If Plesk blocks the administrator login with this message:
Access for administrator from address '203.0.113.2' is restricted in accordance with IP Access restriction policy currently applied.
then the Plesk admin IP access policy currently does not allow your source IP.
This usually happens after enabling the stricter whitelist mode:
Denied from the networks that are not listed.
In this mode, only explicitly listed IP addresses or networks can log in as Plesk administrator.
The example IPs below use documentation ranges. Replace them with your real admin IPs or VPN networks.
Symptoms
You can reach the Plesk login page, but after submitting the administrator login, Plesk shows:
Access for administrator from address '203.0.113.2' is restricted in accordance with IP Access restriction policy currently applied.
The server itself is still reachable via SSH.
Check the current Plesk access policy
Log in via SSH as root and check the policy:
plesk db "SELECT * FROM misc WHERE param='access_policy';"
plesk db "SELECT * FROM cp_access;"
Typical whitelist mode output:
+---------------+------+
| param | val |
+---------------+------+
| access_policy | deny |
+---------------+------+
access_policy = deny means Plesk is in whitelist mode: access is denied unless the source IP matches an allowed entry.
Fast recovery: temporarily allow all admin IPs
If you need to regain access immediately, reset the restriction list and switch back to the permissive mode:
plesk db "DELETE FROM cp_access;"
plesk db "UPDATE misc SET val='allow' WHERE param='access_policy';"
systemctl restart sw-cp-server sw-engine
After this, Plesk administrator login should work again from any IP, unless another firewall or proxy blocks it.
Fix whitelist mode from SSH
If you want to keep whitelist mode enabled, add your current admin IP through the Plesk database.
Example: allow 203.0.113.2/32:
plesk db "DELETE FROM cp_access;"
plesk db "INSERT INTO cp_access (type, netaddr, netmask) VALUES ('deny', '203.0.113.2', '255.255.255.255');"
plesk db "UPDATE misc SET val='deny' WHERE param='access_policy';"
systemctl restart sw-cp-server sw-engine
Yes, the type='deny' value looks counterintuitive. Plesk’s official recovery article uses this exact SQL pattern for adding an IP address back to the access list during a lockout.
Now test the Plesk login again.
Add additional admin networks
After confirming that login works again, add your other trusted networks.
Example entries:
plesk db "INSERT INTO cp_access (type, netaddr, netmask) VALUES ('deny', '198.51.100.0', '255.255.255.0');"
plesk db "INSERT INTO cp_access (type, netaddr, netmask) VALUES ('deny', '192.0.2.10', '255.255.255.255');"
systemctl restart sw-cp-server sw-engine
Check the result:
plesk db "SELECT * FROM misc WHERE param='access_policy';"
plesk db "SELECT * FROM cp_access;"
Common mistake: comma-separated networks in the UI
In Plesk, add networks one by one. Do not paste multiple networks into one field like this:
203.0.113.2/32, 198.51.100.0/24, 192.0.2.10/32
Instead, create separate entries:
203.0.113.2/32
198.51.100.0/24
192.0.2.10/32
Important notes
This setting only restricts Plesk administrator access. It does not block SSH, RDP, websites, mail services, or other open ports on the server.
For serious hardening, combine it with:
- a firewall
- VPN-only admin access
- strong administrator credentials
- two-factor authentication
- separated SSH access rules
References
- Plesk Support: Unable to log in to Plesk as administrator because of IP access restriction
https://support.plesk.com/hc/en-us/articles/12377966333463 - Plesk Documentation: Restricting Administrative Access
https://docs.plesk.com/en-US/obsidian/administrator-guide/plesk-administration/securing-plesk/restricting-administrative-access.59465/