Plesk Obsidian 18.0.79 arrives as an update focused on security, automation and server maintenance. This is not a release designed only to add visible features to the control panel, but one with relevant changes for administrators, hosting providers, technical agencies and teams managing Linux and Windows servers with multiple customers, websites, databases and mail services.
The release notes make the focus clear: Plesk carried out a security audit, fixed several vulnerabilities and introduced hardening improvements across different parts of the product. For a control panel that usually acts as a management layer for web, mail, DNS, databases, WordPress, certificates, users and extensions, this kind of update is not minor. Plesk is not an isolated application; it is a component that concentrates many permissions and a broad administration surface.
The version also expands the scope of the REST API, introduces new operations for files and logs, allows customers and resellers to use the API, adds support for Microsoft SQL Server 2025 and publishes a script to upgrade AlmaLinux 8 servers to AlmaLinux 9 in place. All of this points in a clear direction: Plesk wants to be less of a manual panel and more of a platform that can be integrated into automation workflows.
Security and hardening: the less visible, but most important part
The 18.0.79 update follows a broad security audit. The release notes do not publicly detail every vulnerability fixed, which is common in products with operational impact, but they do mention multiple fixes, hardening improvements and adjustments to internal components. For administrators, this should translate into a practical recommendation: plan the update as a priority, especially on internet-facing servers with multiple customers.
Among the specific changes, in Plesk for Linux, the license management component now verifies the SSL/TLS certificate of the key authentication server. It is a technical adjustment, but an important one, because it reduces risks in sensitive communications. The handling of emails sent locally through /usr/sbin/sendmail has also changed: they are now processed with DKIM signing applied, which helps with deliverability and email authentication consistency.
The Secret Keys Manager has also improved. It now shows the owner of each key and allows administrators to create keys for customers and resellers directly from the interface. In multi-user environments, knowing who controls each secret is not a cosmetic detail: it helps organise credentials, reduce confusion and improve traceability.
Plesk also announces a security change coming in version 18.0.80: the Access-Control-Allow-Origin header in API responses will no longer use * by default and will instead use the self value, meaning the Plesk server’s scheme, host and port, with support for custom ports. It is a sensible measure to reduce unnecessary exposure in web and API integrations.
The REST API gains weight for customers and resellers
One of the most relevant changes is that the REST API is no longer limited to administrator accounts. From this version onwards, customers and resellers can also use it. This opens the door to more flexible integrations for hosting providers, agencies and teams that want to delegate operations without granting full administrative access.
The version includes new endpoints to work with the file system inside a domain’s webspace. The API can download file content, upload or overwrite files, append content to the end of a file, copy, move, rename or delete files and directories. On Linux, an endpoint has also been added to modify permissions using chmod. In addition, the new logs endpoint makes it possible to search domain logs, such as Apache, nginx or PHP-FPM logs, for specific patterns.
| New REST capability | Practical use |
|---|---|
| Download file content | Backups, checks or external integrations |
| Upload or overwrite files | Simple deployments without manual panel access |
| Append content to a file | Configuration automation or logging |
| Copy, move or rename | Remote web structure management |
| Delete files or directories | Controlled cleanup from integrations |
| Change permissions on Linux | Maintenance and deployment operations |
| Search domain logs | Diagnosis without SSH access |
Impersonation with X-Impersonate-Login | Running calls on behalf of other users |
The X-Impersonate-Login header is also important. It allows administrators to execute API requests on behalf of other users without needing their credentials. Used correctly, it can simplify support, automation and internal operations. Poorly governed, it requires clear controls, auditing and permission separation. In multi-user platforms, impersonation should always be treated as a sensitive capability.
AlmaLinux, SQL Server 2025 and component changes
Plesk for Linux includes an expected novelty: a public script is now available to upgrade AlmaLinux 8 servers to AlmaLinux 9 in place. This can be useful for providers and administrators managing fleets on AlmaLinux 8 who want to avoid full reinstallations. Even so, an operating system upgrade in production should never be treated as a routine click. Extension compatibility, PHP versions, databases, external repositories, backups and maintenance windows should all be reviewed first.
On Windows, Plesk adds support for Microsoft SQL Server 2025 as a user database, with local installation through Plesk Installer. This is a logical update for those maintaining .NET environments, legacy applications or enterprise projects relying on SQL Server.
The version also removes AWStats from Plesk for Linux. GoAccess becomes the default web statistics tool. The removal of AWStats will not surprise many administrators, as GoAccess fits better with modern log analysis and more agile visualisation. mod_pagespeed is also removed from nginx, along with an update to the Google PageSpeed Insights extension, due to a security vulnerability in the PSOL library based on libwebp.
| Change | Impact for administrators |
| AlmaLinux 8 to 9 script | Makes migrations easier without reinstalling, but requires testing |
| SQL Server 2025 | Support for new databases on Windows |
| AWStats removed | GoAccess becomes the default web statistics tool |
| mod_pagespeed removed | Less risk from a vulnerable dependency |
| Contrast theme by default | Visual change in new installations |
| Dr.Web EULA and privacy policy | Explicit acceptance during installation or update |
AI support, WordPress and monitoring
Plesk keeps its AI Support Assistant in beta for servers running Plesk Obsidian 18.0.78 or later. The assistant can answer questions about Plesk features and configuration in a single conversation, although it does not yet support conversation history or automated actions. It can be enabled from panel.ini through the [copilot] section, while knowledge base article search can be enabled with [knowledgeSearch].
This feature should be seen as support, not a replacement for technical judgement. It can help resolve quick doubts or locate documentation, but administrators will still need to validate any change in real environments. The fact that it does not execute actions automatically reduces risk during this beta phase.
WP Toolkit 6.11.0 also receives important changes. Site administrators can now manage security measures from the WordPress dashboard through the WP Toolkit plugin. The API allows triggering installation scans for specific users, APS catalog integration has been removed, and the risk scoring model has been adjusted. One notable change is that vulnerabilities with an EPSS score equal to or above 0.5 are now automatically rated as critical.
WP Toolkit also fixes multiple issues: false positives in author scan blocking, problems in maintenance mode, issues with LiteSpeed, Redis Object Cache, nginx-only mode, mass security screens and memory consumption in notifications or maintenance tasks. For providers with many WordPress installations, these fixes may be more important than the new features.
On the monitoring side, Grafana has been updated to version 12.4.3 to fix multiple security issues, and Monitoring 2.11.0 now delivers threshold alerts through Grafana Unified Alerting. Alerting support has also been restored, and linux/arm64 support has been added for the built-in JSON datasource plugin.
What administrators should do before updating
Version 18.0.79 looks especially recommended because of its security focus, but that does not remove the need for planning. Administrators should review backups, check extension compatibility, read the changes in third-party components and pay attention to removals such as AWStats or mod_pagespeed. It is also worth reviewing integrations that depend on the API, especially considering the planned Access-Control-Allow-Origin change in version 18.0.80.
On Linux servers, the availability of the AlmaLinux 8 to 9 upgrade script may be an opportunity to prepare an operating system upgrade plan. On WordPress servers, WP Toolkit 6.11.0 deserves a specific review because it changes risk criteria and fixes issues affecting bulk operations.
Plesk Obsidian 18.0.79 does not completely change the panel experience, but it does reinforce sensitive areas: security, API, logs, migrations, mail, WordPress and monitoring. For administrators, this is a version that should be read less as a routine update and more as a refresh of the server’s operational foundation.
Frequently asked questions
What is the main new feature in Plesk Obsidian 18.0.79?
The main focus is security. The version follows an audit, fixes vulnerabilities and introduces hardening improvements, while also expanding the REST API and adding new endpoints.
Can the REST API now be used by customers and resellers?
Yes. Until now it was available to administrators, but this version extends it to customer and reseller accounts, making integrations easier with less administrative exposure.
What changes in web statistics for Linux?
AWStats has been removed from Plesk for Linux and GoAccess becomes the default web statistics tool.
Does Plesk now support Microsoft SQL Server 2025?
Yes. Version 18.0.79 adds support for Microsoft SQL Server 2025 as a user database, with local installation through Plesk Installer.