Requirements for building self-hosted websites
Laurie Sutherland
Guillaume Molter
James Nicholson
Prerequisite
Before starting a project, the customer should make sure to read and follow the approval process described in our web publishing guide.
Audience
This document is for at least two different audiences:
- Customer - the Harvard Chan School entity wanting to have a self-hosted website, separate from our main website https://hsph.harvard.edu.
- Vendor - the vendor being hired by the customer to design AND/OR maintain the self-hosted website
Customer project management and contracts
- Prior to signing any contracts with the vendor, the customer should have the contract reviewed by Harvard Strategic Procurement.
- While the IT department and Office of Communications are strategic partners in self-hosted website projects, it is the customer's responsibility to manage the project, the budget and the relationship with the vendor, and to ensure that the project is in compliance with School and University policies. If the customer is not confident that they can meet these requirements, we encourage them to consider publishing their content on the School website, the School Intranet or using HarvardSites.
Customer establishment of maintenance plan
Important note
Failing to meet the requirements below may result in the customer's website being taken temporarily or permanently offline.
Customers are responsible for ensuring that:
- WordPress core, all plugins and themes are kept up-to-date at least once a month.
- Technical and Accessibility issues are addressed promptly based on criticality.
The IT department is not able to assist with these maintenance requirements and therefore we require that the customer either:
- Establish a maintenance agreement with the vendor that is building the site. The agreement should include a monthly maintenance agreement, SLA terms for off-cycle patches for security, major bugs and accessibility issues, and a pre-established hourly rate for maintenance work. We also recommend including a small number of hours for small improvements and bug fixes after the launch of the site.
- Opt to use the School website maintenance service. This vendor-supported service is offered by the IT Department. This service is charged back to customers with the Pantheon Hosting once a year. This service doesn't include improvements and changes (a separate agreement can be established with our vendor for these) but will cover the customer's requirements of keeping their website up-to-date, secure and accessible. This service is only accessible if the website is following all best practices listed in this document or exceptions have been approved by HSPH IT.
Technical requirements
Domain names
- Most self-hosted sites will use a sub-domain of the School domain similar to: yourname.hsph.harvard.edu
- In rare cases, some groups may be allowed to use a .org domain name similar to: www.yourname.org. This must be discussed and approved first by the HSPH Web Communication Group and then by the HSPH Trademark School Contact.
- In rare cases, some groups that are recognized as University-wide entities may be allowed to use a .harvard.edu domain name similar to: yourname.harvard.edu. This must be discussed and approved first by the HSPH Web Communication Group and then by the Office of the Provost - Trademark Program by submitting the Domain Name Request Form (for harvard.edu).
All domain name approval, registration and DNS changes are managed by HSPH IT. Customers who have previously registered their domain will need to transfer ownership to the School.
Code and hosting
- Self-hosted sites must be hosted on the School Pantheon account. HSPH IT will provide the hosting environment.
- Vendor should store all code for the site on a GitHub repository provided by HSPH IT.
- WordPress is the only CMS currently supported for self-hosted
- We strongly recommend a mono-repository approach containing WordPress Core, all plugins, themes and configuration files. Specific 3rd party plugins (including HSPH required plugins) should be managed via Composer.
- An example GitHub repository is under development to reflect this: https://github.com/HarvardChanSchool/self-hosted-example
Required plugins
- Page builders other than Gutenberg (WordPress Core Block Editor) are discouraged (see Maintenance for more details).
- Authentication and Authorization must be done by Harvard Single Sign-On (HarvardKey)
- Pantheon wp-saml-auth Plugin and the Harvard Chan wp-saml-auth-config must-use plugin should be installed and activated. For more information, see Setup HarvardKey on a Self-Hosted Pantheon Site.
- You will need to request Harvard Sponsored Roles for all vendor affiliates in order for them to access the different project resources (GitHub, Pantheon, WordPress, ...)
- HSPH IT will assist with the installation and configuration process.
- Pantheon platform plugins:
- Harvard Chan WP and Pantheon Security Plugin.
- Disable comments - Unless your website will use comments (discouraged - this should be discussed and approved by the Web Communication Working Group).
Recommended plugins
The plugins below are not required, but we strongly encourage vendors to use them when a specific feature is needed. The School already owns licenses for these plugins and are
Use case | Plugin | Type | Notes |
---|---|---|---|
Custom Post Types, Taxonomies and Meta boxes | Advanced Custom Fields Pro | Premium | We strongly recommend using the Local JSON feature to manage ACF fields with code instead of the database. |
Forms: contact, submission forms, Surveys | Gravity Forms | Premium | Add-ons are usually created by 3rd party developers and the quality varies greatly from one to another. |
Search Engine Optimization, Analytics | Rankmath | Premium | |
Breadcrumbs | Breadcrumb NavXT | Community | |
Event calendar | The Events Calendar | Premium | We also have access to a few Add-ons to be discussed on a case by case basis. |
Publishing workflows, Roles and Permissions | PublishPress | Premium | |
Other plugins
Most projects will likely require the usage of other plugins not listed in the required and recommended plugins list above. We recommend that you use the following criteria to evaluate whether a plugin is suitable or not:
- Always prefer open source, free plugins hosted on WordPress.org over paid plugins.
- Prefer plugins that are actively maintained, have an active community and established documentation. Do not use plugins that have not been updated in several years, or were published a few weeks back with a limited number of installations.
- Please consider performance, accessibility and privacy when making plugin decisions:
- Do not use plugins that require you to be logged into an account or don't allow you to opt out of data collection.
- Do not use plugins that offer a UX/UI that is drastically different than WordPress Core.
- Do not use plugins that spam the administration with ads, upsells or any other marketing dark pattern.
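As an added example (not part of the original guide or of any HSPH tooling), the maintenance criteria above can be turned into a repeatable check over plugin metadata. The thresholds, slugs and sample records are assumptions; the field names are modelled on the WordPress.org plugin information API.

```python
from datetime import date

# Thresholds are assumptions: the guide only says "several years",
# "a few weeks" and "a limited number of installations".
STALE_AFTER_DAYS = 3 * 365
NEW_WITHIN_DAYS = 60
MIN_ACTIVE_INSTALLS = 1000


def _day(value):
    """Parse the leading YYYY-MM-DD of a date or date-time string."""
    return date.fromisoformat(value[:10])


def vet_plugin(info, today):
    """Return the reasons to reject a plugin; an empty list means it passes."""
    findings = []
    since_update = (today - _day(info["last_updated"])).days
    age = (today - _day(info["added"])).days
    if since_update > STALE_AFTER_DAYS:
        findings.append(f"stale: last updated {since_update} days ago")
    if age < NEW_WITHIN_DAYS and info["active_installs"] < MIN_ACTIVE_INSTALLS:
        findings.append(f"unproven: published {age} days ago, "
                        f"{info['active_installs']} active installs")
    return findings


# Constructed sample records with hypothetical slugs (not real plugins).
SAMPLE = [
    {"slug": "example-maintained", "added": "2015-03-02",
     "last_updated": "2024-05-20 3:04pm GMT", "active_installs": 400000},
    {"slug": "example-abandoned", "added": "2012-08-11",
     "last_updated": "2019-01-07 9:30am GMT", "active_installs": 20000},
    {"slug": "example-brand-new", "added": "2024-05-15",
     "last_updated": "2024-05-15 1:00pm GMT", "active_installs": 30},
]


def vet_all(plugins, today):
    """Map each plugin slug to its list of findings."""
    return {p["slug"]: vet_plugin(p, today) for p in plugins}


if __name__ == "__main__":
    for slug, findings in vet_all(SAMPLE, date(2024, 6, 1)).items():
        print(slug, "OK" if not findings else "; ".join(findings))
```

A check like this covers only the update-age and adoption criteria; performance, accessibility and privacy still need manual review.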
Important notes
- If you have any doubts, HSPH IT can help evaluate whether a plugin is appropriate or not.
- Always consider that plugins could be retired or discontinued. If a plugin is going to be a critical component of a project, such that a full rebuild would be required if the plugin were retired, this should be discussed between the vendor and the project.
Copyright © 2024 The President and Fellows of Harvard College