Hosting & Security
The CampusPress Technical Guide
Hosting & Infrastructure
CampusPress has carefully selected partners for hosting data centers to physically house the servers that we use. CampusPress staff remotely manage and maintain the servers and applications in these datacenters.
The two partners include Amazon Web Services (AWS) and Peer1. CampusPress, and our customers, are able to leverage certifications and security assurances by these partners as it relates to physical security.
Amazon Web Services
Amazon Web Services is trusted by governments and institutions worldwide. For security reasons, Amazon does not share specifics such as physical locations or network infrastructure with the public.
Certifications include ISO27001:2005, SSAE16 SOC 1, SOC 2, SOC 3, and PCI-DSS ROC.
Peer1 also hosts many of the largest websites on the web, including WordPress.com and WordPress VIP.
Certifications include SSAE 16, CSAE 3416, and ISAE 3402.
Datacenters & Hosting Regions
All data centers include the highest levels of 24//365 on-site security, regulated climate control, redundant power, automated off-site backups, and industry-leading network infrastructure.
In order to comply with local legal requirements, each customer can choose to be fully hosted in one of four regions, including:
Hosted in Amazon Web Services’ Sydney Region: aws.amazon.com
Hosted in Peer1’s Toronto data center: cogecopeer1.com/en/services/hosting/infrastructure
Hosted in Peer1’s Portsmouth, UK data center: cogecopeer1.com/en/services/hosting/infrastructure
Hosted in Amazon Web Services’ Virginia Region: aws.amazon.com
Infrastructure and Architecture
Our fully managed networks include multiple web, database, mail, and load balancing servers. We’re generally able to add, replace, and do maintenance on hardware without impacting performance or needing scheduled downtime.
We only host WordPress Multisite, and fine-tuned to support it, including Apache web servers with PHP, NGINX for load balancing, and MYSQL databases.
We use Docker containers with Ansible to isolate each WordPress install from each other, while still allowing each site to benefit from the scalability that comes with our infrastructure. Customer code base is separated in unique Bitbucket repositories.
In our US and AU regions, all images, documents, and other user files are uploaded securely to Amazon S3 so that they are able to be served at much faster speeds using Amazon’s vast cloud network.
As a CloudFlare Certified Partner, we make available their services at no additional costs to help protect and accelerate sites we host. This includes a CDN, advanced DDOS protection, and Railgun speed improvements.
Cache and Traffic Spikes
All text content on the public side is cached automatically so that no matter how many visitors your site gets, speeds stay fast. We handle billions of page views each year, and are confident we can handle the largest of any sudden traffic spikes.
SSL & HTTPS
We encourage enabling https/SSL protection for all logged in user activity. Customers can provide SSL certs or we can obtain certs via CloudFlare.
Backups & Disaster Recovery
There are multiple backup and replication processes in place.
Networks are hosted on a cluster of multiple web and database servers for built-in replication and redundancy. Nightly database backups are encrypted and then stored with Amazon S3. Backups are kept for at least 30 days. Backups are verified and full restores are tested on a bi-weekly basis.
Our data center partners, Peer1 and Amazon, both also perform their own regular backups of their servers that are stored off site (but within the same country) in order to protect against natural disasters or catastrophic events.
In many cases, our extensive database logs can be used to roll back or recreate content and data as well. Restore times depend on the size of the WordPress network and the cause of the disaster, but full backup recovery should take no more than 24 hours.
We use a variety of tools to automatically monitor performance and reliability of the service, including Munin, Nagios, StatsD/Graphite, Pingdom, and New Relic.
All services are set to send automated alerts to our support and systems teams, which are monitored and handled 24/7. These tools also provide us with a wealth of information and data so that our team can constantly work to improve performance and efficiency in our service.
General Security Information
The security and reliability of our service is our number one priority.
In addition to the general WordPress security features, we have staff who perform daily checks of industry security blogs, websites and newsletters to keep on top of any potential vulnerabilities that pertain to the systems we use or employ.
We use ClamAV for all servers and TrendMicro and Norton for our desktops with regular updates as needed. We use WPScan for WordPress code and database monitoring.
Any WordPress core, plugin, or theme security patches will be applied within 24 hours of release.
See wordpress.org/about/security for details on the security of the WordPress core.
Every CampusPress employee goes through background checks and an onboarding process that includes a trial period where access to customer servers and data is provided only when working directly under the supervision of another staff member.
CampusPress staff only have access to systems that are directly required to complete the functions of their job. We use dual factor authentication for all critical systems and communications services, and automatically log all staff activity using an internal logging tool and Amazon Cloud Trail.
All CampusPress staff (including contractors) undergo initial training to ensure proper understanding of all security related processes. Staff regularly attend industry conferences and otherwise stay informed of best practices and relevant trends. Staff agree, in writing, to all policies and procedures annually.
Security Breaches and Notifications Policy
Should any security related event occur, our policy is to alert our customers via email no later than 24 hours of our team becoming aware of the event. We will work closely with any customers affected to determine next steps such as end-user notifications, needed patches, and how to avoid any similar event in the future.
Privacy & Data
Personally Identifiable Information (PII)
We only require a username and email address to log in and use the WordPress network. Customers may choose to also provide names.
We do not collect, store, require, or transmit PII data related to health, financial institutions, mailing addresses, government ID numbers, etc.
Only CampusPress staff have access to customer data. Our hosting partners, including Amazon Web Services, Peer1, and CloudFlare, do not have logical access to WordPress networks, the database, or user data that we host.
Should a customer request, we will completely destroy and delete all data and content from a given user.
The full end-user privacy agreement is found at incsub.com/privacy-policy.
In general, we don’t sell, share, or publish any user data. We only collect and store data for the purposes of providing the WordPress hosting service.
Exports & Database Dumps
Should a customer leave us, or should a local archive of user data be required, we can provide a complete export and database dump of a network. We will completely purge all customer data within three months of cancelling service.
In order to ensure the reliability of our service, we’ve implemented a change management policy that we follow for all updates, upgrades, and code changes.
We perform all WordPress core, plugin and theme updates, general improvements, and server maintenance during a regularly scheduled weekly window.
All changes are thoroughly tested by our developers and quality assurance team as follows:
- Tested fully in local testing environment by technical team.
- Automated and unit testing in multiple development environments.
- Manual testing by QA team in multiple development environments using all major browsers and operating systems, including mobile devices.
- Full deployment to small subset of live networks and all development/test networks that willingly participate in beta testing program.
- Final manual code and performance review by technical team leadership.
- Full deployment to all customers during next regular ‘Primary Updates’ window (Tuesdays) and an update published to our change log alerting customers.
- Continuous monitoring by technical and support teams.
- For any significant changes that end users may notice, we’ll provide documentation and warning to Super Administrators well in advance.