WordPress Policies
WordPress is an open source project that is free to use, however, authorization to develop and maintain a site on behalf of the University, its schools/colleges or departments, is the responsibility of the Office of Website Management, in conjunction with Information Technology Systems and IT Applications.
Office of Website Management
The Office of Website Management serves as the administrator for WordPress across the University. Areas of responsibility and associated details are as follows:
Account management
Only the Office of Website Management and the identified support person (determined by the Office of Website Management) will have an admin account. Other WordPress users will have an editors account with restricted access.
Dashboard users
- Users should work with their personal WordPress account that is attached to their personal email address. The default user account is reserved for the Office of Website Management.
WP Engine installation
- All WordPress installs are created inside the WP Engine account. Each name should contain “tcu” followed by the sub-domain (i.e. tcuemergency.tcu.edu). If the name is too long, you may remove “tcu” from the beginning (i.e. emergency.tcu.edu).
- Installs are backed up on a daily basis and may be accessed in the WP Engine control panel. When installing new themes, plugins or updating the WordPress core, manual backup is required. If an error occurs during an update, you are required to restore the install to a previous working version.
- WordPress core and plugins should be upgraded once a month to ensure the most stable version is being used.
WP Engine user authorization
WP Engine SFTP accounts
A personal Secure File Transfer Protocol (SFTP) account within WP Engine’s control panel will be created for each user. Your SFTP account will contain your name or TCU username and should always be used to connect to the server. Never use the WP install’s default SFTP account unless it is absolutely necessary.
WP Engine support
The Office of Website Management will install, migrate the database and make the domain name request. Third-party vendors do not have WP Engine access.
SSL Certificate
All WordPress sites should include TCU’s wildcard SSL certificate. It should always be active for logons and WP dashboard. The SSL certificate should be active on forms that contain Sensitive Personal Information (SPI) vulnerabilities. Forms that contain Sensitive Personal Information (SPI) should always be approved by Information Security Services before sites are published.
Development and installation of WordPress child themes
Child themes must be responsive and comply with the WordPress Application Programming Interface (API). Each website should generate code that is in full compliance with the standards set by the World Wide Web Consortium.
Development of WordPress Web Standards Theme (parent theme)
All WordPress websites should have this theme installed. Any changes to the parent theme should be done in a child theme.
Management of WordPress plugins
WordPress provides a host of plugins designed to extend and expand the functionality of the content management system. TCU permits the use of plugins that meet the guidelines set forth by IT Applications, IT Systems, the Office of Website Management, TCU Secure Personal Information and WP Engine.
The list of approved plugins for WordPress and WP Engine may be accessed in the web visual guide section. The use of any unapproved plugin violates TCU’s compliance protocol and will be removed.
IT Systems
- Management of all domain names in regard to the tcu.edu domain
- DNS changes must be requested via email to ITNetworkServices@tcu.edu
IT Applications
- Management of Hypertext Preprocessor (PHP) code compliance
- Vetting of PHP code for third-party vendors
- Authorization of WordPress/WP Engine plugins
- Serves as backup to Office of Website Management for maintenance of the TCU Framework and WP Engine account management