How to Use Web Application Firewall (WAF) in Plesk
The Web Application Firewall (WAF) in Plesk helps secure your websites from hacking attempts and malicious traffic using ModSecurity rulesets.
Step 1: Log in to Plesk
Go to:
https://your-server-ip:8443
Log in with your Plesk credentials.
Step 2: Open WAF Settings
- Go to Tools & Settings (for server-wide settings), or
- Go to Websites & Domains > Apache & nginx Settings (for per-domain control)
Scroll down to the Web Application Firewall (ModSecurity) section.
Step 3: Enable WAF
If not already enabled, set Web Application Firewall mode to:
- Detection only – logs threats but does not block (good for testing)
- On – actively blocks suspicious traffic
Step 4: Choose a Rule Set
Plesk supports several rule sets, such as:
- Atomic Basic ModSecurity Rules (default, free)
- Atomic Advanced Rules (paid subscription)
- OWASP Core Rule Set (CRS) – open-source and widely used
Choose the one that best fits your security needs.
Step 5: Save Settings
Click Apply or OK to activate WAF with your selected mode and ruleset.
Changes take effect immediately and begin filtering incoming requests.
Step 6: Monitor WAF Logs
- Go to Tools & Settings > Web Application Firewall > Logs
- You can view detected or blocked requests
- Useful for debugging false positives or tuning rules
Optional: Customize WAF Settings
- Exclude specific rules that interfere with your app
- Set custom security policies for individual domains
- Use the Imunify360 WAF integration for real-time updates and machine learning protection
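To support the log review in Step 6 and the rule exclusions listed above, here is an added example (not Plesk's own code and not part of the original article): a Python script that tallies which ModSecurity rule IDs fired, on which URLs, and whether the request was only logged or actually blocked. The log lines are constructed samples, and the function names and the min_hits heuristic are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample in the style of ModSecurity messages in a web server
# error log; hosts, IPs and paths are made up.
SAMPLE_LOG = '''\
[client 203.0.113.5] ModSecurity: Warning. detected XSS using libinjection. [file "crs.conf"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [hostname "blog.example.com"] [uri "/admin/editor/save"]
[client 203.0.113.5] ModSecurity: Warning. detected XSS using libinjection. [file "crs.conf"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [hostname "blog.example.com"] [uri "/admin/editor/save"]
[client 198.51.100.7] ModSecurity: Warning. detected XSS using libinjection. [file "crs.conf"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [hostname "blog.example.com"] [uri "/admin/editor/save"]
[client 192.0.2.44] ModSecurity: Access denied with code 403 (phase 2). detected SQLi using libinjection. [file "crs.conf"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [hostname "shop.example.com"] [uri "/search"]
[client 192.0.2.44] ModSecurity: Access denied with code 403 (phase 2). detected SQLi using libinjection. [file "crs.conf"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [hostname "shop.example.com"] [uri "/login"]
[client 192.0.2.9] AH00128: File does not exist: /var/www/favicon.ico
'''

TAG = re.compile(r'\[(id|msg|uri|hostname) "((?:[^"\\]|\\.)*)"\]')
ACTION = re.compile(r'ModSecurity: (Warning|Access denied)')

def parse_line(line):
    """Return the rule fields of one ModSecurity log line, or None."""
    action = ACTION.search(line)
    if not action:
        return None                      # not a ModSecurity event
    fields = dict(TAG.findall(line))
    if "id" not in fields:
        return None                      # no rule ID to tally
    # "Warning" = logged only (Detection only); "Access denied" = blocked (On)
    fields["blocked"] = action.group(1) == "Access denied"
    return fields

def summarize(log_text):
    """Group events by rule ID: message, hit count, blocked count, URLs."""
    rules = defaultdict(lambda: {"msg": "", "hits": 0, "blocked": 0, "uris": set()})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        rule = rules[ev["id"]]
        rule["msg"] = ev.get("msg", "")
        rule["hits"] += 1
        rule["blocked"] += ev["blocked"]
        rule["uris"].add(ev.get("hostname", "-") + ev.get("uri", "-"))
    return dict(rules)

def exclusion_candidates(summary, min_hits=3):
    """Assumed heuristic: a rule firing repeatedly on one URL deserves review."""
    return sorted(rid for rid, r in summary.items()
                  if r["hits"] >= min_hits and len(r["uris"]) == 1)

if __name__ == "__main__":
    print(exclusion_candidates(summarize(SAMPLE_LOG)))
```

A rule ID returned by exclusion_candidates is a candidate to review against the application's normal traffic, not an automatic exclusion: the same pattern also appears when one endpoint is being probed repeatedly.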
Summary
| Setting | Description |
|---|---|
| Mode | Detection Only or On (Active Blocking) |
| Rule Sets | OWASP CRS, Atomic Basic/Advanced |
| Scope | Server-wide or per domain |
| Logging | View logs for threats and false positives |