An important aspect of website security is protecting sensitive data such as your server statistics. Here is an important security tip for Plesk users.
Depending on your current Plesk configuration, your server stats may be openly available to anyone who visits either of these URLs:
If you get a password prompt or the pages don’t exist, you’re all good: there’s nothing to see. If, however, these pages exist and are available to the public, you may want to secure your data using any of the following techniques.
Here are three ways to lock down your Plesk stats (either AWStats or Webalizer), depending on whether or not the stats are required. Any of these techniques will work to secure your stats.
- Disable ’em — if you don’t need Plesk stats, simply disable them (select “None” from the web-stats dropdown).
- Require login — if you want to keep using the stats, require a login (make sure the login-required box is checked).
- .htaccess — add this rule to your site’s root .htaccess file:
RedirectMatch 403 ^/plesk-stat/?
The settings for Plesk stats are located in the General Hosting settings for your domain. See this screenshot for details.
Update: if you use the “require login” technique, the login should be the same as your site’s main/FTP username and password.
Update (2014/09/17): After taking the time to go through all of my domains and change the settings for each (which in Plesk is no quick task), I have re-checked my Plesk Statistics settings only to find that Plesk 12 has automatically changed every single domain’s Stats settings back to the default setting, enabled. So take heed, if you implement this security measure, Plesk may not honor your preferences, meaning that you will inevitably need to go through and change the setting after each Plesk update. This happened, by the way, when Plesk was upgraded from 11 to 12, or somewhere in between.
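Since Plesk can quietly flip the stats setting back to “enabled” after an upgrade, it helps to have a check that does not depend on remembering to look at the control panel. The script below is an added example, not code from the original post or from Plesk: it reads Apache combined-format access log lines for a domain and flags requests under /plesk-stat/ (the same path the .htaccess rule above targets) that were served with a 200 status to a client that had not authenticated (the log’s user field is “-”). With “require login” working you should instead see 401s, and with the RedirectMatch rule you should see 403s. The log lines, IP addresses and the username `example` are constructed sample data, and the log format is assumed to be Apache’s standard combined format.

```python
import re
from collections import Counter

# Apache combined log format (assumed). Example of the shape parsed here:
# 203.0.113.5 - - [17/Sep/2014:10:02:11 +0000] "GET /plesk-stat/webstat/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# The URL prefix Plesk serves its stats under (the path the .htaccess rule targets).
STATS_PREFIX = "/plesk-stat"


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def is_stats_request(path):
    """True for /plesk-stat itself and anything beneath /plesk-stat/ (query string included)."""
    return path == STATS_PREFIX or path.startswith(STATS_PREFIX + "/")


def find_exposed_hits(lines):
    """Return entries where stats content was served (200) to an unauthenticated client.

    A user field of '-' means no HTTP auth succeeded for the request; with
    'require login' enabled the server answers 401 until valid credentials arrive,
    and with the RedirectMatch rule in place it answers 403.
    """
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # skip lines that are not in the expected format
        if is_stats_request(entry["path"]) and entry["status"] == 200 and entry["user"] == "-":
            hits.append(entry)
    return hits


def summarize(lines):
    """Aggregate exposed hits: how many, from how many distinct clients, and which paths."""
    hits = find_exposed_hits(lines)
    return {
        "exposed_hits": len(hits),
        "distinct_clients": len({h["ip"] for h in hits}),
        "paths": Counter(h["path"] for h in hits),
    }


# Constructed sample log lines (documentation-range IPs; 'example' is a placeholder user).
SAMPLE_LOG = [
    # stats served to an unauthenticated client: exposed
    '203.0.113.5 - - [17/Sep/2014:10:02:11 +0000] "GET /plesk-stat/webstat/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [17/Sep/2014:10:02:12 +0000] "GET /plesk-stat/webstat/awstats.pl?config=example.com HTTP/1.1" 200 8800 "-" "Mozilla/5.0"',
    # login required and enforced: not exposed
    '198.51.100.7 - - [17/Sep/2014:10:05:00 +0000] "GET /plesk-stat/ HTTP/1.1" 401 381 "-" "curl/7.37.0"',
    # authenticated owner viewing their own stats: not flagged
    '198.51.100.7 - example [17/Sep/2014:10:05:04 +0000] "GET /plesk-stat/webstat/ HTTP/1.1" 200 5120 "-" "curl/7.37.0"',
    # ordinary page, unrelated to stats
    '192.0.2.9 - - [17/Sep/2014:10:07:30 +0000] "GET /index.html HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
    # blocked by the RedirectMatch 403 rule: not exposed
    '192.0.2.9 - - [17/Sep/2014:10:07:31 +0000] "GET /plesk-stat/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    # malformed line, ignored by the parser
    "garbage line here",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run it against a real log by replacing `SAMPLE_LOG` with the lines of your domain’s Apache access log; a non-zero `exposed_hits` count after a Plesk upgrade is the signal that the stats setting has been reset and needs to be locked down again.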