Website Administration
Website administrators (admins) should follow the guidelines below on every UA WordPress site for consistency and security.
Security
Security is a top priority for all UA WordPress sites. Here are some tips to keep your site secure:
- Do not create a user with the username `admin` or `webmaster`
- Install and activate the Duo Universal plugin
- Keep the UA Theme, any plugins, and WordPress core up to date
- Ensure the WordPress dashboard is only accessible while on a campus network or the VPN. Contact OIT if you discover the dashboard can be reached off campus without the VPN.
User Management
Managing users is an important part of maintaining a WordPress site. Here are some tips to help you manage users:
- WordPress usernames MUST match the user's myBama username. This is critical for several plugins to work.
- Only create users with the roles they need to complete their tasks
- Ensure users are removed from the site when they no longer need access
A note on student employees
Site owners are welcome to add students to their site as content editors, but students should not be given admin permissions. If you use a plugin or other method to add roles, do not give students any role that contains any of the following capabilities:
- `install_plugins`
- `install_themes`
- `delete_themes`
- `delete_plugins`
- `edit_plugins`
- `edit_themes`
- `edit_users`
- `add_users`
- `create_users`
- `delete_users`
- `promote_users`
- `switch_themes`
More about WordPress roles and capabilities can be found on the WordPress documentation site.
This is a general guideline following best practice for security, but exceptions may be made at the site owner's discretion where providing a student with an admin capability is critical to web operations.
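One way to check a role against the capability list above before assigning it to a student, as an added example that is not part of the original page. It assumes capability names arrive one per line, which is how WP-CLI's `wp cap list <role>` prints them; the `site_helper` role and both sample capability sets are constructed for illustration.

```shell
#!/bin/sh
# Capabilities the page says no student role may contain.
FORBIDDEN_CAPS="install_plugins install_themes delete_themes delete_plugins
edit_plugins edit_themes edit_users add_users create_users delete_users
promote_users switch_themes"

# Read capability names on stdin (one per line) and print each one that is
# on the forbidden list. Prints nothing when the role is safe for students.
forbidden_caps_in() {
    while IFS= read -r cap || [ -n "$cap" ]; do
        # Strip a stray carriage return and skip blank lines.
        cap=$(printf '%s' "$cap" | tr -d '\r')
        [ -n "$cap" ] || continue
        for bad in $FORBIDDEN_CAPS; do
            if [ "$cap" = "$bad" ]; then
                printf '%s\n' "$cap"
            fi
        done
    done
}

# Print a one-line verdict for a role; return 1 if it must not go to a student.
audit_role() {
    role=$1
    hits=$(forbidden_caps_in | tr '\n' ' ' | sed 's/ $//')
    if [ -n "$hits" ]; then
        printf 'FAIL %s: %s\n' "$role" "$hits"
        return 1
    fi
    printf 'OK   %s\n' "$role"
}

# Constructed sample input: a content-editing role, and a hypothetical
# custom role ("site_helper") that picked up two forbidden capabilities.
sample_editor() { printf 'edit_posts\nedit_pages\npublish_posts\nupload_files\n'; }
sample_site_helper() { printf 'edit_posts\nupload_files\nswitch_themes\nedit_users\n'; }

sample_editor | audit_role editor
sample_site_helper | audit_role site_helper || true

# On a live site with WP-CLI, feed real data instead:
#   wp cap list <role> | audit_role <role>
```

A role that fails this check should only go to a student under the site owner exception described above.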