The 'X-Powered-By-Plesk' header (in practice an X-Powered-By response header carrying a value such as PleskLin on Linux or PleskWin on Windows) discloses that the site is hosted on a server managed by the Plesk control panel. The header is not a vulnerability in itself, but it is a reliable fingerprint: an attacker who sees it knows which management stack, bundled services, default paths and extension ecosystem to probe, and can match the host against published advisories for Plesk and its third-party extensions, or try default credentials on panel components. Hosts that are unpatched or carelessly configured are the ones actually at risk; the header simply lets an adversary find and prioritise them, and focus on Plesk-specific flaws, which can end in unauthorized access to the panel or disruption of the hosted services.
Remove the 'X-Powered-By-Plesk' header so that external requests do not reveal that the host runs Plesk. Strip it at the web server that emits it: with Apache's mod_headers, or at nginx when it is deployed as the reverse proxy in front of Apache. Because Plesk regenerates the virtual host configuration files it manages, place the directive in the domain's additional Apache and nginx directives (or in a custom configuration template) rather than editing generated files by hand, or the change will be lost on the next regeneration. Removing the header only reduces fingerprinting, so keep Plesk itself, its bundled services and installed extensions patched (enable automatic updates where possible), and periodically review extensions for known vulnerabilities and default credentials. If a reverse proxy, CDN or load balancer sits in front of the server, confirm that it does not re-add the header to responses. After the change, verify from outside the network that the header is gone. A Web Application Firewall or intrusion detection system can additionally flag and block traffic that probes for Plesk-specific weaknesses, and periodic security audits help confirm that environment details are not disclosed again by a later configuration change.
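The verification step above, as an added example that is not part of the original page or of Plesk's own tooling: a small POSIX sh audit that reads raw HTTP response headers (from curl or from a saved dump) and reports any technology-disclosing header, so the same check can be run before and after the web-server change. The two header dumps embedded below are constructed samples; the header names in DISCLOSING are a starting list, not an exhaustive one.

```shell
#!/bin/sh
# Added example (not from the page or from Plesk). Audits HTTP response headers for
# platform fingerprints such as the X-Powered-By header that Plesk adds.
#
# Where to strip the header (hypothetical placement; adapt to your Plesk layout):
#   nginx as reverse proxy (domain's additional nginx directives):
#       proxy_hide_header X-Powered-By;
#   Apache with mod_headers (domain's additional Apache directives):
#       Header unset X-Powered-By
#       Header unset X-Powered-By-Plesk

# Constructed sample: a response from a Plesk-managed Linux host before hardening.
# "PleskLin" is the value Plesk sets on Linux; Windows hosts report "PleskWin".
BEFORE='HTTP/1.1 200 OK
Server: nginx
Date: Mon, 01 Jan 2024 10:00:00 GMT
X-Powered-By: PleskLin
Content-Type: text/html; charset=UTF-8'

# Constructed sample: the same response after the header has been removed.
AFTER='HTTP/1.1 200 OK
Server: nginx
Date: Mon, 01 Jan 2024 10:00:00 GMT
Content-Type: text/html; charset=UTF-8'

# Header names that identify the platform behind the site (lower-case, space-separated).
DISCLOSING='x-powered-by x-powered-by-plesk x-aspnet-version x-aspnetmvc-version x-generator'

# header_value NAME: print the value of header NAME from the headers on stdin.
# Header names are matched case-insensitively; CR line endings are tolerated.
header_value() {
    tr -d '\r' | awk -v name="$1" '
        { i = index($0, ":"); if (i == 0) next
          if (tolower(substr($0, 1, i - 1)) != tolower(name)) next
          v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v }'
}

# check_headers: read headers on stdin and print "name: value" for every disclosing
# header present. Exit status 0 when the response is clean, 1 when at least one is found.
check_headers() {
    hdrs=$(tr -d '\r')
    found=0
    for name in $DISCLOSING; do
        v=$(printf '%s\n' "$hdrs" | header_value "$name")
        if [ -n "$v" ]; then
            printf '%s: %s\n' "$name" "$v"
            found=1
        fi
    done
    return $found
}

# check_url URL: live check of a host from outside the network (needs curl and network access).
check_url() {
    curl -sSI --max-time 10 "$1" | check_headers
}

# Stand-alone demonstration on the constructed samples.
echo "Before hardening:"
printf '%s\n' "$BEFORE" | check_headers || echo "  -> disclosing header present, fix the server config"
echo "After hardening:"
printf '%s\n' "$AFTER" | check_headers && echo "  -> clean"
```

Run it against a real host with `check_url https://your-domain.example/` (hypothetical URL) after applying the directive; a non-zero exit status means the header is still being sent, possibly re-added by a proxy or CDN in front of the server.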
Code: A05:2021
Category: Security Misconfiguration
Score: 5.3