Security and Prevention
Orbit's servers and software are configured to reduce the risk of being compromised by outside parties.
- Server Hardening - Each default web server configuration is modified by Orbit to enhance the operating environment of the overall system. This server "hardening" results in a client website, regardless of its hosting environment, being more resilient to well-known attack vectors than a default installation.
- Restricted Access - As part of Orbit's security prevention, direct access to our servers and development tools are restricted to a small list of authorized users and network locations. This "whitelist" of authorized users denotes that all request for access must be denied, unless the request for access meets specific, approved requirements. If access is granted, system permissions restrict users to specific data that only they have access rights to.
- Data Encryption - Orbit also takes care in handling client data. In addition to our access control rules and permissions, Orbit uses well-regarded standard encryption when transferring and storing client data as needed. In addition, Orbit supports and encourages the use of secure data transfer protocols for client to access Mighty-Site.
- File Logging and Monitoring - All servers send a daily digest of updated files in the previous 24 hours. Orbit Support validates all updated website script files that were made by Orbit or a known client source. If the updates are not made by a known source, Orbit will take action to address the security breach.
- Security Vulnerability Scans - Orbit conducts quarterly vulnerability scans on all Steadfast servers using OpenVAS. Orbit updates all Steadfast servers per the recommendations of these scan results prioritizing critical and high level issues. Vulnerabilities discovered to the standard Mighty-Site codebase will be fixed by Orbit. Vulnerabilities discovered to website scripts may require Orbit Support or a proposal for a scope of work with the client.
- Regardless of these precautions, new and existing security exploits are always evolving. While Orbit cannot guarantee that a website will never be compromised, Orbit is always reviewing its security methods to identify new and existing security prevention techniques.
Orbit uses an open-source monitoring system called Nagios. Orbit utilizes this system to alert the support team of server performance issues and outages:
- Nagios sends alerts via email and SMS when critical services fail and recover, providing administrators with notice of important events.
- Alerts provide time for Orbit Support to take corrective measures before critical systems become overloaded or fail. During normal business hours and waking hours, if a server fails, a Support team member will attempt to restore the server or contact the hosting provider.
- Orbit also contracts Steadfast.net for managed services as needed, which includes proactive Zenoss monitoring.
Daily Backup Service
Orbit's hosting service includes daily backup solutions. Standard backup services are provided to clients at no additional cost. These services include servers that run a web-accessible backup program called R1Soft Continuous Data Protection (CDP). This system is configured to create incremental daily backups of changed files for five days. Orbit also creates a daily backup of the database to the webserver to quickly restore the entire database if needed (which is extremely rare). If a more robust backup solution is required, a separate service or hosting agreement will be provided to the client.
- Server Hardware Maintenance and Upgrades - Server hardware maintenance and upgrades are managed by Steadfast.net as needed, usually due to hardware failures. Upgrades are requested by Orbit for performance and security reasons. Steadfast provides and installs hardware replacements and upgrades. See Steadfast.net regarding Steadfast’s SLA regarding maintenance. Orbit Support will notify the client of website downtime due to hardware updates.
- Software Maintenance and Upgrades - Orbit maintains all software installed on all servers and will upgrade the software as needed for performance and security reasons. Orbit Support will notify the client of website downtime due to software updates.
- Website Form Monitoring and Testing - Form activity is logged and reported in Mighty-Site for clients to use as a backup to emails not received. It is advised that clients audit this report, as email delivery is not 100% reliable. Each week, Orbit will report and test all Mighty-Site driven websites that did not record a successful send form action in the last seven days to ensure that the send form is properly scripted and configured. Clients may receive a test email sent by Orbit verifying that the form is working properly.
- Website Hosting Upgrades - At times, Orbit will advise a client to move their website to a different environment - for example from a Shared server to a Cloud server. Reasons include but are not limited to:
- The website receives significantly more traffic than other websites on that server, causing poor server performance.
- Large file and/or data storage requirements
- Specific security concerns due to client systems integration
Orbit Hosting Support
Orbit's Support team is available to address any website hosting issues. The team can be contacted by the support form on our site, phone, or email. The support team provides the following services according to our Support policy:
- Updates and fixes to any server with an issue that results in poor website performance or inaccessibility to end users
- Managing hosting partners to uphold the terms of their SLAs
- Notifying clients of planned maintenance and significant downtime
Client PCI Compliance Testing
E-commerce clients are likely required to use PCI compliance testing services like Trustwave and SecurityMetrics. Orbit's Support Team will audit and apply any critical and high-level issues per the terms of Orbit Support Policy or within the terms of a Management and Maintenance Services Agreement. Orbit offers this service for additional fees.
Website and Server Access FAQs
What access does Orbit hosting provide to my website?
The content management system allows you to update almost all content on your website. It also includes features to upload and manage media assets such as images, pdfs, and any static html files. There is a 10GB storage limit on shared servers.
Upon client request and Orbit review:
FTP access via SFTP to allow uploading of large media assets and/or data
MySQL access with a restricted user account via network access
Access to a git repository for outside development of non-proprietary code
What is the process for updating my Drupal or WordPress website hosted by Orbit?
Orbit Support is available to field your request or issue.
Should you require access to do your own development, we will provide a Git repository. You would use the Git repository to create your own development environment, then submit all changes to the repository. Orbit will be made aware of the pull request, review the changed code, and will provide a plan to make changes live.
What are the options for full access to my website or the server?
Orbit’s Mighty-Site® hosted service is a proprietary system, and full access to code and the server is not available.
Full access to Drupal or WordPress websites is available with dedicated or cloud server hosting
Orbit can set up a production (live) environment on an Orbit-hosted Cloud or Dedicated server. Optionally, Orbit can also set up development/staging environments
Hosting with non-Orbit servers is also an option*
What are the requirements or recommendations for hosting Wordpress or Drupal?
Minimum Recommended Requirements for Wordpress
Minimum Recommended Requirements for Drupal
A method to transfer files and data to and from the hosting environment (FTP or git via ssh for example)
*Where Orbit is not hosting, Orbit's support responsibility is to code developed or implemented by Orbit