkit) directly when installing WordPress.
2 votes
- Don't see your idea?