Restricting Remote Access via XML API

For integration purposes, Plesk provides an API called XML API that lets third-party software interact with Plesk. This interface allows Plesk operations, for example, creating customer accounts or subscriptions, to be called remotely. At the same time, the remote API can be used for malicious purposes. For example, an attacker can try to use the API to gain control over your server.

To improve Plesk protection from attacks that use the remote interface, you can prohibit connections through XML API completely, or allow them only for a limited number of IP addresses that you trust.

To restrict access to Plesk via XML API:

  1. Open the configuration file panel.ini for editing. It is located in the following directory:
    • On Linux: /usr/local/psa/admin/conf
    • On Windows: %plesk_dir%\admin\conf\

    If the file does not exist, create it.

  2. Add the following lines to the file:
    • To prohibit all connections:

      [api]
      enabled = off

    • To allow connections only from specific IP addresses:

      [api]
      allowedIPs = <IP_addresses>

      <IP_addresses> here is a comma-separated list of IP addresses from which software can connect to Plesk via XML API.
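
One way to audit the result of the steps above, as an added example that is not part of the Plesk documentation: the script reads the text of panel.ini and reports whether XML API is disabled, restricted to syntactically valid IP addresses, or left unrestricted. The sample file contents, the [example] section, and the treatment of off/false/no/0 as "disabled" are assumptions.

```python
import configparser
import ipaddress
import sys

# Constructed panel.ini samples (not taken from a real server).
SAMPLES = {
    "no_api_section": "[example]\nenabled = off\n",  # [example] is hypothetical
    "disabled": "[api]\nenabled = off\n",
    "restricted": "[api]\nallowedIPs = 192.0.2.10, 198.51.100.7\n",
    "typo": "[api]\nallowedIPs = 192.0.2.10, 192.0.2.300\n",
    "no_header": "enabled = off\n",
}

def audit_xml_api(ini_text):
    """Classify the [api] settings of a panel.ini text: returns (status, details)."""
    parser = configparser.ConfigParser(
        delimiters=("=",), interpolation=None, strict=False)
    try:
        parser.read_string(ini_text)
    except configparser.MissingSectionHeaderError:
        # A setting written without its [api] header restricts nothing.
        return "invalid", ["setting outside any [section]"]
    if not parser.has_section("api"):
        return "unrestricted", []
    api = parser["api"]
    # Assumption: off/false/no/0 all mean "disabled", as in common INI usage.
    enabled = api.get("enabled", "on").strip().strip('"').lower()
    if enabled in ("off", "false", "no", "0"):
        return "disabled", []
    raw = api.get("allowedIPs", "").strip().strip('"')
    entries = [e.strip() for e in raw.split(",") if e.strip()]
    if not entries:
        return "unrestricted", []
    bad = []
    for entry in entries:
        try:
            ipaddress.ip_address(entry)
        except ValueError:
            bad.append(entry)  # not a plain IP address: review by hand
    return ("invalid", bad) if bad else ("restricted", entries)

if __name__ == "__main__":
    if len(sys.argv) > 1:  # audit a real file: pass the path to panel.ini
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(audit_xml_api(fh.read()))
    else:
        for name, text in SAMPLES.items():
            print(name, audit_xml_api(text))
```
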

