WordPress Policy
Last Updated: Dec 03, 2025, 08:42 AM
Enterprise Information Technology (IT) Policy for WordPress Usage and Security.
-
Purpose
To define acceptable use, configuration, maintenance, and security controls for all WordPress‑based web sites and applications owned, operated, or hosted by Southern Illinois University (SIU). The goal is to protect SIU data, preserve service availability, and ensure compliance with applicable regulations.
-
Scope
- Applies to every WordPress installation (core, plugins, themes) in production, staging, development, or testing environments.
- Covers managed WordPress services, and third‑party WordPress SaaS platforms used for SIU purposes.
- Includes all employees, contractors, vendors, and partners who create, manage, or access WordPress sites on behalf of SIU.
-
Roles & Responsibilities
- IT Operations and Web Development Team – Approve the policy, oversee periodic reviews, and ensure alignment with the overall security program.
- IT Operations / Platform Team – Provision, harden, patch, and monitor WordPress servers; enforce baseline configurations. Investigate WordPress-related alerts, coordinate remediation, and report incidents.
- Web Development Team – Follow secure coding practices, vet plugins/themes, and maintain version control.
- Site Owners / Business Units – Designate a Site Administrator, and ensure content complies with SIU’s web standards.
- All Users – Adhere to this policy, report suspicious activity, and complete required security awareness training.
-
Approved Deployments
- Infrastructure – WordPress is running on Plesk.
- Hosting – Only onsite hosting is available, including database access for your WordPress site.
- Updates – All WordPress core, plugin, and theme updates are applied automatically via Plesk.
- TLS – All HTTP traffic must be encrypted with TLS 1.2 or higher; use certificates issued by the SIU PKI or a trusted CA.
-
Configuration Baseline
- WordPress Core – Latest stable release; auto-updates enabled, with updates applied within 30 days of release.
- Database – MySQL with least-privilege accounts.
- Authentication – The MFA plugin is installed by IT Operations. All administrators must use MFA; strong password policy (≥12 characters, mixed case, numbers, symbols). The plugin must remain enabled.
- Admin Accounts – Limited to individuals with an siu.edu email; shared accounts are prohibited.
- Debug Mode – Disabled (WP_DEBUG=false) on production; temporarily enabled only on request.
- XML-RPC – Disabled unless explicitly required; otherwise blocked at the web-server level.
- REST API – Restricted to authenticated users for privileged endpoints; requests are rate-limited.
- Directory Indexing – Disabled for all WordPress directories.
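The following is an added example and is not part of the SIU policy or any SIU tooling: a small Python checker a site administrator could run before a quarterly audit to test a site's wp-config.php and .htaccess against the file-based items in the baseline above (WP_DEBUG disabled, directory indexing disabled, XML-RPC blocked at the web server) and to validate a candidate password against the stated complexity rule. The sample files are constructed inline. The Apache directives it looks for (`Options -Indexes`, and a `<Files xmlrpc.php>` block containing `Require all denied`) are one common way of meeting the baseline and are assumptions of this example, not settings the policy prescribes.

```python
import re

# Constructed sample wp-config.php: violates the baseline (WP_DEBUG is true).
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'example_db' );
define( 'DB_USER', 'example_user' );
define( 'WP_DEBUG', true );
"""

# Constructed sample .htaccess: meets the baseline for indexing and XML-RPC.
SAMPLE_HTACCESS = """# BEGIN hardening (constructed sample)
Options -Indexes
<Files xmlrpc.php>
    Require all denied
</Files>
"""


def php_define(source: str, name: str):
    """Return the raw literal passed to define('NAME', ...) or None if absent."""
    pattern = r"define\(\s*['\"]" + re.escape(name) + r"['\"]\s*,\s*([^)]+?)\s*\)"
    match = re.search(pattern, source)
    return match.group(1).strip() if match else None


def debug_disabled(wp_config: str) -> bool:
    """Baseline: WP_DEBUG=false on production. WordPress treats a missing
    WP_DEBUG as false, so absence passes; an explicit true fails."""
    value = php_define(wp_config, "WP_DEBUG")
    return value is None or value.lower() == "false"


def directory_indexing_disabled(htaccess: str) -> bool:
    """Baseline: directory indexing disabled (Apache 'Options -Indexes')."""
    return re.search(r"^\s*Options\b[^\n]*-Indexes", htaccess, re.M) is not None


def xmlrpc_blocked(htaccess: str) -> bool:
    """Baseline: XML-RPC blocked at the web-server level. Looks for a
    <Files xmlrpc.php> block containing 'Require all denied' (Apache 2.4)
    or 'Deny from all' (Apache 2.2 syntax). Assumed directives, see lead-in."""
    block = re.search(r"<Files\s+\"?xmlrpc\.php\"?\s*>(.*?)</Files>",
                      htaccess, re.S | re.I)
    if not block:
        return False
    return re.search(r"Require\s+all\s+denied|Deny\s+from\s+all",
                     block.group(1), re.I) is not None


def password_meets_policy(password: str) -> bool:
    """Baseline: at least 12 characters, mixed case, numbers, symbols."""
    return all([
        len(password) >= 12,
        bool(re.search(r"[a-z]", password)),
        bool(re.search(r"[A-Z]", password)),
        bool(re.search(r"\d", password)),
        bool(re.search(r"[^A-Za-z0-9]", password)),
    ])


def audit(wp_config: str, htaccess: str) -> dict:
    """Evaluate every file-based baseline check; True means compliant."""
    return {
        "WP_DEBUG disabled": debug_disabled(wp_config),
        "directory indexing disabled": directory_indexing_disabled(htaccess),
        "XML-RPC blocked": xmlrpc_blocked(htaccess),
    }


if __name__ == "__main__":
    # Run against the constructed samples; swap in real file contents as needed:
    # audit(open("wp-config.php").read(), open(".htaccess").read())
    for check, ok in audit(SAMPLE_WP_CONFIG, SAMPLE_HTACCESS).items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}")
```

Against the constructed samples the script reports a failure only for WP_DEBUG, which is the one setting the sample wp-config.php leaves enabled. A missing WP_DEBUG define counts as compliant because WordPress defaults it to false; the checker does not cover the MFA plugin, REST API rate limiting, or database privileges, which have to be verified in the Plesk and WordPress admin interfaces rather than in files.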
-
Plugin & Theme Management
- Approval Process – Only plugins/themes from the official WordPress.org repository or vetted commercial vendors may be installed. Each addition requires approval from the IT Operations Team.
- Removal – Unused plugins/themes must be deleted within 7 days of deactivation.
-
Patch Management
- Core Updates – Updates will be automatically applied by Plesk.
- Plugin/Theme Updates – Updates will be automatically applied by Plesk.
- Plugins/Themes that cannot be updated within 30 days will be removed.
- Plugins/Themes that are vulnerable will be disabled, and removed if not patched within 2 weeks of detection.
Backups run regularly; if you need your site restored, open a ticket with the Web Development Team.
-
Monitoring & Logging
- Web Server – Access logs (including request URI, IP, user-agent) retained ≥90 days.
- Application – WordPress audit log (login attempts, admin actions, plugin changes) stored centrally.
-
Backup & Recovery
- Weekly backups of the database and site files are available for recovery.
- Backups are retained for 3 months.
-
Incident Response
- Detection – Any anomalous activity (e.g., unauthorized admin login, file changes) triggers an alert to the Security Incident Response Team.
- Containment – Immediate isolation of the affected WordPress instance (e.g., put site into maintenance mode, revoke compromised credentials).
- Eradication – Remove malicious code, replace compromised plugins/themes, rotate secrets.
- Recovery – Restore from clean backup if necessary; validate integrity before bringing the site back online.
- Post‑mortem – Document findings, update the policy or hardening checklist, and communicate lessons learned to stakeholders.
-
Compliance & Auditing
- Quarterly internal audits to verify adherence to this policy.
- Routine Plesk evaluation of WordPress vulnerabilities.
-
Policy Enforcement
Violations may result in:
- Revocation of WordPress access privileges.
- Revocation of hosting for the WordPress site.