
Academic year: 2021


dxw’s WordPress Platform

G-Cloud lot 2 (PaaS) service definition

Version 2


Overview

dxw’s WordPress Platform is a highly managed Platform as a Service for hosting WordPress websites. The platform delivers secure, robust, and highly scalable capacity for WordPress websites to a variety of clients in the public and private sectors.

The platform is ideally suited to projects which require robust security and the ability to rapidly scale on demand, without large upfront investment in infrastructure or burdensome accreditation processes. Because capacity can be flexibly provisioned, the platform is also suitable for high quality hosting of smaller sites. As a highly managed service, dxw’s WordPress platform is well suited to any organisation which uses WordPress but lacks in-house expertise in WordPress administration or development. Our simple support packages allow clients to obtain help from WordPress experts on any issue to do with the operation of their site: from technical problems to questions about the use of WordPress’s many built-in features and plugins.

The platform is proactively operated in order to:

● Allow hosted services to be rapidly scaled according to demand

● Allow hosted services to be easily replicated in order to provide redundant capacity

● Minimise the risk of information security incidents by centrally managing and deploying hardened configurations

● Identify and fix bugs and exploitable vulnerabilities present in hosted services (given the constantly changing nature of threats, this is an ongoing process)

● Learn as early as possible when a potential issue may exist (by intelligently monitoring hosted services) and take early action to prevent or mitigate it

● Monitor trends in performance and demand in order to forecast capacity requirements

This document describes the Platform’s features and standard pricing, and provides some technical details about the platform’s day-to-day operation. If you have any questions about the platform, or would like to discuss the possibility of hosting your WordPress sites using the platform, please get in touch using


The platform

On-demand scaling and replication

dxw’s WordPress Platform gives you a great deal of flexibility. You can add and remove capacity within a few hours whenever you need to, and because it’s a cloud service, you only pay for what you actually use.

All of the sites hosted on the platform are centrally managed, configured and deployed. When clients require additional capacity, or would like to replicate their site to multiple locations, additional load balanced instances of the site can be deployed within a couple of hours. Our infrastructure is preconfigured to make load balancing WordPress installations very easy, so there’s almost no lead time.

Hardened, secure environment

We’ve developed a set of hardened, secure configurations for the server tools that power WordPress. These configurations make a large number of common attacks impossible, helping to keep your site safe. In addition, because the platform is centrally managed, we can roll fixes and improvements out to all our clients immediately, at no extra cost. The same approach is used for updates and routine maintenance: what we fix once enhances the service for everyone.

We’ve got a lot of experience managing WordPress sites, and over the years we’ve developed hardened, optimised configurations for each layer of the stack used to host sites: from the database, to the webserver, to the cache. Because we use centralised configuration management, we’re able to ensure that whenever an improvement is made, all of our clients benefit.

We spend a lot of time thinking about security, and we regularly add new controls to help keep all of our clients safe. We are ISO27001 accredited, and our entire business falls within the scope of our information security management system. If you’d like to know more about how we keep our clients’ services safe, available and private, we’d love to talk to you.

Proactive maintenance

A site is only as secure as its source code: the most secure platform in the world won’t keep you safe if your code is full of holes. So when we find potential issues in your codebase, we try to fix them immediately (or let you know). And because, on a modern website, leaving things insecure is usually riskier than fixing them with only light testing, we always fix-first, and ask questions later.

We monitor the behaviour of all our clients’ sites closely. Logs are reviewed daily and various alerts are set up to warn us immediately when something has occurred that needs attention. When we are responsible for maintaining the codebase for a client site, we follow up these issues and fix any problems within a site’s codebase as we discover them. We also apply plugin and WordPress core updates as soon as possible following their release.

For sites where the client maintains their code directly, we alert them about the issue, so that they can take action.

Monitoring and alerting

We monitor all sites on the platform 24 hours a day, and receive alerts when serious issues are detected, allowing us to take action quickly when required.

We use a combination of tools and approaches to ensure that all of the sites we host are running smoothly. We measure various attributes of production systems and generate status alerts when their values are unacceptable. We measure and graph some of these to help diagnose problems and to perform capacity planning. We also monitor logs on production machines and respond to unusual entries.

Some of our monitoring also takes action automatically: for example, temporarily banning IP addresses to prevent brute force attacks on user accounts.

Painless deployment and rollback

All sites on the platform are stored in and deployed from source control. This gives us maximum control over the code that’s deployed on your live site. Your code is deployed automatically from the latest version marked as production ready, and can easily be rolled back to earlier versions in the event of a problem.

We use a central Git server to store code for all sites on the platform. Because code is stored centrally, we can easily deploy new instances of your site on demand, and it’s trivial to deploy (or revert to) any version of your codebase.

Access to Git is key-based, and happens over industry-standard encryption, so your code stays safe and secure.

Daily Backups

Because the Platform is centrally managed, everything that is deployed is added to our backup systems. Backups are taken daily, and kept forever [1].

We back up configurations, databases, code and deployed files daily. These are transferred to our backup server where they are stored. Periodically, all backups on the database server are pushed into cloud storage for long-term retention (we don’t guarantee to be able to keep all backups forever, but we haven’t deleted any yet).

[1] Within reason! Our policy is to store everything, but we do delete ancient backups now and then. And, for very big websites, keeping all backups might be more trouble than it’s worth.

Updates and patches

When updates are available, we apply them straight away. Our experience with the web has led us to conclude that delaying updates while they are tested is much more risky! So we apply them immediately, and then fix any issues that arise.

There are some circumstances in which we won’t immediately apply an update: for example, when we know that it’s likely to cause a problem, or when we know that it makes particularly big changes. This is unusual. In the rare case that a routine update causes a problem, we either fix, notify the client, or revert the update, depending on the severity of the issue and the importance of the update.

Firewall protection

Each of our machines runs its own firewall. These firewalls protect your services from attack, limit administrative access to each machine, and allow us to log suspicious traffic for inspection. And because we maintain a firewall on each machine, it’s easy to customise the rules for your site if you need to.

We use software firewalls on all of our machines. Because everything on the platform is centrally configured, this adds very little management overhead, and gives us maximum flexibility to accommodate our clients’ requirements. Because each firewall only processes traffic for the machine it’s on, there is no performance impact. And avoiding expensive hardware firewalls helps us to keep costs low.

Responsive, comprehensive support

As a highly managed service, our responsibility doesn’t stop at the operating system. We maintain the whole of your WordPress stack, from the machine up, so you can ask us for help with almost anything.

Our support helpdesk is available 24 hours a day (though only emergency requests are dealt with out-of-hours). You can ask for assistance with pretty much any problem you come across, from a bug on the system to help using the WordPress administration interface.

You can also tailor a support contract that includes extra services, like training, comment moderation, web analytics, or development work. Or, you can pay for those services as you need them.

Technical and operational information

Information assurance

We anticipate that the platform will be accredited to IL2.

dxw is certified to ISO27001. The scope of our certification includes all of our activity, including the platform. Our ISO27001 certification also sets a robust baseline for current and future accreditation processes.


Backup & restore

As with most operational aspects of the platform, the requirements for backup and restoration can be varied by individual client and business need. However, the core elements of the platform are regularly and automatically backed up and stored off-site. These elements include:

● Source code

● Configuration information

● Uploaded/static documents and media

● Databases

● Logs

We are able to vary the frequency of backup, period of retention and number of backup sites to suit the needs of individual clients. We are also able, periodically, to provide a physical medium containing a full copy of the code and data for your hosted service.

Disaster recovery

Because the platform is a cloud service, it introduces a level of abstraction in infrastructure provision: enhancing resilience by replicating hosted services across numerous sites is trivial, and quick to implement. Hosted services can take advantage of this feature when redundancy is a priority, or can be deployed more simply when the additional investment in redundancy is not required. This arrangement also offers a range of multi-site disaster recovery options to the platform.

In addition to the client-facing aspects of backup, recovery and resilience, dxw's own internal processes are defined as part of the ISO27001 accreditation documentation set. They assure dxw's business continuity, itself a prerequisite to delivery of uninterrupted client service.

Persistence of storage

All storage of application files and media is persistent. Storage persistence allows for the straightforward provisioning of additional server resources, with seamless transfer of data during the change.

On-boarding and off-boarding

As a highly managed service, the platform’s on- and off-boarding processes are largely manual, and are carried out by our staff. In general, this work is included within our normal terms and charges. However, complex or unusual requirements may make it necessary to carry out additional chargeable work, or to increase the minimum term for hosting. This may also occur where code for the hosted service being on-boarded is incapable of being successfully load balanced, and requires enhancement.

Experience has taught us that effectively managing new hosted services requires us to develop an understanding of the code and the functionality it delivers. An effective way for us to understand new services is to review some or all of their code manually as part of the on-boarding process. This is also a useful check against basic security vulnerabilities which may be present in production code. Close contact with you throughout the on-boarding of the service allows us to deploy your service optimally and to make best use of the platform’s flexibility, providing benefits throughout the life of the contract


effective working arrangement within which minor changes and support can be delivered. Our approach is therefore one of close personal involvement (involving at least two dxw members), not only when confirming specification details, but throughout the term of your hosting with us.

Deciding the appropriate allocation of guaranteed and non-guaranteed computing resources for the hosted service (setting the requirement for permanent capacity and flexible capacity) is a planning activity carried out as part of on-boarding and aims to ensure that best value overall is obtained over a long term view of the hosting operation, given the level of resilience required.

Where there are requirements for a hosted service to be isolated from other hosted services on the platform, for security considerations or any other reason, these will form part of the configuration design for the client, which is considered during on-boarding.

Off-boarding is similarly conducted with an emphasis on manual intervention. We also consider a close contact exit process to be an important input to dxw's quality management processes.

The time required for provisioning and deprovisioning can vary considerably by service. It can range from a few hours in many cases, to a few weeks in the event of a complex service requirement.

Scope of sector coverage

While the platform is available to public, private and third sector clients it is predominantly designed for use by public sector organisations.

The platform is available for use by third parties who may subsequently resell them (amongst other purposes) as a basis for the delivery of services to government or elsewhere in the public sector. We see this type of flexibility as part of the advantage of using cloud based services.

Customisation

dxw’s WordPress Platform can be customised in two main ways: relating to the management of infrastructure and capacity; and the provision of support.

Infrastructure

The balancing of flexibility and capacity against cost will be influenced by the load and redundancy requirements of the hosted service.

If traffic is largely predictable, we can configure the platform to allocate compute resources which are slower to scale, but cheaper to provide. If the traffic is not predictable, we can use compute resources which are trivially scalable, but which come at an increased cost.

For hosted services which require replication in order to increase resilience, these approaches can be combined in order to create a configuration which is appropriate for the hosted service’s business requirements.

Similar customisation can be carried out where clients require isolated environments in order to obtain additional security accreditation.

Support

Support can primarily be customised to increase or reduce the amount of time allocated to the hosted service’s support tickets. This support time can be varied as required, allowing a high degree of flexibility: clients can easily increase their support allocation during busy periods, and reduce it when a peak in demand for support has passed.

The services provided as part of the support arrangement can also be customised. Beyond basic maintenance and support tasks, additional support arrangements can include:

● Training in the use of the WordPress administration area, writing content for the web, leveraging social media and other basic web skills

● The provision of specialist expertise for content writing, user experience design and testing, web development and other operational specialists

● The platform provides scope to commission a range of additional management services, from strategic consulting on cloud hosting, code development and customisation, to other services relating to the use of cloud and web technologies

In addition, dxw has a wide range of services available through Lot 4 of the G-Cloud framework.

Service management

A named service manager and additional named reserve point of contact will be formally appointed during on-boarding.

However, routine communication relating to service management and support tasks is carried out exclusively via our support ticketing system. Personal telephone and email contact is provided subject to availability, but all requests for changes must ultimately be made via our support helpdesk, in order to allow us to manage and prioritise support requests efficiently.

Anything that we have agreed to provide as part of the support contract can be managed via the support helpdesk. Requests for new or additional features, or changes which fall outside the support contract, are made by communicating directly with the service manager.

Service & other constraints

Maintenance windows

The goal of the platform is uninterrupted, consistent service. However, maintenance windows are inevitably required and some service interruption will occasionally occur. In these circumstances, we manage the interruption using clear and timely communication. Our detailed terms of service for hosting set out our commitment to give reasonable notification, dependent on the nature and extent of the planned maintenance window.

Limitations on support

Unless otherwise agreed, the support helpdesk cannot be used to request support with third party services. It also cannot be used to request new functionality, or any changes which fall outside of the support arrangement.

Self service

As a highly managed service, there is no provision for self service or for the client to directly modify or manage any aspect of the platform, beyond the functionality provided by the hosted service itself.


support helpdesk.

The ability to deploy code to the platform can be made available to clients. However, this necessitates careful management and clear lines of communication, and usually means that the client becomes wholly responsible for the deployment of updates to the code for which they are responsible.

Use of the support helpdesk

Support requests must be made via the support helpdesk, which will create a numbered support ticket. We cannot guarantee to act upon requests which are not documented in a numbered support ticket.

Guidance on best practice for the submission of support tickets is made available to all clients during on-boarding.

Deprecation of functionality

As a managed cloud service, functional deprecation will occur from time to time. We approach this as a planned and scheduled process: giving notice to hosting clients, and offering alternative functions where this is available.

Service levels

Availability

You can expect the platform to be available 100% of the time: that is to say that other than during scheduled maintenance, our infrastructure will provide two way traffic from any other properly routed Internet address, to the addresses allocated to your hosted service.

In any real world system involving components and connectivity, there is of course no such thing as perfect reliability. However, the monitoring and proactive approach that we follow makes unexpected interruptions extremely unusual. We will always work with you to minimise the impact of interruptions if they do occur. The uptime of hosted services can be monitored by third parties if required, assuming no access is required which exceeds that routinely available to the public. More complex uptime monitoring can be considered during on-boarding.

Financial recompense for interruptions

We acknowledge that, other than during scheduled maintenance, anything less than 100% availability is a lapse in the service level that you expect. We also believe that complex expressions and targets of “percentage of time available” are statistically unreliable, and are not the best way to manage service levels.

However, we are happy to make available historical performance reports of service availability (defined as above in terms of successful two way Internet address routing). We believe this gives some assurance of the robustness of our platform, without adding a large burden of complexity in terms of ongoing performance measurement and management, or giving undue credence to statistics which are not by themselves very useful indicators of availability.

If, despite our best efforts, the platform does become unavailable as a result of a failure of a component that we control, we will be liable for the refund of fees paid for any period of downtime longer than 1 hour, on a pro rata basis.

Support hours

dxw’s Service Level Agreement is available separately.

Support boundaries and interfaces

Our standard support service is flexible, and can be used by clients wherever assistance with the platform or their hosted service is required, up to a predefined time limit. The level of support provided for the hosted service itself (e.g. for fixing bugs and applying updates) is specified during on-boarding, according to the requirements of the project.

We are able to liaise with third party support helpdesks when required.

Data centre best practice

The data centre suppliers used by dxw in provision of the platform conform to the best practices described in the EU Code of Conduct for Data Centre Operations.

Any future changes to dxw’s suppliers will be subject to continuity of this accreditation.

The design of the data centres we use is aligned to the Uptime Institute’s tiering framework, and meets the requirements for Tier 2. However, the data centres have not been certified by the Uptime Institute.

Training

A comprehensive range of training services is available, independent of hosting services which may be contracted for. These could cover topics as varied as WordPress administration, writing for the web, or social media strategy and integration.

Ordering and invoicing process

All invoicing processes in relation to the platform are automated and simplified as far as possible. Invoices are raised in arrears at the end of each calendar month for standard, recurring fees. For additional services provided (in excess of support forming part of the basic service, or at client request) invoices are raised when the work is completed.

Invoices are subject to VAT, and must be paid within 30 days. Invoices can be raised in advance if required by a customer.

Termination terms

Normally, either party may terminate a hosting agreement with six weeks' written notice. For some projects which require complex on-boarding, a longer minimum term may apply.

Data restoration / service migration

No specific description for data migration is provided, as it is not required for the platform to be used. We can consider specific client requirements for data and service migration on request in advance of


Consumer responsibilities

As a cloud hosting platform, we wish to keep to an absolute minimum any restrictions or requirements falling on clients. However, we expect clients whose code cannot be altered by our staff (perhaps because it is maintained by a third party, or by the client themselves) to be diligent in checking their code for bugs or security vulnerabilities, and to quickly rectify them when found.

Unless otherwise agreed, dxw does not carry out comprehensive testing of hosted services following updates or configuration changes. While we expect that our automated monitoring will catch a great majority of issues following updates, we do also expect clients to periodically review their site and report issues that they find. For most clients, this process fits easily with their day-to-day work, and need not be explicit, formal or separate.

Technical requirements

As a cloud hosting platform enabled by the Internet, provision of the platform is largely decoupled from any specific technical requirements such as bandwidth or latency. These will have a bearing on end users’ experience of hosted services, but not on the formation and continuation of the relationship between hosted service and hosting platform.

Similarly, there are no requirements for specific application libraries to be used in order for hosted services to be operated on the platform. Nor are there any specific client side requirements (including browsers) as a result of a customer’s use of the platform, other than those of the hosted service itself.

Where technical support is required to scale and optimise hosted services to run at a desired level of performance for users of the hosted service, support can be provided via this framework as additional specialist support resources. Assessment of such technical requirements is addressed as part of the on-boarding process.

Trial service

No trial use of the platform is offered.

Typical configuration

The £700/month specification referenced in the selection questionnaire is for a single dxw instance, approximately equivalent to one Amazon Elastic Compute Cloud (EC2) large instance, including a basic allocation of support time suitable for the majority of our clients. dxw instances are suitable where demand is predictable.

The equivalent option where the platform is required to satisfy “peaky” demand (characterised by a higher degree of volume variation, scale and unpredictability) would have a baseline cost of approximately £900/month, with additional costs incurred where we are instructed by the client to increase capacity. The total cost is dependent on the level of additional capacity required and the length of time for which it is active.

Support time is increased in increments of £300.

Compute capacity for predictable demand is increased in increments of £100/month per dxw instance, and at prevailing Amazon Web Services (AWS) rates for Ireland plus 20% where peaky demand must be


of costs and capabilities.

These prices are provided for reference only and are subject to change without notice. If you are considering using the platform, please contact us to obtain a pricing suitable for your specific requirements.

Open standards and open source software

dxw’s WordPress Platform is built almost entirely using open source software and standards. We are happy to provide more details on request.
