Parallels Plesk 12: Harden Up and Supercharge Your WordPress Site
This article was sponsored by Parallels. Thank you for supporting the sponsors who make SitePoint possible!
Web management tools aren’t new; they’ve been around for many years, and they all support one-click installs for common web applications. However, for the most part, all this does is install the application, and then you’re on your own. You don’t have the visibility needed to manage these applications once they’ve been installed.
If you then throw in the fact that users love to install themes and plugins, the management becomes even more fun. The solution to this usually involves third-party services to centrally manage our WordPress sites. Wouldn’t it be nice if these management features were built into our hosting control panel? Well, with the latest version of Plesk, this is now possible.
Parallels Plesk is one of the leading hosting control panel and automation platforms on the market. If you’ve used a few hosting providers, chances are you’ve used Plesk.
In this article I’ll walk you through how to use Plesk 12 with a focus on the features that are most relevant to WordPress professionals, mainly the WordPress Toolkit. I will also touch on some of the other areas that those who manage multiple WordPress sites will be interested in.
First Impressions of the WordPress Toolkit in Plesk 12
When I first logged in, it was immediately obvious that the latest version of Plesk is seriously catering to WordPress developers and administrators.
While other web applications are supported, the WordPress-specific features are impressive. Plesk 12 has introduced what they call the ‘WordPress Toolkit’ and it brings professional WordPress management features to a mainstream web hosting control panel. This includes the ability to detect manual installations, create new installations (with control over various configuration options), perform bulk updates, and manage plugins/themes.
In addition to the WordPress management features, if you want to jump into a specific WordPress dashboard, there’s usually a direct link available in most places within the Plesk interface. That said, you can easily perform routine tasks without leaving Plesk.
Overview of features:
- Update Management
- Plugin Management
- Theme Management
- ServerShield by CloudFlare
- Outbound Antispam
- Range of Editions
Installing WordPress Using the WordPress Toolkit
Installing WordPress is easy and using the WordPress Toolkit is even easier.
To install WordPress, log into Plesk and go to the ‘Applications’ page. On this page you have two options for installing WordPress via the drop-down box in the top right. The first option is ‘Install’ and that will run a default WordPress install.
The second option is ‘Install (Custom)’. This option will provide you with more control over the common configuration options.
With this option you will be able to select the installation path, update settings and admin access.
Further down the screen, you’ll find your standard WordPress configuration options such as your site name, administrator email address, language, and database details.
When your installation is complete, you’ll see the message shown below:
Plesk 12 also includes best-of-breed security controls, with both WordPress-focused options and traditional web security tools.
This feature will allow you to perform a security check to make sure WordPress has been configured correctly and general security measures are in place. Users would usually install plugins to achieve the same results, but now this is available natively within Plesk.
How to Use the ‘Check Security’ Feature
There are two ways to access this feature. The first appears when you login to Plesk. Under ‘Websites & Domains’ you’ll find a button labelled ‘Security Scan’ listed next to the WordPress installation name.
The second way to access this feature is by clicking on the WordPress installation name and selecting ‘Check Security’ under the ‘Tools’ menu on the right-hand sidebar.
Selecting either ‘Security Scan’ or ‘Check Security’ will display the screen shown below. The first time you run this on a new site, you will see a few alerts letting you know that there are measures that can be taken to harden your installation. Make sure these options are selected and then click on ‘Secure’:
Now, if you re-run this scan or check, it will look like this:
You will notice that some permissions give you the option to ‘Roll Back’, which I can see turning into a real time-saver when troubleshooting.
By following these basic steps above, you have significantly hardened your WordPress site. Too often I see security plugins being promoted as the silver bullet when it comes to security; however, following the basic best practices covered in ‘Security Check’ will offer way more protection from both known and unknown threats. It also removes the need for yet another plugin.
Detecting WordPress Installations
The WordPress Toolkit also includes a ‘Scan’ feature that you can use to detect WordPress sites running version 3.4 and above. This allows you to attach an installation to your WordPress Toolkit sites.
It’s worth noting that Plesk only knows about installations created through the WordPress Toolkit using Plesk’s application installer (based on Application Packaging Standard technology) or those that have been detected during a scan. It’s recommended you periodically scan your client sites for WordPress installations so they can be managed within the WordPress Toolkit.
Changing Your Administrator Username
We should all know not to use the default ‘admin’ as the administrator account. However, if we’re inheriting someone else’s sites, there may be an occasion when you’re dealing with the dreaded ‘admin’ username. Or you might just want to change the administrator username.
There are a lot of ways to change your administrator username. Most users will use a plugin to do this, or create a new user to be the administrator and then delete the old ‘admin’ account.
With the WordPress Toolkit, this is easily managed. Simply click on ‘Manage’ as shown below:
This will take you to a page where you can then specify your new administrator username.
Security is a central theme to much of the Plesk platform. With Version 12, there are several powerful tools that have been bundled into ‘Security Core’. Here are a few of the available tools for those who want to take extra steps to harden their sites (which should be everyone!):
- Outbound Antispam
- ServerShield by CloudFlare
We will cover these tools in more detail below.
Keeping any web application updated is critical. With WordPress running on 47.38% of identifiable CMSs on the Internet, it’s a popular target for attackers. A key component of WordPress Toolkit is the ability to manage all of your WordPress core updates in one place.
How To Update Multiple Sites
Under the ‘Websites & Domains’ tab select ‘WordPress’ on the right-hand sidebar. This will then display a list of all your WordPress sites. To run either a single or bulk update, select the sites you wish to update and click on the ‘Update’ button. It couldn’t get any easier. During my testing, updating WordPress worked flawlessly.
Once the updates have been installed and the process is complete, you’ll get an alert in the bottom right corner of your screen.
Managing Automatic Updates
When the WordPress team announced the move to automatic updates, most of us loved the idea. While I don’t personally ever recommend turning off automatic updates, I can understand why some people like to control updates themselves. Also, core updates such as 4.0 still require manual updating, so performing manual updates is something we all have to do.
Even though there are a few ways to manage updating, such as editing your wp-config.php or installing a plugin such as WP Updates Settings, once you have more than a few sites, you really need centralized management to make things easier for you.
To turn on (or off) Automatic Updates, just toggle on the ‘Automatic Updates’ switch on your WordPress installation.
I’m a fan of updating early and often, but if you have clients who prefer to take their time, you can at the very least easily check what versions they are running on your systems at a glance.
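One way to get an at-a-glance view of the update policy itself, as an added example rather than anything from Plesk or the article: it reads the `WP_AUTO_UPDATE_CORE` and `AUTOMATIC_UPDATER_DISABLED` constants that WordPress honours in `wp-config.php`. The site names and file contents are constructed, the function names are hypothetical, and update filters set by plugins are not considered.

```python
import re

# Matches an uncommented define() of either constant; true/false in any letter case.
DEFINE_RE = re.compile(
    r"""^[ \t]*define\(\s*['"](WP_AUTO_UPDATE_CORE|AUTOMATIC_UPDATER_DISABLED)['"]\s*,
        \s*((?i:true|false)|['"]\w+['"])\s*\)\s*;""",
    re.MULTILINE | re.VERBOSE,
)

# Constructed wp-config.php fragments for three hypothetical sites.
SITES = {
    "shop.example": "<?php\ndefine( 'WP_AUTO_UPDATE_CORE', false );\n",
    "blog.example": "<?php\n// define('WP_AUTO_UPDATE_CORE', false);\ndefine('DB_NAME', 'wp');\n",
    "news.example": "<?php\n/* define('AUTOMATIC_UPDATER_DISABLED', true); */\n"
                    "define(\"WP_AUTO_UPDATE_CORE\", TRUE);\n",
}

def core_update_policy(wp_config_text):
    """Classify automatic core updates as 'all', 'minor', 'disabled' or 'unknown'."""
    # Drop /* ... */ blocks so commented-out defines are not counted.
    text = re.sub(r"/\*.*?\*/", "", wp_config_text, flags=re.DOTALL)
    consts = {}
    for name, raw in DEFINE_RE.findall(text):
        # Keep booleans and quoted strings apart: WordPress compares strictly.
        value = raw.lower() if raw[0] not in "'\"" else "str:" + raw[1:-1]
        # PHP keeps the first definition of a constant; later ones are ignored.
        consts.setdefault(name, value)
    disabled = consts.get("AUTOMATIC_UPDATER_DISABLED", "false")
    if disabled != "false":
        return "disabled" if disabled == "true" else "unknown"
    # With the constant undefined, WordPress applies minor core updates only.
    value = consts.get("WP_AUTO_UPDATE_CORE", "str:minor")
    return {"true": "all", "false": "disabled", "str:minor": "minor"}.get(value, "unknown")

def audit(sites):
    """Map each site name to its automatic core update policy."""
    return {site: core_update_policy(cfg) for site, cfg in sites.items()}

if __name__ == "__main__":
    for site, policy in audit(SITES).items():
        print(f"{site}: {policy}")
```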
Once you have updates under control, plugins are probably one of the greatest areas of concern when supporting lots of WordPress sites.
Issues such as performance, compatibility, and security are often linked to the choice of plugins. The WordPress Toolkit in Plesk 12 comes with a section to manage plugins. You can access this area under the ‘Websites & Domains’ tab, then select ‘WordPress’ on the right-hand sidebar followed by the ‘Plugins’ tab which will show a global list of plugins that are installed. Here’s what it looks like:
Within the Plugin section, you can perform a number of actions:
The ability to search all plugins across your systems is useful if you’ve discovered an incompatibility or a security issue.
If you want to manage plugins for a particular installation, under the ‘WordPress Installations’ tab select the site and then select ‘Plugins’ in the toolbar:
Poorly developed or configured plugins are often a cause of performance issues. With the plugin view you can disable a plugin with one click or install a better alternative.
Another powerful feature is the ability to bulk install plugins. To manage plugins on a single site, click on the site within the ‘Websites & Domains’ tab and then select ‘Manage Plugins’ next to the site you wish to manage. You can then select the plugins that you want active or inactive.
If you want to manage plugins across multiple sites go to ‘WordPress’ in the right hand sidebar to view the ‘WordPress Installations’ page. Then select the sites you wish to bulk install plugins on, then select ‘Plugin’ in the toolbar.
As shown above, you might want to install a troubleshooting plugin such as P3 (Plugin Performance Profiler) on all of your sites to help your clients identify common performance problems. You’ll notice that ‘Activate after installation’ is checked; this is optional.
Similar to the plugin management feature, you can see a list of all installed and active themes in the ‘Websites & Domains’ tab either by clicking on ‘WordPress’ on the right-hand sidebar and selecting the WordPress site:
Or by clicking on the ‘Themes’ tab:
I know many WordPress developers like to remove the default themes, but I like to leave the default themes for troubleshooting and isolating theme and theme/plugin compatibility issues. This is especially important when you have clients who like ‘experimenting’.
As with the Plugin management section above, the ability to install, activate, and deactivate themes from within Plesk is a huge time-saver.
Enabling ServerShield by CloudFlare
ServerShield is the result of a partnership with Parallels and CloudFlare and is a new key feature of Plesk 12.
People usually think of CloudFlare as ‘just a CDN’, and there’s no doubt it is a world-class CDN. However, there’s much more to CloudFlare than that. They also offer a range of security-related features that can further lock down your site.
To enable ServerShield, select the link in the sidebar as shown below:
ServerShield offers easy CloudFlare and StopTheHacker integration for your client sites directly within your Plesk interface; enabling both services couldn’t be any easier.
ServerShield has two main components:
CloudFlare’s security platform is comprehensive and beyond the scope of this article, but here are a few of the threats CloudFlare helps protect you from:
- Comment Spam
- SQL Injection
- Malicious and Harvesting Bots
StopTheHacker offers daily monitoring of the reputation of your site on malware and phishing blacklists such as Google’s Safe Browsing list. It also offers suggestions on how to fix this if you ever find yourself on the list. Enabling StopTheHacker monitoring for your own or your clients’ sites is one click away in Core Security, as seen in the screenshot below:
ModSecurity is a powerful web application firewall and is included in all editions of Plesk 12.
Plesk gives you an easy interface to manage ModSecurity’s behaviour. All editions of Plesk 12 include premium ModSecurity rules from AtomiCorp. This means they’ll be updated regularly by a reputable ModSecurity rules provider to protect you from a variety of the latest threats.
As well as AtomiCorp, Plesk’s ModSecurity also ships with the OWASP Core Rule Set (CRS) and the Comodo ModSecurity Rule Set. The OWASP rules are known to be quite restrictive and may cause issues for WordPress, so Parallels recommend using the rules from Atomic or Comodo in this case.
There are also a few nice touches to the ModSecurity interface, like the ability to switch off rules by the ID, CVE, or regular expression. This is very useful if you’re trying to isolate a problem, as some ModSecurity rules can cause false positives.
If you’re looking at hardening your site, ModSecurity is something you’ll want to make sure you’re using (and leaving turned on) so it’s worth spending some time to get to know it.
Fail2Ban is a popular application that looks for any suspicious activity in your log files for various services and blocks (or ‘jails’) the IP addresses associated with that activity. This is useful for automatically blocking brute force attacks originating from an IP address or network. The Fail2Ban application can also automate changing firewall rules and send email alerts.
To configure Fail2Ban, go to ‘Tools & Settings > IP Address Banning (Fail2Ban)’ (in the Security group) and select the ‘Enable intrusion detection’ checkbox. You can then configure the ban time length, the interval between attacks, and the number of failures before an IP address is banned.
You can also whitelist trusted IP addresses by going to ‘Tools & Settings > IP Address Banning (Fail2Ban) > Trusted IP Addresses > Add Trusted IP’. This is useful so you don’t accidentally end up blocked, or if you want to perform your own security checks on your systems.
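The three settings above correspond to Fail2Ban’s `bantime`, `findtime` and `maxretry` jail options, and the trusted list to `ignoreip`. The following added example (not Plesk’s or Fail2Ban’s own code) replays that logic over constructed access-log lines; treating a `POST` to `wp-login.php` answered with status 200 as a failed login is an assumption of the example, and `simulate_jail` is a hypothetical name.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample access log (documentation IP ranges), not from the article.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Oct/2014:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3021
203.0.113.7 - - [12/Oct/2014:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3021
192.0.2.44 - - [12/Oct/2014:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3021
203.0.113.7 - - [12/Oct/2014:10:00:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3021
203.0.113.7 - - [12/Oct/2014:10:00:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3021
198.51.100.10 - - [12/Oct/2014:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3021
198.51.100.10 - - [12/Oct/2014:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3021
198.51.100.10 - - [12/Oct/2014:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3021
192.0.2.44 - - [12/Oct/2014:10:02:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3021
192.0.2.44 - - [12/Oct/2014:10:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3021
192.0.2.44 - - [12/Oct/2014:10:20:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""

# Assumption: a failed WordPress login is a POST to wp-login.php answered with 200.
FAILED_LOGIN = re.compile(
    r'^([\da-fA-F:.]+) \S+ \S+ \[([^\]]+)\] "POST \S*/wp-login\.php\S* HTTP/[\d.]+" 200 ')

def simulate_jail(log_text, maxretry=3, findtime=600, bantime=600, trusted=()):
    """Return [(ip, ban_start, ban_end)] that this jail would produce for the log."""
    trusted_nets = [ip_network(t) for t in trusted]
    failures = defaultdict(deque)  # ip -> failure times inside the findtime window
    banned_until, bans = {}, []
    for line in log_text.splitlines():
        m = FAILED_LOGIN.match(line)
        if not m:
            continue
        ip = m.group(1)
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        if any(ip_address(ip) in net for net in trusted_nets):
            continue  # trusted addresses are never counted
        if ts < banned_until.get(ip, ts):
            continue  # still banned: the firewall would be dropping this request
        window = failures[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # forget failures older than the interval
        if len(window) >= maxretry:
            banned_until[ip] = ts + timedelta(seconds=bantime)
            bans.append((ip, ts, banned_until[ip]))
            window.clear()
    return bans
```

With 198.51.100.10 trusted, only 203.0.113.7 is banned; 192.0.2.44 escapes because its third failure falls outside the ten-minute interval, which shows how a slow guesser stays under a short `findtime`.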
The problem of blacklisted IP addresses is something that has plagued even some of the biggest players and is a serious problem when you’re running lots of sites on a single or small range of IP addresses. With Outbound Antispam, you can protect your IP reputation by limiting your outgoing mail. This is an important feature that protects your users from getting their IP address blacklisted.
Selecting the Right Edition
Plesk comes in four flavors, catering for those hosting a few sites all the way up to professional hosting providers. The editions available are:
- Web ADMIN Edition
- Web APP Edition
- Web PRO Edition
- Web HOST Edition
All of the editions of Plesk 12 include the WordPress Toolkit. It comes standard in the Web PRO and Web HOST editions and as an optional extra with the Web ADMIN and Web APP editions.
Parallels has put together a handy comparison chart of the various Plesk editions to help you select the right version.
With WordPress continuing to grow in popularity and with the volume of sites we deploy continuing to grow, any features that help us automate and streamline the management of all our sites are critical.
There’s a lot more to Plesk than what I’ve highlighted in this article; I’ve only covered the WordPress-specific goodies. Plesk 12 is taking the lead by including professional WordPress management features; they’re the best I’ve seen in any hosting control panel.
Check out the Plesk 12 demo for yourself here. Or if you’re already using it, I’d love to hear your thoughts in the comments below.