Most successful attacks on small business websites are automated bots trying common passwords over and over. Plesk's built-in security tools stop the majority of this without needing any extra plugin.
1. Enable Fail2Ban
Under Tools & Settings → Security → IP Address Banning (Fail2Ban), turn the service on. It automatically blocks any IP address that fails to log in repeatedly within a short window.
2. Adjust ban rules
You can set how many failed attempts trigger a ban and how long the ban lasts. A common setting is 5 attempts within 10 minutes leading to a 1-hour ban.
3. Turn on the firewall
If your server has Plesk Firewall available, enable it under Tools & Settings → Firewall. It lets you control which ports and services are reachable from the internet.
4. Manually block an IP address
If you notice repeated suspicious activity from one address in your logs, add it directly under IP Address Banning as a permanent block, no need to wait for Fail2Ban to catch it.
Key takeaway: Check your Fail2Ban banned-IP list every few weeks — a sudden spike in bans is often the first sign your site is being actively targeted.
5. Enforce strong passwords
Under Tools & Settings → Security Policy, Plesk can require minimum password strength for all panel and mailbox accounts, reducing the risk of easily guessed logins.
6. Restrict admin panel access
Where your traffic pattern allows it, restrict Plesk panel login to specific IP addresses under Restrict Administrative Access — especially useful if you always manage your site from the same office or home connection.
7. Keep everything updated
Security tools only work as well as the software behind them. Set WordPress Toolkit's auto-updates and check Plesk's own update notifications regularly.