Security Plesk

Plesk Security Essentials: Firewall, Fail2Ban & IP Blocking

You don't need a security plugin to lock down the basics — Plesk's built-in tools cover most of what a small business site needs.

Most successful attacks on small business websites are automated bots trying common passwords over and over. Plesk's built-in security tools stop the majority of this without needing any extra plugin.

1. Enable Fail2Ban

Under Tools & Settings → Security → IP Address Banning (Fail2Ban), turn the service on. It automatically blocks any IP address that fails to log in repeatedly within a short window.

2. Adjust ban rules

You can set how many failed attempts trigger a ban and how long the ban lasts. A common setting is 5 attempts within 10 minutes leading to a 1-hour ban.

3. Turn on the firewall

If your server has Plesk Firewall available, enable it under Tools & Settings → Firewall. It lets you control which ports and services are reachable from the internet.

4. Manually block an IP address

If you notice repeated suspicious activity from one address in your logs, add it directly under IP Address Banning as a permanent block, no need to wait for Fail2Ban to catch it.

Key takeaway: Check your Fail2Ban banned-IP list every few weeks — a sudden spike in bans is often the first sign your site is being actively targeted.

5. Enforce strong passwords

Under Tools & Settings → Security Policy, Plesk can require minimum password strength for all panel and mailbox accounts, reducing the risk of easily guessed logins.

6. Restrict admin panel access

Where your traffic pattern allows it, restrict Plesk panel login to specific IP addresses under Restrict Administrative Access — especially useful if you always manage your site from the same office or home connection.

7. Keep everything updated

Security tools only work as well as the software behind them. Set WordPress Toolkit's auto-updates and check Plesk's own update notifications regularly.