Manage and Sign Documents on your Plesk Server with cloudplan

For secure content collaboration, cloudplan provides the software to build private clouds locally or globally. As a Plesk extension, cloudplan is integrated to allow users to host and share files directly on their server. 

cloudplan has now created a robust workflow and e-signature solution, and you can use your Plesk server as private storage for documents. It focuses on the broader document management life cycle, integrating tools to collaborate on documents as well as build professional workflows for approvals, agreements and signing.

All documents that are stored on your Plesk server are available for search, analysis and further archiving. The software is designed for any size and type of business. 

Let’s take a look at the features of cloudplan:

Workflows

Workflows can be created and associated with an existing document, an individual form that is filled in during a defined process, or a webform for mobile use. You can attach new documents or files or even replace documents or users while running the workflows. Define your process steps with just a few clicks in the cloudplan portal.

eSigning

You can invite as many users as you want to sign documents electronically. The entire process is monitored automatically. Reminders are sent and at the end all users receive a log of every single step. Signing is possible on mobile and workplace devices. PDF, Office documents and web forms can be integrated.

 

Global Search

A powerful search engine is available to you with which you can search millions of your own documents for attributes in a split second. Regardless of which storage instance the files are on, every storage location, like your Plesk server, is included without you having to configure anything. 

 

Workflow Design Without Coding

You can use the intuitive workflow designer to create templates for recurring tasks as well as team-wide sharing. It includes database fields that can be used for workflow automation and as tag sources for the global search.

 

Common Use Cases

Purchasing

Order and approval processes, conclusion of contracts (rental, leasing, service, framework contracts) with electronic signature

Service / sales

Presentations, offers, drafting and processing contracts, tenders, visit reports, on-site documentation, maintenance protocols, repair reports, work slips, acceptance protocols, license agreements

IT

Software contracts, access authorizations and access management, work orders

 

When Can I Use eSigning?

With cloudplan, eSigning can be used out-of-the-box without any further requirements. On Windows, macOS, and Linux, you can immediately access the feature via your web browser, and cloudplan also has a mobile app for Android and iOS. Additional collaboration features and storage options can be used once you’ve installed a local client.

 

Looking for a secure file management platform? Browse the cloudplan options on Plesk here.

 

Best Cloud Software 2021: Plesk Selected in the Top 50

With innovation in web management, cloud services and eCommerce at an all-time high, it’s time to take a look at the global software front-runners. 

Over at G2 – the trusted software aggregator and review platform – users have voted on thousands of SaaS, IaaS and PaaS providers to unveil the best software of 2021.

So what are the results? We are pleased to announce that here at Plesk, we have been awarded a place on G2’s Best Software list for 2021!

Featuring in the category of Best IT Cloud Management for 2021, the Plesk software ranked 46th in the worldwide tally. The Plesk Control Panel for easy cloud management (and more) has proved to be a winning WebOps platform. 

What makes it so great? We focus on supporting agencies, service providers and SMBs to make sure that: 

🚀 You can host in the cloud of your own choice

🚀 Servers take care of themselves like clockwork

🚀 You can charge for managed services but automate the rest 

🚀 Security and performance are built in by default 

And 2021 is just the year to be celebrating the innovative Plesk software, with brand new features aimed at online store builders and hyperscalers being released over the next few months.

You, the user, are our top priority, and your feedback helps us innovate year after year. We look forward to your votes in future, with your continued support and collaboration! So let us know your experience on our G2 profile.

Are you a web admin facing the task of scaling and running one or many websites? Then the G2 community agrees: Plesk is the place to be.




Wordfence vs Sucuri – WordPress Security Plugins Comparison

Sucuri vs Wordfence – which plugin ensures full WordPress security? This is a question that lots of WordPress website owners find themselves pondering. In these days of state-sponsored attacks, organized crime gangs, and bedroom hacktivists, getting watertight cybersecurity for your WordPress website has never been more important. 

New and more sophisticated hacks and exploits happen every single day, around-the-clock, and after the SolarWinds breach came to light it’s apparent that even governments and multinationals are not as safe as they thought.

So for the humble WordPress site owner, it’s important to find the most effective means of keeping malign intruders out. Any weaknesses are almost certain to be exploited by criminals (eventually), so it’s essential that you settle on the most effective security plug-in you can get your hands on to thwart nefarious actors. 

Site owners often wonder about choosing between Wordfence or Sucuri, simply because this pair is among the most well-known and prominent of plugins for comprehensive WordPress website protection, and so it’s difficult for many site owners to differentiate between the different offerings and identify the superior example. 

Sucuri or Wordfence: what do you need to consider?

Sucuri vs Wordfence is a tricky question to answer because both have the capacity to keep your WordPress site safe from data breaches, bot-net infections, and other unwanted security risks. 

Another criterion must be that it’s easy to use, because the less time you waste on activities that don’t contribute to selling your digital wares, the better. You don’t want to waste time becoming a security expert just so that you can run a plug-in that keeps your website safe. If that’s what’s required then it’s probably not worth investing in.

Sucuri vs Wordfence: user-friendliness

You shouldn’t need to know how the internal combustion engine functions just to stop your car from being stolen, so you also shouldn’t need to become an expert in cybersecurity to keep your website safe with Wordfence or Sucuri.

Wordfence

After installation, you’ll need to confirm that you accept the terms and conditions, and then you’ll be asked for the email address where you want your security updates to be sent. 

The setup wizard that follows will walk you through the basics of the application, including where to find notifications and the results of scans.

Wordfence opens your web app firewall in learning mode and performs a scan in the background. This may take a while if you have a large website but it will let you know as soon as it’s finished.

Click the dialogue box when it’s got to the end and you’ll see what the scan discovered along with suggestions for what to do with any positive hits. If you’re lucky, it won’t find any threats, but it still might recommend useful security-related suggestions, like that you update to the newest version of your chosen theme.

The standard way that the firewall runs is as a WordPress plugin, which isn’t the ideal way of doing things in this instance. Wordfence will let you configure it to work under extended mode for enhanced security, but this requires manual configuration. 

Unfortunately, first-time users of the Wordfence UI will probably find it as difficult to understand as we did. It’s true that it doesn’t ask you to do very much in its basic configuration, so that may not be a problem, but beginners wishing to explore the different possibilities it offers may feel that it’s an uphill struggle. 

Sucuri

There’s no such trouble with Sucuri’s GUI. It isn’t cluttered by unnecessary notifications and your scan results will appear in the plug-in panel. It’s also worth mentioning that its website application firewall (WAF) is based in the Cloud and as a remote resource it doesn’t require any horsepower from your own server that would slow it down.

To set up your hosting server behind the firewall you’ll need to give it your API key and configure the DNS settings for your domain name. Once you’ve installed it, you’re done. It’s a case of “set it and forget it” because updates and maintenance are all taken care of. Also, when Sucuri gives you security recommendations you only need to click once to apply them all. 

The UI is certainly a step up from Wordfence’s design, but some options are still buried in the guts of it and will require some digging.

One hurdle that less technical users may find difficult to overcome when they’re configuring a Sucuri firewall is how to update a domain name server with their domain registrar. It may be helpful in this case to ask the registrar for some help.

Sucuri vs Wordfence: Web Application Firewall (WAF) 

It’s possible to run a firewall in one of two ways. You can run it as an application on your own server or use a cloud-based WAF solution. 

WAFs are useful for blocking website threats, and we believe that cloud-based ones are the superior option for reasons of efficiency and reliability. They constantly keep an eye on incoming web traffic, flagging and blocking issues as they appear. In the case of Wordfence vs Sucuri, both have this capability.

Wordfence

Wordfence features a WAF that keeps an eye on malicious web traffic. The fact that it’s application-based, running as a WordPress plugin, is something of a disadvantage because it means that WordPress needs to load before it can detect and respond to malicious activity. 

You’ll need to configure Wordfence’s firewall manually in extended mode so that it can monitor traffic before it has a chance to get to your WordPress installation.

Wordfence’s endpoint firewall only filters bad traffic once it’s reached the hosting server, and once it does, all of its resources will be stretched as it responds to the attack.

Sucuri

Sucuri’s firewall is a remote cloud resource. That means that it can trip up malicious traffic before it gets anywhere near your hosting server. Sucuri also has content delivery network (CDN) servers distributed across various regions, so this should also help to increase the speed of the response.

To use a firewall, you’ll need to change the DNS settings of the domain name. This will route your traffic through Sucuri’s server. 

Sucuri doesn’t have a basic or extended mode. As soon as the installation has finished, Sucuri’s WAF starts protecting your site straightaway.

When you’re choosing between Wordfence or Sucuri you might want to bear in mind that Sucuri uses highly effective machine learning algorithms to cut down on false positives, and its DDoS defences automatically block fake traffic and nefarious bot requests without slowing down bona fide traffic sources.

Security Monitoring and Notifications 

Downtime is money, so a security early warning system is essential for any website owner. To get notifications you’ll need to check that you can pick up emails from your WordPress site using SMTP. Let’s look at how well Sucuri vs Wordfence keeps you informed about attacks.

Wordfence

Wordfence does a decent job of telling you about any problems with illicit intrusions and the like. They show up both in the Control Panel and the Wordfence menu in the WordPress administration sidebar, with different highlights indicating their respective significance. Selecting each one will pull up options for how you deal with them, but you can only see them after logging into the WordPress dashboard.

If you’d like to be alerted about security issues via email, then you can fairly easily do that in the Email Alert Preferences section on the Wordfence options page. You can also explore the alerts further on this page.

Sucuri

It can be very distracting to be constantly interrupted by security alerts, so if you want to tell Sucuri to only bother you with the more serious cases, that’s easily done, and you can also tell the software to send them to your control panel as well. 

Look towards the upper right-hand part of the screen to explore the status of the main WordPress file. This includes the audit log and site status. 

To access the alert management system open the Sucuri security settings page and then the Alerts tab and enter the email address where you want to receive your notifications. 

You can tune the type of event notifications you get and also put a ceiling on their numbers. Your WAF will also send important alerts to your email address. 

Sucuri or Wordfence – Scanning for malware

Both of our contenders feature malware detection. They can also look for files that have been changed and snippets of code that may be up to no good. Out of Wordfence vs Sucuri, which will do the better job here? 

Wordfence

Wordfence’s malware scanner can be tweaked to meet your particular hosting and security needs. Scanning has default limitations to conserve resources.

Wordfence generates your analysis schedule automatically, but you are able to change this. With scanning, you only have access to some options if you’ve opted for advanced versions of the plug-in. Wordfence’s scanner can also check your themes and plug-ins in line with the appropriate repository version. 

Sucuri

Sucuri’s site check API assists the Sucuri scanner in its hunt for unwelcome code. It’s quite clever in that it uses secure browsing APIs to ensure that your WordPress site hasn’t been blacklisted. 

Sucuri has an automated way of checking that your core WordPress files haven’t been tampered with, but you can change any of your settings by clicking on the scanner tab on the security settings page.

The scanner isn’t specific to WordPress, which you’d think would make it less adept at dealing with WordPress security issues but in fact, the result is that it can scan for any kind of intruder. Another aspect in its favour is that it’s relatively lightweight and doesn’t impinge too much on your server resources. 

Cleaning Up Your Website

Getting hacked is no fun, and the cleanup operation that comes after your WordPress site has hosted unwelcome intruders is even less cause for celebration. Trojans and viruses can burrow into files, drop unwanted links, and who knows what else.

Unless you’re an expert you may find it beyond your ability to track down and eliminate every bit of damage that’s been done. Luckily, Wordfence vs Sucuri can do it for you, but which one is going to do the better job?

Wordfence

You’ll need to buy your cleaning solution separately from your Wordfence subscription because it isn’t something that they include in their free or paid packages. Once you’ve signed up though, it’s a fairly straightforward process to get your site analyzed and cleansed of bots and Trojans. Not only that, you’ll also get a comprehensive rundown of what was cleaned and advice on how you can limit the likelihood of this kind of intrusion occurring again in the future.

Sucuri

If you pay for a Sucuri plan then site cleaning will be included. Just open a support ticket and the service will get underway, attending to blacklist removal, remedying SEO spam, cleaning the site, and WAF protection to avoid such occurrences in the future.

Sucuri is pretty good at cleaning up viruses and other dodgy intrusions, spammy code injections, and backdoor access files. 

The team assisting you with the clean-up will use FTP/SSH access login details to get in, and they’ll be careful to back up every file that they interact with to ensure that nothing is damaged or lost.

Sucuri vs Wordfence – Who Is The Winner?

Wordfence vs Sucuri is a matchup between two seasoned and respected security heavyweights, but in our opinion, it’s Sucuri that crosses the finish line in first place. Its use of WAF in the Cloud is a definite plus point. Wordfence is a competent performer, but its server-side scanner and firewall can’t match Sucuri’s for security. 

ModSecurity Comprehensive Guide

What is ModSecurity? It’s a toolkit designed for real-time web application monitoring, logging, and access control. If it sounds complex, don’t worry. Anyone with experience of ModSecurity will attest that it’s a flexible toolkit, with no hard and fast rules telling you how you should use it.

Generally, ModSecurity leaves you free to decide how you take advantage of the features available instead. This flexibility is a core element of ModSecurity’s identity, and complements its open source structure. In fact, you can enjoy complete access to its source code, which empowers you to customize the tool to suit your unique needs.

And that’s crucial for anyone who wants tools to enable them to achieve what they have to with minimal restrictions. Which is probably all of us, right? ModSecurity is a versatile creation ideal for numerous usage scenarios. Let’s look at some of the most important:

Security monitoring and access control for applications

ModSecurity provides you with the ability to access and inspect streams of HTTP traffic, so you can monitor application security in real-time.

ModSecurity’s persistent storage mechanism allows you to keep track of system elements and conduct event correlation over time. You can also implement blocks efficiently, if you need to, thanks to ModSecurity’s full request and response buffering.

Comprehensive logging of HTTP traffic

When logging for security reasons, web servers are generally known to do less than first-timers may expect. Actually, they tend to log little fundamentally — so you may still struggle to get all that you’re looking for even with some adjustments here and there.

But with ModSecurity, you can log whatever you need to (such as raw transaction data for forensics) and you can determine:

  • what transactions will be logged
  • which aspects of transactions will be logged
  • which elements undergo sanitization

Hardening web applications

One of the most impressive ModSecurity uses is attack surface reduction: here, you can streamline HTTP features you’re happy to accept, such as content types, request methods, etc.

ModSecurity will help you to enforce numerous similar reductions, through additional Apache modules (collaboratively or directly). This is all under the umbrella of web application hardening.

A more personal solution

ModSecurity’s immense flexibility comes to the fore when you’re faced with an unexpected problem. This could be a security issue, for example, or something entirely different.

For instance, some users utilize it as an XML web service router by blending its capabilities to parse XML and apply XPath expressions with its proxy-request abilities. That might not occur to some users, which only shows the deep flexibility at ModSecurity’s core.

Basically, it may prove helpful to you in ways you can’t predict until you start to truly explore.

Continuous passive security assessments

Traditionally, security assessment can be viewed as an active event which is scheduled in advance, involving an independent team trying to undertake a fake attack. But a continuous passive security assessment is a variation on real-time monitoring that concentrates on system behavior rather than that of outside parties.

Continuous passive security assessments serve as a form of early warning system, capable of detecting security weaknesses before attackers can take advantage.

ModSecurity’s Core Principles

ModSecurity is based on four main principles:

Passiveness

If you’re concerned about letting tools make decisions for you, particularly when conducting transactions, ModSecurity makes things a little easier for you.

Why? Because it’ll never initiate changes to transaction data without you instructing to do so first.

Of course, it’ll provide you with a wealth of information. But it’ll leave choices up to you, for your complete peace of mind.

Flexibility

As we’ve already mentioned, ModSecurity is remarkably flexible. It’s actually fairly mind-blowing in its flexibility, to be frank.

That’s because it was created by a security expert who wanted to intercept and analyze HTTP traffic for safety purposes, yet realized that everyone had to do things their own way sometimes. Not everything has to work exactly the same for each user.

So, ModSecurity offers such high flexibility by providing a rule language that enables you to achieve what you need to, along with the freedom to apply rules only where necessary.

Quality, not quantity

During the lengthy development and fine-tuning of ModSecurity, the team explored numerous ideas for what it could actually do. They chose not to act on a lot of these, and put them aside for a later time.

They did so because they knew they had fewer resources than they needed  to make those ideas a reality effectively. So, they decided to limit the functionality available to users, but to focus on making the ideas they actually implemented the best they could be.

Predictability

We all know the “perfect” tool doesn’t exist, and possibly never will. But a predictable tool could be the next best thing — and that’s where ModSecurity shines yet again.

When you’re equipped with the crucial facts, you’ll be able to understand ModSecurity’s weakest areas and find workarounds yourself.

However, let’s be clear: certain aspects of ModSecurity can be considered to be beyond the scope of these guiding principles.

For instance, ModSecurity is capable of adjusting the way in which Apache identifies itself to others, keeping the ModSecurity Apache process contained, and implementing an efficient plan to deal with that well-known XSS weakness in Adobe Reader.

It’s fair to say, though, that these features could be seen as a distraction from the core intent behind ModSecurity’s creation: to serve as a predictable tool for inspecting HTTP traffic efficiently.

Choices of Deployment

Two different deployment options are supported by ModSecurity: embedded deployment and reverse proxy deployment. But there’s no single correct or incorrect approach.

Just pick the most appropriate option based on your goals, requirements, and situation.

Let’s look at the benefits and drawbacks of each:

Embedded deployment

You can add ModSecurity to any version of Apache that’s compatible, as it’s an Apache module. At the present time, this means that a fairly recent version of Apache from the 2.0x branch should suffice (though a more up-to-date 2.2x is the typical recommendation).

Embedded deployment is terrific for users who have already established their architecture and are reluctant to make changes. It’s the only option if you want to keep a high number of web servers protected, even hundreds of them.

In a situation like this, it’s not practical to create a separate proxy-based security layer. Embedded deployment introduces no new points of failure, and ModSecurity scales seamlessly as the underlying infrastructure scales.

With embedded ModSecurity deployment, the primary obstacle is that server resources will be shared between ModSecurity and the web server.

Reverse proxy deployment

A reverse proxy is basically an HTTP router made to sit between a web server and its clients. Installing an Apache reverse proxy with ModSecurity added will bring you an effective network web application firewall. You can implement this to safeguard any number of web servers all running on a shared network.

A lot of security professionals opt to initiate a separate security layer, as you’ll enjoy total isolation from those systems being protected.

In terms of performance, a standalone ModSecurity has resources dedicated to it, which enables you to get more out of it (such as utilizing rules that are more complex).

However, there’s a big potential disadvantage to consider with this deployment approach: the new point of failure. This will have to be addressed using a high-availability configuration of at least two reverse proxies.

Understanding ModSecurity and Plesk

ModSecurity is switched on by default starting from the early versions of Plesk Obsidian. At the same time, if you install Plesk using the images provided by your hoster, the situation may be different.

To identify and defend web applications against attacks, ModSecurity will run checks on any request to the web server and all associated responses from the server against the set of rules.

Should checks succeed, the HTTP request will be sent to the website to retrieve the relevant content. But if checks fail instead, the appropriate predefined actions will be initiated.

Both Plesk for Windows and Linux offer support for ModSecurity. This functions as a web server (IIS or Apache) module.

How to turn on ModSecurity

To activate the web application firewall, follow these steps:

  • Navigate to Tools & Settings > Web Application Firewall (ModSecurity) (located within the Security group).

Don’t see this link? Don’t panic. Just install the ModSecurity component here: Tools & Settings > Updates > Add/Remove Components > Web hosting group.

  • Switch the web application firewall mode to either On or Detection only, to make sure all incoming HTTP requests and associated responses are checked against a rule set. When checks succeed, the HTTP request will be directed to the website to retrieve the necessary content. Alternatively, the event will be logged if checks fail. When in the Detection only mode, no additional actions will be undertaken. But in the On mode, HTTP responses will be given with a suitable error code.

Firewall modes for web applications can only be set on the server and domain levels. But the domain level mode can’t be higher than that of the mode set for the web server. So, if the firewall is running in Detection only mode on the server level, you’ll be unable to switch it to On for domains — just Off and Detection only modes will be displayed.

Choose the set of rules to be checked by the firewall engine for every incoming HTTP request, or feel free to upload your own set of rules instead. You can opt for one of these rule sets:

  • Atomic Basic ModSecurity: This is a free version of the Atomic ModSecurity rules for beginners, packaged with Plesk. It includes key security features and bug fixes are released monthly.
  • OWASP ModSecurity Core Rule Set (CRS): This gives you generic defense against unknown weaknesses that can be found in many web applications. It’s shipped free, but it’s recognized as being restrictive, so much so that additional tuning is necessary for production use. When you choose this set of rules, WordPress will partly stop working, as will webmail and file sharing. You can take advantage of the Comodo or Atomic rule sets instead.
  • Advanced ModSecurity Rules by Atomicorp: This is the most recent version of the rules, including all the performance improvements, bug fixes, and latest security features created by Atomicorp GotRoot every day. This commercial set of rules is supported completely and advised for production use. Plesk offers the Security Core Complete by Atomicorp extra feature, which enables you to implement this set of rules in Plesk. You can access this in multiple ways:
    • Purchase the Atomicorp Advanced ModSecurity Rules available in the Plesk Online Store
    • Have a Plesk license already? You can implement the extra feature through the Plesk Partner Central UI or the Partner API.
    • If you hold a Plesk license but you can’t access the Plesk Partner Central, please contact your provider.

    If you have an account on the Atomic website already, you’ll be able to simply enter your username and password to activate this set of rules.

    Linux users please be aware: If you choose the Atomic set of rules, follow these steps to make sure your ModSecurity performs as it should. Start by running the aum -u command on the server, and the Plesk modsecurity package will be switched for that from Atomic’s repository. Next, run these commands:

    • plesk sbin modsecurity_ctl --disable
    • plesk sbin modsecurity_ctl --enable
    • service httpd restart
  • Comodo ModSecurity Rule Set (Linux): This rules-based traffic control system is easy to use and can be tailored. It offers effective protection for your web applications and combats emerging hacking methods, through a rules database that receives regular updates. This set of rules is shipped for free, and you can activate it in Plesk by following these steps: register on the Comodo site, and once there, submit the username and password you use on this website. It’s easy.
  • Custom: You have the ability to upload custom web application firewall rule sets, such as an Atomic trial package or a Comodo free package. The following formats are supported: zip; tar.gz; tgz; tar.bz2; conf.
  • Pick the Update rule set checkbox and choose the relevant update period to update your selected set of rules automatically.
  • Choose a predefined set of parameters or specify your own ModSecurity directives. The following preset parameter sets are available:
    • Fast: The HTTP request URI and parts of the headers are analyzed. This mode requires the least CPU.
    • Tradeoff: The HTTP request URI, headers, and request POST data are analyzed. This is a solid balance between performance and quality.
    • Thorough: Full HTTP request headers, request POST data, and HTTP response body content are analyzed. This mode consumes the most CPU resources, though it can be an effective option for websites demanding special security protections (such as online stores facilitating card transactions).

 

Please note: Web application firewalls need a local DNS server with request caching enabled to provide the best performance. Without this, your websites will be more likely to load slowly when the firewall is in effect.

Finding Log Files on Linux Systems

ModSecurity utilizes two locations for logging on Linux systems:

  • The ModSecurity audit log, which can be found in /var/log/modsec_audit.log. This is a highly detailed log used by the entire Plesk server. An entry in the audit log file will be generated when ModSecurity recognizes that an event has taken place. You can view the ModSecurity audit log for yourself if you navigate to Tools & Settings > Web Application Firewall (ModSecurity) and click the Logs Archive link located within the ModSecurity audit log section. You can explore (and download) the log files and modification dates here.
  • The Apache error log for a domain, which can be found in /var/www/vhosts/DOMAIN.TLD/logs/error_log. This offers just brief details about site errors, but you can check out the error log for specific websites in the Customer Panel on the Websites & Domains > <domain_name> > Logs > choose Apache error and nginx error rather than All logs positioned on the right.

Finding Log Files on Windows Systems

ModSecurity audit logs are domain-specific on Windows. They’re found in %plesk_dir%\ModSecurity\vhosts\<domain’s GUID>\logs ( %plesk_dir% is Plesk’s default installation directory).

How to Switch Rules Off

Once you switch the web application firewall mode from Off or Detection Only to On, a website could start functioning in an unexpected way. You can check error codes (404s, 403s, 500s) in the site error log, and they’ll stop displaying once you switch the firewall mode back to Off or Detection Only.

In this event, check the ModSecurity audit log to identify the cause. You’ll be able to deactivate excessively-restrictive rules or tweak the website as required.

Follow these steps to determine why a site’s HTTP requests can’t be completed:

  • Check the audit log file for the site.

When using Plesk for Linux systems, you can view the log through Plesk’s UI: navigate to Tools & Settings > Web Application Firewall (ModSecurity), then click on the ModSecurity Log File link to start downloading the relevant audit log. This will open in a new window in your browser.

  • To find events for a website (domain name) that may be responsible for issues, use your browser’s Search function (Ctrl+F in the majority of browsers) and search for the domain name, such as your_domain.tld. Your browser will then highlight matching entries, e.g. HOST: your_domain.tld. Look for a string such as --eece3116-B-- in the three lines positioned above the highlighted entry. The characters between the hyphens (eece3116 here) are the ID of the event which was triggered by the HTTP request.
  • Look further for additional entries with the identical event ID, specifically an entry featuring an H after the event ID. This carries the ID and description of the security rule that was activated while checking the relevant HTTP request. The security rule ID is an integer enclosed in quotation marks. It will begin with a 3 and will be displayed with the prefix id in square brackets. This may look something like [id "340003"].
  • Locate a security rule ID in the event by searching for the substring [id "3. You can use this ID when you turn rules off.
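The manual search above can be scripted. The following Python is an added example, not code from Plesk or ModSecurity; it assumes the serial audit log layout with `--<event ID>-<section letter>--` boundaries, and the sample log, rule ID 399999, file paths and messages are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the ModSecurity serial audit log layout (not real traffic).
# Rule 340003 is the ID quoted in the article; 399999, the paths and messages are made up.
SAMPLE_LOG = '''\
--eece3116-A--
[12/Mar/2021:10:15:32 +0000] AAAAAAAAAAAAAAAAAAAAAAAA 203.0.113.5 51234 192.0.2.10 443
--eece3116-B--
POST /contact.php HTTP/1.1
Host: your_domain.tld
Content-Type: application/x-www-form-urlencoded

--eece3116-F--
HTTP/1.1 403 Forbidden

--eece3116-H--
Message: Access denied with code 403 (phase 2). [file "/path/to/rules.conf"] [line "10"] [id "340003"] [msg "Constructed sample message"]
Action: Intercepted (phase 2)

--eece3116-Z--

--0a1b2c3d-A--
[12/Mar/2021:10:16:01 +0000] BBBBBBBBBBBBBBBBBBBBBBBB 203.0.113.9 40000 192.0.2.10 443
--0a1b2c3d-B--
GET /shop/?q=shoes HTTP/1.1
HOST: Your_Domain.TLD:443

--0a1b2c3d-H--
Message: Warning. [file "/path/to/rules.conf"] [line "10"] [id "340003"] [msg "Constructed sample message"]
Message: Warning. [file "/path/to/rules.conf"] [line "42"] [id "399999"] [msg "Second constructed message"]

--0a1b2c3d-Z--

--9f8e7d6c-A--
[12/Mar/2021:10:17:45 +0000] CCCCCCCCCCCCCCCCCCCCCCCC 198.51.100.7 40001 192.0.2.10 80
--9f8e7d6c-B--
GET / HTTP/1.1
Host: other_domain.tld

--9f8e7d6c-H--
Message: Warning. [file "/path/to/rules.conf"] [line "42"] [id "399999"] [msg "Second constructed message"]

--9f8e7d6c-Z--
'''

BOUNDARY = re.compile(r"^--([0-9a-fA-F]{8})-([A-Z])--\s*$")
RULE_ID = re.compile(r'\[id "(\d+)"\]')
RULE_MSG = re.compile(r'\[msg "([^"]*)"\]')


def parse_audit_log(text):
    """Group log lines by event ID, then by section letter (A, B, F, H, Z ...)."""
    events, current = {}, None
    for line in text.splitlines():
        match = BOUNDARY.match(line)
        if match:
            event_id, section = match.groups()
            current = events.setdefault(event_id, {}).setdefault(section, [])
        elif current is not None:
            current.append(line)
    return events


def request_host(event):
    """Return the Host header from section B, lower-cased and without a port."""
    for line in event.get("B", []):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return re.sub(r":\d+$", "", value.strip().lower())
    return None


def triggered_rules(text, domain):
    """List every rule hit (section H) for requests addressed to `domain`."""
    hits = []
    for event_id, event in parse_audit_log(text).items():
        if request_host(event) != domain.lower():
            continue
        section_h = event.get("H", [])
        # "Action: Intercepted" appears only when the request was actually blocked.
        blocked = any(l.startswith("Action: Intercepted") for l in section_h)
        for line in section_h:
            rule = RULE_ID.search(line)
            if not line.startswith("Message:") or rule is None:
                continue
            msg = RULE_MSG.search(line)
            hits.append({
                "event_id": event_id,
                "rule_id": rule.group(1),
                "msg": msg.group(1) if msg else "",
                "blocked": blocked,
                "request": (event.get("B") or [""])[0],
            })
    return hits


def rule_counts(hits):
    """Count hits per rule ID to show which rules fire most for the site."""
    return Counter(hit["rule_id"] for hit in hits)


if __name__ == "__main__":
    for hit in triggered_rules(SAMPLE_LOG, "your_domain.tld"):
        print(hit)
```

Before switching a rule off, compare the `request` and `blocked` fields across its hits: a rule that fires only on legitimate requests is a candidate for deactivation, while one that also fires on hostile input should stay on.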

To deactivate a rule:

  • Make your way to Tools & Settings > Web Application Firewall (ModSecurity)
  • Once you’re in the Switch off security rules area, choose the security rule based on its ID (e.g. 340003), its tag (such as CVE-2013-4589), or a regular expression (e.g. XSS) and hit OK.

Final Notes for Nginx and ModSecurity

Let’s end by covering the issue of request checks with NGINX and ModSecurity, and how it connects to ModSecurity Apache issues.

ModSecurity is an Apache module on Linux systems, and it can run checks on HTTP requests reaching Apache only. But you can supplement Apache with an alternative web server, specifically nginx.

If you switch on the ‘Process PHP by NGINX’ option of the NGINX web server for dynamic website content (in a site’s Apache and NGINX settings), the web application firewall will be unable to check any HTTP requests as they’ll never actually reach Apache.

In the case of static content, HTTP requests won’t reach Apache if the ‘Serve static files directly by NGINX’ option is switched on. That means ModSecurity won’t be able to check them.

We hope this detailed guide gave you a clear answer to “what is ModSecurity?” and helps you understand how it works. Because now it’s time to explore its possibilities for yourself!

ModSecurity offers a lot of advantages, so follow the tips and steps covered above to find out what ModSecurity can do for you.

Next Level Ops: Season 1 Recap

Hello Pleskians! As we approach our second season of Next Level Ops: The Official Plesk Podcast, we’re bringing you a Season 1 Recap while you get ready for more quality content. 

The podcast was created for you, Plesky reader (and listener), to give you industry insights and tips into the world of web hosting, development and management. 

So let your curiosity fly and learn through listening to these 10 curated episodes, hosted by podcast wiz Joe Casabona.

Episode 1 

20 Years of Evolution in Web Hosting

Kicking off our first ever episode of Next Level Ops, Joe meets Lukas Hertig, veteran Pleskian and fellow hosting enthusiast, to look back on 20 years of websites and hosting.

As they re-live the early years of websites and hosting (the ‘wild wild west’, in the words of Lukas), the interview unpacks the industry evolution from 2000 to today. From the first dynamic webs, to major disrupters like WordPress, the conversation ponders the growth of web hosting, and questions the future of hosting as-we-know-it. 

Looking for a trip down memory lane? Stream the episode here:

Lukas Hertig  

Lukas is the SVP Business Development & Strategic Alliances at Plesk.

Episode 2

Partnerships and High-Level Hosting Support

In this chapter, Joe interviews Pleskian Partner wizard, Francisco Pereira Carvalho, to delve into the global nature of today’s hosting market.

With Plesk supporting more than 32 languages and serving 140 countries worldwide, Francisco describes the importance of understanding what matters to different cultures and regions. He explains that members of the Partner Program benefit from the intuitive and easy Plesk tool with the advantages of an international team.

Enticed yet? Stream the episode to find out more about the program here:

Francisco Pereira Carvalho  

Francisco is the Head of Sales at Plesk.

Episode 3

The Power of Extensions

If you’ve ever built a website, you’ve probably installed at least one or two extensions to enhance your web management. They provide extra tools and features to make your website run smoothly or to improve user experience.

In this episode of Next Level Ops, Joe talks to Jan Loeffler about Plesk’s extensions and kits that make users and admins love the Plesk experience. Some of the so-called ‘Lighthouse extensions’ – which are the most popular ones with users – are included as standard on Plesk. Others, like the SEO Toolkit, are available for download.

But what makes them so great? Let Jan and Joe tell you in Episode 3:

Jan Loeffler  

Jan is the Chief Technical Officer at Plesk.

Episode 4

How Not to Become a Security Engineer

For the fourth instalment of the series, Joe chats with security warlock Igor Antipkin about safeguarding websites. As he explains, the need to educate and be aware of potential threats is real. Web admins need to know the software they use, and share key insights with their own communities.

Alright, so now you’re getting worried. But have no fear, this episode explains how easy security can be with Plesk (and how to avoid dedicating your life to it):

Igor Antipkin  

Igor is a Security Engineer at Plesk. 

Episode 5

Finding the Right Managed Hosting for You

As WordPress continues to grow, traditional, service-free hosts could be left behind. This is what Andrey Kugaevskiy tells us in this episode of Next Level Ops, spelling out the benefits of Managed WordPress Hosting. 

In this month’s discussion with Joe, we learn that choosing a suitable WordPress host can be tricky, and that you should keep WordPress-savvy people around if you’re not sure. For a smoother, easier and safer experience, Andrey suggests taking the option of host + management, any day.

Hear the full break-down of Managed WordPress options to make your life easier:

Andrey Kugaevskiy  

Andrey is a Senior Program Manager at Plesk.

Episode 6

Competing in a Hyperscale Cloud Environment

Welcoming back Lukas Hertig, episode 6 explores the world of cloud hosting, its applications in our everyday lives, and ‘hyperscaling’. In other words, companies like Netflix and Amazon that are scaling their operations thanks to shared services in the cloud.

More and more, hosting services opt for the cloud, with its flexibility and specialist managed services. So how do you compete in that environment? Are you thirsty to know how to benefit from the cloud, from experts?

Well then listen to this episode here:

Lukas Hertig  

Lukas is the SVP Business Development & Strategic Alliances at Plesk.

Episode 7

The Downtime Checklist and Web Scaling

Jan Loeffler, tech mage at Plesk, returns for this edition of Next Level Ops to discuss scalability and hosting. 

As you grow your online presence and traffic starts streaming in, Jan talks of the necessary steps for scaling. Have you considered how you’ll avoid downtime? Does your server have the capacity to grow? How long will customers have to wait for the page to load? Jan suggests a Downtime Checklist for scaling and optimization, but you’ll have to hear the full version in the episode here:

Jan Loeffler  

Jan is the Chief Technical Officer at Plesk.

Episode 8

Solving Common WordPress Problems

“The great and terrible thing about WordPress is the amount of freedom you have.” Guest-starring to discuss common issues with WordPress, product wizard Lucas Radke explains the value of a secure hosting environment. With so much margin for error, web builders, admins and users have to be proactive in preventing risks for their WordPress sites.

But hope is not lost. Click play to learn how powerful hosting and plugins make your life easier and avoid the most common WordPress mishaps:

Lucas Radke

Lucas is a Product Manager at Plesk.

Episode 9

The World of Email Hosting Providers

Are you searching for the best email hosting provider, and don’t know where to start? Scratching your head about enterprise options? Then put on those headphones and tune in to this edition of the Plesk Official Podcast, where Joe speaks to Christian Mollekopf from Apheleia IT to clarify the features and pitfalls of email hosting.

You’ll learn about calendar options, self-hosting, spam control and more. Click play to get the full intel:

Christian Mollekopf

Christian is a Senior Software Engineer at Apheleia IT.

Episode 10

Toolkits and Tips for Web Development

For the final episode of this season of Next Level Ops, special guest Brian Richards, Creator of WPSessions, takes us listeners through the modern tools for everyday web developers.

Besides imparting useful tips about coding, Brian provides a specific list of great web dev tools and learning resources, suitable for keeping any developer in-the-know. 

Intrigued? Get your coding fix by pressing the play button:

Brian Richards

Brian is the Creator of WPSessions and an independent web developer.

Did this series leave you wanting more? To make sure that you get your regular dose of tech podcasts, Season 2 is coming soon. Watch this space, or our Spotify and Apple Podcast channels to get the latest updates.

Get to Know our Season 1 Host:

Joe Casabona

Joe is a college-accredited course developer. He is the founder of Creator Courses.

SSL Certificates and Web Security – A Guide

In today’s world, web security and SSL certificates have become mandatory. When ranking websites, Google, the largest search engine on the planet, looks for SSL certificates for better rankings and prioritizing. And they have also started the initiative of “HTTPS everywhere” to make the web a more secure place and highlight the importance of web security.

This article discusses what SSL certification is and what types there are, and compares two major companies that provide SSL certificates – DigiCert and Sectigo.

What are SSL Certificates?

SSL stands for Secure Sockets Layer. This layer establishes a secure connection between the web server and the web browser. When a website has an SSL certificate, a small lock symbol appears at the start of the link, and HTTPS appears in the URL instead of HTTP, which means that you are browsing securely.

SSL uses cryptographic techniques to provide safety to users. The web browser attempts to connect to the web server and asks the server to identify itself. The web server sends its SSL certificate to the web browser for verification. The browser verifies the certificate and sends a connection request to the server, the server sends back an acknowledgment, and the encrypted session starts. The data that goes back and forth between the browser and the server is therefore encrypted.

An SSL certificate provides security for the website’s data. It’s almost impossible to break into data protected by SSL, and even if traffic is intercepted, the data is strongly encrypted and can’t be deciphered. Customers’ information, like usernames and passwords, is safe and secure when the website has an SSL certificate. Important transaction information like credit and debit card details and online wallet details is highly secured with SSL certification.

Google gives top priority to secure websites and helps them rank faster. The first thing a user notices when visiting a website is the security, i.e., SSL and HTTPS, so it is essential to have a secure website to gain credibility with the customers and indirectly generate more revenue.

Types of Certificates

Depending on the capacity and purpose at which we operate our website, there are four types of SSL certificates:

N.B. Wildcards are a handy sub-type of DV or OV certificates.

Let’s look into each certification in more detail.

Extended validation certificate (EV SSL)

EV SSL is the most trusted and most used certificate by businesses around the globe. These certificates are issued under guidelines proposed by the CA/Browser Forum. They can only be issued by a subset of CAs (Certificate Authorities) and require legal verification of the certificate’s requestor. This certificate uses the same encryption techniques as the other two types. EV certificates show a green browser bar, which indicates security and credibility.

Organization Validated Certificate (OV SSL)

These certificates show that an organization is valid. The owner of the business must show proof of both the physical and legal existence of the company. The users will see a lock at the start of the address bar, which indicates that the site is secure and safe from hackers.

Domain Validated Certificate (DV SSL)

These are some of the most commonly used certificates. The verification process for DV only verifies the domain of the website (business). This verification is to check whether the requestor is the owner of the domain or not.

Wildcard Certificate (Wildcard SSL)

A useful type of certificate that secures all subdomains at once, along with the main one. It’s therefore not necessary to issue a new certificate when a subdomain is changed or a new one is created. For security reasons, wildcards are only available for DV or OV certificate types.

Where to get SSL Certificates

There are many SSL certificate providers across the globe. This article will discuss two of the top companies that provide the certification: DigiCert and Sectigo.

SSL Certificate using DigiCert

DigiCert, Inc. is an American-based digital company that provides users with digital security. They help users across the globe to get the validation required for SSL certificates through Public Key Infrastructure. DigiCert is the world’s largest certificate authority, representing 60% of the EV certificates and 96% of the OV certificates globally.

Among its extensive range, it offers three major certifications, namely DigiCert Basic, DigiCert Secure Site, and DigiCert Secure Site Pro. Users choose from these options according to the security level they need on their website. The basic variation is cheaper, and as security features are added, the cost also increases.

SSL Certificate using Sectigo

Formerly known as Comodo CA Limited (rebranded as Sectigo in November 2018), Sectigo is a certificate authority that issues SSL certificates. The company offers digital security to both organizations and independent consumers. With more than 20 years of experience under their belt and hundreds of thousands of customers worldwide, Sectigo is one of the leading companies that provide web security with SSL certifications.

Sectigo broadly offers six types of certificates for the customers who want their website secured from malware. They include DV SSL, OV SSL, EV SSL, WILDCARD SSL, MULTIDOMAIN SSL, and SINGLE CERTIFICATES. They are also an award-winning innovation company with excellent customer support.

DigiCert vs Sectigo – feature comparison

Now, let’s take a closer look at each metric and compare them.

 

Key size and encryption strength

The key size determines the number of combinations it takes to break an encryption algorithm. Both DigiCert and Sectigo offer 2048-bit keys, so their encryption is very hard to break. The encryption strength is also the same for both, which is 256-bit.

Root Domain Support

Sectigo and DigiCert now secure and cover domains both with and without www.

Validation level

Both DigiCert and Sectigo support all the validation certificate types, including domain validated certifications. However, the DigiCert brand does not offer DV SSL – the most basic and common type – except under its sub-brands. So, DigiCert itself serves more enterprise-level needs, whereas many users search for DV SSL with Sectigo.

Multiple Domains and Sub-Domains

If we want to cover multiple domains or subdomains with SSL certification, both Sectigo and DigiCert provide multi-domain certificates called SAN certificates. We can add up to 250 multi-domain SANs with DigiCert and 100 SANs with Sectigo.

Issuing Authority

Comodo CA is a well-reputed brand with more than 20 years of experience. They rebranded themselves in fall 2018 to Sectigo, but they still have the largest market share of CAs. DigiCert, formerly known as Symantec, has also been around the block for many years and has vast industry experience.

Certificate Costs

With so many free SSL certificates available in the market, it sounds like a feasible idea to settle for one. But with premium certifications, you get both customer support and value for money. On top of that, OV and EV SSLs provide a further layer of customer trust as the certificate itself lists the business or registered organization. They can’t be issued to individuals.

Both DigiCert and Sectigo offer premium customer support and services. 

Final Words

We have now seen what SSL certification is and what benefits it provides to website owners. And also, we have seen different types of SSL certificates based on usage and capacity. 

Looking at the two top SSL providers, with their powerful encryption and multiple validation options, the choice is tough. Both will secure your site robustly. Both have long-held authority and experience. The only thing to consider is whether their specific certificate types match your site. 

Looking for domain protection for your blog? DV SSL with Sectigo will be great. Maintaining a high-traffic site with multiple sub-domains? Both brands can get you a top Wildcard version of the OV SSL certificate. Know your site, think security and trust, and you’ll know what certificate works best for you.

Secure your domain now

At Plesk, safety and credibility are provided by powerful Sectigo plugins for you and your customers. Through the SSL It! extension, DV and DV Wildcard releases are among the many certificates you can easily install to secure your domain.

The next screenshot shows what the SSL It! page looks like for a domain without a configured certificate when the Sectigo extension is already installed:

Let’s click “Buy Now”. Purchasing a PositiveSSL certificate via store.plesk.com:

After purchasing, Sectigo (the Certification Authority, CA) verifies the domain and issues a certificate. When the certificate is issued, the extension automatically installs it and secures the website in Plesk. As you can see, SSL Labs gave the website secured with a Sectigo certificate an A grade.

Just four easy steps, and your site is protected. 

Want to learn more about web security? Our podcast reveals all. 

Best WordPress Caching Plugins Comparison


WordPress caching plugins are a complex topic for many people (especially newcomers), and there’s a lot to cover in any guide. A comprehensive exploration of WordPress caching might even demand a whole book — which we obviously don’t have the space or time to create here. But we can make the essentials of WordPress caching easier to understand, and that’s exactly what we’ll do below.

First, let’s start by looking at caching as if it were a fairly straightforward math problem to be solved. Most of you reading this would have no problem multiplying, say, eight by eight to get 64. That’s a simple sum countless children learn in school every year. And they — and you — know the answer because you’ve memorized it. You might run a brief calculation in your head, but it should seem as if you can pull the solution out of your memory as naturally as recalling your own name. So, this form of memorization can be compared to website caching, even though it is a major simplification of the process. This example helps to visualize caching and illustrates why WordPress caching plugins are so important for a quality user experience.

Your website is required to present the same (or similar) content again and again, no matter how many visitors you receive per day. Even if you only attract a few dozen people, your site is still bringing the same content up repeatedly over weeks and months. Wouldn’t it be fantastic if the server was able to remember the necessary files required to present your website as it needs to every single time more efficiently, as you can when solving simple calculations?

Explaining the Caching Process

Basically, any page a visitor navigates to on your website requires a server request, and processing by that same server (along with database queries). Next, a final result will be sent from the server to the visitor’s browser, which enables them to view your website with all the elements and files essential for forming its complete design. These include menus, blog posts, images, videos, etc.

As the server is expected to process each of these requests, and to do so as quickly as possible, delivering a full web page to users can be a surprisingly time-consuming process. Particularly for bigger websites or those best described as “clunky”.

But this is where WordPress caching plugins prove helpful. The caching plugin is designed to tell the server to keep some of the files stored to RAM or disk (based on your specific configuration). That means the server can remember content it’s served in the past and duplicate it for the user. Web pages will load far faster from the cache directly, and the amount of work needed to generate a pageview is reduced significantly.

That’s the power of caching.

When You Need WordPress Caching Plugins

We’ve already covered how caching can increase the speed of web pages, but is it always essential to install WordPress caching plugins? And are there any other advantages to caching you should know about? For anyone responsible for managing their own servers or using shared hosting, caching plugins are generally a fantastic idea.

But there are times when you won’t actually need a caching plugin. If you were to work with a trustworthy managed WordPress host, for example, they would handle the caching on your behalf. This would be performed at server-level and much quicker, in a lot of cases. Server-level caching demands no knowledge, expertise, or time-intensive configuration to achieve the best speeds. It will be fast all the time — that’s it.

Often, top managed WordPress hosts don’t utilize caching plugins on their platforms as they may affect performance quality. Some things can go awry if you don’t know what you’re doing with plugins, which is where a little expert management can be a big help.

Why Some Caching Is Always Necessary

No matter if you choose server-level caching or opt for a plugin instead, you’ll always find some type of caching necessary. Here are some of the main benefits of caching to consider:

  • Deliver a faster browsing experience for users — we’ve already addressed how WordPress caching plugins can boost your site’s speed, but it’s a core advantage so deserves to be on this list!
  • Provide a better user experience overall — as your website will run more quickly, users will be more likely to stay and explore. Faster sites are known to have lower bounce rates, reducing the risk of people becoming frustrated and clicking away after waiting for more than 10 seconds or so for pages to load.
  • Servers rely on fewer resources — fewer resources contribute to a quicker website, and place less strain on servers. This is crucial for highly-dynamic websites (e.g. membership sites) and for determining what can or can’t be served from cache.
  • Potential SEO improvement — a faster speed and better user experience can inspire search engines to recognize that your website is worthy of a higher ranking. This makes caching a helpful addition to your search engine optimization strategy.
  • Lower time to first byte (TTFB) — using WordPress caching plugins is one of the simplest ways to reduce your TTFB, by as much as 90 percent in some cases.

How Does Caching Compare Against No Caching?

To show you how much difference caching versus no caching makes, we decided to run a few simple server-level caching speed tests.

First, we ran five Pingdom tests with no caching activated and measured the average, and then did the same with caching enabled. The average load time without caching was 677 ms, and the average with caching was 521 ms!

So, caching decreased our page load time by more than 23 percent, with no additional work required. We used a fairly well-optimized site for the speed tests, which means websites with less optimization should see an even bigger speed-up.

TTFB with no caching

Remember when we discussed how caching can affect your TTFB above? Well, we ran some more tests to identify how well caching can reduce TTFB.

We found that TTFB with no caching was more than 200 ms, but this dropped to under 40 ms when we enabled caching. That’s a huge difference.

It’s clear, then, that enabling WordPress caching plugins can decrease your TTFB substantially. And, again, that means better performance overall.

What Are the Best WordPress Caching Plugins Available?

Below, we’ll explore the best WordPress caching plugins to try if you plan to manage your own server or use shared hosting. While some may be more intuitive, they’ve all earned fantastic reviews from users. A lot of posts published online will attempt to compare caching plugin speeds and sell you the one they consider the best. But this is almost impossible, as plugins will perform differently depending on your choice of server, resources, configuration, and location.

Yes, we find speed tests as helpful as anyone else, but dubbing one plugin “the quickest” is frankly unfair. Why? Because what works brilliantly for one user might not be so effective for another. And that’s not to mention that there may be hundreds of different settings available to enable or disable.

With all this in mind, we feel it’s best that you always test WordPress caching plugins yourself to determine which work best for you.

We’ve collated a concise list of the top WordPress caching plugins to help you make an informed decision. You’ll find more detailed insights for each one further down, covering pricing, benefits, and more.

Our list:

We’ve found that it’s ideal to experiment with a minimum of two or three WordPress caching plugins before committing to any one option. You might find that you love the user interface and design in some caching plugins, but find others much easier to use overall.

Another recommendation from our experts is to run a speed test with a dedicated tool, such as GTMetrix or Pingdom, once you’ve implemented each plugin. This will enable you to check the impact the plugin has on your site’s performance.

But be sure to run a number of speed tests to make sure plugins are serving from cache. When you clear your WordPress website’s cache, it needs to rebuild. Helpfully, some plugins include an option to preload (or “warm”) the cache once it’s been cleared.

Be aware, though, that caching plugins can lead to issues while they’re helping your website run faster. There’s a particular error to watch out for when using caching plugins: “No update required. Your WordPress database is already up to date”. Keep that in mind, though it certainly shouldn’t put you off!

So, onto our in-depth look at the top WordPress caching plugins for your site!

WP Rocket

This is a premium WordPress caching plugin, offering three payment plans. You can pay a one-time fee, but if you keep your payments running, support and updates will be included. WP Rocket lists caching for a single website as $39, while support for three sites is just $99. For $199, you can get caching for an unlimited number of websites. Free plugins are available, but these rates are impressive considering WP Rocket is one of the market’s most feature-rich WordPress caching plugins.

There’s no free version or free trial for the WP Rocket caching plugin, but WP Rocket’s developers provide a 14-day money-back guarantee to ensure your satisfaction.

One of the main advantages of WP Rocket is its user-friendly interface and fast, hassle-free setup. This is a caching plugin for WordPress with the power to help your website run much faster, and yet any newcomer would find it easy to grasp the majority of the settings from the start.

Another top reason for WP Rocket to be worth a consideration is that it’s designed to run nicely on eCommerce sites. That’s ideal as, most often, those require better caching speed the most.

On the whole, you might ask why you should pay any cash for a WordPress caching plugin at all when there are some competitors giving theirs away for free. Well, that’s because WP Rocket offers a wealth of solid features and is simpler to use overall.

For example, WP Super Cache provides users with page caching, yet browser caching is unavailable. WP Rocket, on the other hand, delivers both.

And Hyper Cache is missing lazyload, whereas that’s just another part of the WP Rocket package.

We could go on and on like this, comparing WP Rocket with the competition, but the main point to remember is that $39 is a modest rate to pay for the sheer variety of features included.

Reasons this is one of the top WordPress caching plugins

  • WP Rocket delivers a developer-friendly package, with a great dashboard to help newcomers feel at ease. Developers rarely have so much to experiment with in caching plugins, and others can make it far too complex for first-timers too.
  • The setup process is highly accessible for users of all experience and skill levels.
  • You can use the included database optimization to clean up your WordPress database, as well as decreasing the amount of resources used.
  • You can use WP Rocket to lazyload media, so that images don’t load on your site until a user actually scrolls over them. That means the server won’t need to do the work until it’s absolutely necessary.
  • You can increase your website’s speed even more with WP Rocket’s CloudFlare compatibility.
  • Multisite compatibility is also available through this plugin.
  • You can preload your cache.
  • Tools for minification and concatenation are included.
  • One of the most distinctive features is the Google Fonts optimization. I haven’t seen this included as part of another caching plugin so far.
  • Support available for object caching.

Take a look at the official WP Rocket documentation for help when configuring and experimenting with this plugin on your WordPress website.

Cache Enabler

Cache Enabler is an open-source, free caching plugin from KeyCDN (known for powering the Kinsta CDN). The disk caching engine’s performance is quick and dependable, while the multisite support is a benefit for users operating networks of sites.

The Cache Enabler caching plugin is a quality option without a hefty price tag: you may not be receiving the comprehensive range of features you would in WP Rocket, but Cache Enabler is still a terrific alternative if you’re on a tighter budget.

Cache Enabler’s big claim to fame is that it was the first WordPress plugin designed to help you serve WebP images with no need to use JavaScript. Sounds like senseless technical jargon to you? All you need to know is that while JavaScript is an important coding language, it can disrupt website speed in some cases.

Combining Cache Enabler with the ShortPixel, EWWW, or Optimus plugin enables you to utilize this more recent image format properly. That’s a fantastic option for anyone running an online business, as most websites, such as eCommerce sites or blogs, include dozens or hundreds of images.

Finally, Cache Enabler’s settings are simple and concise. They ask for such things as caching behavior preferences and cache expiry. The settings page offers explanations, and the number of settings is fairly low overall. As a result, most people will find this a confusion-free zone.

Reasons this is one of the top WordPress caching plugins

  • Cache Enabler provides a unique way to serve WebP images: you can convert pictures to WebP format via ShortPixel, Optimus, or EWWW Cloud (the cloud version is recommended for its solid performance).
  • Cache Enabler includes a user-friendly, streamlined interface for maximum convenience. This is one of the simplest plugins to set up, and users at all levels of experience should find it a pleasure to handle.
  • Actual cache size is presented on the dashboard, to help you understand the amount of space the cache consumes. This is a fast, efficient caching program, offering manual and automated clearing options.
  • Minification for inline JavaScript and HTML is available.
  • This combines with the Autoptimize plugin to bring you additional features, such as injecting CSS into page heads.

Take a look at the official Cache Enabler documentation for help when you configure and test this plugin on your website.

WP Super Cache

WP Super Cache is a terrific example of an open-source WordPress caching plugin boasting installation numbers in the millions. When you search for caching plugins, WP Super Cache and W3 Total Cache (see below) will appear high on the list most of the time.

While it’s unfortunate that these plugins have such similar names, they are very different. It’s best to install both and try them separately to identify the right one for your site. You might prefer to install WP Super Cache first purely because it’s the work of the Automattic team, but both are worth considering.

Regardless, WP Super Cache is an open-source, free plugin with zero upgrades required once you’ve installed it. It improves efficiency by building static HTML files and serving these instead of running the weighty WordPress PHP scripts.

Three caching modes are available, which is one of the WP Super Cache plugin’s most appealing features. One is titled Simple Mode: the average WordPress user would choose this as it poses the least risk. But another of the modes, Expert Mode, enables you to super cache files with various modifications to the .htaccess file. This is great for seasoned developers who prefer greater control over their site’s caching process.

Simple mode makes WP Super Cache simple to set up (as the name suggests!). This enables you to compress pages, and offers easy caching, CDN support, as well as cache rebuilding. On top of all this, you can identify known users and choose to not cache pages for them if necessary.

Additional homepage checks can be helpful too, when you want to make sure your site’s primary page is as optimized as it can be.

One of the core advantages of WP Super Cache is its garbage collecting: your cache directory fills up and can leave your site running slowly over time. WP Super Cache runs automated garbage collections regularly to clean older files out and maintain your site’s optimization.

Reasons this is one of the top WordPress caching plugins

  • WP Super Cache boasts a positive reputation and track record, so you can expect its caching services for one or more of your sites to be of a high standard (no matter how big they may be).
  • This is an open-source, free product from Automattic — this means updates are regular and WP Super Cache is unlikely to disappear without warning.
  • In WP Super Cache’s backend interface, a lot of the settings you require are already filled in. As a result, it’s fairly easy to understand and put to work, even if you’re a total novice.
  • WP Super Cache utilizes a garbage collection process, clearing your older files out of the cache to prevent slowdown. This helps your site run faster and more smoothly.
  • This is integrated with a unique CDN setup, distributing your files better.
  • You can select from three caching modes, including Simple and Super Caching. This makes WP Super Cache a top option for diverse skill levels: the Simple cache option is great for the average user, while the Super Cache mode enables more advanced users to boost their site’s speed substantially.
  • WP Super Cache includes a unique feature known as Cache Rebuilding. Your blog’s cache won’t be cleared whenever a visitor posts a comment: the cache will be rebuilt and the old page will be served to other users instead.

While WP Super Cache has no official documentation online, the repository page carries a wealth of information.

 

Comet Cache

Comet Cache has one of the coolest names of all the WordPress caching plugins, and it has a solid reputation too. You can choose from a free or paid version.

The paid version is available from $39 to $139, as a one-time charge. However, you can opt to pay extra fees if you would prefer more extensive customer support with the Comet Cache plugin.

Comet Cache includes similar features to the caching plugins we’ve explored above, but it stands out for its incredible documentation. Even the regular WordPress plugin page offers lots of FAQs and links to help you learn about caching.

The Comet Cache website is home to a complete knowledge base and insightful blog. There’s plenty of information on the free and premium versions, with comparisons to help you choose.

A key reason for upgrading is Comet Cache’s automation: you can set this up and forget about it while the plugin does the majority of the work on your behalf.

The free version is capable of accomplishing many of the same tasks, but you will need to complete them yourself manually at times.

The client-side browser caching is helpful, too, as you’re basically double caching: the server is on your end and the browser is on the user’s. Crucially, it’s fairly simple to install the Comet Cache plugin and the dashboard is easy to navigate.

Reasons this is one of the top WordPress caching plugins

  • With Comet Cache, you can take advantage of a quick setup and decent backend, so configuring the cache takes a matter of minutes.
  • You can cache on pages, posts, categories, and tags.
  • With the paid version of Comet Cache, you can try intelligent and automatic cache clearing. This allows you to establish caching preferences when you install it and forget about them for a while.
  • You can cache RSS feeds to avoid delays in your content syndication.
  • The plugin gives most of its main features away free, so you might not need to upgrade.
  • The paid version is similar to what you would receive from WP Rocket, so we’d advise that you test both to see which suits your goals best.

Browse the Comet Cache official documentation and community forum for help when configuring or testing this plugin on your website.

Hyper Cache

The Hyper Cache plugin runs on PHP only, so it’s simple to set up with no complicated configurations to worry about. It is also compatible with WordPress blogs of any kind.

A main benefit of Hyper Cache is that it’s aware of mobile environments. As a result, the caching continues to run when a user visits your site on their smartphone or tablet. This ensures your website remains fast and performs smoothly across devices, for total user convenience.

As Hyper Cache is open-source, there’s no need to pay or stress about future upgrades either. If you want to support the developer and compensate them for their work, though, you can make a donation.

The installation process for Hyper Cache is quick and easy. That’s ideal for newcomers and unskilled users of WordPress who might feel overwhelmed by extensive caching settings.

Furthermore, the compression caching optimizes bandwidth and boosts page speed brilliantly. This plugin is also intended to work well with bbPress, so if you want to run a forum, Hyper Cache is a fantastic option for caching its pages.

Perhaps Hyper Cache’s biggest advantage is its simple configuration. You can almost set it up and forget about it, with no reason to worry about its function following installation.

Admittedly, some of the settings have been assigned unexpected names or can seem somewhat tricky at first. But they generally include recommendations to help you understand what to enable and how they work.

Reasons this is one of the top WordPress caching plugins

  • There are no payment plans for Hyper Cache: this is a free, open-source plugin, and all features are included with initial download.
  • Hyper Cache is mobile-aware, so caching runs on mobile devices too.
  • This plugin includes CDN support, enabling you to tap into larger networks of servers and increase your website’s speed further.
  • Hyper Cache provides options for serving cached pages to visitors writing comments on your blog. You can cultivate more discussions on your posts without worrying about them affecting its speed.
  • Compression will be managed via the Hyper Cache plugin, for non-cached pages too.
  • Hyper Cache is designed to detect if a site’s theme has changed to its mobile version, for a better user experience.
  • This plugin will relocate the cache folder beyond your blog, and the cache folder won’t be included in your website backups. That means you can make smaller backup files while saving space.

Take a look at the official Hyper Cache documentation and visit the community forum to learn more when setting this plugin up on your site.

WP Fastest Cache

WP Fastest Cache’s name is obviously similar to some of the other WordPress caching plugins on this list, but don’t be fooled: this has a number of features that make it stand out.

You can get started with a free version of the WP Fastest Cache plugin, though a premium one is available for purchase through the settings module if you want to upgrade.

With the premium version of WP Fastest Cache, the fee is one-time only, and you’ll get access to a varied selection of tools that are unavailable in the free version. But generally, the majority of websites will be satisfied with the free plugin, as it features desktop caching, combination options for CSS and JavaScript, as well as HTML minification.

You’ll also have access to GZIP tools and browser caching in the free WP Fastest Cache plugin. Overall, this plugin can help to make websites’ performance much faster and smoother compared to sites using no caching plugin whatsoever.

The settings basically consist of a checkbox list, which makes it one of the simpler settings pages to explore. Information boxes are also included, offering clear explanations to guide your choices. You can switch between tabs for managing key items, such as image optimization, the CDN, and the cache timeouts.

Reasons this is one of the top WordPress caching plugins

  • The free version of WP Fastest Cache can prove useful for the majority of sites, and it appears to serve sites more quickly than a lot of the competitors.
  • The settings comprise a list of checkboxes alongside easy-to-follow information points, so it’s simple to use.
  • You can upgrade from the free to the premium version in the WordPress dashboard for maximum convenience. You don’t have to download a plugin from the developer’s site.
  • CSS and JavaScript can be combined and minified.
  • You can integrate CDN without too much configuration required.
  • Optimization of images is performed separately from the caching process, so you can see the amount of space saved with one of your biggest resource-consumers.
  • A feature is included for creating a cache for a mobile theme specifically. You can also opt to not serve a cached version for the desktop to your mobile users.

While WP Fastest Cache has no official documentation in one place, you can still find a wealth of tutorials on configuring WP Fastest Cache on your WordPress website on their blog.

W3 Total Cache

You might be aware of W3 Total Cache, as it’s one of the most popular WordPress plugins available. The W3 Total Cache plugin is a decent free, open-source solution, though we can’t pretend that it’s the ideal option for any website.

One of its main disadvantages is that its backend settings can be extensive and, sadly, hard to grasp. The development team can complete the proper settings for you efficiently, though newcomers may still feel confused.

Despite this issue, W3 Total Cache has managed to achieve millions of installations. It can be integrated with a CDN, and works for mobile and desktop websites nicely. It’s also recommended as a helpful companion for sites holding SSL certificates, which means eCommerce websites in particular might benefit from installing it.

The free version of the W3 Total Cache plugin includes all the features, and there are no prompts designed to push you into upgrading. The plugin can also help you make savings on bandwidth, thanks to HTTP compression, feed optimization, and minifications.

Yes, it doesn’t have the best backend configuration we’ve ever seen, but that could be down to our personal taste. Nevertheless, W3 Total Cache is still sure to help your website’s performance improve and, in turn, increase conversions.

Reasons this is one of the top WordPress caching plugins

  • W3 Total Cache is free, and most of the caching plugins you’ll need to boost your site’s speed and optimization are included.
  • Popularity can be considered an indication of a plugin’s quality, and W3 Total Cache has millions of installations, though we don’t recommend you base your decisions on that alone. Take the time to browse the many positive reviews to learn more about W3 Total Cache before you commit.
  • W3 Total Cache is compatible with various hosting options, including shared hosting, clusters, and dedicated servers.
  • You can use caching for any mobile environment, so that when a user visits your site on a smartphone, they’ll still benefit from caching as they would on their computer.
  • W3 Total Cache provides SSL support, to help your online store run more quickly and efficiently. That can improve the customer experience overall.
  • As the CDN works with the media library, you can check the quality of your images’ optimization easily.
  • You’ll have access to compression and minification, as well as caching of databases, objects on your disk, and posts.
  • Object caching is supported with W3 Total Cache.

You can get started with help from the in-depth documentation for W3 Total Cache available

Alternative Approach To Caching

Instead of using caching solutions at the web app level, you may want to consider NGINX, which can proxy requests to other web servers or apps. The outcome is a performance increase when serving static files. Another important feature is that NGINX can sit ‘in front’ of web servers, where it acts as a gateway to other applications or servers. Additionally, it can cache the results of requests proxied to FastCGI and uWSGI processes, as well as to other HTTP servers.

NGINX is fully supported by Plesk and can be configured and tuned easily via the Plesk interface. And if you are considering using NGINX with Plesk for caching, think also about WordPress Toolkit, which will help you a lot with managing routine WordPress tasks.

Conclusion

We hope we’ve helped you understand why website caching is so important, but the functions that make caching work can be incredibly difficult for the average WordPress user to understand initially. That’s why you might struggle to determine which settings in a caching plugin will be right for you at first.

Again, if you choose managed WordPress hosting, you won’t need to organize your own plugins. The host will do that for you, and caching will take place on the server. But caching plugins are essential if you’re using shared or self-managed hosting.

Now that you’ve reached the end of this guide, we hope you’ll find picking the best plugins for your WordPress website easier. Focus on learning as much as you can about any of the WordPress plugins that appeal to you most, to help yourself make the most well-informed decision.

Holiday Stories with Jens Meggers, our New WebPros CEO

Happy holiday season to all Plesky people around the world! The year 2020 has brought us all manner of things. And sadly, some of them haven’t been exactly what we wished for. The global pandemic has left many businesses uncertain about their future. And at Plesk, we had to re-route our roadmap to focus on helping our customers stay open and connected during these unprecedented times.

Although this year’s been quite a difficult one, we’ve still managed to celebrate all sorts of events while staying indoors. For example, Plesk has had its 20th anniversary, released new products such as Plesk Premium Email, powered by Kolab and SolusIO, and launched the Next Level Ops Podcast. And, on top of that, 2020 has brought a new CEO for the WebPros Group (in case you missed this info, WebPros is the leading website hosting automation software global provider that comprises cPanel, Plesk, SolusIO, WHMCS, and XOVI).

To wrap up the year, we want to celebrate this fresh arrival together with our wide community and share the bliss and the jolliness of this holiday season. So, here’s this year’s episode of the Plesk Holiday Stories. This time featuring Jens Meggers, our new WebPros CEO.

The Life of a CEO During the Holiday Season

Welcome to the family, Jens. To warm up, why don’t you tell us (and our readers) a bit about yourself?

I have a large family with five kids and a dog. After spending time at work and with my family, there is little time left. But that doesn’t stop me from enjoying my hobbies. These are gaming, coding, kite surfing, and triathlon.

I grew up in Germany but relocated to California in my early 30s. When I got my first computer as a teenager, I fell in love with creating software. And that has not changed as of today.

What’s a typical day for Jens Meggers during the holiday season? Any advice on how to cheer up the mood?

I take it slow. Run, swim, and bike in the morning. And then stay indoors in the afternoon. My advice for this year is to ramp up the geek level – Watch as many new movies as you can, play as many new games as you want, and get a VR system.

What would be your jolly, memorable holiday story to share? 

Starting a few years back, most tech companies started to close operations during the core holiday days. Most people protested, but it was a real game-changer with almost zero emails and messages for almost ten days. It was epic!

Which are your favorite dish, drink, and city in winter?

I love the taste and the warmth of German Gluehwein, also known as spiced wine or mulled wine, at the Christmas markets. But unfortunately, nothing like this is really available here in California, where I live.

As the CEO of WebPros, you must find yourself very busy. Do you follow any routine to keep your energy levels high and increase productivity? Any tips you’d like to share with the Plesky community?

I always try to balance screen time with outdoor activities. There’s always something to do. I pick activities that don’t take too long. A 5k run after work only takes 25 minutes, or a 2k swim can be done in 45 minutes. Make sure to get 6-7 hours of sleep. And of course, always secure access to good coffee!

How about offering a sneak peek of what 2021 holds for Plesk and its users?

We have tons of great things coming. I’m super excited about 2021 and the innovative products we are going to launch. Stay tuned! 

Holiday Greetings from Plesk!

Thank you, Jens, for sharing such great advice! We’ll surely take you seriously if we want a productive mind and an active body for 2021. And good luck with your sporty activities, we’ll cheer for you!

So… another year has gone by. And we want to thank our readers for being such an important part of Plesk. We wish you all a happy holiday! 

Keep your eyes open if you want to read more articles like the one from Jens Meggers in the new year. Do you want to share your holiday stories or memories with us? Let us know in the comments below. See you next year!

An Overview of PHP Vulnerabilities – WordPress Perspective

You probably already know that WordPress websites are vulnerable to brute force attacks, called so because they just try over and over again to guess your username and password combination. But in the never-ending arms race between hackers and site owners there is also the problem of much more sophisticated bots that will try to worm their way into weaknesses in your website’s PHP code, too. Both of these hacks are popular ways of testing your defenses and they both underline the need for constant vigilance on the part of site owners and admins. To that end, you need to consistently upgrade your WordPress so that it’s always one step ahead of potential PHP vulnerabilities and you also need to make sure that you only use the most up-to-date versions of your plugins and themes.

If you didn’t already know, your WordPress website, themes, plug-ins, and apps such as phpMyAdmin rely on a language called PHP to work properly. Now, the developers who write all of that stuff are not lazy and they aren’t deliberately leaving doors open for hackers to slip in through. The truth is, it’s hard for developers to write code that anticipates every single way that a bad actor might choose to attack. They do their best, release the software, and then it’s often only through everyday use that any holes in the defenses become apparent. Users’ experiences with attacks help to inform the process of making everything secure. It’s a case of building it as best you can and testing it ‘in the wild’, responding to each new security alert as fast as possible, and then bracing for the next. It will become clear as you read that the majority of the PHP vulnerabilities shown here come about because of unsafe user input, meaning that someone has fed malevolent code to the web app or moved it to a section of the app in such a way that a vulnerability is created. This highlights why it’s important to pay special attention to all situations where user input can either deliberately or inadvertently introduce dangerous code to the system. These are always the leakiest parts of any WordPress ship.

There are a few different classifications of PHP vulnerabilities. We’ve included a few of the most frequently encountered ones with a basic explanation for each of them, but we haven’t included any PHP code as we intend this to be an overview for people like admins rather than an exhaustive report for developers.

RCE – Remote Code Execution

Remote Code Execution (RCE) is just like it sounds. It happens when someone attacks and manages to upload code to your website and then runs it. A problem with a PHP application might let a user enter code which it then treats as PHP code, which might subsequently make it possible for the hacker to do various things. It could allow them to create a new file containing code that gives them full access to your website, for instance. This opportunity to remotely run malicious code is referred to as an RCE vulnerability. As you can imagine, the ability to do whatever they want with your website makes remote code execution an extremely dangerous kind of attack.

SQL Injection or SQLi

SQL Injection is similar: it’s when the hacker can get your database to run their own instructions. Anytime a PHP developer invites data input from a website visitor they should only pass it to the database after they’ve checked it to make sure that it isn’t trying to sneak in any dangerous code. SQL Injection gives a hacker free rein with the data on your website, which means they could create new data in your database including links to spammy or equally undesirable URLs. Hackers might also want to create their own admin level user account, to give themselves full access to and control of your website. It’s easily done with SQL injection. It’s another very serious security vulnerability because again, it hands the hacker the keys to your site.
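The check described above, shown as an added example that is not part of the original article: a WordPress query built by string concatenation beside the same query passed through `$wpdb->prepare()`. The `example_*` function names and the `author` and `title` request parameters are hypothetical; `$wpdb`, `prepare()`, `esc_like()` and `get_results()` are WordPress core APIs.

```php
<?php
// Added example (not from the original article). Runs inside WordPress,
// for instance from a plugin file. Function and parameter names are hypothetical.

/**
 * VULNERABLE: request data is pasted into the SQL text, so the database
 * cannot tell the developer's query apart from the visitor's input.
 */
function example_find_posts_unsafe() {
    global $wpdb;

    $author = $_GET['author']; // unchecked visitor input
    $title  = $_GET['title'];  // unchecked visitor input

    return $wpdb->get_results(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_author = $author AND post_title LIKE '%$title%'"
    );
}

/**
 * HARDENED: values are validated first, then sent through placeholders so
 * they can only ever be treated as data.
 */
function example_find_posts_safe() {
    global $wpdb;

    // Validate type and range before the value goes anywhere near the query.
    $author = isset( $_GET['author'] ) ? absint( $_GET['author'] ) : 0;
    if ( 0 === $author ) {
        return array(); // missing or non-numeric author: nothing to look up
    }

    $title = isset( $_GET['title'] )
        ? sanitize_text_field( wp_unslash( $_GET['title'] ) )
        : '';

    // esc_like() escapes % and _ so the visitor cannot widen the LIKE
    // pattern; the surrounding wildcards are added by the developer only.
    $like = '%' . $wpdb->esc_like( $title ) . '%';

    // %d forces an integer, %s is quoted and escaped by prepare().
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_author = %d
           AND post_title LIKE %s
           AND post_status = 'publish'",
        $author,
        $like
    );

    return $wpdb->get_results( $sql );
}
```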

Authentication Bypass

Sometimes a PHP developer might believe that they are properly validating that a site visitor has the right access level before performing an action, but they’ll actually be checking the wrong thing.
This problem can insinuate itself into WordPress apps via a mistake that WordPress developers frequently make where they use the ‘is_admin()’ function when trying to confirm that someone is indeed an admin. The problem is that this function only tells you if someone is viewing an admin page, but it doesn’t prove that a site visitor is actually an administrator. If a developer inadvertently uses this function, then they are handing admin level features to users who aren’t really admins.
There are other examples in the same vein, and they occur most often when a developer doesn’t check to make sure that the user is permitted this kind of access before they allow a function to be executed.

PHP Object Injection

A PHP Object Injection attack is more sophisticated. It happens when a PHP app passes input from the user to a function called ‘unserialize()’, which takes a stored object and puts it in memory. Although this seems complex, the main thing to remember with PHP Object Injection is that it happens when a developer doesn’t do the right kind of gatekeeping and allows unsafe input from the user to enter a PHP application.

Cross-Site Scripting (XSS)

This is when a hacker causes a website visitor’s browser to load and run dangerous code, which might then (for example) grab their cookies and hand administrator-level access to the intruder, meaning that they’ll once again be able to do whatever they like.
Cross-Site Scripting comes in two flavors – Stored and Reflected. A Stored Cross-Site Scripting vulnerability is one where the hacker tricks the website into allowing in dangerous code which later gets sent to and run in a visitor’s web browser. This kind of thing often happens when a comment is posted on your WordPress website that contains dangerous code. It then steals user cookies and passes them on to the hacker.
Reflected Cross-Site Scripting happens when a hacker puts dangerous code in a link. If it then gets loaded into a browser, the website serves it up along with the content. This code then runs in the visitor’s browser and it can steal cookies or perform other nefarious tasks. One example of a Reflected Cross-Site Scripting attack is a WordPress search results page that echoes the search query from the URL without cleaning it properly. The page then serves up the search results as well as the initial query, which could be dangerous code that runs within the visitor’s browser. Hackers could use Reflected Cross-Site Scripting to compromise a website by creating a link to a page of search results with dangerous code in it, and they could then send that to the site administrator to steal their cookies.
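What "cleaning it properly" looks like for the search page and the stored-comment case above, as an added example that is not part of the original article. The `example_*` functions are hypothetical theme or plugin helpers; `get_search_query()`, `esc_html()`, `esc_attr()`, `esc_url()` and `wp_kses()` are WordPress core functions.

```php
<?php
// Added example (not from the original article). Runs inside WordPress,
// for instance from a theme's functions.php. Function names are hypothetical.

/**
 * VULNERABLE (reflected): the query from the URL is echoed back unchanged,
 * so any markup in it is interpreted by the visitor's browser.
 */
function example_search_heading_unsafe() {
    return '<h1>Results for ' . $_GET['s'] . '</h1>';
}

/**
 * HARDENED (reflected): read the raw query once, then escape it for the
 * context it is written into. Text between tags needs esc_html().
 */
function example_search_heading() {
    $query = get_search_query( false ); // false = return the unescaped value
    return '<h1>Results for ' . esc_html( $query ) . '</h1>';
}

/**
 * The same value in two other contexts: an attribute value needs esc_attr(),
 * and a URL needs its parameter encoded and the whole URL passed to esc_url().
 */
function example_search_form() {
    $query = get_search_query( false );
    $link  = add_query_arg( 's', rawurlencode( $query ), home_url( '/' ) );

    return '<form method="get" action="' . esc_url( home_url( '/' ) ) . '">'
        . '<input type="search" name="s" value="' . esc_attr( $query ) . '">'
        . '</form>'
        . '<a href="' . esc_url( $link ) . '">Link to this search</a>';
}

/**
 * HARDENED (stored): visitor-submitted text that may keep a little
 * formatting is reduced to an explicit allow-list of tags and attributes
 * before it is saved. Anything not listed here is stripped.
 */
function example_clean_testimonial( $raw ) {
    $allowed = array(
        'a'      => array( 'href' => true ),
        'em'     => array(),
        'strong' => array(),
    );

    return wp_kses( wp_unslash( $raw ), $allowed );
}
```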

Cross-Site Request Forgery – CSRF

A Cross-Site Request Forgery (CSRF) refers to when someone creates a link and manages to get a site admin (or in fact anybody with high-level access) to follow it, and this causes the site to perform an action. So, for instance, if somebody built a link that creates a new admin with a known password when a site admin clicks on it, this would be an example of a Cross-Site Request Forgery attack. It’s not all plain sailing though. The difficult part for the hacker is finding a way to convince the site admin to follow the link, and then set up the new admin with one of the currently used passwords which the bad guys hope to steal. WordPress does already have a way of protecting itself from this kind of approach. It uses a security token (just a number) known as a “nonce” which is granted to the admin each time they log in, and this number is included every time the WordPress site admin does something of a sensitive nature. If a hacker takes the approach we’ve described, trying to use a link in a Cross-Site Request Forgery attack, they also need to know the nonce to send with it. Since this number changes every day, successfully executing a Cross-Site Request Forgery attack becomes much more difficult, if not impossible. With that in mind, it should be the case that every developer knows not to build themes and plug-ins that don’t use nonces for request verification, but not everyone is as diligent as they should be. But they can put it right after the fact, and for an easy remedy they just need to use code to access WordPress’s native nonce feature.
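A request handler that avoids the two mistakes described under Authentication Bypass and Cross-Site Request Forgery above, placed next to the vulnerable pattern. This is an added example, not code from the original article; the plugin, the `example_*` names and the option name are hypothetical, while `is_admin()`, `current_user_can()`, `wp_nonce_field()` and `check_admin_referer()` are WordPress core functions.

```php
<?php
/**
 * Plugin Name: Example Settings Handler (added example, hypothetical plugin)
 */

// VULNERABLE: the admin_post_* hook runs for every logged-in user, and
// is_admin() only reports that an admin-area script (admin-post.php) is
// handling the request. It says nothing about the user's role. There is
// also no nonce, so the request does not have to come from the site's own form.
add_action( 'admin_post_example_save_unsafe', 'example_save_unsafe' );
function example_save_unsafe() {
    if ( ! is_admin() ) {
        wp_die( 'Not allowed' );
    }
    update_option( 'example_notice_text', $_POST['notice_text'] );
    wp_safe_redirect( admin_url() );
    exit;
}

// HARDENED: capability check, nonce check, then input handling.
add_action( 'admin_post_example_save', 'example_save' );
function example_save() {
    // 1. Authorization: ask what this user is allowed to do.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'You are not allowed to change this setting.', 'example' ),
            '',
            array( 'response' => 403 )
        );
    }

    // 2. CSRF: the request must carry the nonce printed by example_render_form().
    //    check_admin_referer() stops the request itself if it is missing or stale.
    check_admin_referer( 'example_save_action', 'example_nonce' );

    // 3. Input: treat the submitted value as untrusted text.
    $text = isset( $_POST['notice_text'] )
        ? sanitize_text_field( wp_unslash( $_POST['notice_text'] ) )
        : '';

    update_option( 'example_notice_text', $text );
    wp_safe_redirect( admin_url() );
    exit;
}

// The form that goes with the hardened handler. wp_nonce_field() adds the
// hidden example_nonce field that check_admin_referer() verifies above.
function example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save">
        <?php wp_nonce_field( 'example_save_action', 'example_nonce' ); ?>
        <input type="text" name="notice_text"
               value="<?php echo esc_attr( get_option( 'example_notice_text', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}
```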

Remote File Inclusion (RFI) and Local File Inclusion (LFI)

Remote File Inclusion or RFI happens when a PHP app passes user input to a function that loads a file. If the file turns out to be a URL, the function would then load PHP code from the hacker’s specially built website to attack your website. Including a remote file in a URL is called Remote File Inclusion or RFI. If the file a hacker passes is a local file, the application might send its contents to the screen. This is an approach frequently used by hackers to help them break into a WordPress website’s wp-config.php file. This approach is known as Local File Inclusion or LFI. Functions vulnerable to RFI and LFI in PHP are: include, include_once, fopen, file_get_contents, require and require_once.
All of these functions load PHP code or content from a place that the developer decides on. If they don’t configure the website’s PHP installation in the safest way, a hacker can then load a dangerous file as PHP code or content and use it to give them access to your site. The majority of PHP installations keep you safe from RFI attacks which load remote URLs by restricting where files can be included from. But it’s not uncommon for PHP developers to inadvertently produce code that lets a hacker access a local file like wp-config.php. This helps to explain why Remote File Inclusion vulnerabilities happen less often than Local File Inclusion vulnerabilities.
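One way to keep a user-supplied name from reaching `include` unchecked, as an added example that is not part of the original article. It is plain PHP with no WordPress dependency; the `views` directory, the view names and the `example_*` functions are hypothetical.

```php
<?php
// Added example (not from the original article). Plain PHP.
// The views/ directory and the view names are hypothetical.
// Separately, php.ini should keep allow_url_include = Off (the PHP default),
// which is the setting that stops include/require from loading remote URLs.

/**
 * VULNERABLE: whatever arrives in $name becomes part of the path, so the
 * caller, not the developer, decides which file is loaded.
 */
function example_load_view_unsafe( $name ) {
    include __DIR__ . '/views/' . $name . '.php';
}

/**
 * HARDENED, step 1 and 2: resolve a requested view to a real file, or null.
 *
 * @param mixed    $name     Requested view name (untrusted).
 * @param string   $base_dir Directory that holds the view files.
 * @param string[] $allowed  Names the application is willing to load.
 */
function example_resolve_view( $name, $base_dir, array $allowed ) {
    // 1. Allow-list: only names the developer listed are considered at all.
    if ( ! is_string( $name ) || ! in_array( $name, $allowed, true ) ) {
        return null;
    }

    // 2. Canonicalise both paths (resolves symlinks and ".." segments) and
    //    confirm the result is still inside the base directory.
    $base = realpath( $base_dir );
    $path = realpath( $base_dir . DIRECTORY_SEPARATOR . $name . '.php' );
    if ( false === $base || false === $path ) {
        return null; // directory or file does not exist
    }
    if ( 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        return null; // resolved outside the views directory
    }

    return $path;
}

/**
 * HARDENED, step 3: include only what example_resolve_view() approved.
 */
function example_load_view( $name ) {
    $allowed = array( 'summary', 'details', 'help' );
    $path    = example_resolve_view( $name, __DIR__ . '/views', $allowed );

    if ( null === $path ) {
        http_response_code( 404 );
        return false;
    }

    include $path;
    return true;
}
```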

Conclusion

We hope this overview of frequently seen PHP vulnerabilities and their creation has helped you in your role as a WordPress administrator. You might have seen a few of them on your security updates. We hope that the insights that we’ve shared about what they do will help you to stay vigilant and deal with them more effectively. This knowledge should make you better able to ask questions of developers and better able to see how vulnerabilities work before you deal with them.

Most Widely Used Plesk Extensions and Toolkits This ‘HoliDeals’ Season (Part 2)

If you enjoyed the first HoliDeals announcement, this blog post will definitely perk you up. The world is running on Cloud today. Especially businesses that have to host their websites. Plesk has emerged as a great web hosting control panel that can make things way too easy for you. And you can make your Plesk control panel even more efficient with the right extensions, feature-rich packs, and toolkits. This way you not only increase productivity but reduce operating costs too.

But don’t worry – we got you sorted. As they say, ’tis the season to be jolly. And we want to make your holidays even more special with our Plesk HoliDeals Calendar. For 24 days, starting from December 1st, 2020, you’ll get exclusive discounts on top Plesk extensions, feature packs, toolkits, and licenses to make your toolbox jingle all the way!

So, enough chitchat – Let’s reveal the next 12 extensions and discuss their major benefits and features!

#13 Teamspeak Interface

It’s Tea(m) Time! This extension is a multifunctional web interface that allows you to install Teamspeak Interface and add-on modules with just a single click. With this extension, you can manage TeaSpeak and Teamspeak 3 Voice Server and other existing instances.

It provides you with an extensive set of user management options and roles, customized according to your customer needs or the co-administrators’ needs.

Teamspeak Interface extension is an ideal solution that enables you to control TeaSpeak and Teamspeak 3 servers through the web. There are two available license packages with Teamspeak Interface – Basic Starter and Pro Starter.

The Basic Starter pack comes with:

  • 100 additional user accounts.
  • Manage up to 3 voice server instances.
  • Includes extensions like Server File Management and Icons, Server Group Management, Channel Group Management, Client and Permission Management, TS Bots, and API.

The Pro Starter pack comes with:

  • 300 additional user accounts.
  • Manage up to 10 voice server instances.
  • Includes extensions like Reseller Management, Server File Management and Icons, Server Group Management, Channel Group Management, Client and Permission Management, TS Bots, and API.

We are offering an exclusive discount on this extension through HoliDeals. Make sure you grab the opportunity before it’s too late.

#14 Joomla! Toolkit

Joomla! Toolkit is a powerful toolkit for Joomla! users that allows them to secure and mass manage Joomla templates, extensions, and instances running on the Plesk server. The toolkit comes with a single dashboard for easy management, safety, and creation of Joomla instances.

All it takes is a single click to download, initialize, and configure the toolkit for hassle-free operation. We have created Joomla! Toolkit to enhance the security aspects of your content management system. No security expertise is required – the toolkit hardens your website by default, and with its security scanner, you can ward off any potential threats.

It is an all-inclusive toolkit for Joomla! as you can update templates, extensions, and instances from a single place. Also, you can monitor the performance of your Joomla websites from a single dashboard.

#15 KernelCare

Those who have Linux servers installed always experience system vulnerabilities and security flaws. To cope with this issue, we have launched the KernelCare extension that protects your Linux server against critical issues and downtime.

It is a paid extension and is probably one of the best security and server tools. During the HoliDeals, you have the opportunity to purchase the subscription at the best value.

The extension installs kernel updates within a matter of minutes without needing to reboot your Linux server. In this updated version of KernelCare, we have fortified the extension with the following benefits:

  •   Displays the server uptime.
  •   Enables rolling back changes.
  •   Supports automatic and manual updates.
  •   Checks for updates every four hours.

#16 Cloudplan

You can use Cloudplan on your Plesk server to host folders and files, synchronize them between all your devices and share them on the go. We have designed Cloudplan to be a PCaaS (Private Cloud as a Service) solution that you can install on all on-premise servers, cloud servers, and even hybrid clouds.

The primary objective of Cloudplan is to provide users with a complete private cloud solution with full control over data. With this extension, you can connect all the possible nodes available, including cloud and on-premise servers, mobile devices, PCs, and laptops, among others.

They all can be connected automatically with end-to-end encryption. You will be provided with a centralized web portal to control and monitor the whole private cloud network.

#17 Sitejet

Sitejet is a web design platform for agencies that allows you to collaborate with your team and customers with ease and create, manage, and launch quality websites. It comes with a high-performance content management system (CMS), which you can use to create responsive websites.

It is designed and developed by a team of experienced web designers looking at cost-effective results for web developers. With Sitejet, you can streamline your web development process.

The extension comes with intelligent workflow automation, file management system, time tracking, to-do, and a ticket to make the design process less complicated and less time-consuming. Some of its salient features include:

  •   Customer collaboration.
  •   Whitelabel platform.
  •   Multi-user and permissions.
  •   Scale your agency.
  •   Manage customers efficiently.
  •   More time for creativity.
  •   Complete design flexibility.
  •   Save management and design time.

#18 Virusdie

Virusdie is a Plesk website antivirus extension for Windows and Linux servers that lets you keep your websites free from viruses with just a single click. The extension comes with features like email alerts, patch management for plugins and CMS, an in-built file editor with malicious code highlighting, automatic malicious code deletion, and an accurate threat scanner.

The best part is that we have designed Virusdie to be compatible with a selection of content management systems, including PrestaShop, DLE, Drupal, Joomla, and WordPress, among other popular platforms.

Virusdie is available in both free and paid versions. In the free version, you get features like:

  •   Email notifications
  •   Automatic antivirus database updates every 6 hours
  •   Full description of viruses
  •   Automatic site scans for vulnerabilities.

In the premium version, you get:

  •   Scheduled scans – daily and weekly
  •   Vulnerability manager
  •   Malicious code highlighting
  •   Safe and accurate malicious code deletion

#19 Smart Updates for WordPress Toolkit

If you have a WordPress content management system that you want to keep updated and secure all the time, then you should download our Smart Updates for WordPress Toolkit. We have designed this extension to help you determine the required updates to keep your websites up-to-date.

We are offering a one-month free trial of Smart Updates for WordPress Toolkit, in which you get smart, automated tests, and you will always remain in charge of the operations.

Make use of the free trial to understand how the extension might be helpful, and if you like it, you can always purchase it. As we are currently in the middle of the Plesk HoliDeals Calendar, there is a high chance that you might get a good deal on Smart Updates for WordPress Toolkit.

The prominent features that will make you install this extension are:

  •   Smart Updates available for WordPress themes, plugins, and core.
  •   Production website is not affected during both manual and automatic updates.
  •   Smart Updates service determines the changes, analyzes the update, and concludes whether the update needs to be performed on the production site.
  •   Automatic and manual updates are available.
  •   We are providing Smart Updates for WordPress Toolkit on a per-site basis.

#20 Statistics and Usage Manager

This is an extension for Plesk that enables you to manage and view disk usage and traffic of your Linux OS subscriptions. The best part is that Statistics and Usage Manager allows you to do this all in real-time.

With Statistics and Usage Manager, you can sort your subscriptions by disk space statistics or traffic. You are also provided with a custom button to manage and view the statistics of all your subscriptions. As an admin, you can disable or enable this function.

This is an excellent extension for web managers looking to gain insight into how their websites are performing. You can use the Plesk HoliDeals currently available to grab this extension at the best possible price.

#21 Google PageSpeed Insights

Google PageSpeed Insights provides you with increased visibility in search engines by suggesting specific improvements and providing you with tools to design and develop fast and fully optimized websites.

The extension allows you to analyze your website content and its performance to determine what can be improved. With Google PageSpeed Insights, you can:

  • Analyze the performance of your website.
  • Rate the website based on its desktop and mobile performance.
  • Make use of the suggestions to optimize your website.
  • Access extension UI like mod_pagespeed Apache module to enhance website performance.
  • Reduce the size of static files.

#22 Bitninja

Bitninja is a Plesk extension designed for companies who are looking to bulletproof their server security. This extension provides a proactive and unified system that prevents 99% of all types of malicious attacks, safeguarding your company from reputation loss.

It comes with nine defense modules, namely:

  • Port Honeypot.
  • IP Reputation.
  • DoS Mitigation.
  • Web Application Firewall.
  • Log Analysis.
  • Web Honeypot.
  • Malware Detection.
  • Outbound WAF.
  • SSL Terminating.

These defense modules save you at least 12 hours of troubleshooting every day.

#23 Additional Language Pack

Plesk includes language packs for the translation of UI into different languages. While all the supported languages are installed during Plesk installation, you can download the Additional Language Pack extension if you want additional languages.

The number of languages you can install and download will depend on the Plesk license you have bought.

Suppose your site operates globally, and you want to reach out to the local community by offering your website in their native language. In that case, you can do so with Additional Language Pack.

#24 Web Host VPS or dedicated

Finally, here’s our last but not least HoliDeals offer. The growing need for customer self-administration can be quickly taken care of by Web Host VPS or dedicated. This Plesk edition proves to be an optimal solution that can fully customize your business, allowing you to increase profit and service offerings. 

When you install Web Host VPS or dedicated, you get several benefits, such as:

  •   Improved supportability.
  •   Turnkey application storefront for resale of services and applications.
  •   Instant high-end website creation and design.
  •   Improved audience focus for agencies, content teams, and website developers.
  •   Customize your service offering.

Don’t Miss a Gift!

Did you know you can add your daily reminders to your personal calendar? Or you can also subscribe now to receive fresh updates to your mailbox. Check here if you want to know more!

So… these are some super hot extensions that you would want to install to boost your Plesk server performance. So, you would want to make use of the Plesk HoliDeals Calendar.

Based on their popularity, we have managed to list these 24 Plesk extensions and toolkits. If you think that you need offers on some other Plesk products and services, let us know in the comments. Happy HoliDeals!