• Our team is looking to connect with folks who use email services provided by Plesk, or a premium service. If you'd like to be part of the discovery process and share your experiences, we invite you to complete this short screening survey. If your responses match the persona we are looking for, you'll receive a link to schedule a call at your convenience. We look forward to hearing from you!
  • We are looking for U.S.-based freelancer or agency working with SEO or WordPress for a quick 30-min interviews to gather feedback on XOVI, a successful German SEO tool we’re looking to launch in the U.S.
    If you qualify and participate, you’ll receive a $30 Amazon gift card as a thank-you. Please apply here. Thanks for helping shape a better SEO product for agencies!
  • The BIND DNS server has already been deprecated and removed from Plesk for Windows.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS. We strongly recommend transitioning to Microsoft DNS within the next 6 weeks, before the Plesk 18.0.70 release.
  • The Horde component is removed from Plesk Installer. We recommend switching to another webmail software supported in Plesk.

Bug: upgrade to 10.4 disables password protected directories (with fix!)

S

shall

Regular Pleskian
Upgraded to 10.4 last month from 9.5.4 to address the reported security issue.

Aside from the problems with email and FTP, apparently there was also an issue that disabled the password-protected directories on ALL sites server-wide.

I discovered this issue today and manually re-activated the password-protection for all these directories on all domains. I initially tried to think of a way to automate the process, but since the paths are unique to each site and some use custom paths while all use the "/plesk-stat" protected directory, I felt it would be safest to just manually reactivate the protected folders for each site.

Every single site on the server suffered from this bug - the "/plesk-stat" folder for every single site was visible to the world. To test it, simply open up any domain on your site with "/plesk-stat/webstat/" for the path as so:
http://example.com/plesk-stat/webstat/
If you're not prompted for a login, you've been bit by this bug.

The fix:

1) Login to your Plesk 10.x for Windows admin panel
2) Click "Subscriptions"
3) For each (domain) in the list
3a) Click the (domain)
3b) Click "Websites & Domains"
3c) Click "Password-protected Directories"
3d) For each (directory) in the list
3d1) Click the (directory)
3d2) Click "Directory Settings"
3d3) Click "OK"
3d4) Repeat for the next (directory)
3e) Repeat for the next (domain)
4) You're done: now test thoroughly.
 
This caused me a headache

I was trying to implement web-stats and doing this "fix" caused me great pain. When I followed the steps nothing really happened except that my site went down. I kept getting a 404 Resource Cannot be Found error. I lost sight of the problem and spent hours inside Plesk Panel for Windows (10.4) trying to figure out what went wrong.

Going through my notes from last year when I set up a site I noticed I wrote down that I granted write/modify permissions to the httpdocs folder for IWPD_#(plesk_user) (where # is the assigned plesk #). And when I went to IIS I noticed those permissions were UNCHECKED.

So, what this did for me was to wipe out my previous permissions that I set up.

So just be careful. Not saying this didn't work under the exact same use case as the OP - just beware.
 
You must log in or register to reply here.

Similar threads

Hangover2
Forwarded to devs Migrator fails to migrate password protected directories
Replies
7
Views
4K
HHawk
HHawk
C
Issue Password Protected Directory not working
Replies
1
Views
3K
Markus G.
M
E
How to Set up Your WordPress Website Security
Replies
0
Views
2K
Elvis Plesky
E
E
5 Excellent WordPress Backup Solutions
Replies
14
Views
5K
MiAn
M
J
Plesk Onyx – Designed for Vultr.com
Replies
0
Views
3K
Joerg Strotmann
J
Back
Top