Plesk API is an interface you use to interact with Plesk. You can use it
to remotely perform various operations in Plesk. For example, you can
create customer accounts, delete subscriptions, and much more. However,
an attacker can potentially use Plesk API for malicious purposes, for
example, to gain control over your server. To protect against such
attacks, we recommend restricting remote access via Plesk API.
In Plesk, you can either prohibit all connections via Plesk API (both
XML API and REST API) or allow them only from trusted IP addresses.
To do so, you add the following entries to the panel.ini
file.
To prohibit all connections via Plesk API:
[api]
enabled = off
To allow connections via Plesk API only from specific IP addresses:
[api]
allowedIPs = IP_addresses
Where the allowedIPs setting accepts one or more IP addresses
separated by commas or whitespace characters.
Here are valid examples of the allowedIPs setting in the
panel.ini file:
[api]
allowedIPs = 10.58.108.100,192.168.0.0
[api]
allowedIPs = 10.58.108.100 192.168.0.0
Note: Do not add the whitespace character before or after the comma that
separates several allowed IP addresses.
