Parallels Plesk 12: Supercharge Your WordPress Site

    Chris Burgess
    Chris Burgess

    This article was sponsored by Parallels. Thank you for supporting the sponsors who make SitePoint possible!

    Web management tools aren’t new, they’ve been around for many years and they all support one-click installs for common web applications. However, for the most part all this does is install the application and then you’re on your own. You don’t have visibility to manage these applications once they’ve been installed.

    If you then throw in the fact that users love to install themes and plugins, the management becomes even more fun. The solution to this usually involves third-party services to centrally manage our WordPress sites. Wouldn’t it be nice if these management features were built into our hosting control panel? Well, with the latest version of Plesk, this is now possible.

    Parallels Plesk is one of the leading hosting control panel and automation platforms on the market. If you’ve used a few hosting providers, chances are you’ve used Plesk.

    In this article I’ll walk you through how to use Plesk 12 with a focus on the features that are most relevant to WordPress professionals, mainly the WordPress Toolkit. I will also touch on some of the other areas that those who manage multiple WordPress sites will be interested in.

    First Impressions of the WordPress Toolkit in Plesk 12

    When I first logged in, it was immediately obvious that the latest version of Plesk is seriously catering to WordPress developers and administrators.

    While other web applications are supported, the WordPress-specific features are impressive. Plesk 12 has introduced what they call the ‘WordPress Toolkit‘ and it brings professional WordPress management features to a mainstream web hosting control panel. This includes the ability to detect manual installations, create new installations (with control over various configuration options), perform bulk updates, and manage plugins/themes.

    In addition to the WordPress management features, if you want to jump into a specific WordPress dashboard, there’s usually a direct link available in most places within in the Plesk interface. That said, you can easily perform routine tasks without leaving Plesk.

    Overview of features:

    • Security
    • Update Management
    • Plugin Management
    • Theme Management
    • ServerShield by CloudFlare
    • ModSecurity
    • Fail2ban
    • Outbound Antispam
    • Range of Editions

    Installing WordPress Using the WordPress Toolkit

    Installing WordPress is easy and using the WordPress Toolkit is even easier.

    To install WordPress, log into Plesk and go to the ‘Applications’ page. On this page you have two options for installing WordPress via the drop-down box in the top right. The first option is ‘Install’ and that will run a default WordPress install.

    Installing WordPress

    The second option is ‘Install (Custom)’. This option will provide you with more control over the common configuration options.

    Install WordPress with Custom Options

    With this option you will be able to select the installation path, update settings and admin access.

    Custom Options Part 1

    Further down the screen, you’ll find your standard WordPress configuration options such as your site name, administrator email address, language, and database details.

    Custom Options Part 2

    When your installation is complete, you’ll see the message shown below:

    Installing WordPress on Plesk 12 Complete


    Plesk 12 also includes best-of-breed security controls, with both WordPress-focused options and traditional web security tools.

    Check Security

    This feature will allow you to perform a security check to make sure WordPress has been configured correctly and general security measures are in place. Users would usually install plugins to achieve the same results, but now this is available natively within Plesk.

    How to Use the ‘Check Security’ Feature

    There are two ways to access this feature. The first appears when you login to Plesk. Under ‘Websites & Domains’ you’ll find a button labelled ‘Security Scan’ listed next to the WordPress installation name.

    The second way to access this feature is by clicking on the WordPress installation name and selecting ‘Check Security’ under the ‘Tools’ menu on the right-hand sidebar.

    The Security Scan Option in Plesk
    The Check Security Option in Plesk

    Selecting either ‘Security Scan’ or ‘Check Security’ will display the screen shown below. The first time you run this on a new site, you will see a few alerts letting you know that there are measures that can be taken to harden your installation. Make sure these options are selected and then click on ‘Secure’:

    WordPress Toolkit Security Check Before

    Now, if you re-run this scan or check, it will look like this:

    WordPress Toolkit Security Check Before

    You will notice that some permissions give you the option to ‘Roll Back’, which I can see turning into a real time-saver when troubleshooting.

    By following these basic steps above, you have significantly hardened your WordPress site. Too often I see security plugins being promoted as the silver bullet when it comes to security, however, following the basic best practices covered in ‘Security Check’ will offer way more protection from both known and unknown threats. It also removes the need for yet another plugin.

    Detecting WordPress Installations

    The WordPress Toolkit also includes a ‘Scan’ feature that you can use to detect WordPress sites running version 3.4 and above. This allows you to attach an installation to your WordPress Toolkit sites.

    It’s worth noting that Plesk only knows about installations created through the WordPress Toolkit using Plesk’s application installer (based on Application Packaging Standard technology) or those that have been detected during a scan. It’s recommended you periodically scan your client sites for WordPress installations so they can be managed within the WordPress Toolkit.

    Security Scan or Security Check

    Changing Your Administrator Username

    We should all know not to use the default ‘admin’ as the administrator account, however, if we’re inheriting someone else’s sites there may be an occasion when you’re dealing with the dreaded ‘admin’ username. Or you might just want to change the administrator username.

    There are a lot of ways to change your administrator username, most users will use a plugin to do this or create a new user to be the administrator and then delete the old ‘admin’ account.

    With the WordPress Toolkit, this is easily managed, simply click on ‘Manage’ as shown below:

    WordPress Toolkit Changing Admin Username Link

    This will take you to a page where you can then specify your new administrator username.

    WordPress Toolkit Changing Admin Username

    Security Core

    Security is a central theme to much of the Plesk platform. With Version 12, there are several powerful tools that have been bundled into ‘Security Core’. Here’s a few of the available tools for those who want to take extra steps to harden their sites (which should be everyone!):

    • ModSecurity
    • Fail2Ban
    • Outbound Antispam
    • ServerShield by CloudFlare

    We will cover these tools in more detail below.

    Update Management

    Keeping any web application updated is critical. With WordPress running on 47.38% of identifiable CMSs on the Internet, it’s a popular target for attackers. A key component of WordPress Toolkit is the ability to manage all of your WordPress core updates in one place.

    How To Update Multiple Sites

    Under the ‘Websites & Domains’ tab select ‘WordPress’ on the right-hand sidebar. This will then display a list of all your WordPress sites. To run either a single or bulk update, select the sites you wish to update and click on the ‘Update ‘ button, it couldn’t get any easier. During my testing, updating WordPress worked flawlessly.

    WordPress Toolkit Updates

    Once the updates have been installed and the process is complete, you’ll get an alert in the bottom right corner of your screen.

    WordPress Toolkit Update Complete

    Managing Automatic Updates

    When the WordPress team announced the move to automatic updates, most of us loved the idea. While I don’t personally ever recommend turning off automatic updates, I can understand why some people like to control updates themselves. Also, core updates such as 4.0 still require manual updating, so performing manual updates is something we all have to do.

    Even though there are a few ways to manage updating, such as editing your wp-config.php, or installing a plugin such as WP Updates Settings, once you have more than a few sites, you really need centralized management to make things easier for you.

    To turn on (or off) Automatic Updates, just toggle on the ‘Automatic Updates’ switch on your WordPress installation.

    Managing Automatic Updates

    I’m a fan of updating early and often, but if you have clients who prefer to take their time, you can at the very least easily check what versions they are running on your systems at a glance.

    Managing Plugins

    Once you have updates under control, plugins are probably one of the greatest areas of concern when supporting lots of WordPress sites.

    Issues such as performance, compatibility, and security are often linked to the choice of plugins. The WordPress Toolkit in Plesk 12 comes with a section to manage plugins. You can access this area under the ‘Websites & Domains’ tab, then select ‘WordPress’ on the right-hand sidebar followed by the ‘Plugins’ tab which will show a global list of plugins that are installed. Here’s what it looks like:

    Plesk WordPress Plugin List

    Within the Plugin section, you can perform a number of actions:

    • Activate/Deactivate
    • Install
    • Delete
    • Update
    • Search

    The ability to search all plugins across your systems is useful if you’ve discovered an incompatibility or a security issue.

    If you want to manage plugins for a particular installation, under the ‘WordPress Installations’ tab select the site and then select ‘Plugins’ in the toolbar:

    Plesk Plugin Management

    Poorly developed or configured plugins are often a cause of performance issues. With the plugin view you can disable a plugin with one click or install a better alternative.

    Another powerful feature is the ability to bulk install plugins. To manage plugins on a single site, click on the site within the ‘Websites & Domains’ tab and then select ‘Manage Plugins’ next to the site you wish to manage. You can then select the plugins that you want active or inactive.

    Bulk Install Plugins

    If you want to manage plugins across multiple sites go to ‘WordPress’ in the right hand sidebar to view the ‘WordPress Installations’ page. Then select the sites you wish to bulk install plugins on, then select ‘Plugin’ in the toolbar.

    Bulk Install Plugins

    As shown above, you might want to install a troubleshooting plugin such as P3 (Plugin Performance Profiler) on all of your sites to help your clients identify common performance problems. You’ll notice that ‘Activate after installation’ is checked, this is optional.

    Managing Themes

    Similar to the plugin management feature, you can see a list of all installed and active themes in the ‘Websites & Domains’ tab either by clicking on ‘WordPress’ on the right-hand sidebar and selecting the WordPress site:

    Plesk Theme Management

    Or by clicking on the ‘Themes’ tab:

    Plesk WordPress Theme Management

    I know many WordPress developers like to remove the default themes, but I like to leave the default themes for troubleshooting and isolating theme and theme/plugin compatibility issues. This is especially important when you have clients who like ‘experimenting’.

    As with the Plugin management section above, the ability to install, activate, and deactivate themes from within Plesk is a huge time-saver.

    Enabling ServerShield by CloudFlare

    ServerShield is the result of a partnership with Parallels and CloudFlare and is a new key feature of Plesk 12.

    People usually associate CloudFlare as ‘just a CDN’ and there’s no doubt it is definitely a world-class CDN, however there’s much more to CloudFlare than that. They also offer a range of security-related features that can further lock down your site.

    To enable ServerShield, select the link in the sidebar as shown below:

    ServerShield Link

    ServerShield offers easy CloudFlare and StopTheHacker integration for your client sites directly within your Plesk interface, enabling both services couldn’t be any easier.

    Plesk ServerShield

    ServerShield has two main components:

    • CloudFlare
    • StopTheHacker


    CloudFlare’s security platform is comprehensive and beyond the scope of this article, but here are a few of the threats CloudFlare helps protect you from:

    • Comment Spam
    • SQL Injection
    • XSS
    • Malicious and Harvesting Bots

    Plesk CloudFlare


    StopTheHacker offers daily monitoring of the reputation of your site on malware and phishing blacklists such as Google’s Safe Browsing list. It also offers suggestions on how you fix this if you ever find yourself on the list. Enabling StopTheHacker monitoring for yours or your clients sites is one click away in Core Security, as seen in the screenshot below:

    Plesk StopTheHacker


    ModSecurity is a powerful web application firewall and included in all editions of Plesk 12.

    Plesk gives you an easy interface to manage ModSecurity’s behaviour. All editions of Plesk 12 include premium ModSecurity rules from AtomiCorp. This means they’ll be updated regularly by a reputable ModSecurity rules provider to protect you from a variety of the latest threats.

    As well as AtomiCorp, Plesk’s ModSecurity also ships with the OWASP Core Rule Set (CRS) and the Comodo ModSecurity Rule Set. The OWASP rules are known to be quite restrictive and may cause issues for WordPress, so Parallels recommend using the rules from Atomic or Comodo in this case.

    Plesk ModSecurity

    There are also a few nice touches to the ModSecurity interface, like the ability to switch off rules by the ID, CVE, or regular expression. This is very useful if you’re trying to isolate a problem, as some ModSecurity rules can cause false positives.

    If you’re looking at hardening your site, ModSecurity is something you’ll want to make sure you’re using (and leaving turned on) so it’s worth spending some time to get to know it.


    Fail2Ban is a popular application that looks for any suspicious activity in your log files for various services and blocks (or ‘jails’) the IP addresses associated with that activity. This is useful for automatically blocking brute force attacks originating from an IP address or network. The Fail2Ban application can also automate changing firewall rules and send email alerts.


    To configure Fail2Ban, go to ‘Tools & Settings > IP Address Banning (Fail2Ban) (in the Security group)’ and select the ‘Enable intrusion detection checkbox’. You can then configure the ban time length, interval between attacks as well as the number of failures before an IP address is banned.

    You can also whitelist trusted IP addresses by going to ‘Tools & Settings > IP Address Banning (Fail2Ban) > Trusted IP Addresses > Add Trusted IP’. This is useful so you don’t accidentally end up blocked, or if you want to perform your own security checks on your systems.

    Outbound Antispam

    The problem of blacklisted IP addresses is something that has plagued even some of the biggest players and is a serious problem when you’re running lots of sites on a single or small range of IP addresses. With Outbound Antispam, you can protect your IP reputation by limiting your outgoing mail. This is an important feature that protects your users from getting their IP address blacklisted.

    Plesk Outbound Antispam

    Selecting the Right Edition

    Plesk comes in four flavors, catering for those hosting a few sites all the way up to professional hosting providers. The editions available are:

    • Web ADMIN Edition
    • Web APP Edition
    • Web PRO Edition
    • Web HOST Edition

    All of the editions of Plesk 12 includes the WordPress Toolkit. It comes standard in the Web PRO and Web HOST editions and as an optional extra with Web ADMIN and Web APP edition.

    Parallels has put together a handy comparison chart of the various Plesk editions to help you select the right version.


    With WordPress continuing to grow in popularity and with the volume of sites we deploy continuing to grow, any features that help us automate and streamline the management of all our sites is critical.

    There’s a lot more to Plesk than what I’ve highlighted in this article, I’ve only covered the WordPress specific goodies. Plesk 12 is taking the lead by including professional WordPress management features, they’re the best I’ve seen in any hosting control panel.

    Check out the Plesk 12 demo for yourself here. Or if you’re already using it, I’d love to hear your thoughts in the comments below.