MLM Software Security

Your Data. Your Server. Secure by Design.

MLMOrbit's security starts with the most important decision: your data lives on your server, not ours. Built on Laravel — with built-in protection against SQL injection, XSS, and CSRF — with Google 2FA, Transaction Password for every financial operation, OTP on wallet purchases, IP activity logging, and role-based access. Every financial action authenticated. Every user action logged.

Your server — data never passes through MLMOrbit infrastructure after installation
Transaction Password — a separate financial password for all money movement
Every user action logged with IP and timestamp — full audit trail
Your Server — Self Hosted Data Owned
Laravel Framework Security Built In
Google 2FA (MFA) Configurable
Transaction Password Always Required
OTP on Wallet Purchases Configurable
IP Activity Logging Always On
Role-Based Access Control Always On
Keep Your Data

The Most Important Security Decision Is Where Your Data Lives

Most MLM software is SaaS — your data lives on their servers, in their databases, under their control. If they have a breach, your distributors' data is exposed. If they go down, your business goes down. If they change their terms, your options are limited. MLMOrbit is different.

SaaS Cloud MLM

Their Servers. Their Rules.

Your distributor data stored on their infrastructure
Their breach = your members' data exposed
Their downtime = your business down
Monthly fees — ongoing dependency on their platform
MLMOrbit — Self Hosted

Your Server. Your Data.

Installed on your Linux Ubuntu VPS — your database
MLMOrbit has no access to your data after installation
Your uptime depends on your VPS — not our infrastructure
One-time license — no ongoing dependency on our platform

Every Member Record Is on Your Server

Member names, addresses, purchase history, wallet balances, commission records, rank history, genealogy data — all stored in your MySQL database on your Linux Ubuntu VPS. Nobody outside your organisation can access it.

No Data Passes Through MLMOrbit After Installation

Installation is a one-time event. After installation, your MLMOrbit instance runs independently on your server. Commission calculations, wallet credits, rank evaluations — all run on your hardware. No data flows back to us.

Developer Edition — Full Source Code

Developer Edition includes full source code with Git access. Your development team can audit every line — no black boxes, no hidden data collection, no proprietary components you can't inspect.

Laravel Security

Built on a Framework That Takes Security Seriously

Laravel is not a choice of convenience. It is the PHP framework with the most comprehensive built-in security tooling — used by enterprise applications handling millions of transactions daily. MLMOrbit inherits that security layer as the foundation.

SQL

SQL Injection Prevention

Laravel's Eloquent ORM uses parameterised queries by default. No raw SQL from user input. Database commands cannot be injected through form fields or URL parameters.

XSS

Cross-Site Scripting Protection

Laravel's Blade templating engine escapes output by default. Malicious scripts entered by users cannot execute in other members' browsers.

CSRF

Cross-Site Request Forgery

Every form in MLMOrbit includes a CSRF token. Requests without a valid token are rejected. Attackers cannot trick authenticated users into submitting actions they didn't initiate.

MASS

Mass Assignment Protection

Eloquent's guarded model protection prevents unintended data writes. Attackers cannot inject additional database fields by manipulating request payloads.

What This Means Without the Jargon

SQL?

A hacker cannot type something into a login form that tricks the database into revealing other members' passwords. Laravel prevents this at the database query level.

XSS?

A distributor cannot put malicious code in their profile name that then executes when admin views their record. Laravel escapes all output before displaying it.

CSRF?

A member cannot be tricked into clicking a link that secretly submits a withdrawal request from their account. Every form action requires a valid token that only the real page can generate.

AGE?

Laravel has been maintained by a large open source community since 2011. Security vulnerabilities are found and patched continuously — not once at launch. Your MLMOrbit installation benefits from 13+ years of community security hardening.

Security Layers

Every Layer of Protection — What It Does and When It Applies

MLMOrbit applies multiple security layers above the framework. Some are always on. Some are configurable. All are purpose-built for the specific security requirements of a direct-selling financial platform.

Security LayerWhat It DoesStatus
Google 2FA (MFA) Two-factor authentication via Google Authenticator. Member enters time-based OTP from their phone in addition to their password at login. Configurable per user from admin panel. Configurable
Transaction Password A separate financial password required for all money movement — withdrawals, fund transfers, and wallet purchases. Different from the login password. Even a compromised login cannot move funds without the Transaction Password. Always On
OTP on Wallet Purchases One-time password sent to member's registered mobile or email before their wallet balance is used for a product purchase. Adds a second confirmation step for wallet spending. Configurable
IP Activity Logging Every login, order, account change, and financial action is logged with username, IP address, action description, and timestamp. Both per-user history and platform-wide logs available to admin. Always On
Role-Based Access Control Admin, Sub-Admin, and Staff roles enforced at the application level. Staff cannot see financial data. Sub-Admin cannot access Settings. Each role accesses only what their function requires. Always On
Password Hashing Member passwords are stored as bcrypt hashes — never in plain text. A database dump cannot reveal member passwords. Admin cannot see member passwords — only reset them. Built In
Fund Transfer 2FA Optional two-factor verification specifically on member-to-member fund transfers. Separate from login 2FA — adds a dedicated authentication step before any peer transfer is authorised. Configurable
Financial Security

Transaction Password — The Financial Security Layer

A login password protects your account. A Transaction Password protects your money. MLMOrbit requires a separate financial password for every money movement — even if the member is already logged in.

Why a separate password?

In most software, logging in is the only gate. If a member's login credentials are compromised — through phishing, a weak password, or a shared device — an attacker has access to everything, including their wallet and withdrawal capability.

MLMOrbit requires a Transaction Password that is completely separate from the login password. A compromised login only gives access to account information — not the ability to move money. The Transaction Password is the second gate that protects the financial layer specifically.

Member Logs In — Login Password

Standard login with username and password (+ optional 2FA). Member is now authenticated. Can view account, genealogy, reports.

Member Initiates Financial Action

Member requests a withdrawal, initiates a fund transfer, or purchases with wallet balance. Financial action detected.

Transaction Password Required

MLMOrbit prompts for the Transaction Password — separate from the login password. Member must enter it to proceed. This step cannot be bypassed.

Authorised — Action Proceeds

Transaction Password verified. Financial action executes. Action logged with timestamp, IP, and Transaction Password confirmation.

Which Operations Require Transaction Password

Every financial operation in MLMOrbit requires the Transaction Password — regardless of how recently the member logged in.

Withdrawal Request
Requesting payout from Loyalty Wallet to bank account
TX PASS
Fund Transfer
Sending wallet balance to another member
TX PASS
Wallet Purchase
Spending Growth Wallet or Circular Economy Wallet at checkout
TX PASS
ePin Creation
Creating an ePin that debits the wallet balance
TX PASS
Activity Logging

Every Action Logged. Every IP Recorded.

MLMOrbit logs every user action with the username, IP address, action description, and timestamp — automatically, always. No action in the platform is untracked.

Per-User Activity Log

Admin drills into any member's profile and views their complete activity log — every login, every order, every account change, every financial action — with IP address and timestamp. Support resolution, fraud investigation, and dispute resolution are all handled from this view.

Platform-Wide Activity Logs

Admin reports include a platform-wide Activity Log — filterable by date range and searchable by username. Any unusual pattern — multiple login attempts, activity from a new IP, unusual transaction volume — is visible and traceable.

Login History Per Member

Separate from the activity log, every member has a Login History tab in their admin profile — showing each login event with IP address and timestamp. If a member reports an unauthorised access, admin sees exactly when and from where.

Activity Log — Admin View

Username IP Address Action Time
demouser1 203.82.14.9 Withdrawal request — $250 — Loyalty Wallet 14:32:18
demouser3 117.55.98.41 Login successful 14:29:05
demouser7 89.203.14.7 ePin created — $100 — Growth Wallet debited 14:27:44
newmember42 45.123.88.20 Account activated via ePin EP-4X8K-9M2R 14:22:11
demouser2 192.168.1.1 Order placed — Protein Powder 1kg — $45.00 14:18:33
admin 10.0.0.5 Login as User — demouser1 (support session) 14:15:00
Note the last entry: admin's Login as User action is logged — the admin username, the member they accessed, the IP, and the timestamp. Support sessions are never silent.
Access Control

Every Team Member Sees Only What They Need

Role-based access is not a configuration option in MLMOrbit — it is the architecture. Three roles, enforced at the application level, with no override at the user level.

FULL ACCESS

Admin

Complete access to all modules including Settings, Finance, Users, Reports, CMS, Tools, and system configuration. Only Admin can modify compensation settings, payment gateways, or system-wide rules.

Dashboard Users Finance Settings Reports CMS Tools Tickets
OPERATIONS

Sub-Admin

Day-to-day operations — member management, payout approvals, fund request processing, reports, CMS content, and Tools. Cannot access Settings or modify system configuration.

Dashboard Users Finance Reports CMS Tools Tickets
TICKETS ONLY

Staff

Support ticket management only. Staff can view and respond to tickets. Has no access to member financial data, wallet balances, genealogy, reports, or any other module.

Tickets

Admin Security Actions — Per Member

Suspend User

Instantly blocks the member's access to the platform. Wallet balances preserved. Reversible by admin.

Reset Password

Forces the member's login password to reset. Member receives a reset link. Admin cannot see the new password.

Login as User

Admin accesses member's account for support. Fully logged — admin username, member username, IP, timestamp. Cannot be silent.

Resend Verification

Resends mobile verification to the member's registered number. Useful for onboarding support without account access.

Backup & Recovery

Your Data. Your Backup. Your Responsibility.

Because MLMOrbit runs on your server, backup is your responsibility — which is both the security advantage and the operational obligation of self-hosting. We recommend the following schedule for an active MLM network.

Daily

Full Server Backup

Complete server snapshot including all files, configuration, and database. Most VPS providers offer automated daily snapshots. Recommended retention: 7 days.

Hourly (Active Networks)

Database Backup

The database holds all member data, wallet balances, commission history, and genealogy. For active networks with frequent transactions, hourly database dumps are strongly recommended. mysqldump to a remote location or backup service.

Critical

Off-Server Storage

Backups stored only on the primary server provide no protection if the server itself fails. Backup to a separate storage service — S3, Backblaze B2, or your VPS provider's backup service.

Server Requirements

MLMOrbit requires a Linux Ubuntu VPS. Shared hosting is not supported — it does not provide the isolation, memory, or control required for a production MLM platform.

OS: Linux Ubuntu 20.04+
PHP: 8.4+
RAM: Minimum 8GB
Database: MySQL
Cache: Redis
Hosting type: VPS only — shared hosting not supported

Free installation included. Our engineering team installs MLMOrbit on your VPS, configures the server environment, and hands you the keys. No technical knowledge required to get started.

FAQ

MLM Software Security — Questions Answered

Common questions about how MLMOrbit protects distributor data, how financial operations are authenticated, and what happens on your server after installation.

See security features in demo →
Your MLMOrbit installation runs on your own Linux Ubuntu VPS. All member data, wallet balances, commission records, transaction history, and genealogy data are stored in your database on your server. MLMOrbit does not have access to your data after installation is complete. There is no central cloud where client data is aggregated. Your data is yours — not ours, not shared with any third party.
Yes. MLMOrbit is built on the Laravel PHP framework which provides built-in protection against the most common web vulnerabilities. SQL injection is prevented through Laravel's Eloquent ORM which uses parameterised queries by default. XSS is prevented through automatic output escaping in Blade templates. CSRF is prevented through tokens on every form submission. Mass assignment is prevented through Eloquent's guarded model protection. These are not add-ons — they are built into the framework used to build every part of MLMOrbit.
Transaction Password is a separate financial authentication password required for all money movement in MLMOrbit — withdrawal requests, fund transfers, and wallet purchases. It is completely different from the member's login password. A member must enter their Transaction Password to authorise any financial operation, even if they are already logged in. This means that if a member's login credentials are compromised, the attacker cannot move funds without also knowing the Transaction Password — a completely separate credential they would also need to obtain.
MLMOrbit integrates with Google Authenticator for two-factor authentication. When enabled, members must enter a time-based one-time code from their Google Authenticator app in addition to their password at login. Google MFA can be enabled or disabled per user from the admin panel. The admin Settings module also contains the Google MFA configuration for platform-wide 2FA policy. Settings → Google MFA controls the platform configuration. Individual user 2FA is managed from the Users module.
Yes. MLMOrbit includes a Login as User function in the admin panel that allows admin to access a member's account for support purposes — to diagnose a reported issue, verify a balance, or investigate a transaction. Every Login as User session is fully logged — the action appears in both the platform-wide activity log and the member's login history, with the admin's username, the member's username, the IP address, and the timestamp. It cannot be used silently. Any Login as User action is visible to any admin who reviews the activity logs.
MLMOrbit runs on a standard Linux Ubuntu VPS, which supports automated backup scheduling through your hosting provider. Recommended schedule: daily full server backup and hourly database backup for active MLM networks. Most major VPS providers — DigitalOcean, Vultr, Linode, AWS EC2 — offer automated snapshot and backup services. Critical: store backups off-server in a separate storage service (S3, Backblaze B2) — backups on the primary server provide no protection if the server itself fails. MLMOrbit does not manage backups — as a self-hosted platform, backup responsibility belongs to the server owner.
Keep Your Data

Your Server. Your Data. Installed and Secured by Our Team.

We install MLMOrbit on your VPS, configure every security layer, and hand you the keys. Your data never touches our infrastructure after installation. No technical knowledge required to get started.