
Input New Advisor in Plesk 17.8.11

Liwindo

Basic Pleskian
I recently changed to the new Plesk-Edition and have a small input to the new Advisor and the scoring:

- It makes no sense to downgrade the voting when using PHP 7.0 or 7.1 - they are not deprecated, so why downgrade the use of them as long as a lot of software isn't compatible with 7.2?

- It's comprehensible that you want to earn money - but suggesting the Symantec Extension as part of security is rubbish given the fact that Symantec is no longer part of the TLS-Business.
 
^ these are the exact reasons the advisor extension was the first I disabled. It seems more like advertising in its current state versus an actual tool that is useful. I can see those that are less technically inclined spending more money on software that could be irrelevant to their needs.
 
Hi. Thanks for the feedback!

Regarding PHP versions - it's a known issue, will be fixed in the next version of Advisor.
Regarding Symantec. Do you mean the extension should be called Digicert SSL? :)


Regarding words like "useless". OK, it's your opinion and I appreciate it.
But still. For example, the overview (list) of used PHP versions for all websites - is it really useless? How are you sure that you are running up-to-date PHP on your websites?

OK, even if you really don't need any existing recommendation, let's discuss - what recommendations could be useful for you?
 
Thanks for the answer.

I never used the word "useless" and I never said that an overview of the used PHP-Versions is a bad idea. If it's a bug that will be fixed I agree to the idea.

It would be helpful to create an Advisor that doesn't downgrade the rating of the server when you haven't installed an app for which you have to pay extra: Symantec and Advanced Atomicorp ruleset. And if the Advisor checked whether there is a WordPress instance installed at all and didn't downgrade just because the app isn't installed.

Sorry if my words are too emotional, but the current Advisor gives the impression that Plesk is only willing to sell Addons instead of helping admins to secure their servers.
 
How are you sure that you are running up-to-date PHP on your websites?
Personally, I would go in and disable the versions after they are discontinued.

what recommendations could be useful for you?

As Liwindo stated, anything paid should just come as a suggestion and not affect rating. The Symantec Extension with the recommendation of so many different SSL options is brutal. I'd hate to be on the other line of a call having to explain this to someone less technical.

Actual advice; like hey the mail queue is larger than normal, hey you have a large number of failed logins from X IP or X user... etc. Advice to review the Minimum Password Strength.

Basically, more like CSF. More tweaks and suggestions on security related modifications, and less pushing of third party software.
 
@Ruslan Kosolapov perhaps add FTPS usage policy also to advisor

well I have seen now often enough that several "plesk administrators" just focus on getting the green bar from advisor to reach "supposed good condition" by just installing mentioned extensions, therefore please consider reviewing the weight of ratings, for example:

The SEO Toolkit is not installed = +100 to rating or The Symantec SSL extension is not installed = +50 to rating (high rated)

compared to

(x%) websites are not secured with valid SSL/TLS certificates = +4 to rating (low rated)
(x%) domains use an outdated PHP version = +11 to rating (low rated)

to get a better statement for good condition

well that's just my 2 cents on it
 
@Brujo, thanks for your 2 cents! :)

Remember, this kind of recommendation gives you points per website. As I see, in your example you have quite a big number of websites, and quite a low number of websites are not-so-good. That's why you see +4 points. If you unsecure ALL your websites, you'll see +400 there:

[Screenshot: Screen Shot 2018-07-13 at 13.25.12.png]

I have an idea to introduce bonus points (e.g. 100), that you gather only if 100% of websites conform to the recommendation. But I'm afraid it's unclear.

What do you think?
 
good question and not so easy to answer under the circumstance to do it right for everyone :)

well in general it seems to be too easy right now to get/reach the level of good condition and this should be more strict in my opinion. For additional extensions (buy), the level of importance should be downgraded or count only when the basic settings are fulfilled
proof/test with a bigger system:
This is missing/not installed/not used:
The Opsani extension is not installed +20 to rating
The Opsani extension is not active +100 to rating
Configured storing scheduled backups in remote storage +200 to rating
The SEO Toolkit is not installed +100 to rating
KernelCare is not installed +50 to rating
The Advanced Atomicorp rule set is not selected +50 to rating
The Symantec SSL extension is not installed +50 to rating
for php & SSL I have just a low % missing so this is only +6 to rating

So I did not use any paid extension (miss ~570 points) only the needed (in my opinion) ones and still have outdated PHP Versions (low %) and not all within SSL (low %) and get easily green conditions with 2474 points

Just as examples / ideas, as long as unsecure, outdated, unsafe, ... services / settings are existing or installed (like old php versions or not secured SSL, weak password...) - good conditions should never be reached and should be reduced to a lower grade / rank

I also like the Idea of Mark "More tweaks and suggestions on security related modifications"
 
I found the Advisor helpful but I also think that it needs to be smarter. For example, the SEO toolkits and other paid extensions shouldn't count against the score unless they are installed, licensed but not active. Many users would choose not to install a paid for extension so they can never accomplish green status.

Likewise, having turned off remote backups in my service plan, Advisor still downgrades my score even though I have no intention of buying remote backup storage as I keep backups in my base office systems. No need for additional backups. Since they are no longer a configurable option, Advisor should not count them.

It's a helpful tool though. I'd love to see you enhance it further and make it smarter and deeper, given that it should be aware of all internal Plesk configurables.

I don't mind seeing recommendations even for paid software. In fact that would be helpful but that shouldn't compromise the scoring if we have valid reasons for not buying the tools.
 