My Plesk Update Delivers Multi-Server Management and More

Since the start of 2020, Plesk customers have enjoyed a dedicated portal to manage their Plesk licenses, personal information and subscriptions: My Plesk.

The innovative interface has, since release, created a personal self-care space where you can adapt your profile and have full control over purchases. The functionality simplifies billing and subscriptions, while providing a channel to keep track of the status of your products. There, you can update, renew and upgrade subscriptions and purchases directly.

The full capabilities of the My Plesk portal can be found here.
But the really great news is that as of March 2021, you can do even more with your My Plesk account!

What’s new for My Plesk

Server Inventory

Along with the already-existing ‘Licenses’ tab, there is now in the newest version of My Plesk a tab dedicated to managing servers as well (currently available in beta stage).

In this new open beta program, users of My Plesk can now:

  • Add multiple Plesk servers to the Inventory list, easily
  • Login to the Plesk interface directly from the Server Inventory with a single click
  • Access the availability status of your servers
  • View and browse the aggregated list of domains hosted by your server(s)

Using this unique tool, our community has access to the major, fundamental elements of their hosting management business is one place. This streamlines the hosting experience, and complements the existing License Management and Plesk interface itself.

Server inventory My Plesk blog

Licence Reactivation

As part of the My Plesk License Management module, this update also includes a key new feature to help web professionals: License Reactivation.

With this release, users of My Plesk can reactivate subscriptions that have become inactive, completing the potential life-cycle of any Plesk license and usage. The function gives flexibility and power to our customers, supporting them in their business journey at every stage.

My Plesk portal blog

Other Improvements

The existing features of My Plesk provide ample personalization opportunities. Features from the previous version are still available and under constant improvement processes to really give back the best experience to you, our community. For example, you can continue to enjoy your own personal profile with easy access to your License Activation Keys and Extensions.

Have you signed up to the My Plesk portal yet? If you have even one Plesk or extension License, you are eligible to create your profile and manage your account with this process:

  1. Go to My Plesk > Sign up
  2. Enter the email address you used to purchase the license and create a password > Sign Up
  3. Receive an email from [email protected] with subject ‘Welcome to My Plesk service!’ > make sure to verify your email address by clicking on the link in the email
  4. Now you can log into My Plesk

Please note that to access the invoices feature, please follow instructions from this article. If you want to change your billing details, you can find a guide for that here.

The Plesk WordPress Toolkit 5.1 Release – Backup Limits, Localization Support, and More

We’re proud to announce that the Plesk WordPress Toolkit v5.1 is now publicly available. So, let’s see what this release brings to the masses.

Discover the WordPress Toolkit 5.1

Backup Limits

Backup functionality was introduced back in WordPress Toolkit v4.10. And we have already received quite a lot of feedback about it. The most popular request was about limiting the number of available backups to prevent end-users from subtly eating up all their storage space. We’ve added the limit to Plesk Service Plans under the Resources tab:

The limit is enforced on a per-site basis for the whole subscription. So, each site on a subscription gets to create the allowed number of backups. If you set the limit to 0, the backup feature becomes unavailable to end-users. Which is handy for those admins who want to fully restrict access to the new backup feature.

cPanel changes

A month ago we released WordPress Toolkit for cPanel. And we’re striking the iron whilst it’s hot. That means we’re implementing a lot of changes specific to cPanel. Let’s quickly go through them:

Database User Management

The Database User Management feature was already available in Plesk before. Unfortunately, though, it didn’t fit into the WordPress Toolkit 5.0 schedule. Since we want WordPress Toolkit to be as identical as possible on both Plesk and cPanel, we’ve added this ability in WordPress Toolkit 5.1:

New Security Measure

The “Block directory browsing” security measure was missing in the initial release of WordPress Toolkit 4 for cPanel. This was due to certain technical issues we didn’t have the time to properly resolve back then. Now, we’ve fixed everything that needed fixing. So we’re introducing this security measure on cPanel:

Localization Support

WordPress Toolkit v5.1 now supports multiple different languages on cPanel. Whenever you change your language in WHM or cPanel, WordPress Toolkit will also switch to this language. This change affects both WHM (with server-wide locale setting) and cPanel (with user-specific language setting).

Changelog

WordPress Toolkit changelog isn’t the easiest thing to find, especially for cPanel customers. To remedy this, we’ve added the ability to view product changelog from the global WordPress Toolkit settings:

WordPress Toolkit has a single unified changelog for both Plesk and cPanel, since it’s the same product, just on different platforms. Filtering out information about the platform you need isn’t particularly easy. We’re looking into improving the changelog UI and UX in the future.

Improvements, Bugfixes, and Future Plans

Speaking of changelog, it clearly shows that WordPress Toolkit 5.1 includes more bugfixes than usual. But don’t worry – This is not caused by the sloppiness of the WordPress Toolkit dev team. We’re simply putting more focus on the stability and robustness of the product, which means fixing more bugs 🙂 

Besides improving site list performance on cPanel, we’re also planning to implement several internal enhancements. That hopefully will make WordPress Toolkit more stable and robust, leading to fewer bugs down the road. We’re also going to address a couple of other hot topics. Like adding sets for resellers by the end of 2020 – but we’ll get back to you with it when it’s fully developed. 

One of the upcoming WordPress Toolkit releases will focus heavily on addressing issues related to cloning, which should also improve Smart Updates’ performance.

…As you see, we have a lot of things in store for the future. So stay tuned for the upcoming WordPress Toolkit releases. And drop us a line in the comment section if you’d like to share your experience with us. Thank you for your attention and see you next time!

Warning: Fileless attacks are on the rise

Fileless attacks are on the rise!

Ever heard of fileless attacks? This is malicious code gets a foothold on your server. Not through a certain file or a document, but by infiltrating the server RAM. Thus, exploiting various processes and vulnerabilities of the server software. They can do this via vulnerable web applications, specially formed requests, and so on.

The idea behind fileless attack

The harm that a fileless attack inflicts leaves no trace since its malware does not write any files to the hard drive. Instead, it performs all malicious activities directly in RAM. After the system reboots, the malicious code disappears – but the damage has already been done to your server. This type of threat is commonly referred to as an Advanced Volatile Threat (AVT).

Some types of malicious code harm system files, some set up malicious code for other types of attacks, and others open entry points for hackers to use other server’s vulnerabilities. Both users and security solutions, like McAfee Endpoint Security, Virsec Security Platform, and others, are not tuned for Fileless attacks. Thus, making them hard to detect.

Fileless Malware Found On Various Operating Systems

On Windows servers, hackers actively use the pre-installed system Powershell to download and run malicious code. Or they can also use BAT and VBS scripts. These techniques are now widespread since you can execute them in frameworks like Powershell Empire, Powersploit, and Metasploit Framework.

As for Linux, most installed distributions like CentOS, Ubuntu, and Debian, have pre-installed software. This usually has programming languages interpreters: Python, Perl, and С compiler – a bad practice of installing an operating system on servers. Lots of hosting servers also have PHP installed because of its huge popularity. So Fileless attacks use these interpreters.

How Fileless Malware Survives on Linux

On Linux, the easiest way to run malicious code in RAM by way of fileless malware is to use shared memory. Hence, a block of RAM shared and pre-mounted in the file system. By placing an executable file in /dev/shm or/run/shm, it’s possible to run the file directly in RAM. Remember that these directories are nothing but shared memory.

However, the content of these directories can be viewed with the ls command, which works for any other directory. Moreover, these directories are usually mounted with the noexec flag and only root can run programs in them. Therefore, more intricate types of fileless malware use, for example, the memfd_create system call (in case of the C programming language).

Interpreted languages, such as Perl and Python, which are widely used in web hosting, also offer the ability to use syscall(). PHP, which is even more popular, does not have built-in techniques to use syscall. However, there are old tricks that allow using required system calls even in PHP.

Fileless Attacks Are Increasing

Fileless attacks increase

According to research carried out by Ponemon Institute in 2018, we should expect fileless attacks to grow and make up 35% of all cyberattacks worldwide. Consequently, there will also be a decrease of regular file-based attacks.

Fileless vs file-based attacks

Fileless attacks are particularly dangerous in the corporate world since. Because Fileless malware becomes especially effective after installing in the RAM of servers active 24/7, 365 days a year. So Fileless attacks can hit any organization – like the Democratic National Committee in the US in mid-2016 for example. A hacker known as Guccifer 2.0 inserted a piece of Fileless malware into the Committee’s system and then gained access to 19,252 emails and 8,034 attachments. The document of the District Court for the District of Columbia states that Powershell scripts were used to hack the Microsoft Exchange Server of the Committee.

This intrusion resulted in the publication of a series of revelations that ended up hindering Hillary Clinton, Donald Trump’s then rival.

How to protect against Fileless attacks

Cybersecurity experts recommend the following measures to withstand the threat of fileless malware intrusion:

  1. A company that wants to protect its corporate cyber security has to be cyber-resilient and therefore stay informed about new kind of attacks.
  2. Avoid scripting languages like Powershell, because fileless malware actively exploits them. You can either delete Powershell or configure the system so that an attacker can’t exploit it.
  3. Use adapted solutions to detect malicious code – not just on the file system, but also in the RAM.
  4. Beware of Macros – they’re the most common tools on any computer and a possible entry point for fileless malware. As with scripting languages, companies don’t necessarily need to give up on all kinds of Macros. But they do need to be responsible when using them.

Fileless Attack Prevention Advice – From the Experts

Reputable sources of protection against fileless attacks stress that you need to “Keep your software up to date. As inconvenient as they can be, software updates are usually done to patch critical security vulnerabilities.” It’s one of the best practices for fileless malware protection.

As far as Microsoft products are concerned, Comparitech tell us “How to stop fileless malware”: “The main defense against any type of malware is to keep your software up to date. As Microsoft has been very active in taking steps to block the exploitation of PowerShell and WMI, installing any updates from Microsoft should be a priority.”

Ilia Kolochenko, CEO, Founder, High-Tech Bridge, speaks about the vulnerability of not keeping web applications up to date:

“It’s a very colorful, albeit very sad, example how a vulnerability in a web application can lead to disastrous consequences for an entire company, its customer base and beyond. Today, almost any critical data is handled and processed by web applications, but cybersecurity teams still seriously underestimate the risks related to application security.

Most companies don’t even have an up2date application inventory. Without knowing your assets, you won’t be able to protect them. Many global companies still rely on obsolete automated solutions and tools for their application security, while cybercriminals are already using machine-learning in their attacks when targeting and profiling the victims.”

Our cybersecurity experts at Plesk also advocate the importance of timely and regular installation of updates. Whether on your operating system, hosting server software, web applications, or CMS plugins. Right now, it’s the best way to protect against fileless attacks. Have a look at our Change Log for the latest information and released Plesk updates, and their installation procedure.

Auto Updates – Settings for Partners Clarified

Auto Updates for Partners

Starting from July 8, 2019, Plesk enables the automatic updates for Partners. Within a timeframe of 6 months, all Plesk servers running 17.0 and 17.5 will be automatically updated to Plesk Onyx 17.8. We’ve discussed why you should be on the latest Plesk version in a previous blogpost.

The Concept of Auto-Updates for Partners

We have added several crucial features to our Partner Central portal that allow Partners to apply additional settings related to the auto-updates, namely:

  1. Set the specific week days when the auto-updates will run
  2. Add email addresses (in addition to the administrator’s email) that will be used for update-related notifications

Note that these settings will become available in Partner Central on June 24, 2019.

The Phases of Auto-Updates Adoption

When it comes to auto-updates, several tiers of Partners are defined:

  1. Early adopters
  2. General release
  3. Late adopter release

Partners with Early adopter tier will be updated first, during June. General release tier implies the update right after the early adopter tier. This means that your Plesk servers will be auto-updated during the July – November time frame. Late adopter release tier means that the servers belonging to this tier will be auto-updated in September – November.

Auto Updates Tiers

How to Check my Tier on a Single Plesk Server?

In the Plesk interface, in the left side menu, click on Tools & Settings -> Update and then Upgrade settings.

Screenshot Update Tier

Alternatively, check via ssh console using the Plesk CLI:

plesk bin server_pref -s | grep -i release-tier

“current” Early adopter release
empty value or “release” General release
“stable” Late adopter release

How to Define a Specific Release Tier for a Bunch of my Servers?

You might want to check your tier to have a better understanding of the time frame when your servers will be auto-updated, and then decide to change the settings if you need to.

To do so:

  1. Log in to Partner Central here
  2. Go to Product Configuration > configuration you need > click Edit link close to Server Settings
  3. Select the tier you need and make sure the radio button Install updates automatically is selected
  4. Set weekdays when you want the auto-updates to run (at least 2)
  5. Enter the email address of a person or group of people who should be notified when the auto-update starts and ends
  6. Click Save

And that’s it – you’re ready!

Note: If you want to apply auto-update settings to more than one Plesk server, please use Partner Central.

kapc

Other Important Facts to Know (Frequently Asked Questions)

Q: When exactly will updates of my servers be installed?
A: The exact date and time of the update depend on the update settings configuration set by the party managing the Plesk servers. However, if you already see a notification in the Plesk control panel, it means that some time during the 5 month time frame the auto-updates will be installed.

Q: How can I know exactly (at least the month) when my server will be updated?
A: This is not possible – but you can adjust the settings of your tier, following the instructions above.

Q: Will all of my servers be updated at the same time?
A: No. There is a smart algorithm used by Plesk to update Plesk servers. For technical reasons, updating all servers at the same time is not possible.

Q: What will be the downtime when my Plesk server is upgraded, will my websites be down?
A: There is no downtime during the Plesk upgrade as such, though there is minor downtime (a few minutes) when the Control Panel service is restarted.

Q: Where can I find information about what was changed with the update?
A: You can find all the information about this in the Change Log for Plesk Onyx or What’s new pages.