GuildPortal FAQ

Frequently Asked Questions about GuildPortal Hosting


Q: What Does GuildPortal Do About Security?

Servers

GuildPortal's web and database servers are always kept up-to-date with the latest security updates, automatically. If a security-related update is available, it is applied immediately, even if that means an unannounced down-time event for a restart.

Web servers are equipped with an ISAPI filter that checks every single request before it even touches the GuildPortal code, filtering out common (and not so common) attempts at hacking. The filter also checks for and completely blocks unusual requests, alerting GP administrators of the activity.

Code

At the core of its code base, GuildPortal is also checking every request for possible malicious content, even though any such request has already passed the ISAPI filter. Requests to web pages, javascript files, and even normally un-checked resources are scanned for anything suspicious. Depending upon the severity, a would-be attacker could be presented with an innocuous "not found" response, immediate black-listing, and server-level banning with an automatic report of their actions sent to their internet service provider.

Because most other guild hosts use a combination of open-source software as the base and components of their offerings, they are at high risk of being compromised, since anyone can check their code (or the building blocks their code is based on) for vulnerabilities. Because GuildPortal's code is not open-source or based upon any other platform, it is not available for close inspection by anyone, excepting ourselves.

Administration

Support accounts, which are used to conduct activity in response to support tickets, are not possible to login to except from specific locations.  Even so, the potential damage that rights granted by such accounts is mitigated by the fact that none of our core administrative tools are web-based.

Auditing

We perform regular checks of the system to ensure it is safe from attacks, although we will not disclose the methods here for security reasons. However, our main focus is on writing code that is not vulnerable to attacks, making auditing a step we take as part of overall code review, not as a crutch.

All attempted attacks are logged and reviewed daily. The volume of these can be quite large. Although they are not successful, we still block individual IP addresses (and sometimes entire ISPs, depending upon the volume and nature of the attacks) simply to rid the site of traffic that doesn't do anybody any good.

The fact that there are attempted attacks every day may sound alarming, but in truth it happens to every web site of any volume, and web sites focused on online gaming are a popular target. GuildPortal is not only capable of detecting and blocking these attacks, but it is also has the advantage of not being susceptible to them, even if they got through.