D4.FR builds software for hosting providers, web agencies & freelancers · Discover Orbiter, our flagship product
Orbiter · Shield & Fortress

Your CMSes, armored at the kernel level.
WAF + anti-exfiltration built in.

Shield mounts your site code read-only at the Linux kernel level. Fortress adds nginx WAF, PHP hardening, real-time upload scanner and network egress control. No cosmetic chmod — real, kernel-enforced protection.

Layer 1 — Shield

Armored protection at the kernel level

The docroot is mounted read-only at the kernel VFS level via a Docker :ro bind mount. Even a compromised root inside the container cannot write.

Kernel :ro mount

Docker bind mount read-only at the VFS level. No chmod, chattr or PHP exploit bypasses it. Structural protection, not cosmetic.

8 pre-configured CMS profiles

WordPress, WooCommerce, Joomla, PrestaShop, Magento, Drupal, Laravel and Custom. Each profile knows which folders to keep writable (uploads, cache, sessions).

Surgical RW folders

Only the truly necessary folders (wp-content/uploads, cache, logs) stay writable. Everything else — core, plugins, themes — is immutable.

nginx exec-block in RW zones

On top of the kernel mount, nginx returns 403 for any .php / .phtml / .phar / .pl / .cgi / .sh / .py uploaded into writable zones. Defense in depth.

5-min watchdog audit

The healthcheck cron verifies from inside the container that the docroot is still read-only. Instantly detects any mount drift.

1-click activation, reversible

Button in the UI or shield-enable CLI command. Can be activated at container creation. Can be disabled hot, without data loss.
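
One way to implement the read-only check behind the 5-min watchdog audit described above. This is an added example, not Orbiter's own code: the function names, the /var/www/html docroot and the sample mount table are all assumptions constructed for illustration.

```python
import posixpath
import re

# Constructed sample of /proc/self/mountinfo; every path here is hypothetical.
SAMPLE_OK = (
    "100 90 0:50 / / rw,relatime - overlay overlay rw\n"
    "101 100 8:1 /sites/demo/www /var/www/html ro,relatime - ext4 /dev/sda1 rw\n"
    "102 101 8:1 /sites/demo/up /var/www/html/wp-content/uploads rw,relatime - ext4 /dev/sda1 rw\n"
)
SAMPLE_DRIFT = SAMPLE_OK.replace("html ro,", "html rw,") + (
    "103 101 8:1 /sites/demo/p /var/www/html/wp-content/plugins rw,relatime - ext4 /dev/sda1 rw\n"
)

def parse_mountinfo(text):
    """Return [(mount_point, read_only)] using the per-mount options (field 6)."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or "-" not in fields:
            continue  # not a mountinfo record
        # The kernel escapes space, tab, newline and backslash as \ooo octal.
        point = re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), fields[4])
        # A :ro bind mount is "ro" here even when the superblock options say "rw".
        mounts.append((posixpath.normpath(point), "ro" in fields[5].split(",")))
    return mounts

def covering_mount(mounts, path):
    """Mount governing `path`: longest mount-point prefix, later entries win ties."""
    best = None
    for point, read_only in mounts:
        prefix = point.rstrip("/") + "/"
        if (path + "/").startswith(prefix) and (best is None or len(point) >= len(best[0])):
            best = (point, read_only)
    return best

def audit(text, docroot, writable):
    """Return drift findings; an empty list means the expected layout holds."""
    docroot = posixpath.normpath(docroot)
    mounts = parse_mountinfo(text)
    allowed = {posixpath.normpath(posixpath.join(docroot, w)) for w in writable}
    findings = []
    root = covering_mount(mounts, docroot)
    if root is None or not root[1]:
        findings.append(f"docroot {docroot} is not on a read-only mount")
    for point, read_only in mounts:
        if point.startswith(docroot + "/") and not read_only and point not in allowed:
            findings.append(f"unexpected writable mount {point}")
    return findings
```

Inside a container, the same audit() call can be fed the contents of /proc/self/mountinfo in place of the sample text; a non-empty result is the mount drift to alert on.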

Demonstration

Cosmetic chmod vs kernel mount

Classic chmod protection
Enforcement level: Userspace
PHP bypass: chmod()
Root bypass: Trivial
Dropping a malicious .php: Succeeds
Audit detection: None

Shield (Docker :ro)
Enforcement level: Kernel VFS
PHP bypass: Impossible
Root bypass: Impossible
Dropping a malicious .php: EROFS
Audit detection: 5-min watchdog

Layer 2 — Fortress

Layered anti-exfiltration

nginx WAF generated per rule, PHP hardening, real-time upload scanner and network egress control. Activate / deactivate layer by layer.

7-rule nginx WAF

SQLi, LFI, XSS, RFI, scanners, sensitive files, PHP exec in upload zones, xmlrpc, rate-limit. Generated from the store, injected at reconfigure-domain time.

Real-time upload scanner

systemd service per domain. MIME check (libmagic), PHP pattern, ZipSlip, SVG, PDF, Shannon entropy, Pillow image regeneration. 7 individual checks.

PHP hardening

Surgical disable_functions (exec, system, passthru, ...) + open_basedir + extra-disable / extra-allow per domain. Optional strict mode for risky zones.

Controlled egress

3 modes: permissive (default), standard (block bind-shell to non-whitelisted IPs), strict (internal DNS + strict IP allowlist). Prevents data exfiltration.

WordPress hardening

Block xmlrpc.php, block REST API if unused. Mu-plugin dropped into wp-content/mu-plugins/ for inline protections.

Built-in WAF test

The "Test WAF" button runs a real curl with a SQLi payload against the domain and checks that nginx returns 403. Continuous validation, not declarative.

8 Shield CMS profiles
7 Fortress WAF rules
7 Upload scanner checks
0 Client code modified

Free Demo

See Shield + Fortress in action

Live demo: we attempt a malicious PHP upload on a WordPress site and watch Shield + Fortress block it. No commitment.
