Restricting Remote Access via XML API

XML API is an interface third-party software can use to interact with Plesk. You can use it to remotely perform various operations in Plesk. For example, you can create customer accounts, delete subscriptions, and much more. However, an attacker can potentially use XML API for malicious purposes, for example, to gain control over your server. To protect against such attacks, we recommend restricting remote access via XML API.

In Plesk, you can either prohibit all connections via XML API or allow them only from trusted IP addresses. To do so, you add the following entries to the panel.ini file.

To prohibit all connections via XML API:

enabled = off

To allow connections via XML API only from specific IP addresses:

allowedIPs = IP_addresses

Where the allowedIPs setting accepts one or more IP addresses separated by commas or whitespace ( ) characters.

Here are valid examples of the allowedIPs setting in the panel.ini file:

allowedIPs =,
allowedIPs =

Note: Do not add the whitespace ( ) character before or after the comma that separates several allowed IP addresses.


Leave your feedback on this topic here

If you have questions or need support, please visit the Plesk forum or contact your hosting provider.
The comments below are for feedback on the documentation only. No timely answers or help will be provided.