WordPress

Texas Christian University provides WordPress as a full content management system for the university. WordPress is an open source project and it is free to use. This document contains the policies and procedures that are the responsibility of the Office of Web Management, Information Technology – Systems, and Information Technology – Applications.

WordPress Hosting

Currently the university’s campus-wide WordPress hosting solution is WP Engine. They are a hosting company that specializes in maintaining WordPress installations. The university’s WP Engine account is funded by Information Technology and managed jointly by IT Systems, IT Applications, and the Office of Web Management.

TCU Areas of Responsibility

I.  Information Technology – Systems

All Domain Name System (DNS) changes relating to the tcu.edu domain are handled by IT Systems.

II.  Information Technology – Applications

All PHP code should comply with the Office of Web Management, IT Applications, and TCU’s Secure Personal Information policies. IT Applications is responsible for vetting all PHP code from third-party vendors. IT is also responsible for vetting plugin code. IT Applications serves as a backup for the Office of Web Management for maintenance of the TCU framework and WP Engine account management.

III.  The Office of Web Management

The Office of Web Management serves as the primary administration point for WordPress across the university. These responsibilities include:

  • Account management: WordPress dashboard users, WP Engine installs, WP Engine users, WP Engine SFTP accounts, and WP Engine support
  • WordPress installs
  • Developing and maintaining WordPress themes
  • TCU WordPress framework
  • WordPress plugins

Security

I.  WordPress Installs & Themes

All WordPress themes are to be installed by the Office of Web Management or the identified support person. Only the Office of Web Management and the identified support person can install a theme. Only the Office of Website Management can add a new WordPress install into TCU’s WP Engine account.

II.  WordPress Plugins

The Office of Web Management keeps a list of approved plugins for the university. To be added to the approved list, a plugin must meet IT Applications, IT Systems, Office of Web Management, and TCU Secure Personal Information guidelines.

WP Engine has a list of disallowed plugins for all WordPress installs. The list can be found at http://wpengine.com/support/disallowed-plugins/. To remain in compliance with our hosting solution, plugins that are on the disallowed list should never be installed. WP Engine will notify TCU if any of these disallowed plugins are used on any install. After a certain period of time, if no action is taken, WP Engine will remove the disallowed plugin automatically.

III.  WP Engine SFTP accounts

The Office of Web Management should always create a personal Secure File Transfer Protocol (SFTP) account within the WP Engine control panel. Each WordPress install has its own account list of users. Your SFTP account should always contain your name or TCU username. Always use your personal SFTP account to connect to the server. Never use the WP install’s default SFTP account unless it is absolutely necessary.

IV. SSL

All WordPress websites should use full-time SSL connections using a valid Let’s Encrypt certificate. Forms that contain Sensitive Personal Information (SPI) should always be approved by Information Security Services.

V. Updates – Plugins & WordPress Core

All WordPress websites should be upgraded once a month to ensure we are always using the most stable version. It is required to perform a manual backup when updating new themes, plugins, and the WordPress core.

WordPress Website Procedures

I.  WordPress Installs

All WordPress installs are created inside the WP Engine account. Each install name should contain “tcu” at the beginning followed by the sub-domain for the current tcu.edu domain. If the name is too long then shorten it or remove “tcu” from the beginning. Do not enable the multisite feature.

II.  WordPress Site Backups

WP Engine maintains a daily backup routine for all installs. These can be accessed in the WP Engine control panel. It is required to perform a manual backup when installing new themes, plugins, and updating the WordPress core. If anything goes wrong with the update you are required to restore an install to a previously working WordPress version.

III.  WordPress Themes

All WordPress themes must be responsive and comply with the WordPress Application Programming Interface (API). Each website should generate code that is in full compliance with the standards set by the World Wide Web Consortium (W3C).

IV. Third party vendors

The Office of Website Management is responsible for installing, migrating the database, and making the DNS request. No third party vendor should have WP Engine access.

V.  WordPress dashboard user roles

All users should work with their personal WordPress account that is attached to their personal email address. Never use the default user account for an install unless it is absolutely necessary. The default user account is reserved for The Office of Website Management. The default user account will always be attached to the wordpress@tcu.edu email address.

Admins:

Only the Office of Website Management and the identified support person should have an admin account. It is at the Office of Website Management’s discretion to decide if certain individuals should have an admin account.

Editors:

All WordPress users outside of the Office of Website Management and the identified support person should have an editor account. The developer for the Office of Website Management should be able to open certain restricted areas of WordPress as needed.

VI.  DNS Request

All DNS changes must be requested by emailing ITNetworkServices@tcu.edu.