FAQs About BitHut Services
What is 'Hosting'?
Your website needs to reside somewhere (on a web host) for your content to be seen. Since data is relayed across the Internet for reading on a viewer’s computer, the issue of “bandwidth” (the speed and reliability with which information is transferred) is a key measure to consider when selecting a hosting environment.
The discussion gets deeper with considerations of backups, version control, security hardening, intrusion detection, disaster preparedness, redundancy, server optimization and service availability. And there are a myriad of other fine details to consider, implement and maintain. Bottom line, all these considerations are important. They all impact your site's performance and effect.
WordPress is the market-leading Content Management System (CMS). Some two-thirds of all modern websites are built on this platform. WordPress is easy to use for both technical and non-technical folks. And it’s wicked powerful and scalable. That makes WordPress sustainable and feature-rich.
Magento is the market-leading CMS for e-commerce stores. Magento is a bit complicated, but it's the way to go if you're a serious retailer. This system has loads of advanced retailing, fulfillment and shipping features.
Why SEO Hosting?
If you’re serious about business, you’re well-advised to build a scalable website that can handle significant traffic in the future. And to distinguish your site from competitors, it should be fine-tuned with Search Engine Optimization (SEO) strategies. Do-it-yourself free website services with cheap hosting are fine for starter or individual sites. But before long, you’ll likely find they’re too limited for gaining significant business and web search traction.
What’s 'Unlimited' Data Transfer?
With unlimited data transfer, your users are not limited by the amount of data they download when viewing your site.
What’s 'Unthrottled' Bandwidth?
Bandwidth throttling is the intentional slowing of Internet speed by a service provider. With hosting, you get what you pay for. So by going with a premium “unthrottled” service, you’re getting faster data transfer speed.
What if I Need More Storage or a Higher Visitation Limit?
If you get close to or exceed the limit of your hosting package, we'll inform you and offer upgrade assistance. We’re happy to help you scale to any level of success.
Can I Have My Own Custom URL?
Yes. One of the huge benefits of going with professional services is that you can have your own custom URL website address. That’s great from a branding standpoint. And you'll protect traffic channels to your business.
What’s a 'Clean IP' Address?
Websites associated with “spamming” (junk mail) or fraudulent practices can have their Internet Protocol (IP) addresses blacklisted. If your website is on a shared server service and another site is blacklisted, your site might be affected. That won't happen with Clean IP service.
What’s an SSL Certificate?
SSL stands for “Secure Sockets Layer,” a security encryption technology that protects sensitive information passed over the Internet. If your website collects sensitive user information - such as names, emails, credit cards and any other form-based information - SSL Certificates are recommended. SSL Certificates are purchased and installed on an annual basis to keep encryption protocols up to date and compliant with best practices for protecting user information.
What Kind of Security Monitoring Does BitHut Provide?
Strong security measures ensure your website is protected from exploits and running at peak performance. Understanding WP Engine security measures will give you freedom to develop and operate your website within the scope of our secured environment. This document is designed to give you an overview of these security measures and how they may affect your website.
Malicious code can embed itself into a website by writing to the file system. This occurs when a vulnerability leaves the door open for malicious injection from a theme or plugin. The WP Engine environment limits the processes that can write to your disk. So even if you’re using a theme or a plugin with a vulnerability, it's extremely hard for them to be exploited.
DISK WRITE LIMITATIONS
By logging all attempts to write to your disk, we can identify both malicious and non-malicious code. If necessary, we'll make additional site-by-site allowances for special cases. Should you require an allowance, please contact our support for review.
Disk write privileges are limited to the following:
- If you're logged into the WordPress Dashboard, you're able to perform all standard functions. This includes writing posts & pages, editing themes, plugins & style sheets and activating & disabling plugins.
- CAPTCHA plugins and image editing plugins are allowed to write to disk.
- SFTP users can add, edit and delete files via a dedicated SFTP client.
DISK WRITE PRIVILEGES
Disk write privileges are blocked for the following:
- Generic PHP code and anything else in that process space that has not been given write privileges.
Some frequently used scripts are known to contain vulnerabilities. Our system scans the file structure to identify these vulnerabilities. Scripts that are insecure will be disallowed. And scripts with available updates will be automatically patched.
- TimThumb — Older versions of TimThumb are known to contain vulnerabilities. When our system scan identifies an older version, we automatically update the script. After the upgrade is complete, the system notifies you by email.
- Uploadify — Access to this script is blocked due to known security threats. To learn why, check out this blog post from our partners at Sucuri.
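A scan of the kind described above can be sketched as follows. This is an added example, not BitHut's or WP Engine's scanner, and it only reports an action per file rather than patching or blocking anything. The version pattern, the `MIN_TIMTHUMB` floor, the match on file names beginning with `uploadify`, and all sample files are assumptions made for illustration.

```python
import os
import re
import tempfile

# Assumption: the script declares its version as  define ('VERSION', '2.8.13');
VERSION_RE = re.compile(
    r"define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"]([0-9]+(?:\.[0-9]+)*)['\"]")
MIN_TIMTHUMB = (2, 8, 14)  # assumed policy floor; the page names no version

def classify(name, text):
    """Return (action, detail) for one PHP file, or None if nothing to do."""
    if name.lower().startswith("uploadify"):  # assumed naming of the script
        return ("block", "uploadify script")
    if "timthumb" not in text.lower():
        return None
    m = VERSION_RE.search(text)
    if m is None:  # renamed or edited copy: send to a human, do not guess
        return ("review", "TimThumb marker without a version")
    old = tuple(int(p) for p in m.group(1).split(".")) < MIN_TIMTHUMB
    return ("update", "TimThumb " + m.group(1)) if old else None

def scan(root):
    """Walk root; return sorted (relative path, action, detail) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in (f for f in files if f.lower().endswith(".php")):
            path = os.path.join(dirpath, name)
            with open(path, errors="replace") as fh:
                hit = classify(name, fh.read(65536))  # the header is enough
            if hit:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel,) + hit)
    return sorted(findings)

def build_sample_tree(root):
    """Write constructed sample files (not from any real site) under root."""
    samples = {
        "themes/a/thumb.php": "<?php /* TimThumb */ define ('VERSION', '1.19');",
        "themes/b/timthumb.php": "<?php /* TimThumb */ define ('VERSION', '2.8.14');",
        "plugins/g/uploadify.php": "<?php // upload handler",
    }
    for rel, body in samples.items():
        os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(*scan(tmp), sep="\n")
```

Matching on file content rather than file name catches copies of the script that a theme ships under another name, such as the `thumb.php` sample here.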
Some plugins expose a website to vulnerabilities. This is unintentional nearly all the time, but we still have to draw a line in the sand. Our system scanner searches for these plugins and automatically disables them. We also disable certain plugins for performance reasons. Our comprehensive list of disallowed plugins (along with reasons for banning them) is found here.
Here are some FAQs about our security processes.
Do you provide a segregated environment (physically or logically) so each customer’s data is isolated and protected against any unauthorized access?
Yes. We offer dedicated environments for customers of various profiles. Our dedicated and Enterprise solutions benefit customers who create exceptional value from their websites and their visitors. Fully dedicated environments which aren’t shared with other WP Engine customers and don’t share processing power, memory, disk space or other system resources have many advantages. This includes improved reliability, mitigated risk and better positioning for growth and success.
Dedicated server environments are particularly valuable for websites with high transaction volume. We happily support demanding WordPress sites.
We still offer enterprise-level service for customers who don’t require fully dedicated hosting environments. For these customers we offer logical separation, which is achieved through separate file system roots for each customer. Both “chroot” and “apparmor” prevent executable code from one customer from accessing files of another customer. Each customer has a separate MySQL username/password to isolate database access. Attempts to access data outside the tree are prevented and logged.
We offer fully segregated hosting environments for all our customers.
Are backup tapes kept?
Yes. Backups are maintained so each customer’s data is kept logically separate from other data. Full backups are stored as tarballs on Amazon S3. Customers do not have access.
Do you conduct or arrange in-house vulnerability scanning for all infrastructure, servers, databases and applications on at least a quarterly basis? Please describe how vulnerability scanning reports are used by your company and how remediation of vulnerabilities occurs.
Yes. We have tools and custom scripts in-house for vulnerability scanning. We scan externally (through network connections) and internally (scanning disks and databases for known vectors and exploits).
We also contract with well-regarded security firms, including Sucuri, for auditing and remediation.
Reports are processed internally and remedied as fast as possible with the assistance of these firms. Any changes are reported on our public status blog, but only after we’ve made the changes to reduce the chance of exposure.
Does your computing environment undergo external penetration testing by an independent, qualified vendor at least once per year? Please describe how penetration testing reports are used by your company and how remediation of vulnerabilities occurs.
Yes, security firms perform external penetration testing. See previous question for details.
Can we (your customer) perform penetration testing of our WordPress installations hosted in your environment?
Please contact us for further information.
Does your data center environment undergo a SAS 70 Type II examination at least annually?
Is all computing equipment located in a physically secure facility, where electronic access controls are used to prevent unauthorized access to computing facilities?
Yes. Neither we nor our customers have physical access. This is controlled completely by our hosting providers.
Are firewalls configured based on the principle of least privilege, where firewalls only allow approved applications, protocols, and services required to meet business needs?
Are intrusion detection or intrusion prevention systems used to monitor and/or protect your network?
Yes. They are updated monthly, or as-needed.
Do you encrypt backup media?
Yes. We use Amazon S3 for backups, so consult their information about encryption for details.
Do you conduct or require background screenings for all personnel (employees and contractors) that have access to critical infrastructure, servers, applications, or data?
Do you use documented security baselines to harden and secure IT systems? Please describe how you ensure that security baselines are implemented and working effectively.
Yes. Our security firms establish baselines and ensure we’re adhering to them. These change over time as new information and processes are put into place.
Do you maintain reasonable security precautions consistent with industry best practices, as documented in standards such as ISO/IEC 27002?
Yes, but we do not specifically support ISO/IEC 27002.
Do you maintain detailed audit logs that capture at a minimum a) host name, b) account identifier, c) date and time stamp, d) activity performed, and e) source network address? Are audit logs kept for at least 90 days?
Yes, but audit logs are kept for at most 7 days.
If an information protection incident were to occur, are you able to provide audit logs to the customer for our review?
Yes, for certain logs, especially access logs. There might be some logs which we cannot show you. We will work with you to help determine the nature of the exposure and what you might want to do to remediate.
How often are Backups Run?
Backups are auto-generated every 24 hours.
What is Priority Support?
Priority Support means we will address your issue fast! You will be able to talk to someone on our team who is interested in and capable of helping you.
What's included in Your Performance Report?
The performance report will include information about site speed, spelling, search engine rank, analytics, W3C compliance, alt text, broken links, social media visibility, URL formats, readability, missing files, amount of content, printability, popularity, freshness and much more.