If the Plesk administrator password is compromised, a third party can access Plesk and damage the server and the hosted websites. You can enhance security and reduce the chances of unauthorized access to Plesk by restricting administrative access.
In Plesk, you can either prevent administrative access from a specific IP address or addresses, or restrict administrative access to a specific IP address or addresses. Anyone trying to log in to Plesk as an administrator from a disallowed IP address will see an error message. Restricting administrative access to Plesk does not prevent resellers or customers from logging in to Plesk, even from disallowed IP addresses.
Note: Restricting administrative access from a specific IP address does not block incoming connections to the server. It does not prevent, for example, attempts to connect via SSH or RDP. Make sure that the Plesk administrator password does not match the server's 'root' or 'administrator' user password.
The first option is more permissive. If you notice suspicious activity originating from a specific IP address (for example, by reviewing Fail2Ban logs), you can prevent anyone using that IP address from having administrative access to Plesk.
To prevent administrative access to Plesk from specific IP addresses:
Now, administrative access to Plesk is possible from all IP addresses except for those that you have explicitly disallowed.
The second option is more restrictive. It minimizes the chances of unauthorized access to Plesk, but may make it difficult to access Plesk from an unusual location (for example, if you need to access Plesk while traveling). Limiting administrative access to specific IP addresses is also likely to disrupt your ability to manage Plesk via Plesk Mobile, as mobile phones usually do not have static IP addresses.
To limit administrative access to Plesk to specific IP addresses:
Now, administrative access to Plesk is possible only from the IP address or addresses you have explicitly allowed.
When you limit administrative access to Plesk, you can accidentally disallow administrative access from your own IP address:
To prevent such mistakes, Plesk informs you that you will not be able to log in to Plesk with administrator's rights from your IP address with the following error message:
If you have locked yourself out of Plesk, follow the steps in the following KB article to regain access.
If desired, you can edit or remove IP addresses you have added to restrict administrative access. To edit an IP address, click it, change the IP address value, and click OK. To remove an IP address, select its checkbox, click Remove, and then click Yes to confirm the removal.
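The following added example (not Plesk code) ties together the Fail2Ban log review mentioned for the first option and the lockout risk described above: it counts repeated bans per address and then checks whether your own address would keep administrative access under each kind of restriction. The log lines, jail names, ban threshold, function names and the use of CIDR notation for list entries are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the fail2ban.log notice format; jail names are assumed.
SAMPLE_LOG = """\
2024-05-01 10:00:01,100 fail2ban.actions [811]: NOTICE [plesk-panel] Ban 203.0.113.7
2024-05-01 10:20:41,512 fail2ban.actions [811]: NOTICE [plesk-panel] Unban 203.0.113.7
2024-05-01 11:02:13,007 fail2ban.actions [811]: NOTICE [plesk-panel] Ban 203.0.113.7
2024-05-01 11:05:55,220 fail2ban.actions [811]: NOTICE [ssh] Ban 198.51.100.23
2024-05-01 12:40:09,914 fail2ban.actions [811]: NOTICE [plesk-panel] Ban 203.0.113.7
2024-05-01 13:15:30,301 fail2ban.actions [811]: NOTICE [plesk-panel] Ban 192.0.2.10
"""

# Matches "Ban" notices only; "Unban" lines do not match.
BAN_RE = re.compile(r"NOTICE\s+\[(?P<jail>[^\]]+)\]\s+Ban\s+(?P<ip>\S+)")

def repeat_offenders(log_text, jail, min_bans):
    """Return addresses banned at least min_bans times in the given jail."""
    counts = Counter()
    for line in log_text.splitlines():
        match = BAN_RE.search(line)
        if not match or match.group("jail") != jail:
            continue
        try:
            counts[ipaddress.ip_address(match.group("ip"))] += 1
        except ValueError:
            continue  # skip anything that is not a valid address
    hits = [ip for ip, n in counts.items() if n >= min_bans]
    return [str(ip) for ip in sorted(hits, key=lambda ip: (ip.version, int(ip)))]

def admin_allowed(client_ip, mode, entries):
    """Evaluate a restriction list: 'deny' blocks listed entries,
    'allow' permits only listed entries."""
    if mode not in ("deny", "allow"):
        raise ValueError("mode must be 'deny' or 'allow'")
    ip = ipaddress.ip_address(client_ip)
    listed = any(ip in ipaddress.ip_network(e, strict=False) for e in entries)
    return listed if mode == "allow" else not listed

if __name__ == "__main__":
    my_ip = "192.0.2.10"  # constructed: the address you administer from
    deny = repeat_offenders(SAMPLE_LOG, "plesk-panel", min_bans=2)
    print("deny-list candidates:", deny)
    for mode, entries in (("deny", deny), ("allow", ["198.51.100.0/24"])):
        ok = admin_allowed(my_ip, mode, entries)
        print(f"{mode} {entries}: admin login from {my_ip} "
              f"{'still works' if ok else 'WOULD BE LOCKED OUT'}")
```

Running the same check against a planned list before saving it shows whether the address you are working from would lose administrative access.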