Texas Christian University provides WordPress as a complete content management system. WordPress is an open-source project that is free to use. This document contains the policies and procedures that are the responsibility of the Office of Web Management, Information Technology – Systems, and Information Technology – Applications.
WordPress Hosting
Currently, the university’s campus-wide WordPress hosting solution is WP Engine. They are a hosting company that specializes in maintaining WordPress installations. The university’s WP Engine account is funded by Information Technology and managed jointly by IT Systems, IT Applications, and the Office of Web Management.
TCU Areas of Responsibility
I. Information Technology – Systems
All Domain Name System (DNS) changes to the tcu.edu domain are handled by IT Systems.
II. Information Technology – Applications
All PHP code should comply with the Office of Web Management, IT Applications, and TCU’s Secure Personal Information policies. IT Applications is responsible for vetting all PHP code from third-party vendors. IT is also responsible for vetting plugin code. IT Applications is a backup for the Office of Web Management to maintain the TCU framework and WP Engine account management.
III. The Office of Web Management
The Office of Web Management serves as the primary administration point for WordPress across the university. These responsibilities include:
- Account management: WordPress dashboard users, WP Engine installs, WP Engine users, WP Engine SFTP accounts, and WP Engine support
- WordPress installs
- Developing and maintaining WordPress themes
- TCU WordPress framework
- WordPress plugins
Security
I. WordPress Installs & Themes
All WordPress themes are to be installed by the Office of Web Management or the identified support person. Only the Office of Web Management and the identified support person can install a theme. Only the Office of Website Management can add a new WordPress install to TCU’s WP Engine account.
II. WordPress Plugins
The Office of Web Management keeps a list of approved plugins for the university. A plugin must meet IT Applications, IT Systems, Office of Web Management, and TCU Secure Personal Information guidelines to be added to the approved list.
WP Engine has a list of disallowed plugins for all WordPress installations. The list can be found at http://wpengine.com/support/disallowed-plugins/. To remain compliant with our hosting solution, plugins on the disallowed list should never be installed. WP Engine will notify TCU if a disallowed plugin is used on any installation. After a certain period, if no action is taken, WP Engine will remove the disallowed plugin automatically.
III. WP Engine SFTP accounts
The Office of Web Management should always create a personal Secure File Transfer Protocol (SFTP) account within the WP Engine control panel. Each WordPress install has its own account list of users. Your SFTP account should always contain your name or TCU username. Always use your personal SFTP account to connect to the server. Never use the WP install’s default SFTP account unless it is necessary.
IV. SSL
WordPress websites should use a valid Let’s Encrypt certificate for full-time SSL connections. Information Security Services should always approve forms that contain Sensitive Personal Information (SPI).
V. Updates – Plugins & WordPress Core
All WordPress websites should be upgraded once a month to ensure we are always using the most stable version. A manual backup is required when updating new themes, plugins, and the WordPress core.
WordPress Website Procedures
I. WordPress Installs
All WordPress installs are created inside the WP Engine account. Each install name should contain “tcu” at the beginning, followed by the sub-domain for the current tcu.edu domain. If the name is too long, shorten it or remove “tcu” from the beginning. Do not enable the multisite feature.
II. WordPress Site Backups
WP Engine maintains a daily backup routine for all installs. These can be accessed in the WP Engine control panel. A manual backup is required to install new themes and plugins and update the WordPress core. If anything goes wrong with the update, you are required to restore and install a previously working WordPress version.
III. WordPress Themes
All WordPress themes must be responsive and comply with the WordPress Application Programming Interface (API). Each website should generate code that fully complies with the World Wide Web Consortium (W3C) standards.
IV. Third-party vendors
The Office of Website Management is responsible for installing and migrating the database, as well as making the DNS request. No third-party vendor should have WP Engine access.
V. WordPress dashboard user roles
All users should work with their personal WordPress account, which is attached to their email address. Never use the default user account for an install unless it is necessary. The default user account is reserved for The Office of Website Management. The default user account will permanently be attached to the wordpress@tcu.edu email address.
Admins:
Only the Office of Website Management and the identified support person should have an admin account. It is at the discretion of the Office of Website Management to decide if specific individuals should have an admin account.
Editors:
All WordPress users outside the Office of Website Management and the identified support person should have an editor’s account. The Office of Website Management developer should be able to open certain restricted areas of WordPress as needed.
VI. DNS Request
All DNS changes must be requested by emailing ITNetworkServices@tcu.edu.