
Make your Server PCI Compliant

In order to pass the PCI DSS scan that a level 4 merchant (which is what most small to medium eCommerce sites are) has to complete every quarter, you need to make certain changes to your Plesk configs.


I have tried to list them all here to make the job as simple and as painless as possible!
First of all, you need to disable SSLv2 everywhere … this includes Apache, Courier IMAP and Postfix and even WordPress if you’re using it on your site!

Postfix

In /etc/postfix/main.cf, update or add the following:

smtpd_tls_cipherlist = HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
smtp_tls_cipherlist = HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3

Two caveats. First, an OpenSSL cipher string only selects cipher suites: the !SSLv2 above removes the SSLv2-era suites but does not stop Postfix from negotiating the SSLv2 protocol itself. The protocol is controlled by smtpd_tls_protocols (inbound) and smtp_tls_protocols (outbound), available from Postfix 2.6, so set both to "!SSLv2, !SSLv3" (SSLv3 has been a scan failure too since POODLE). Second, Postfix 2.3 and later treat the *_tls_cipherlist parameters as obsolete and log a warning about them; the current parameters are smtpd_tls_mandatory_ciphers / smtp_tls_mandatory_ciphers (a grade such as "high") and smtpd_tls_exclude_ciphers for specific exclusions. Run "postfix reload" when you have finished editing.

Courier IMAP

Edit /etc/courier-imap/imapd-ssl and change TLS_CIPHER_LIST to the following:


and do the same for /etc/courier-imap/pop3d-ssl. As with Postfix, the cipher list only excludes suites; the protocol version Courier is willing to negotiate is set by TLS_PROTOCOL in the same files. In the OpenSSL build of Courier the historical default, SSL23, means "negotiate anything, SSLv2 included", so change it to TLS1 (or a specific TLS version on newer Courier; the comments in the file list the values your build accepts). Restart the Courier IMAP and POP3 services afterwards.



Next, Apache

Create a file in /etc/httpd/conf.d (we use one called fido.conf) and make sure it contains the following:

<IfModule mod_ssl.c>
# Disable acceptance of weak SSL ciphers: refuse any connection attempt
# using SSLv2 (and SSLv3, which has been a scan failure since POODLE)
SSLProtocol all -SSLv2 -SSLv3

# This directive controls whether the server response header field, which is
# sent back to clients, includes a description of the generic OS-type of
# the server as well as information about compiled-in modules.
# See
ServerTokens Prod

# Disables the footer on server-generated documents, hiding the version of
# Apache being used.
# See
ServerSignature Off

# Disable the TRACE method: it echoes the request (cookies included) back to
# the client, which a cross-site tracing attack can use to steal the session ID
TraceEnable off
</IfModule>

Reload Apache once the file is in place.


In addition to securing the Apache config you also need to secure the web directories: make sure directory indexes are turned off (Options -Indexes), or that a blank index.html exists in each directory, so that an attacker can't browse around behind the scenes. You also need to block any source-control metadata directories (such as .svn or .git; note that CVS keeps its metadata in a directory called CVS, without a leading dot, which a dot-file rule does not cover). The following .htaccess snippet covers this and more ....



WordPress serves a number of forms that accept passwords over plain HTTP, wp-login.php being the obvious one. A login form reachable over an unencrypted connection is enough on its own to fail the scan. The .htaccess rules below keep the scanner (and everyone else outside your trusted addresses) away from wp-login.php, which stops it complaining. Be aware that this satisfies the scanner rather than fixing the underlying problem; the proper fix is to serve the site, or at least the login and admin pages, over HTTPS (define FORCE_SSL_ADMIN as true in wp-config.php).

.htaccess file

# PCI Compliance
<IfModule mod_rewrite.c>
RewriteEngine On

# Block access to hidden files and directories (.svn, .git, .htaccess itself, etc).
# In a per-directory (.htaccess) context the tested path has no leading slash,
# so the pattern must accept a dot at the start of the path as well as after one.
# (If you serve ACME challenges from /.well-known/, add a RewriteCond to exempt it.)
RewriteRule (^|/)\. - [R=404,L]
</IfModule>

# Only trusted addresses may reach the WordPress login form.
# Apache 2.2 syntax; on Apache 2.4 use "Require ip ..." instead.
<Files wp-login.php>
Order Deny,Allow
Deny from All

#IPv4 Addresses you trust
Allow from your.ip.address
Allow from x.x.x.x

#IPv6 Addresses which you trust
Allow from xx:xx:xx:xx::/64
Allow from yyyy:yyyy:yy::/48
</Files>


Once done, re-run your PCI scan and see what else (if anything) it complains about. If you are running the latest Plesk (v11) and also have your OS fully up to date, you should be pretty close to passing that all-important PCI scan.
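Before paying for another scan it is worth checking the edited files locally. The script below is an added example written for this page, not part of the original post or of Plesk. It reads each file and reports whether the protocol settings (not just the cipher strings) actually exclude SSLv2, and exercises itself on constructed "before" and "after" copies of each file. It assumes the OpenSSL build of Courier (where TLS_PROTOCOL=SSL23 means "negotiate anything") and Apache 2.2-style directives; the file name pci_audit.sh and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): read-only audit of the config
# files edited above, run before re-submitting the server to the PCI scanner.
# The sample files written by make_samples are constructed for this example.

# Postfix: only the *_tls_protocols parameters disable the protocol; a cipher
# string containing !SSLv2 is not enough. Inbound (smtpd) and outbound (smtp)
# sides must both exclude SSLv2. Later lines in main.cf win, hence tail -n 1.
postfix_ok() {
  for p in smtpd_tls_protocols smtp_tls_protocols; do
    case "$(sed -n "s/^[[:space:]]*$p[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1)" in
      *'!SSLv2'*) ;;
      *) return 1 ;;
    esac
  done
}

# Courier (OpenSSL build, assumption): TLS_PROTOCOL picks the version for the
# SSL ports; "SSL23" (the historical default) negotiates anything, SSLv2
# included. The cipher list must also drop the SSLv2 suites.
courier_ok() {
  case "$(sed -n 's/^[[:space:]]*TLS_PROTOCOL=//p' "$1" | tr -d '"' | tail -n 1)" in
    ''|SSL2|SSL23) return 1 ;;
  esac
  case "$(sed -n 's/^[[:space:]]*TLS_CIPHER_LIST=//p' "$1" | tail -n 1)" in
    *'!SSLv2'*) ;;
    *) return 1 ;;
  esac
}

# Value of the last occurrence of an Apache directive (names are case-insensitive).
apache_directive() {
  grep -i "^[[:space:]]*$2[[:space:]]" "$1" | tail -n 1 |
    awk '{ $1 = ""; sub(/^ +/, ""); print }'
}

# Apache: SSLProtocol must explicitly remove SSLv2 (mod_ssl 2.2 defaults to
# "all"), TRACE must be off and the banner trimmed, as in fido.conf above.
apache_ok() {
  case " $(apache_directive "$1" SSLProtocol) " in
    *' -SSLv2 '*|*' -all '*) ;;
    *) return 1 ;;
  esac
  [ "$(apache_directive "$1" TraceEnable | tr 'A-Z' 'a-z')" = off ] || return 1
  [ "$(apache_directive "$1" ServerTokens)" = Prod ]
}

# Run one check, print PASS/FAIL and count failures in the global "fails".
check() {
  if "$1" "$2"; then echo "PASS $2"; else echo "FAIL $2 ($1)"; fails=$((fails + 1)); fi
}

# audit main.cf imapd-ssl pop3d-ssl httpd-ssl.conf  -> exit status = failures
audit() {
  fails=0
  check postfix_ok "$1"; check courier_ok "$2"; check courier_ok "$3"; check apache_ok "$4"
  return "$fails"
}

# Constructed samples: "before" mirrors the starting point on this page
# (cipher lists only), "after" has the protocol fixes applied.
make_samples() {
  cat > "$1/main.cf.before" <<'EOF'
smtpd_tls_cipherlist = HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
smtp_tls_cipherlist = HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
EOF
  cat > "$1/main.cf.after" <<'EOF'
smtpd_tls_mandatory_ciphers = high
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
EOF
  cat > "$1/imapd-ssl.before" <<'EOF'
TLS_PROTOCOL=SSL23
TLS_CIPHER_LIST="SSLv3:TLSv1:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH"
EOF
  cat > "$1/imapd-ssl.after" <<'EOF'
TLS_PROTOCOL=TLS1
TLS_CIPHER_LIST="TLSv1:HIGH:!SSLv2:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH"
EOF
  cat > "$1/ssl.conf.before" <<'EOF'
<IfModule mod_ssl.c>
SSLProtocol all
</IfModule>
EOF
  cat > "$1/ssl.conf.after" <<'EOF'
<IfModule mod_ssl.c>
SSLProtocol all -SSLv2 -SSLv3
ServerTokens Prod
TraceEnable off
</IfModule>
EOF
}

# Usage on a live box (read-only): sh pci_audit.sh /etc/postfix/main.cf \
#   /etc/courier-imap/imapd-ssl /etc/courier-imap/pop3d-ssl /etc/httpd/conf.d/fido.conf
[ $# -eq 4 ] && audit "$@"
```

The "before" main.cf already contains !SSLv2 in its cipher strings and still fails, which is the point of the Postfix caveat above: the scanner tests the protocol, and only *_tls_protocols controls that. The exit status of audit is the number of failing files, so it drops straight into a cron job or a deployment check.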

