Using WordPress: Tips For Editors


How do I sign into Scalia Law Sites remotely?

Users must download a VPN client from the IT Services Downloads page. For iOS or Android devices, install the Cisco AnyConnect client through the appropriate app store.

Instructions for Windows
Instructions for Mac

Once installed, enter the URL for your VPN group in the format vpn.gmu.edu/<group>. If you do not know your specific VPN group or do not have one, you may enter vpn.gmu.edu and click Connect. Select GENERAL from the Group list and log in with your NetID and Patriot Pass password. See VPN Groups for additional information and how to determine your group.

I can’t sign in because of 2FA. What is that and how can I get it?

Two-Factor Authentication (2FA) is required to connect to the VPN. If you are a Mason employee who uses the VPN to access Mason resources, you are encouraged to enroll in 2FA. This tool allows Mason employees to verify who they are before connecting to protected networks. An alert will go to your cell phone if you or someone else attempts to log in using your credentials. You will then be prompted to approve or deny entry.

Enroll in 2FA.

How do I administer the site and take care of my content?

A user must first be given access to the site by the Director of Design and Web Services. Once an account has been created, simply add “/scalia-law-login” to the end of the URL of the site you are working on. For example, to sign into sls.gmu.edu, the link would be sls.gmu.edu/scalia-law-login.

How do I use the WordPress Dashboard?

Please refer to this short six-minute video to get an overview of the WordPress Dashboard.

A more comprehensive look at the WordPress Dashboard is found below:

Of course, we are here to help. If you have any questions, please contact one of the web administrators and we’ll gladly walk you through the process.

The Menu settings are found on the left side of the WordPress Dashboard under Appearance->Menus.

To the left of this page you will see various categories of items you may add to the Menu, such as pages or custom links. Simply check off the page you would like to add and click on Add to Menu for pages, or copy and paste a URL and give it a title under custom links.

Once the Page or Link has been added to the Menu Structure window to the right, you may drag your selection up or down to prioritize your menu items. Dragging the item slightly to the right while under another item will create a child/parent item relationship making organization of links easier than ever.

Sidebar content is called a Widget in WordPress nomenclature. Widgets can be found under Appearance->Widgets. In order to add sidebar content to a page, you must first create the Widget in the Sidebar category.

Once the content has been created, you will need to add it to the page. Under every editor view of a page, you will see the Custom Sidebar menu. Activate it by checking off the menu item, then select the Sidebar Radio button.

How do I embed videos from YouTube and Vimeo?

On any YouTube video, click on the Share button underneath the subscribe button. From there, simply copy and paste the Share link into the Edit Page window.

For Vimeo, copy the video URL and paste it into the Edit Page window. Example:

https://vimeo.com/220470204

Simple Steps to Secure WordPress Site

  1. Keep WordPress updated
  2. Keep plugins updated
  3. Only use trusted plugins
  4. Only use trusted themes
  5. Choose a secure password
  6. No “admin” username
  7. Decent hosting
  8. Keep regular backups
  9. Restrict login attempts (use iThemes Security)
  10. Switch on SSL encryption
  11. Change database prefix
  12. Two-factor authentication (use Google Authenticator)
  13. Monitor what’s happening
  14. Block access to system files

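    # protect files
    # (Order/Deny is Apache 2.2 syntax; Apache 2.4 needs mod_access_compat for it,
    # and the native 2.4 form is "Require all denied")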
    <files wp-config.php>
    Order deny,allow
    Deny from all
    </files>
    <files readme.html>
    Order allow,deny
    Deny from all
    </files>
    <files license.txt>
    Order allow,deny
    Deny from all
    </files>
    <files install.php>
    Order allow,deny
    Deny from all
    </files>
    <files error_log>
    Order allow,deny
    Deny from all
    </files>

    # Block the include-only files.
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
    </IfModule>

  15. Build your own firewall
  16. Hide .htaccess file
    # STRONG HTACCESS PROTECTION
    <Files ~ "^.*\.([Hh][Tt][Aa])">
    Order allow,deny
    deny from all
    satisfy all
    </Files>
  17. Protect WP-Admin area
  18. Block PHP in uploads folder
    # goes in an .htaccess file inside the uploads folder, not the site root
    <Files *.php>
    Deny from all
    </Files>
  19. Tighten PHP configuration
    ; Disable allow_url_fopen in php.ini for security reasons
    allow_url_fopen = Off
    ; Disable allow_url_include in php.ini for security reasons
    allow_url_include = Off
    ; Disable display_errors in php.ini for security reasons
    display_errors = Off
    log_errors = On
  20. Create your own encryption keys
  21. Folder permissions
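
How the "Block the include-only files" rules under step 14 are evaluated, including the `[S=3]` skip, shown as an added example that is not part of the original page. It is a simplified Python model of the five RewriteRule lines (not Apache's own code); the request paths are constructed samples and `is_forbidden` is a hypothetical helper name.

```python
import re

# The five RewriteRule lines from step 14, as (pattern, flag, skip).
# A leading "!" negates the match; skip is the N in [S=N].
RULES = [
    ("^wp-admin/includes/",                     "F", 0),
    ("!^wp-includes/",                          "",  3),
    ("^wp-includes/[^/]+\\.php$",               "F", 0),
    ("^wp-includes/js/tinymce/langs/.+\\.php",  "F", 0),
    ("^wp-includes/theme-compat/",              "F", 0),
]

def is_forbidden(path):
    """Return True if the rule chain would answer the request with 403."""
    # In .htaccess (per-directory) context the leading slash is stripped
    # before the pattern is applied.
    path = path.lstrip("/")
    i = 0
    while i < len(RULES):
        pattern, flag, skip = RULES[i]
        negate = pattern.startswith("!")
        regex = pattern[1:] if negate else pattern
        matched = bool(re.search(regex, path)) != negate
        if matched and flag == "F":
            return True            # [F] stops processing and returns 403
        # A matching [S=N] rule jumps over the next N rules.
        i += 1 + (skip if matched else 0)
    return False                   # no rule objected; request continues

# Constructed sample request paths.
SAMPLE_PATHS = [
    "/wp-admin/includes/file.php",
    "/wp-includes/version.php",
    "/wp-includes/js/tinymce/langs/wp-langs.php",
    "/wp-includes/theme-compat/header.php",
    "/wp-includes/js/jquery/jquery.js",
    "/wp-includes/rest-api/class-wp-rest-server.php",
    "/wp-login.php",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(("403  " if is_forbidden(p) else "pass ") + p)
```

The third rule only covers PHP files directly inside wp-includes/, so files in its subdirectories pass through unless another rule names them.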

Source: Primary Image

phpCAS and WordPress

Make sure your account is in the “Administrator” role, as you won’t be able to log in as admin after switching to CAS.

1. Download phpCAS and unzip/untar it: https://wiki.jasig.org/display/CASC/phpCAS

2. Download wpcas.zip and unzip it in wp-content/plugins

3. Edit wp-content/plugins/wpcas/wpcas.php and remove or comment out line 57:

    /* $wpcas_options['server_path'] == '' || */

4. Create wp-content/plugins/wpcas/wpcas-conf.php with the following content (change “/path/to” to the path to CAS.php that you installed in step 1):

    <?php
    // the configuration array
    $wpcas_options = array(
        'cas_version'     => 'S1',
        'include_path'    => '/path/to/CAS.php',
        'server_hostname' => 'login.gmu.edu',
        'server_port'     => '443',
        'server_path'     => ''
    );

    // this function gets executed
    // if the CAS username doesn't match a username in WordPress
    function wpcas_nowpuser( $user_name ){
        die('you do not have permission here');
    }
    ?>

5. Log in with an account that’s in the Administrator role. In “Plugins”, activate the wpCAS plugin.

6. If possible, test in a separate browser. When you click “Log in” you should be redirected to https://login.gmu.edu. Type in your PatriotPass NetID and password. You should be redirected back to your WordPress site.