Documentation

Everything you need to install, configure, and get the most out of Security Audit for Plesk.

Installation

Security Audit installs like any other Plesk extension. No SSH access or command-line tools are required for installation.

From the Plesk Extension Catalog

  1. Log in to your Plesk panel as administrator.
  2. Navigate to Extensions > Extension Catalog.
  3. Search for "Security Audit".
  4. Click Install (Free) or Buy (Pro / Master).
  5. The extension appears under Extensions in the left sidebar.

Requirements: Plesk 18.0+ on Linux. PHP 7.4 or later. The audit tools (npm, composer, bundle-audit, pip-audit) must be installed on the server for their respective ecosystems to work. WordPress auditing has no external tool requirement.

Audit Tool Availability

The extension relies on CLI tools that are typically already available on a Plesk server:

  • npm — Available if the Node.js component is installed in Plesk. If missing, go to Tools & Settings > Updates & Upgrades > Add/Remove Components and install Node.js.
  • Composer — Included with Plesk's PHP component. Usually available out of the box.
  • bundle-audit — Required for Ruby projects. Needs manual installation (gem install bundler-audit) if you host Ruby sites.
  • pip-audit — Required for Python projects. Needs manual installation (pip install pip-audit) if you host Python sites.
  • WordPress — No external tool required. The extension reads PHP files directly.

If a tool is not available, the extension simply skips that ecosystem. You can check which tools are detected from the Info tab inside the extension.

Your First Scan

After installation, navigate to the Security Audit extension and click the Scan Now button on the Dashboard tab.

The scan will:

  1. Iterate through all domains on the server.
  2. For each domain, check the document root (e.g., httpdocs/) and the home path (e.g., /var/www/vhosts/domain.com/) for lock files.
  3. Run the appropriate audit tool for each detected ecosystem.
  4. Aggregate and display results on the dashboard.

The first scan can take a while. On a server with 30+ domains, the first scan may take 5-10 minutes. Progress is shown in real time. Subsequent scans are faster thanks to caching.
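The lock-file detection in step 2 (together with the FAQ note that only the document root, the home path and their first-level subdirectories are checked) can be modelled as below. This is an added example, not the extension's own code; the lock-file names come from the per-ecosystem sections of these docs, the vhost layout is constructed in a temporary directory, and skipping symlinked directories is an assumption.

```python
import os
import tempfile

# Lock file or marker -> ecosystem, as listed in the per-ecosystem sections of these docs.
LOCK_FILES = {"package-lock.json": "npm", "yarn.lock": "npm", "composer.lock": "composer",
              "Gemfile.lock": "bundler", "requirements.txt": "pip", "Pipfile.lock": "pip",
              "wp-config.php": "wordpress"}

def detect_ecosystems(document_root, home_path):
    """Map ecosystem -> directories holding its lock file, looking only at the document
    root, the home path and their first-level subdirectories (no deeper recursion)."""
    candidates = []
    for base in (os.path.normpath(document_root), os.path.normpath(home_path)):
        if not os.path.isdir(base):
            continue
        candidates.append(base)
        for entry in sorted(os.listdir(base)):
            path = os.path.join(base, entry)
            if os.path.isdir(path) and not os.path.islink(path):  # assumption: symlinks skipped
                candidates.append(path)
    found = {}
    for directory in dict.fromkeys(candidates):  # dedupe (httpdocs is usually inside home)
        for name, ecosystem in LOCK_FILES.items():
            if os.path.isfile(os.path.join(directory, name)):
                found.setdefault(ecosystem, set()).add(directory)
    return {eco: sorted(dirs) for eco, dirs in found.items()}

def demo_layout():
    """Constructed vhost layout (placeholder, not a real server): WordPress in httpdocs,
    a Composer project in app/, and an npm lock file two levels deep that must be ignored."""
    home = tempfile.mkdtemp(prefix="vhost-")
    docroot = os.path.join(home, "httpdocs")
    os.makedirs(os.path.join(docroot, "deep", "nested"))
    os.makedirs(os.path.join(home, "app"))
    for rel in ("httpdocs/wp-config.php", "app/composer.lock", "httpdocs/deep/nested/package-lock.json"):
        open(os.path.join(home, rel), "w").close()
    return docroot, home

def demo_result():
    docroot, home = demo_layout()
    found = detect_ecosystems(docroot, home)
    return {"ecosystems": sorted(found),
            "wordpress_in_docroot": found.get("wordpress") == [docroot],
            "composer_in_app": found.get("composer") == [os.path.join(home, "app")]}

if __name__ == "__main__":
    print(demo_result())
```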

Understanding the Dashboard

The main dashboard shows:

  • Severity summary cards — Total count of Critical, High, Moderate, and Low vulnerabilities across all domains.
  • Domain table — Each domain with its detected ecosystems, vulnerability counts by severity, and a total. Click any count to filter the domain detail view.
  • Last scan date — When the most recent scan completed.
  • Scan progress — When a scan is running, a progress bar shows the current domain being scanned.

Click a domain name to see its full vulnerability list. Click a severity count to see only vulnerabilities of that level.

Scan Schedule

Requires Pro or Master tier.

Navigate to the Schedule tab to configure automated scans.

  • Scan Frequency (Hourly, Every 6h, Every 12h, Daily, Weekly, Monthly): How often to run automated scans.
  • Scan Time (HH:MM, 24h format): Server time to start the scan. For hourly scans, only the minute is used.
  • Day of Week (Sunday-Saturday): Used only for Weekly frequency.
  • Day of Month (1-31): Used only for Monthly frequency.

Tip: Schedule scans during off-peak hours (e.g., 03:00) to minimize impact on server performance.

Severity Threshold

The notification threshold controls which vulnerabilities trigger email alerts:

  • Critical only — Only critical-severity vulnerabilities trigger emails.
  • High and above — Critical + High (recommended).
  • Moderate and above — Critical + High + Moderate.
  • All vulnerabilities — Everything, including Low severity.

The dashboard always shows all vulnerabilities regardless of threshold. The threshold only affects email notifications.

Email Notifications

Requires Pro or Master tier.

When a scan completes and finds vulnerabilities above your threshold, the extension sends an HTML email report. New vulnerabilities are automatically highlighted with a "NEW" badge so you can see what changed since the last scan.

Settings

  • Additional Notification Email — An extra email address that receives reports (besides the Plesk admin email).
  • Sender Email — The "From" address. Use an address from a domain hosted on the server with DKIM enabled for best deliverability.

Master-only Options

  • Email Content — Choose between All existing vulnerabilities or Only new vulnerabilities detected in the latest scan.
  • Email Recipients — Send to Administrator only, Domain owner (customer) only, or Both.

Test Email

Use the Send Test Email button on the Schedule page to verify your email configuration. Check your spam folder if you don't receive it.

Ignore List

Requires Master tier.

The ignore list lets you dismiss known or accepted vulnerabilities. Ignored vulnerabilities are excluded from the dashboard counts, email notifications, and exported reports.

To ignore a vulnerability, click the Ignore button in the Actions column on the domain detail page. You can optionally provide a reason (e.g., "not exploitable in our setup"). To restore an ignored vulnerability, go to the Ignored tab and click Restore.

Export Reports

Requires Master tier.

Export your vulnerability data for audits, compliance, or sharing with stakeholders:

  • CSV — Download a spreadsheet with all vulnerability details (domain, package, version, ecosystem, severity, title, CVE, URL).
  • Printable PDF — Opens a print-optimized HTML page with summary cards and tables, ready for Print > Save as PDF in your browser.

Export buttons are available on both the main dashboard (all domains) and individual domain detail pages.

npm

  • Lock files detected: package-lock.json, yarn.lock
  • Audit command: npm audit --json --prefix={path}
  • Timeout: 120 seconds
  • Formats supported: npm v6 (advisories) and npm v7+ (vulnerabilities)

The extension automatically detects the npm audit output format and normalizes both v6 and v7+ JSON structures into a unified vulnerability format.
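The two layouts differ in more than key names: npm v6 keys advisories by id and lists CVEs, while npm v7+ keys by package and puts advisory details in a "via" array that mixes advisory objects with bare strings naming the dependency a package is affected through. The normalizer below is an added example, not the extension's code; both JSON samples are constructed with placeholder ids and URLs, and the fallback "npm-advisory-<source>" identifier for v7+ records (which carry no CVE list) is an assumption.

```python
import json

# Constructed samples of both npm audit layouts (placeholder ids and URLs, not real advisories).
NPM_V6_SAMPLE = json.dumps({"advisories": {"1001": {
    "module_name": "example-pkg", "severity": "high", "title": "Example issue",
    "url": "https://example.invalid/advisory/1001", "cves": ["CVE-0000-00001"],
    "vulnerable_versions": "<2.0.0", "findings": [{"version": "1.4.0", "paths": ["example-pkg"]}]}}})

NPM_V7_SAMPLE = json.dumps({"vulnerabilities": {
    "example-pkg": {"name": "example-pkg", "severity": "high", "range": "<2.0.0",
                    "via": [{"source": 1001, "name": "example-pkg", "title": "Example issue",
                             "url": "https://example.invalid/advisory/1001",
                             "severity": "high", "range": "<2.0.0"}]},
    # parent-pkg is affected only through example-pkg: "via" holds a bare string, no advisory
    "parent-pkg": {"name": "parent-pkg", "severity": "high", "range": "*", "via": ["example-pkg"]}}})

def _record(package, severity, title, vuln_id, url, vuln_range):
    return {"ecosystem": "npm", "package": package, "severity": severity.lower(),
            "title": title, "id": vuln_id, "url": url, "range": vuln_range}

def normalize_npm_audit(raw):
    """Map npm v6 ("advisories") or npm v7+ ("vulnerabilities") JSON to one record shape."""
    data = json.loads(raw)
    records = []
    if "advisories" in data:                                   # npm v6 layout
        for adv_id, adv in data["advisories"].items():
            cves = adv.get("cves") or []
            records.append(_record(adv["module_name"], adv["severity"], adv.get("title", ""),
                                   cves[0] if cves else "npm-advisory-%s" % adv_id,
                                   adv.get("url", ""), adv.get("vulnerable_versions", "")))
    elif "vulnerabilities" in data:                            # npm v7+ layout
        for name, vuln in data["vulnerabilities"].items():
            for via in vuln.get("via", []):
                if not isinstance(via, dict):                  # bare string: transitive pointer only
                    continue
                # v7+ carries an advisory source id and URL rather than a CVE list
                records.append(_record(name, via.get("severity", vuln["severity"]),
                                       via.get("title", ""), "npm-advisory-%s" % via.get("source", "unknown"),
                                       via.get("url", ""), via.get("range", vuln.get("range", ""))))
    else:
        raise ValueError("unrecognised npm audit output: neither 'advisories' nor 'vulnerabilities'")
    return sorted(records, key=lambda r: (r["package"], r["id"]))
```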

Composer

  • Lock file detected: composer.lock
  • Audit command: composer audit --format=json --working-dir={path}
  • Timeout: 120 seconds

Requires Composer 2.4+ (the audit subcommand was introduced in 2.4).

Bundler

  • Lock file detected: Gemfile.lock
  • Audit command: bundle-audit check --format json
  • Timeout: 120 seconds

Install via gem install bundler-audit. The database is updated automatically by bundle-audit.

pip

  • Lock files detected: requirements.txt, Pipfile.lock
  • Audit command: pip-audit -f json -r {path}/requirements.txt
  • Timeout: 120 seconds

Install via pip install pip-audit. Uses the OSV database for vulnerability lookups.

WordPress

  • Detection: wp-config.php in document root or home path
  • Database: vulnerability intelligence feed (auto-updated)
  • Cache: 24 hours (auto-refresh, stale fallback on failure)
  • No CLI tool required: the extension reads PHP files directly

WordPress auditing checks:

  • Core version — Read from wp-includes/version.php.
  • Plugins — Scans wp-content/plugins/*/ for version headers.
  • Themes — Reads version from wp-content/themes/*/style.css.

WordPress auditing is available on all tiers, including Free.

License Tiers

Feature availability by tier:

Free, Pro and Master:
  • Full scan (all domains)
  • Dashboard & domain detail
  • 5 ecosystems (incl. WordPress)
  • Scan log

Pro and Master:
  • Scheduled scans
  • Individual domain rescan
  • Email notifications (with new vuln alerts)

Master only:
  • Email recipient selection
  • Customer portal access
  • Ignore list
  • Export CSV / PDF

Activation

License keys are managed through the Plesk billing system:

  1. Purchase a Pro or Master license from the Plesk Extension Catalog.
  2. The license key is automatically provisioned to your server.
  3. The extension detects the key and unlocks the corresponding features.
  4. Check the License tab to verify your current tier.

No manual key entry is required. If you switch tiers, the change takes effect immediately.

FAQ

Does the extension modify my site files?

No. Security Audit is strictly read-only. It reads lock files and runs audit commands but never modifies your code, dependencies, or configuration.

How long does a scan take?

It depends on the number of domains and ecosystems detected. A server with 30 domains typically takes 3-8 minutes. Each audit command has a 120-second timeout to prevent hanging.

Can customers see other customers' data?

No. Customer access (Master tier) is strictly scoped: each customer only sees their own domains. The extension uses Plesk's built-in access control to enforce this.

What happens if an audit tool is not installed?

The extension silently skips ecosystems whose audit tool is not available. For example, if pip-audit is not installed, Python projects are detected but not audited. Check the Info tab to see tool availability.

Does it scan subdirectories recursively?

No. The extension scans the document root, the home path, and their first-level subdirectories. It does not recurse into nested directories, which keeps scan times reasonable.

Can I scan a single domain instead of all?

Yes, with Pro or Master tier. Use the Rescan button next to any domain in the dashboard table.

How do new vulnerability alerts work?

The extension fingerprints each vulnerability (ecosystem + package + CVE). On each scan, it compares fingerprints against the previous scan. New vulnerabilities are highlighted with a "NEW" badge in the email report. With Master tier, you can also choose to send emails only when new vulnerabilities are found.
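The fingerprint comparison described here, together with the Severity Threshold rule (dashboard shows everything, the threshold gates only email) and the Ignore List rule (ignored findings disappear from counts and emails), as an added example that is not the extension's own code. The scan results and ignore entry are constructed with placeholder package names and CVE ids; the only_new flag models the Master-tier "Only new vulnerabilities" email content option.

```python
SEVERITY_RANK = {"low": 1, "moderate": 2, "high": 3, "critical": 4}
# The four notification threshold options, as the minimum severity rank that is emailed.
THRESHOLDS = {"critical": 4, "high": 3, "moderate": 2, "all": 1}

# Constructed scan results (placeholder package names and CVE ids, not real findings).
PREVIOUS_SCAN = [
    {"ecosystem": "npm", "package": "pkg-a", "cve": "CVE-0000-00001", "severity": "high"},
]
CURRENT_SCAN = [
    {"ecosystem": "npm", "package": "pkg-a", "cve": "CVE-0000-00001", "severity": "high"},          # seen last scan
    {"ecosystem": "composer", "package": "pkg-b", "cve": "CVE-0000-00002", "severity": "critical"},  # new
    {"ecosystem": "pip", "package": "pkg-c", "cve": "CVE-0000-00003", "severity": "low"},           # new, below "high"
    {"ecosystem": "npm", "package": "pkg-d", "cve": "CVE-0000-00004", "severity": "moderate"},      # on ignore list
]
IGNORED = [{"ecosystem": "npm", "package": "pkg-d", "cve": "CVE-0000-00004",
            "reason": "not exploitable in our setup"}]

def fingerprint(vuln):
    """Ecosystem + package + CVE identifies a finding across scans even if its title or URL changes."""
    return (vuln["ecosystem"], vuln["package"], vuln["cve"])

def meets_threshold(vuln, threshold):
    return SEVERITY_RANK.get(vuln["severity"].lower(), 0) >= THRESHOLDS[threshold]

def build_report(current, previous, ignored, threshold, only_new=False):
    """Return (visible, notify): ignored findings are dropped from both lists, the dashboard
    list ignores the threshold, the email list applies it, and findings whose fingerprint
    was absent from the previous scan carry new=True (the "NEW" badge). only_new models
    the Master-tier "Only new vulnerabilities" email content option."""
    ignored_fps = {fingerprint(v) for v in ignored}
    previous_fps = {fingerprint(v) for v in previous}
    visible = []
    for vuln in current:
        fp = fingerprint(vuln)
        if fp in ignored_fps:
            continue
        visible.append(dict(vuln, new=fp not in previous_fps))
    notify = [v for v in visible if meets_threshold(v, threshold) and (v["new"] or not only_new)]
    return visible, notify

if __name__ == "__main__":
    visible, notify = build_report(CURRENT_SCAN, PREVIOUS_SCAN, IGNORED, "high")
    for v in notify:
        print("%s%s %s (%s)" % ("NEW " if v["new"] else "", v["package"], v["cve"], v["severity"]))
```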

Changelog

v1.0.0 (2026)

  • Initial release.
  • Multi-ecosystem scanning: npm, Composer, Bundler, pip, WordPress.
  • Dashboard with severity summary cards and domain table.
  • Per-domain vulnerability detail with filtering by ecosystem and severity.
  • Scheduled scans (hourly to monthly) with configurable time.
  • HTML email notifications with new vulnerability diff detection.
  • Customer portal with independent scan storage per user.
  • Ignore list for dismissing accepted risks.
  • Export reports as CSV or printable PDF.
  • Scan log with color-coded output.
  • System info page with audit tool availability check.
  • 3-tier licensing: Free, Pro, Master.