Wikipedia says so, so it must be true
http://en.wikipedia.org/wiki/Plesk
Wow. Just wow. Let me address this:
[quote]Attackers routinely attack the Plesk interfaces to obtain root/admin access since Plesk does not enforce strong passwords by default.[/quote]
True, it doesn't enforce strong passwords for the admin user (although it does for users), but how are bad passwords getting brute-forced a Plesk vulnerability?
[quote]This makes them an easy and lucrative target for malicious users attempting to compromise Internet hosts.[/quote]
This is misleading. The sites hosted on Plesk servers are the lucrative target. They don't need Plesk to be horribly insecure. Plesk's default vhost configuration actually adds a few protections that I never see used by non-Plesk customers.
[quote]Plesk also runs many services on external interfaces by default (e.g. mysql), which means that they are generally exploited very quickly by attackers.[citation needed][/quote]
Plesk uses the system MySQL package. If your distro of choice lets MySQL listen on a public interface, then blame the distro. Plesk never changes MySQL settings. Anyway, WTF are you doing hosting without a firewall?
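The check that settles the "listening on a public interface" question is the socket table, not the Wikipedia article. Below is an added example (not Plesk's code) that audits an `ss -ltnp` listing for daemons bound to every interface on ports that have no business being public, and emits the iptables rules to close them off while you fix the daemon's own bind setting. The listing, process names and the `PUBLIC_OK` port set are constructed assumptions for a typical Plesk host.

```python
"""Audit an `ss -ltnp` listing for daemons bound to every interface.

Added example for this page, not part of Plesk. The listing below is a
constructed sample in iproute2's `ss -ltnp` format; on a real host, feed
the functions the live output instead.
"""
import re

# Ports that are legitimately public on a typical Plesk host
# (assumption: everything else should be loopback-only or firewalled).
PUBLIC_OK = {22, 25, 80, 443, 8443}

# Addresses that mean "every interface" in ss output.
WILDCARD = {"0.0.0.0", "*", "[::]"}

ADDR_RE = re.compile(r"^(?P<addr>.*):(?P<port>\d+)$")
PROC_RE = re.compile(r'\(\("([^"]+)"')

# Constructed sample: process names and PIDs are made up for illustration.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=640,fd=3))
LISTEN  0       80      0.0.0.0:3306         0.0.0.0:*          users:(("mysqld",pid=912,fd=21))
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("apache2",pid=1204,fd=4))
LISTEN  0       128     0.0.0.0:8443         0.0.0.0:*          users:(("sw-cp-server",pid=1330,fd=6))
LISTEN  0       128     *:11211              *:*                users:(("memcached",pid=1402,fd=26))
LISTEN  0       128     [::1]:5432           [::]:*             users:(("postgres",pid=1510,fd=5))
"""


def parse_listeners(ss_output):
    """Return (address, port, process) for every LISTEN row in ss output."""
    rows = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or unrelated state
        m = ADDR_RE.match(fields[3])
        if not m:
            continue
        proc = PROC_RE.search(line)
        rows.append((m["addr"], int(m["port"]), proc.group(1) if proc else "?"))
    return rows


def exposed_services(ss_output, public_ok=PUBLIC_OK):
    """Listeners bound to all interfaces on ports that are not meant to be public."""
    return [
        (addr, port, proc)
        for addr, port, proc in parse_listeners(ss_output)
        if addr in WILDCARD and port not in public_ok
    ]


def suggest_rules(exposed):
    """iptables rules that drop non-loopback traffic to each exposed port.

    The firewall is the belt; the braces are the daemon's own setting,
    e.g. `bind-address = 127.0.0.1` in the [mysqld] section of my.cnf.
    """
    return [
        f"iptables -A INPUT ! -i lo -p tcp --dport {port} -j DROP"
        for _addr, port, _proc in exposed
    ]


if __name__ == "__main__":
    for addr, port, proc in exposed_services(SAMPLE_SS):
        print(f"EXPOSED {proc} on {addr}:{port}")
    for rule in suggest_rules(exposed_services(SAMPLE_SS)):
        print(rule)
```

On the sample, mysqld on 0.0.0.0:3306 and memcached on *:11211 are flagged; postgres on [::1] is loopback-only and passes. A loopback bind in the daemon config beats a firewall rule alone, because the rule vanishes the day someone flushes the chain.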
[quote]Some users have complained that Plesk is not secure in the sense of multihosting security since all virtual hosts are run under the same Apache user and share the same configuration.[25] However, in Plesk 7.5.6 for Windows and onward, all virtual hosts can run under their own worker process group, secured using their own respective IIS user. In Plesk for Linux, one could use the apache2-mpm-itk (Multi-Processing Module) or the alternative suEXEC+FastCGI+PHP solution - both of which are not directly related to plesk itself.[/quote]
Apparently *some* users don't know much about Apache. Isn't this how Apache works? If you want individual sites to run as individual users in Apache, suExec and some CGI handler is the way you do it. Which Plesk gives you the option for, btw. Has for a long time now.
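Whether a box actually has per-site isolation is something you can read straight out of the vhost configuration: each `<VirtualHost>` needs its own `SuexecUserGroup`, and no two sites should share one. The following is an added example (not Plesk's or Apache's code) that parses vhost includes and reports sites that still run as the shared Apache user, or that share a suexec user with another site. The sample configuration, the `/var/www/vhosts` paths and the `psacln` group are constructed for illustration. Caveat: suexec only governs CGI/FastCGI; PHP loaded as mod_php runs inside Apache as the Apache user no matter what this directive says, which is exactly why the quoted text pairs suEXEC with FastCGI.

```python
"""Check that every Apache vhost runs its CGI/FastCGI under its own user.

Added example for this page, not part of Plesk or Apache. The vhost
configuration below is a constructed sample; pass the text of your real
vhost includes to `isolation_findings` instead.
"""
import re

VHOST_RE = re.compile(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", re.S | re.I)
DIRECTIVE_RE = re.compile(
    r"^\s*(ServerName|DocumentRoot|SuexecUserGroup)\s+(.+?)\s*$", re.M
)

# Constructed sample: four vhosts, two done right, one with no per-site
# user and two sharing one user. Paths and group name follow Plesk's
# usual layout but are made up for this example.
SAMPLE_CONF = """\
<VirtualHost *:80>
    ServerName alice.example
    DocumentRoot /var/www/vhosts/alice.example/httpdocs
    SuexecUserGroup alice psacln
    <Directory /var/www/vhosts/alice.example/httpdocs>
        Options -Indexes
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    ServerName bob.example
    DocumentRoot /var/www/vhosts/bob.example/httpdocs
    SuexecUserGroup bob psacln
</VirtualHost>

<VirtualHost *:80>
    ServerName legacy.example
    DocumentRoot /var/www/vhosts/legacy.example/httpdocs
</VirtualHost>

<VirtualHost *:80>
    ServerName shared.example
    DocumentRoot /var/www/vhosts/shared.example/httpdocs
    SuexecUserGroup bob psacln
</VirtualHost>
"""


def parse_vhosts(conf):
    """Return one dict per <VirtualHost> with name, docroot and suexec user."""
    vhosts = []
    for body in VHOST_RE.findall(conf):
        directives = dict(DIRECTIVE_RE.findall(body))
        suexec = directives.get("SuexecUserGroup")
        vhosts.append({
            "name": directives.get("ServerName", "?"),
            "docroot": directives.get("DocumentRoot"),
            "user": suexec.split()[0] if suexec else None,
        })
    return vhosts


def isolation_findings(conf):
    """Report vhosts that run as the shared Apache user or share a user."""
    findings = []
    by_user = {}
    for v in parse_vhosts(conf):
        if v["user"] is None:
            findings.append(
                f"{v['name']}: no SuexecUserGroup, its CGI/FastCGI runs as the "
                "shared Apache user and can read every other site's files"
            )
        else:
            by_user.setdefault(v["user"], []).append(v["name"])
    for user, names in by_user.items():
        if len(names) > 1:
            findings.append(
                f"user {user} is shared by {', '.join(sorted(names))}: "
                "a compromise of one site gives write access to the others"
            )
    return findings


if __name__ == "__main__":
    for finding in isolation_findings(SAMPLE_CONF):
        print(finding)
```

On the sample this reports legacy.example (no suexec user at all) and the bob user being shared by bob.example and shared.example. The second case is the subtle one: the directive is present on every vhost, so a grep for `SuexecUserGroup` alone would call the box clean.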
[quote]Plesk also defaults to port 8443 for HTTPS applications, this clashes with both Microsoft ISA servers and Microsoft Small Business Servers, which disallow non-standard ports for HTTPS.[/quote]
So now [1] choosing the pile of dung that is Microsoft ISA, and [2] not knowing how to allow custom ports, is somehow Plesk's fault? Running admin panels on non-standard ports is pretty standard practice, and makes sense if you have only one IP address and want to run an SSL site.
[quote]Plesk offers users the possibility to install web applications with just a few mouse clicks using the Application Packaging Standard.[26] On the downside, it's not always possible to upgrade these applications as easily to fix security problems, which might lead to vulnerable servers.[/quote]
Now, this is true. Updates are a bit slower than getting them from the vendors/projects directly. But, from what I see in my job every day, the average web developer doesn't know how to set file/directory permissions appropriately, doesn't know you're meant to update your web apps, and would probably break their site if they tried. And this is, again, true regardless of whether or not Plesk is being used. The average web developer will stick phpMyAdmin somewhere under his document root (/phpMyAdmin typically), some will even configure it with the root password, use it to set up his site, and then just leave it there. Seriously, most web devs are better off letting Plesk or something else handle updates.
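The habits described above are easy to find with a walk over each site's document root. Here is an added example (not Plesk's own tooling) that flags a phpMyAdmin directory reachable under httpdocs, a phpMyAdmin `config.inc.php` that uses the MySQL root account, and anything world-writable. It builds a constructed sample tree in a temp directory so it runs offline; the `httpdocs` layout and file contents are assumptions for illustration.

```python
"""Find the leftovers described above in a site's document root:
phpMyAdmin left reachable under httpdocs, a phpMyAdmin config using the
MySQL root account, and world-writable files or directories.

Added example for this page, not Plesk's own code. `build_sample_docroot`
creates a constructed tree under a temp directory so the audit runs
offline; on a real server run `audit_docroot` against each vhost's httpdocs.
"""
import os
import re
import stat
import tempfile

# Matches phpMyAdmin's  $cfg['Servers'][$i]['user'] = 'root';  style of config.
ROOT_CRED_RE = re.compile(r"\[\s*['\"]user['\"]\s*\]\s*=\s*['\"]root['\"]")


def audit_docroot(docroot):
    """Walk one document root and return sorted (relative_path, issue) findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, docroot)
            if name.lower() == "phpmyadmin":
                findings.append((rel, "phpMyAdmin reachable under the document root"))
            if os.lstat(full).st_mode & stat.S_IWOTH:  # lstat: do not follow symlinks
                findings.append((rel, "world-writable directory"))
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, docroot)
            if os.lstat(full).st_mode & stat.S_IWOTH:
                findings.append((rel, "world-writable file"))
            if name == "config.inc.php":
                with open(full, encoding="utf-8", errors="replace") as fh:
                    if ROOT_CRED_RE.search(fh.read()):
                        findings.append((rel, "phpMyAdmin configured with the MySQL root account"))
    return sorted(findings)


def build_sample_docroot():
    """Create a constructed httpdocs tree showing the three problems above."""
    base = tempfile.mkdtemp(prefix="httpdocs-")
    pma = os.path.join(base, "phpMyAdmin")
    uploads = os.path.join(base, "uploads")
    for d in (pma, uploads):
        os.mkdir(d)
        os.chmod(d, 0o755)  # explicit, so the umask cannot change the result
    os.chmod(base, 0o755)
    files = {
        os.path.join(base, "index.php"): "<?php echo 'hello';\n",
        os.path.join(pma, "config.inc.php"):
            "<?php\n$cfg['Servers'][$i]['user'] = 'root';\n"
            "$cfg['Servers'][$i]['password'] = 'hunter2';\n",  # constructed
    }
    for path, body in files.items():
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, 0o644)
    os.chmod(uploads, 0o777)  # the classic "just make it writable" fix
    return base


if __name__ == "__main__":
    for rel, issue in audit_docroot(build_sample_docroot()):
        print(f"{issue}: {rel}")
```

On the constructed tree it reports three findings: the phpMyAdmin directory itself, its config using the root account, and the 0777 uploads directory. Dropping a `.htaccess` with `Require ip` on the admin tool, or moving it outside the document root entirely, fixes the first two; the third is the one that turns any upload bug into a shell.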
Overall, Plesk itself is pretty tight. In five years and taking care of tens of thousands of Plesk servers, I have yet to see a server getting compromised through Plesk itself. I'm not saying it can't happen, but this shouldn't be keeping you up at night. Your own code is far more likely to be vulnerable.
My one fierce criticism is Plesk's choice of MTA: qmail. It's such a POS. It is riddled with so many problems, its performance is pretty poor, the way it organises the queue is terrible, it cycles through message IDs at a frightening pace, making it pretty hard to find anything in the already terrible logs, it handles DNS really poorly, and it has no concept of queue integrity. It may have been the cool new kid on the block in 1995, but compared to even Sendmail, it's a real stinker by today's standards.
Fortunately (in part due to pressure from us), Parallels now offer you a choice between qmail and Postfix. qmail is still the default when you install, but it's fairly easy to switch. There are still some odd things about the way they configure it, but they have been responsive to our bug reports and it's pretty good now.