- This document sets forth the requirements for using WordPress and WordPress hosts (hereinafter Host) for any and all Sage Colleges sites.
- Requests for new WordPress sites and servers shall be placed through the WordPress Instance Request form found at https://jira.sage.edu/desk/plugins/servlet/desk/portal/1 located in the Applications and Infrastructure section.
- There shall be exactly one Administrator account within each WordPress instance, and that account shall be managed collectively by the Information Technology Department.
- The highest role granted to any other user account shall be Editor. An Editor may create and edit text and image content within WordPress but may not make configuration changes such as theme changes, theme installation/uninstallation, plugin installation/uninstallation, theme activation/deactivation, or plugin activation/deactivation. Editors also lack permission to update the WordPress platform itself.
- The only employees permitted to make, and responsible for making, system changes are the current Director of IT, the Senior Network Administrator, and the current Webmaster.
- All account passwords will be a minimum of twelve (12) characters long, must not be a word or sequence found in a dictionary, and must contain at least one (1) upper-case character, at least one (1) lower-case character, at least one (1) number, and at least one (1) special character.
- All WordPress servers will be equipped with a web application firewall (Wordfence) that will monitor the site and scan for vulnerabilities and signs of compromise. The Administrator is required to remediate to the highest standard of security the web application firewall reports as attainable, including but not limited to password changes for any user, plugin removal, theme removal, content removal, account deactivation, and any other operation deemed fit.
- On every production WordPress server, every installed plugin must be active for the purpose of serving production content. This does not apply to WordPress servers that are in the testing phase of deployment.
- On every production WordPress server, every installed theme must be active for the purpose of serving production content (the parent of an active child theme counts as in use). This does not apply to WordPress servers that are in the testing phase of deployment.
- All non-essential themes and plugins must be uninstalled, not merely deactivated, since inactive code on disk is still reachable by an attacker and still needs patching. This does not apply to WordPress servers that are in the testing phase of deployment.
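The three requirements above can be checked mechanically. The following is an added example, not part of the Sage Colleges policy or of WordPress itself; it assumes WP-CLI is installed on the Host (the policy does not say so), and it reads the CSV that `wp plugin list --format=csv` and `wp theme list --format=csv` emit (a header row, then `name,status,update,version`). The sample rows embedded below are constructed for illustration.

```shell
# Added example (not part of the Sage Colleges policy): audit a WordPress
# instance for plugins and themes that are installed but not active.
# Assumption: WP-CLI is available on the Host and emits CSV with the columns
# name,status,update,version when given --format=csv.

# Print the names of items whose status is neither "active" nor "parent",
# reading WP-CLI CSV on stdin. WP-CLI reports the parent of an active child
# theme as "parent"; that theme is in use and must not be flagged.
inactive_items() {
  awk -F, 'NR > 1 && $2 != "active" && $2 != "parent" { print $1 }'
}

# Constructed sample output standing in for `wp plugin list --format=csv`.
SAMPLE_PLUGINS='name,status,update,version
akismet,active,none,5.3
hello,inactive,none,1.7.2
wordfence,active,none,7.11.0
classic-editor,inactive,available,1.6.3'

# Constructed sample output standing in for `wp theme list --format=csv`.
SAMPLE_THEMES='name,status,update,version
twentytwentyfour,active,none,1.0
twentytwentythree,inactive,none,1.3'

# Run the audit over the constructed samples; every name printed is a
# policy violation on a production Host.
audit_sample() {
  printf '%s\n' "$SAMPLE_PLUGINS" | inactive_items
  printf '%s\n' "$SAMPLE_THEMES" | inactive_items
}

# On a production Host, audit the live site read-only with:
#   wp plugin list --format=csv | inactive_items
#   wp theme  list --format=csv | inactive_items
# and, once the Webmaster has confirmed each listed item is non-essential,
# uninstall them (WP-CLI refuses to delete the active theme or its parent):
#   wp plugin list --status=inactive --field=name | xargs -r -n1 wp plugin delete
#   wp theme  list --status=inactive --field=name | xargs -r -n1 wp theme delete

audit_sample
```

The audit step is deliberately separate from the delete step: the policy exempts servers still in testing, and a plugin that is inactive because it is awaiting its go-live date should be reviewed rather than removed automatically.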
- All theme and plugin installation requests must be submitted to the IT Department through a WordPress Theme/Plugin Request at https://jira.sage.edu/desk/plugins/servlet/desk/portal/1 located in the Applications and Infrastructure section.
- Each request will require:
  - The URL of the plugin and/or theme page
  - The target WordPress site for the plugin and/or theme installation
  - An e-mail address at which the requester can be reached
- Each request will be reviewed in the order in which it is received. It may take up to twenty (20) business days to review each request for vulnerabilities and compatibility issues. If any issues are found, the plugin and/or theme will not be accepted for installation. The requester will be notified via e-mail whether the plugin and/or theme is accepted or rejected.
- Each request will be subjected to tests that determine the compatibility, relative security, and maintainability of the plugin or theme.
- The testing phase of a request will proceed as follows:
  - The IT Department will conduct research to determine the compatibility, security, and maintainability of the plugin/theme. If the plugin/theme is found not to meet the necessary requirements, a rejection notice will be sent to the requester.
  - A clone of the production Host will be created.
  - The plugin/theme will be installed on the cloned Host.
  - The IT Department will run penetration tests against the WordPress platform and the underlying cloned Host. If the cloned Host fails any test, the plugin/theme will be rejected with notice and the clone will be destroyed.
- After the testing phase has completed, a notice of acceptance will be sent via e-mail to the requester. The notice will contain a go-live date inquiry, and a go-live date will be arranged between the requester and the IT Department at that time.
- All WordPress content will be served via the Hypertext Transfer Protocol (HTTP) over Transport Layer Security (TLS), more commonly known as HTTPS. (TLS is the successor to the Secure Sockets Layer (SSL) protocol, whose versions are obsolete; the two names are often used interchangeably.)
- All Hosts will be equipped with a host-based intrusion detection suite (OSSEC) whose file integrity monitoring will watch the file system for file modifications and alert the IT Department should there be any changes or irregularities.
...