We handle the technical stuff – account setup, core and plugin updates, nightly backups, DDoS protection, server optimization and more – so you can focus on your core business.
Networks are hosted on a cluster of multiple web and database servers for built-in replication, load balancing, and redundancy. Nightly database backups are encrypted and then stored with Amazon S3. Backups are kept for at least 7 days and no more than 30 days. Backups are verified and full restores are tested on a weekly basis.
Restore times depend on the size of the WordPress network and the cause of the disaster, but full backup recovery should take no more than 24 hours.
We use a variety of tools to automatically monitor the performance and reliability of the service. All services are set to send automated alerts to our support and systems teams, which are monitored and handled 24/7. These tools also provide us with a wealth of information and data so that the team can constantly work to improve the performance and efficiency of our service.
The security and reliability of our service are our number one priority.
In addition to the general WordPress security features, we have staff who perform daily checks of industry security blogs, websites, and newsletters to keep on top of any potential vulnerabilities that pertain to the systems we use or employ.
We use WPScan for WordPress code and database monitoring.
Any WordPress core, plugin, or theme security patches will be applied within 24 hours of release.
See wordpress.org/about/security for details on the security of the WordPress core.
Should any security-related event occur, our policy is to alert our customers via email no later than 24 hours after our team becomes aware of the event. We will work closely with any affected customers to determine next steps such as end-user notifications, needed patches, and how to avoid any similar event in the future.
We only require a username and email address to log in and use WordPress. Customers may choose to use Single Sign On services, further limiting LONZO’s access to information.
We do not collect, store, require, or transmit PII data related to health or financial institutions.
Only LONZO staff have access to customer data. Our hosting partners do not have logical access to WordPress networks, the database, or user data that we host.
Should a customer request it, we will completely destroy and delete all data and content from a given user.
The full end-user privacy agreement is found at lonzo.eu/privacy-policy.
In general, we don’t sell, share, or publish any user data. We only collect and store data for the purposes of providing the WordPress hosting service.
Should a customer leave us, or should a local archive of user data be required, we can provide a complete export and database dump of a network. We will completely purge all customer data within three months of canceling service.
We have automatic and manual code reviews in place for all plugins and themes that are added to any site we host. All plugins and themes must adhere to the WordPress Coding Standards.
In addition, the plugin or theme must:
not rely on 3rd party services or phone home without our approval;
not automatically upgrade or modify theme files;
not change the timeout of wp_remote_* calls;
not ever change wp_feed_cache_transient_lifetime (hook to the filter);
not use SHOW TABLES, instead use SHOW TABLES LIKE 'wp_xyz';
not use DESC to describe a table, instead use DESCRIBE;
not change WP_DEBUG, error_reporting or display_errors;
not remove default roles (remove_role);
not flush rewrite rules ($wp_rewrite->flush_rules is not allowed);
not flush cache (wp_cache_flush is not allowed);
not contain SQL queries. Themes should use WordPress built-in functions for fetching posts, pages, attachments, users and their respective meta tags;
not create new tables or modify table schema;
not use filesystem functions listed here;
not store files in the server file system. Themes must always make use of WordPress attachments if they accept file uploads.
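
As an added illustration (not LONZO's own tooling), an automated pre-review check for several of the rules above could look like the following Python scanner. It blanks out PHP comments so disabled code is not flagged, then matches each line against one pattern per rule; the rule names, the regular expressions and the sample theme code are assumptions made for this example.

```python
import re

# Quoted PHP strings are kept (group 1; SQL lives there), comments are blanked.
_TOKEN = re.compile(
    r"""('(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")|/\*.*?\*/|//[^\n]*|#(?!\[)[^\n]*""",
    re.S)

# Rule names are hypothetical labels for a subset of the rules in the list.
RULES = [
    ("show-tables", re.compile(r"\bSHOW\s+TABLES\b(?!\s+LIKE\b)", re.I)),
    ("desc", re.compile(r"""["']\s*DESC\s+\S""", re.I)),  # query starts with DESC
    ("debug-settings", re.compile(
        r"""define\s*\(\s*['"]WP_DEBUG['"]|\berror_reporting\s*\(\s*[^)\s]"""
        r"""|\bini_set\s*\(\s*['"]display_errors['"]""")),
    ("remove-role", re.compile(r"\bremove_role\s*\(")),
    ("flush-rewrite", re.compile(r"->\s*flush_rules\s*\(")),
    ("cache-flush", re.compile(r"\bwp_cache_flush\s*\(")),
    ("schema-change", re.compile(r"\b(?:CREATE|ALTER)\s+TABLE\b", re.I)),
]

def strip_comments(source):
    """Replace comment text with spaces so line numbers stay aligned."""
    def blank(m):
        return m.group(1) if m.group(1) else re.sub(r"[^\n]", " ", m.group(0))
    return _TOKEN.sub(blank, source)

def scan(source):
    """Return (line_number, rule_name) for every banned construct found."""
    findings = []
    for number, line in enumerate(strip_comments(source).splitlines(), 1):
        findings += [(number, name) for name, rx in RULES if rx.search(line)]
    return findings

# Constructed sample theme code, not taken from any real plugin.
SAMPLE = r'''<?php
// wp_cache_flush(); commented out, must not be flagged
$ok   = $wpdb->get_var("SHOW TABLES LIKE 'wp_xyz'");
$bad  = $wpdb->get_results("SHOW TABLES");
$cols = $wpdb->get_results("DESC wp_posts");
$rows = get_posts(array('orderby' => 'date', 'order' => 'DESC'));
/* remove_role('editor');
   still inside the block comment */
remove_role('subscriber');
$wp_rewrite->flush_rules();
define('WP_DEBUG', true);
$url = 'http://example.com/'; wp_cache_flush();
'''

if __name__ == "__main__":
    print("\n".join(f"line {n}: {rule}" for n, rule in scan(SAMPLE)))
```

The scan is line-based, so a statement split across lines can be missed or flagged incorrectly; findings are a prompt for the manual review, not a replacement for it.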