WordPress Policies

A. Introduction

Texas Christian University provides WordPress as a full content management system for the university. WordPress is an open source project and it is free to use. This document contains the policies and procedures that are the responsibility of the Office of Website Management, Information Technology – Systems, and Information Technology – Applications.

B. WordPress Hosting

Currently the university’s campus-wide WordPress hosting solution is WP Engine. They are a hosting company that specializes in maintaining WordPress installations. The university’s WP Engine account is funded by Information Technology and managed jointly by IT Systems, IT Applications, and the Office of Website Management.

C.  TCU Areas of Responsibility

I.  Information Technology – Systems

All Domain Name Systems changes in relation to the tcu.edu domain are handled by IT Systems.

I.  Information Technology – Applications

All PHP: Hypertext Preprocessor (PHP) code should comply with the Office of Website Management, IT Applications, and TCU’s Secure Personal Information policies. IT Application is responsible of all PHP code vetting for third party vendors. IT is also responsible for code vetting plugins. IT Applications serves as a backup for the Office of Website Management for maintenance of the TCU Framework and WP Engine account management.

II.  The Office of Website Management

The Office of Website Management serves as the primary administration point for WordPress across the university. These responsibilities include:

  • Account management: WordPress dashboard users, WP Engine installs, WP Engine users, WP Engine SFTP accounts, and WP Engine support
  • WordPress installs
  • Developing and maintaining WordPress themes
  • TCU WordPress Framework
  • WordPress plugins

D. Security

I.  WordPress Installs & Themes

All WordPress themes are to be installed by the Office of Website Management or the identified support person. Only the Office of Website Management and the identified support person can install a theme. Only the Office of Website Management can add a new WordPress install into TCU’s WP Engine account.

II.  WordPress Plugins

The Office of Website Management keeps a list of approved plugins for the university. The Office of Website Management is responsible for maintaining this list. In order for a plugin to be added into the approved list it must meet IT Applications, IT Systems, Office of Website Management, and TCU Secure Personal Information guidelines.

WP Engine has a list of disallowed plugins for all WordPress installs. The list can be found at http://wpengine.com/support/disallowed-plugins/. To remain in compliance with our hosting solution, plugins that are on the disallowed list should never be installed. WP Engine will notify TCU if any of these disallowed plugins are used on any install. After a certain period of time, if no action is taken, WP Engine will remove the disallowed plugin automatically.

III.  WP Engine SFTP accounts

The Office of Website Management should always create a personal Secure File Transfer Protocol (SFTP) account within WP Engine control panel. Each WordPress install has its own account list of users. Your SFTP account should always contain your name or TCU username.  Always use your personal SFTP account to connect to the server. Never use the WP install’s default SFTP account unless it is absolutely necessary.

IV. SSL

All WordPress websites should include our wildcard SSL certificate. It should always be active for logons and WP dashboard. The SSL certificate should be active on forms that contain Sensitive Personal Information (SPI) vulnerabilities. Forms that contain Sensitive Personal Information (SPI) should always be approved by Information Security Services.

V. Updates – Plugins & WordPress Core

All WordPress websites should be upgraded once a month to ensure we are always using the most stable version. It is required to perform a manual backup when updating new themes, plugins, and the WordPress core.

E.  WordPress Website Procedures

I.  WordPress Installs

All WordPress installs are created inside the WP Engine account. Each install name should contain “tcu” at the beginning followed by the sub-domain for the current tcu.edu domain. If the name is too long then shorten it or remove “tcu” from the beginning. Do not enable the multisite feature.

II.  WordPress Site Backups

WP Engine maintains a daily backup routine for all installs. These can be accessed in the WP Engine control panel. It is required to perform a manual backup when installing new themes, plugins, and updating the WordPress core. If anything goes wrong with the update you are required to restore an install to a previously working WordPress version.

III.  WordPress Themes

All WordPress themes must be responsive and comply with the WordPress Application Programming Interface (API). Each website should generate code that is in full compliance with the standards set by the World Wide Web Consortium (W3C).

IV. Third party vendors

The Office of Website Management is responsible for installing, migrating the database, and making the DNS request. No third party vendor should have WP Engine access.

V.  WordPress dashboard user roles

All users should work with their personal WordPress account that is attached to their personal email address. Never use the default user account for an install unless it is absolutely necessary. The default user account is reserved for The Office of Website Management. The default user account will always be attached to the wordpress@tcu.edu email address.

Admins:

Only the Office of Website Management and the identified support person should have an admin account. It is under the Office of Website Management’s discretion to decide if certain individuals should have an admin account.

Editors:

All WordPress users outside of the Office of Website Management and the identified support person should have an editors account. The developer for the Office of Website Management should be able to open certain restricted areas of WordPress as needed.

 VI.  DNS Request

All DNS changes must be requested by emailing ITNetworkServices@tcu.edu.