Your Automatic Server Update to Plesk 17.8

Starting from April 22, we’ll roll out auto-updates from Plesk 17.0 to Plesk 17.8, which will focus on server security and feature fixes. You’ll receive your update notification in the next few days and can choose to update manually, turn off automatic updates or simply wait for us to handle the Plesk 17.8 update for you. However, we strongly advise you to keep your server up to date for the following reasons.

Why are you getting this server security update?

Official server security stats from Structure Research 2019 say 90k websites are hacked every day, with 43%+ of attacks targeting small businesses. Fileless attacks are also rising quickly, going from 29% in 2017 to 35% in 2018. So we have to be more efficient with security fixes.

What’s slowing us down is developing and shipping backported bug fixes and features from upstream for Plesk 17.0, 17.5 and 17.8, which leaves us fewer resources to address your UserVoice requests. And even though Plesk 12.x has been EOLed since Jan 1, 2019, it still requires highly critical server security fixes, even when the issue is not in Plesk itself but in the third-party components that Plesk uses.

The result is that we ship bug fixes faster for the latest supported Plesk Onyx 17.8 than for the others. For example, in May 2018, we had Plesk 17.5 and 17.8 fully supporting GDPR. Meanwhile, Plesk 17.0 and Plesk 12.x had limitations in satisfying the formal aspects.

How we’re rolling out the Plesk 17.8 Auto-update for Admins

First, we will update servers for Plesk Onyx 17.0 users and then for 17.5 users who purchased a license directly from the Plesk Online Store. This should be quick and painless. Most customers who updated from 17.5 to 17.8 said that each server took just five minutes to update.

When will we upgrade your server?

You’ll first receive a pop-up notification on your Plesk panel, then an email, explaining the Plesk 17.8 update process. This gives you time to update at your own convenience, or to wait until the auto-update takes effect. Plesk 17.0 will be first, starting from April 22, followed by 17.5 from April 29.

Then, if you’re a Plesk 17.0 admin, you’ll see a permanent notification until you update your server. The notification will count down the days until the auto-update. Two weeks after the notification, the server updates will start in small, controllable chunks.

We don’t recommend that you opt out of this automatic update. But if you’re absolutely sure you want to stay on the current version, you can go to Tools & Settings > Update and Upgrade Settings and turn off automatic Plesk updates.

If you’ve received no such notification, it most likely means we’re updating your servers a little bit later. However, it could also be because you haven’t bought your Plesk license directly from our online store. Or, you may be using components deprecated in the latest version of Plesk.

In such cases, your server won’t get an automatic upgrade to the latest version. Please note that servers with Tomcat installed, or servers connected to Multi Server, won’t get updates either, since their configuration is incompatible with Plesk 17.8.

Why you should enable automatic Plesk updates

What’s great about updating to Plesk Onyx 17.8 is that you also get all the new features, APIs and CLIs, whereas only a critical subset of new features is back-ported to the previous versions.

Plesk version usage analysis

You can see that 50% of our servers are already on the latest Plesk Onyx 17.8. Every 24 hours, your server already automatically updates installed Plesk extensions, and Plesk WordPress Toolkit automatically updates WordPress core and its plugins. Then, every week, a bunch of Plesk service updates are installed automatically, and these usually contain bug fixes and feature improvements.

This year, starting from the next major Plesk release, we plan to roll out automatic Plesk updates on a monthly basis. The releases will include new features and bug fixes, and there will be no option to opt out of a server update.

How does the auto-update affect partners?

We understand that some of our partners offer managed hosting and have many customizations on their servers. To avoid impact on their business, we’ll make exceptions for their servers and spread the rollout of updates over time. You’ll be contacted directly or by email before we start any auto-update process for partners. Check the dedicated blog post for how such updates will work for partners.

Can you back up before the Plesk 17.8 auto-update?

There is no trigger to run a backup right before the Plesk update happens, but you can configure daily backups, and/or back up and update manually before the auto-update happens.

Plesk updates within one major version (for example, 17.x) are quite safe. But if you have concerns, please create a backup manually or set up automatic backups right now.

Got any questions about Plesk 17.8?

Ask us directly in our forum or contact support, and we’ll be quick to help. Meanwhile, we would love your feedback on the auto-update process so that we can make future auto-updates more convenient for you.

Best practices to strengthen Plesk server security

Server security is the core of server management for any web hoster and server admin. Any online business should take server security seriously. Here we’ll explore the most important aspects of hardening Plesk servers and monitoring them for security vulnerabilities.

Plesk Server Security Hardening – Generic Steps

The latest Plesk has an enhanced level of security right after installation. Recently, Plesk launched Advisor, which unifies the best possible security practices and performance tune-up of the server and hosted websites. At the same time, it’s a good idea to ensure the following routine steps:

  • Ensure regular Plesk updates
  • Change password strength to Strong
  • Use two-step verification by installing Google Authenticator
  • Use SSL/TLS to secure the mail server
  • Set up an SFTP connection
  • Limit administrative access to the system
  • Limit remote access via XML API
  • Actively use Web Application Firewall
  • Actively use WordPress Toolkit Security Check
  • Set automatic updates for WordPress instances
  • Ensure outdated web applications are not used, or update them on a regular basis. Failure to comply with this rule may result in unexpected security vulnerabilities
  • Use VirusTotal Website Check to check existing websites

Use a firewall to block all ports that are not in use.

Server Security Tips for Plesk under Linux

  • Use a key file for SSH access
  • Use a custom port for SSH connections
  • Disable SSH authentication for the root user
  • Turn off Perl/Python for the website if these languages are not used, and do not use mod_perl/mod_python
  • Use Opsani vulnerability scanner
  • Set up Fail2Ban to prevent hacking attempts
  • Avoid running the PHP handler as an Apache module, which is not a secure practice
  • Ensure automatic updates of system packages are on
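
The three SSH items in the list above (key file, custom port, no root login) can be checked mechanically. The following is an added example, not code from Plesk or from the original article: it audits sshd_config text against those three tips. The function names and sample configurations are constructed for illustration, and absent directives are assumed to take upstream OpenSSH defaults.

```python
import re

# Upstream OpenSSH defaults, used when a directive is absent (assumption: the
# distribution has not changed them; `sshd -T` prints the effective values).
DEFAULTS = {"port": "22", "permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes", "pubkeyauthentication": "yes"}

def parse_sshd_config(text):
    """Return ({keyword: [values]}, has_match) for the global section only."""
    settings, has_match = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()                   # keywords are case-insensitive
        if key == "match":                       # conditional overrides start here
            has_match = True
            break
        settings.setdefault(key, []).append(parts[1].strip() if len(parts) > 1 else "")
    return settings, has_match

def audit_sshd(text):
    """Return findings for the three SSH tips: key file, custom port, no root login."""
    cfg, has_match = parse_sshd_config(text)
    first = lambda k: cfg.get(k, [DEFAULTS[k]])[0].lower()   # sshd uses the first value
    findings = []
    if "22" in cfg.get("port", [DEFAULTS["port"]]):          # Port may be repeated
        findings.append("port: sshd listens on the default port 22")
    if first("permitrootlogin") != "no":
        findings.append("permitrootlogin: root can still authenticate over SSH")
    if first("passwordauthentication") != "no":
        findings.append("passwordauthentication: passwords accepted, not key files only")
    if first("pubkeyauthentication") != "yes":
        findings.append("pubkeyauthentication: key-file login is disabled")
    if has_match:
        findings.append("match: conditional blocks present, review them by hand")
    return findings

# Constructed sample configurations (not taken from any real server).
WEAK = "Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n"
HARDENED = """# constructed sample
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_sshd(conf) or "no findings")
```

Feeding it the output of `sshd -T` instead of the raw file picks up included files and the distribution's actual defaults. Keyboard-interactive authentication is a separate directive that this check does not cover.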

Server Security Tips for Plesk under Windows

  • Custom port usage for RDP connections is a must
  • Get rid of unused programming languages
  • Make sure you install the latest Windows updates
  • Restrict users from overriding handlers via web.config files
  • Keep DDoS protection enabled

What to do if server security is compromised

What we suggest here is migration to a new server. With a successful attack, intruders raise their privileges to root level, meaning they can do anything with the server. And just because you find malware or rootkits during the investigation and clean them doesn’t guarantee there are no others inside your system. It’s possible to load malware directly into RAM. There can be backdoors enabled, or even common cronjobs that use wget to download rootkits from already infected servers.

Restoring the server from a previous snapshot doesn’t mean the server is free of problems either, because in many cases it’s not clear when exactly the server was hacked and the rootkits were uploaded to the server.
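
For the cronjob case mentioned above, a read-only triage pass can list every scheduled job that invokes wget or curl, so a reviewer can decide which ones are expected. This is an added example, not part of the original article: the function names and the sample crontab are constructed, and it only reads text (for instance the output of `crontab -l`), changing nothing on the server.

```python
import re

FETCH = re.compile(r"\b(wget|curl)\b")                 # downloader invoked by the job
URL = re.compile(r"https?://[^\s'\"|;&>]+")            # URLs named on the command line
ENV = re.compile(r"[A-Za-z_][A-Za-z0-9_]*\s*=")        # e.g. MAILTO=root

def cron_command(line, system=False):
    """Return the command part of a crontab line, or None if it is not a job.

    system=True is for /etc/crontab and /etc/cron.d files, which carry a
    user field between the schedule and the command.
    """
    line = line.strip()
    if not line or line.startswith("#") or ENV.match(line):
        return None
    # Schedule is one field for @reboot/@daily style entries, five otherwise.
    n = (1 if line.startswith("@") else 5) + (1 if system else 0)
    fields = line.split(None, n)
    return fields[n] if len(fields) > n else None

def fetch_jobs(text, system=False):
    """Return [(line_number, tool, [urls])] for jobs that call wget or curl."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        cmd = cron_command(line, system)
        match = FETCH.search(cmd) if cmd else None
        if match:
            hits.append((lineno, match.group(1), URL.findall(cmd)))
    return hits

# Constructed sample in the format printed by `crontab -l`; all hosts are placeholders.
SAMPLE = """# constructed sample
MAILTO=admin@example.invalid
30 2 * * * /usr/local/bin/nightly-backup.sh
*/15 * * * * wget -q http://files.example.invalid/update.bin
@reboot /usr/bin/curl -fsS https://status.example.invalid/ping
# 0 5 * * * wget http://old.example.invalid/disabled
"""

if __name__ == "__main__":
    for lineno, tool, urls in fetch_jobs(SAMPLE):
        print(f"line {lineno}: {tool} -> {', '.join(urls) or 'no URL found'}")
```

Every hit needs human review: the curl health check in the sample is flagged just like the wget download, and a job that hides its downloader behind a script will not be flagged at all.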

How to identify the source of the problem

When using security solutions dedicated to scanning for rootkits and malware, keep in mind that these solutions rely only on already known patterns to identify malware and can be completely useless against new malicious software. To be 100% sure how the server was hacked, please contact a security audit company that specializes in such cases. Please do not change anything before the investigation, to avoid losing traces.