Plesk API is an interface you use to interact with Plesk. You can use it to remotely perform various operations in Plesk. For example, you can create customer accounts, delete subscriptions, and much more. However, an attacker can potentially use Plesk API for malicious purposes, for example, to gain control over your server. To protect against such attacks, we recommend restricting remote access via Plesk API.

In Plesk, you can either prohibit all connections via Plesk API (both XML API and REST API) or allow them only from trusted IP addresses.

To do so, you add the following entries to the panel.ini file.

To prohibit all connections via Plesk API:

[api]
enabled = off

To allow connections via Plesk API only from specific IP addresses:

[api]
allowedIPs = IP_addresses

Where the allowedIPs setting accepts one or more IP addresses separated by commas or whitespace characters.

Here are valid examples of the allowedIPs setting in the panel.ini file:

[api]
allowedIPs = 10.58.108.100,192.168.0.0
[api]
allowedIPs = 10.58.108.100 192.168.0.0

Note: Do not add the whitespace character before or after the comma that separates several allowed IP addresses.