Restricting Remote Access via XML API

For integration purposes, Plesk provides an API called XML API that lets third-party software interact with Plesk. This interface allows Plesk operations, such as creating customer accounts or subscriptions, to be called remotely. At the same time, the remote API can be used for malicious purposes. For example, an attacker can try to use the API to gain control over your server.

To improve Plesk protection from attacks that use the remote interface, you can prohibit connections through XML API completely, or allow them only for a limited number of IP addresses that you trust.

To restrict access to Plesk via XML API:

  1. Open the configuration file panel.ini for editing. It is located in the following directory:
    • On Linux: /usr/local/psa/admin/conf
    • On Windows: %plesk_dir%\admin\conf\

    If the file does not exist, create it.

  2. Add the following lines to the file:
    • To prohibit all connections:

      [api]
      enabled = off

    • To allow connections only from specific IP addresses:

      [api]
      allowedIPs = <IP_addresses>

      Here, <IP_addresses> is a comma-separated list of the IP addresses from which software can connect to Plesk via XML API.
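
A check of the result of the steps above, as an added example that is not part of the Plesk documentation: it parses panel.ini text and reports whether the [api] section prohibits XML API connections, limits them to parseable IP addresses, or contains no restriction. The function name, the status labels, and the treatment of a missing setting as "unrestricted" are assumptions of this example.

```python
import configparser
import ipaddress
import sys

# Linux location given on this page; on Windows use %plesk_dir%\admin\conf\panel.ini
DEFAULT_PATH = "/usr/local/psa/admin/conf/panel.ini"


def audit_api_section(ini_text):
    """Classify the [api] section of panel.ini text (hypothetical helper).

    Returns (status, values) where status is one of:
      "disabled"     - enabled = off, all XML API connections prohibited
      "restricted"   - allowedIPs holds only parseable IP addresses
      "invalid"      - a value could not be parsed; values lists the offenders
      "unrestricted" - neither setting found (assumption: nothing is limited)
    """
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(ini_text)
    if not cfg.has_section("api"):
        return "unrestricted", []
    if cfg.has_option("api", "enabled"):
        try:
            if not cfg.getboolean("api", "enabled"):
                return "disabled", []
        except ValueError:
            return "invalid", [cfg.get("api", "enabled")]
    # configparser lower-cases option names on both read and lookup
    raw = cfg.get("api", "allowedIPs", fallback="")
    entries = [e.strip() for e in raw.split(",") if e.strip()]
    if not entries:
        return "unrestricted", []
    bad = []
    for entry in entries:
        try:
            ipaddress.ip_address(entry)
        except ValueError:
            bad.append(entry)
    return ("invalid", bad) if bad else ("restricted", entries)


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_PATH
    with open(path, encoding="utf-8") as fh:
        status, values = audit_api_section(fh.read())
    print(status, ", ".join(values))
    # Non-zero exit lets a deployment check fail when nothing limits the API
    sys.exit(0 if status in ("disabled", "restricted") else 1)
```

Run it with the path to panel.ini as the only argument; the exit code is 0 only when the file disables the API or restricts it to valid addresses.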