
Parallels Plesk 12: Harden Up and Supercharge Your WordPress Site

By Chris Burgess

This article was sponsored by Parallels. Thank you for supporting the sponsors who make SitePoint possible!

Web management tools aren’t new. They’ve been around for many years, and they all support one-click installs for common web applications. However, for the most part all this does is install the application, after which you’re on your own: you have no visibility to manage these applications once they’ve been installed.

If you then throw in the fact that users love to install themes and plugins, the management becomes even more fun. The solution to this usually involves third-party services to centrally manage our WordPress sites. Wouldn’t it be nice if these management features were built into our hosting control panel? Well, with the latest version of Plesk, this is now possible.

Parallels Plesk is one of the leading hosting control panel and automation platforms on the market. If you’ve used a few hosting providers, chances are you’ve used Plesk.

In this article I’ll walk you through how to use Plesk 12 with a focus on the features that are most relevant to WordPress professionals, mainly the WordPress Toolkit. I will also touch on some of the other areas that those who manage multiple WordPress sites will be interested in.

First Impressions of the WordPress Toolkit in Plesk 12

When I first logged in, it was immediately obvious that the latest version of Plesk is seriously catering to WordPress developers and administrators.

While other web applications are supported, the WordPress-specific features are impressive. Plesk 12 has introduced what they call the ‘WordPress Toolkit’, and it brings professional WordPress management features to a mainstream web hosting control panel. This includes the ability to detect manual installations, create new installations (with control over various configuration options), perform bulk updates, and manage plugins/themes.

In addition to the WordPress management features, if you want to jump into a specific WordPress dashboard, there’s usually a direct link available in most places within the Plesk interface. That said, you can easily perform routine tasks without leaving Plesk.

Overview of features:

  • Security
  • Update Management
  • Plugin Management
  • Theme Management
  • ServerShield by CloudFlare
  • ModSecurity
  • Fail2ban
  • Outbound Antispam
  • Range of Editions

Installing WordPress Using the WordPress Toolkit

Installing WordPress is easy and using the WordPress Toolkit is even easier.

To install WordPress, log into Plesk and go to the ‘Applications’ page. On this page you have two options for installing WordPress via the drop-down box in the top right. The first option is ‘Install’ and that will run a default WordPress install.

Installing WordPress

The second option is ‘Install (Custom)’. This option will provide you with more control over the common configuration options.

Install WordPress with Custom Options

With this option you will be able to select the installation path, update settings and admin access.

Custom Options Part 1

Further down the screen, you’ll find your standard WordPress configuration options such as your site name, administrator email address, language, and database details.

Custom Options Part 2

When your installation is complete, you’ll see the message shown below:

Installing WordPress on Plesk 12 Complete

Security

Plesk 12 also includes best-of-breed security controls, with both WordPress-focused options and traditional web security tools.

Check Security

This feature will allow you to perform a security check to make sure WordPress has been configured correctly and general security measures are in place. Users would usually install plugins to achieve the same results, but now this is available natively within Plesk.

How to Use the ‘Check Security’ Feature

There are two ways to access this feature. The first appears when you log in to Plesk. Under ‘Websites & Domains’ you’ll find a button labelled ‘Security Scan’ listed next to the WordPress installation name.

The second way to access this feature is by clicking on the WordPress installation name and selecting ‘Check Security’ under the ‘Tools’ menu on the right-hand sidebar.

The Security Scan Option in Plesk

The Check Security Option in Plesk

Selecting either ‘Security Scan’ or ‘Check Security’ will display the screen shown below. The first time you run this on a new site, you will see a few alerts letting you know that there are measures that can be taken to harden your installation. Make sure these options are selected and then click on ‘Secure’:

WordPress Toolkit Security Check Before

Now, if you re-run this scan or check, it will look like this:

WordPress Toolkit Security Check Before

You will notice that some permissions give you the option to ‘Roll Back’, which I can see turning into a real time-saver when troubleshooting.

By following the basic steps above, you have significantly hardened your WordPress site. Too often I see security plugins promoted as the silver bullet for security; however, following the basic best practices covered in ‘Security Check’ offers far more protection from both known and unknown threats. It also removes the need for yet another plugin.

Detecting WordPress Installations

The WordPress Toolkit also includes a ‘Scan’ feature that you can use to detect WordPress sites running version 3.4 and above. This allows you to attach an installation to your WordPress Toolkit sites.

It’s worth noting that Plesk only knows about installations created through the WordPress Toolkit using Plesk’s application installer (based on Application Packaging Standard technology) or those that have been detected during a scan. It’s recommended you periodically scan your client sites for WordPress installations so they can be managed within the WordPress Toolkit.

Security Scan or Security Check

Changing Your Administrator Username

We should all know not to use the default ‘admin’ as the administrator account. However, if you’re inheriting someone else’s sites, there may be an occasion when you’re dealing with the dreaded ‘admin’ username. Or you might just want to change the administrator username.

There are a lot of ways to change your administrator username. Most users will use a plugin to do this, or create a new user to be the administrator and then delete the old ‘admin’ account.

With the WordPress Toolkit, this is easily managed: simply click on ‘Manage’ as shown below:

WordPress Toolkit Changing Admin Username Link

This will take you to a page where you can then specify your new administrator username.

WordPress Toolkit Changing Admin Username

Security Core

Security is a central theme of much of the Plesk platform. With Version 12, several powerful tools have been bundled into ‘Security Core’. Here are a few of the available tools for those who want to take extra steps to harden their sites (which should be everyone!):

  • ModSecurity
  • Fail2Ban
  • Outbound Antispam
  • ServerShield by CloudFlare

We will cover these tools in more detail below.

Update Management

Keeping any web application updated is critical. With WordPress running on 47.38% of identifiable CMSs on the Internet, it’s a popular target for attackers. A key component of WordPress Toolkit is the ability to manage all of your WordPress core updates in one place.

How To Update Multiple Sites

Under the ‘Websites & Domains’ tab select ‘WordPress’ on the right-hand sidebar. This will then display a list of all your WordPress sites. To run either a single or bulk update, select the sites you wish to update and click on the ‘Update’ button; it couldn’t get any easier. During my testing, updating WordPress worked flawlessly.

WordPress Toolkit Updates

Once the updates have been installed and the process is complete, you’ll get an alert in the bottom right corner of your screen.

WordPress Toolkit Update Complete

Managing Automatic Updates

When the WordPress team announced the move to automatic updates, most of us loved the idea. While I don’t personally ever recommend turning off automatic updates, I can understand why some people like to control updates themselves. Also, core updates such as 4.0 still require manual updating, so performing manual updates is something we all have to do.

Even though there are a few ways to manage updating, such as editing your wp-config.php, or installing a plugin such as WP Updates Settings, once you have more than a few sites, you really need centralized management to make things easier for you.

To turn on (or off) Automatic Updates, just toggle on the ‘Automatic Updates’ switch on your WordPress installation.

Managing Automatic Updates

I’m a fan of updating early and often, but if you have clients who prefer to take their time, you can at the very least easily check what versions they are running on your systems at a glance.

Managing Plugins

Once you have updates under control, plugins are probably one of the greatest areas of concern when supporting lots of WordPress sites.

Issues such as performance, compatibility, and security are often linked to the choice of plugins. The WordPress Toolkit in Plesk 12 comes with a section to manage plugins. You can access this area under the ‘Websites & Domains’ tab: select ‘WordPress’ on the right-hand sidebar, followed by the ‘Plugins’ tab, which shows a global list of the plugins that are installed. Here’s what it looks like:

Plesk WordPress Plugin List

Within the Plugin section, you can perform a number of actions:

  • Activate/Deactivate
  • Install
  • Delete
  • Update
  • Search

The ability to search all plugins across your systems is useful if you’ve discovered an incompatibility or a security issue.

If you want to manage plugins for a particular installation, under the ‘WordPress Installations’ tab select the site and then select ‘Plugins’ in the toolbar:

Plesk Plugin Management

Poorly developed or configured plugins are often a cause of performance issues. With the plugin view you can disable a plugin with one click or install a better alternative.

Another powerful feature is the ability to bulk install plugins. To manage plugins on a single site, click on the site within the ‘Websites & Domains’ tab and then select ‘Manage Plugins’ next to the site you wish to manage. You can then select the plugins that you want active or inactive.

Bulk Install Plugins

If you want to manage plugins across multiple sites, go to ‘WordPress’ in the right-hand sidebar to view the ‘WordPress Installations’ page. Select the sites you wish to bulk install plugins on, then select ‘Plugin’ in the toolbar.

Bulk Install Plugins

As shown above, you might want to install a troubleshooting plugin such as P3 (Plugin Performance Profiler) on all of your sites to help your clients identify common performance problems. You’ll notice that ‘Activate after installation’ is checked; this is optional.

Managing Themes

Similar to the plugin management feature, you can see a list of all installed and active themes in the ‘Websites & Domains’ tab either by clicking on ‘WordPress’ on the right-hand sidebar and selecting the WordPress site:

Plesk Theme Management

Or by clicking on the ‘Themes’ tab:

Plesk WordPress Theme Management

I know many WordPress developers like to remove the default themes, but I like to leave the default themes for troubleshooting and isolating theme and theme/plugin compatibility issues. This is especially important when you have clients who like ‘experimenting’.

As with the Plugin management section above, the ability to install, activate, and deactivate themes from within Plesk is a huge time-saver.

Enabling ServerShield by CloudFlare

ServerShield is the result of a partnership with Parallels and CloudFlare and is a new key feature of Plesk 12.

People usually think of CloudFlare as ‘just a CDN’, and there’s no doubt it is a world-class CDN; however, there’s much more to CloudFlare than that. They also offer a range of security-related features that can further lock down your site.

To enable ServerShield, select the link in the sidebar as shown below:

ServerShield Link

ServerShield offers easy CloudFlare and StopTheHacker integration for your client sites directly within your Plesk interface; enabling both services couldn’t be any easier.

Plesk ServerShield

ServerShield has two main components:

  • CloudFlare
  • StopTheHacker

CloudFlare

CloudFlare’s security platform is comprehensive and beyond the scope of this article, but here are a few of the threats CloudFlare helps protect you from:

  • Comment Spam
  • SQL Injection
  • XSS
  • Malicious and Harvesting Bots

Plesk CloudFlare

StopTheHacker

StopTheHacker offers daily monitoring of your site’s reputation on malware and phishing blacklists such as Google’s Safe Browsing list. It also offers suggestions on how to fix this if you ever find yourself on the list. Enabling StopTheHacker monitoring for your or your clients’ sites is one click away in Security Core, as seen in the screenshot below:

Plesk StopTheHacker

ModSecurity

ModSecurity is a powerful web application firewall and is included in all editions of Plesk 12.

Plesk gives you an easy interface to manage ModSecurity’s behaviour. All editions of Plesk 12 include premium ModSecurity rules from AtomiCorp. This means they’ll be updated regularly by a reputable ModSecurity rules provider to protect you from a variety of the latest threats.

As well as AtomiCorp, Plesk’s ModSecurity also ships with the OWASP Core Rule Set (CRS) and the Comodo ModSecurity Rule Set. The OWASP rules are known to be quite restrictive and may cause issues for WordPress, so Parallels recommend using the rules from Atomic or Comodo in this case.

Plesk ModSecurity

There are also a few nice touches to the ModSecurity interface, like the ability to switch off rules by the ID, CVE, or regular expression. This is very useful if you’re trying to isolate a problem, as some ModSecurity rules can cause false positives.

If you’re looking at hardening your site, ModSecurity is something you’ll want to make sure you’re using (and leaving turned on) so it’s worth spending some time to get to know it.

Fail2Ban

Fail2Ban is a popular application that looks for any suspicious activity in your log files for various services and blocks (or ‘jails’) the IP addresses associated with that activity. This is useful for automatically blocking brute force attacks originating from an IP address or network. The Fail2Ban application can also automate changing firewall rules and send email alerts.

Fail2Ban

To configure Fail2Ban, go to ‘Tools & Settings > IP Address Banning (Fail2Ban)’ (in the Security group) and select the ‘Enable intrusion detection’ checkbox. You can then configure the ban time length, the interval between attacks, and the number of failures before an IP address is banned.

You can also whitelist trusted IP addresses by going to ‘Tools & Settings > IP Address Banning (Fail2Ban) > Trusted IP Addresses > Add Trusted IP’. This is useful so you don’t accidentally end up blocked, or if you want to perform your own security checks on your systems.
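The ban logic described above, as an added example that is not Plesk’s or Fail2Ban’s own code: a sliding-window counter over constructed Apache access log lines, driven by the same three settings the Plesk dialog exposes (number of failures, interval between attacks, ban time) plus a trusted-IP list. It assumes the WordPress convention that a failed login POST to wp-login.php is answered with 200 while a successful one redirects with 302.

```python
"""Sliding-window IP banning of the kind Fail2Ban performs, driven by the three
settings in the Plesk dialog (failures, interval, ban time) plus trusted IPs.
Added example with constructed log lines; not Plesk or Fail2Ban code."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Apache-style access log. A failed WordPress login is a POST to
# wp-login.php answered with 200 (form re-rendered); a successful one is a 302.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Sep/2014:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3000
203.0.113.7 - - [10/Sep/2014:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3000
203.0.113.7 - - [10/Sep/2014:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3000
203.0.113.7 - - [10/Sep/2014:10:00:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3000
203.0.113.7 - - [10/Sep/2014:10:00:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3000
198.51.100.2 - - [10/Sep/2014:10:00:21 +0000] "POST /wp-login.php HTTP/1.1" 200 3000
198.51.100.2 - - [10/Sep/2014:10:00:22 +0000] "POST /wp-login.php HTTP/1.1" 200 3000
198.51.100.2 - - [10/Sep/2014:10:00:23 +0000] "POST /wp-login.php HTTP/1.1" 200 3000
198.51.100.2 - - [10/Sep/2014:10:00:24 +0000] "POST /wp-login.php HTTP/1.1" 200 3000
198.51.100.2 - - [10/Sep/2014:10:00:25 +0000] "POST /wp-login.php HTTP/1.1" 200 3000
192.0.2.9 - - [10/Sep/2014:10:00:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "POST /wp-login\.php[^"]*" (?P<status>\d{3})')


def find_bans(log_text, maxretry=5, findtime=600, bantime=3600, trusted=()):
    """Return {ip: ban_expiry} for every IP that fails maxretry times within
    findtime seconds; trusted IPs are never counted (the whitelist)."""
    window = timedelta(seconds=findtime)
    failures = defaultdict(deque)  # ip -> timestamps of recent failed logins
    bans = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("status") != "200":
            continue  # not a login attempt, or a successful (302) login
        ip = m.group("ip")
        if ip in trusted or ip in bans:
            continue  # whitelisted, or already banned
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        recent = failures[ip]
        recent.append(ts)
        while ts - recent[0] > window:
            recent.popleft()  # forget failures older than the interval
        if len(recent) >= maxretry:
            bans[ip] = ts + timedelta(seconds=bantime)
    return bans


if __name__ == "__main__":
    for ip, until in find_bans(SAMPLE_LOG, trusted=("198.51.100.2",)).items():
        print(f"ban {ip} until {until.isoformat()}")
```

Shrinking the interval (findtime) to 10 seconds spares 203.0.113.7, whose five failures are spread over 19 seconds, while 198.51.100.2 is still banned; that is the trade-off the ‘interval between attacks’ setting controls.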

Outbound Antispam

The problem of blacklisted IP addresses is something that has plagued even some of the biggest players and is a serious problem when you’re running lots of sites on a single or small range of IP addresses. With Outbound Antispam, you can protect your IP reputation by limiting your outgoing mail. This is an important feature that protects your users from getting their IP address blacklisted.

Plesk Outbound Antispam

Selecting the Right Edition

Plesk comes in four flavors, catering for those hosting a few sites all the way up to professional hosting providers. The editions available are:

  • Web ADMIN Edition
  • Web APP Edition
  • Web PRO Edition
  • Web HOST Edition

All editions of Plesk 12 include the WordPress Toolkit: it comes standard in the Web PRO and Web HOST editions and as an optional extra with the Web ADMIN and Web APP editions.

Parallels has put together a handy comparison chart of the various Plesk editions to help you select the right version.

Summary

With WordPress continuing to grow in popularity, and with the volume of sites we deploy continuing to grow, any features that help us automate and streamline the management of all our sites are critical.

There’s a lot more to Plesk than what I’ve highlighted in this article; I’ve only covered the WordPress-specific goodies. Plesk 12 is taking the lead by including professional WordPress management features; they’re the best I’ve seen in any hosting control panel.

Check out the Plesk 12 demo for yourself here. Or if you’re already using it, I’d love to hear your thoughts in the comments below.

  • Anthony

    Do they still store passwords in plain text in the database?

    • Michael Fountain

      Hi Anthony – Only if you haven’t upgraded since 2011. :) That was an issue in an early release Plesk 10 many years ago. It was well documented and patched back then. It was a focal turning point for all future versions and as you can see with the enhanced Security Core in Plesk 12, our Engineering team has dedicated a lot of time and resources to making sure the latest release is the most secure release to date. Happy to help connect you with our security team if you would like to dig deeper. :)

      • Anthony

OK. I was using it (not through choice) with two different hosts in the UK, with two different versions, approximately 2 years ago (including one brand new install at the time). All servers (we had numerous with each host) had a database with clear text passwords. I’ve avoided Plesk like the plague ever since.

        • Michael Fountain

          Yes, that would have scared me as well. A lot has changed since then. :)

  • http://petermeadit.com/ Peter Mead

    I guess a lot has changed with Plesk. I have used it for several clients over the years. I have always preferred cPanel, simply because of the way it is organised and easy to manage. That being said for a VPS and the like, I do hear a customized Plesk is the way to go.

    • Michael Fountain

      Exactly what we were thinking too with Plesk 12. :)

      • http://petermeadit.com/ Peter Mead

        Yeah I used to use Plesk a lot, maybe time to fire it up again…

  • terminal27

Do you know why the admin username has been changed to root (I am no longer able to log in as Admin) and how to revert that?

  • James

    Has anybody found a way to bulk update non-repository wordpress plugins via the Plesk Manager? Backup tools like Backupbuddy would be really handy to bulk update these!

  • http://www.findalondonoffice.co.uk Ben Neale

I upgraded to Plesk 12 a few months ago. My sites are exclusively WordPress, so the WP Toolkit was of interest to me. Unfortunately I have renamed the wp-content folder on all installations for security reasons, so the Toolkit doesn’t recognise them. Is there any way to alter this – so that it will scan for my custom directory name?
