Out of the box, Plesk is already quite secure; however, there are some further tweaks you can use without needing to pay extra... these include:
1. Tools & Settings - System Updates [ensure automatic Plesk & system updates are active]
2. Tools & Settings - Server-Wide Mail Settings [switch on spam protection based on DNS blackhole lists - you can use their suggested defaults]
3. Tools & Settings - Spam Filter Settings [switch on server-wide SpamAssassin spam filtering]
4. Tools & Settings - Spam Filter Settings [switch on server-wide greylisting spam protection - hugely reduces spam by causing messages to attempt delivery more than once (spammers almost never do)]
5. Tools & Settings - Firewall [enable]
6. Tools & Settings - IP Address Banning (Fail2Ban) [enable - and remember to set yourself as a trusted IP address, to avoid being locked out...]
7. Install and activate the Google Authenticator extension for two-factor authentication. If you have a fixed IP on your Internet broadband connection, you may also consider restricting the admin login to that...
There are further things of course, but the above gets you going, and they are low-stress items... as always, your mileage may vary!
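The greylisting behaviour mentioned in item 4, sketched as an added example (not part of the original post and not Plesk's own code): a first delivery attempt from an unknown (client IP, sender, recipient) triplet gets a temporary 451 rejection, and only a retry after a minimum delay is accepted. The 300-second delay, the one-day retry window, the class and method names, and the sample addresses are all assumptions made for illustration.

```python
import time


class Greylist:
    """Greylisting decision logic keyed on (client IP, sender, recipient)."""

    def __init__(self, min_delay=300, max_wait=86400, trusted_ips=()):
        self.min_delay = min_delay      # assumed: seconds a sender must wait before retrying
        self.max_wait = max_wait        # assumed: window in which a retry still counts
        self.trusted_ips = set(trusted_ips)
        self.first_seen = {}            # triplet -> time of first attempt
        self.passed = set()             # triplets that already retried correctly

    def check(self, client_ip, sender, recipient, now=None):
        """Return the SMTP-style reply for one delivery attempt."""
        now = time.time() if now is None else now
        if client_ip in self.trusted_ips:
            return "250 accepted (trusted IP)"
        triplet = (client_ip, sender.lower(), recipient.lower())
        if triplet in self.passed:
            return "250 accepted (known triplet)"
        first = self.first_seen.get(triplet)
        if first is None or now - first > self.max_wait:
            # Unknown triplet, or the retry window expired: start over.
            self.first_seen[triplet] = now
            return "451 try again later (greylisted)"
        if now - first < self.min_delay:
            # Retried too quickly; a real MTA will simply retry again later.
            return "451 try again later (retry too soon)"
        self.passed.add(triplet)
        return "250 accepted (retry after delay)"


def simulate():
    """Replay constructed delivery attempts: (time, client IP, sender, recipient)."""
    gl = Greylist(trusted_ips={"203.0.113.5"})
    attempts = [
        (0,   "192.0.2.10",   "news@example.org", "user@example.com"),  # real MTA, 1st try
        (5,   "198.51.100.7", "spam@example.net", "user@example.com"),  # fire-and-forget sender
        (60,  "192.0.2.10",   "news@example.org", "user@example.com"),  # retry too soon
        (900, "192.0.2.10",   "news@example.org", "user@example.com"),  # proper retry
        (950, "203.0.113.5",  "boss@example.org", "user@example.com"),  # trusted relay
    ]
    return [gl.check(ip, s, r, now=t) for t, ip, s, r in attempts]


if __name__ == "__main__":
    for reply in simulate():
        print(reply)
```

The sender that never retries stays at 451 and its message is never delivered, while the retrying server is delayed once and then passes immediately on later mail for the same triplet.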
Simply switching it on will turn on the default rule sets for a Plesk server (Windows and Linux), meaning service ports in use will be opened and others closed...
After that, it depends if you want to close some of the default ones off... which is a whole thread in itself... for example, you may decide you do not want to have insecure / non-SSL web ports, mail ports, etc. open, or you know some will not be used even though they are bundled, etc... but it really is something to consider on a case-by-case basis, although I would suggest you disable what you don't use... the below example is for Linux, so Samba (Windows file sharing) has been turned off, as well as the usual "if not allowed explicitly above, deny all other traffic" rules near the bottom.