Accessibility
Plugins
The One Click Accessibility plugin handles a lot of the basics of meeting accessibility standards as well as providing a front end widget for visitors to adjust the page to meet their needs.
Alt Text
It is best to get in the habit of adding Alt Text to an image during the upload process. Alt Text is used by screen readers to provide a description of the image to those who cannot see it.
Contrast Ratio
When the color of text against the color of the background does not have sufficient contrast, many people are unable to read it easily. What looks aesthetically pleasing to you may be unreadable to a visitor. While the minimum recommended ratio is 3:1, we would like to aim for at least 7:1. There are tools to help with this; one for OSX users is “Colour Contrast Analyzer”.
Lighthouse
The Lighthouse feature in Chrome, or Google's PageSpeed Insights application, will provide good feedback on a page’s accessibility issues.
Performance and Responsiveness
This will be expanded on in a separate section, but performance is an accessibility issue. Some visitors may only be able to access your site from very slow networks, or only from certain kinds of devices. If your site takes too long (or fails) to load on those networks, or does not look or perform correctly on those devices, then those visitors are being excluded.
Feedback
Using plugins and automated tools for addressing accessibility is an excellent start and will do most of the work. However, they cannot account for all needs. Listen to feedback from the populace and make adjustments accordingly. If someone tells you they have trouble reading text, their screen reader gets stuck on a given page, they can’t get to the information they need on the device they rely on, or any other kind of issue: believe them and work to fix it.
Web Application Firewall
All Atlantian WordPress sites should have the DreamHost web filter enabled by default; it is managed by the kingdom webminister through the DreamHost site panel. Individual WordPress sites should also enable a local firewall plugin and configure it to actively block detected threats. Wordfence is the currently recommended plugin.
History Auditing
It is recommended to install the Simple History plugin, or one that creates a similar event log. It should be easy to monitor account logins/changes, page updates, and installation or update of plugins and themes.
User Accounts
It is required by policy that an account with administrator privileges remain under the control of the kingdom webminister. New accounts on any WordPress site in Atlantia may only be provided to members who are warranted by the office of the Webminister. A warrant can be requested for any member.
HTTPS Only
All WordPress sites should be issued an SSL certificate and load only over HTTPS. The kingdom webminister can issue free Let’s Encrypt certificates from the DreamHost panel to any site. Newly created sites typically have an SSL certificate generated automatically. With the adoption of HSTS policies, your site may become inaccessible if it does not use a valid SSL certificate.
HTTP Security Headers (Advanced)
There is a range of headers that the web server can send to visiting browsers to help protect visitors from various forms of hijacking or injection attacks, and to make the site harder to spoof in targeted phishing campaigns.
It is strongly recommended to implement the standard security headers that WordPress does not send by default, including:
- Strict-Transport-Security "max-age=63072000;" "expr=%{HTTPS} == 'on'"
- X-XSS-Protection "1; mode=block"
- X-Content-Type-Options "nosniff"
- Referrer-Policy "strict-origin-when-cross-origin"
- Expect-CT "max-age=7776000, enforce"
- Access-Control-Allow-Origin "null"
- Access-Control-Allow-Methods "GET,PUT,POST,DELETE"
- Access-Control-Allow-Headers "Content-Type, Authorization"
- X-Frame-Options "SAMEORIGIN"
- X-Permitted-Cross-Domain-Policies "none"
These headers can be added to the site's .htaccess file if you have SSH/SFTP access, or you can add most of them with the single plugin “Headers Security Advanced & HSTS WP”. Note that the headers added by the plugin cannot be customized if there are any conflicts.
A Content Security Policy header is also recommended, but requires some custom design based on your content. Consult the kingdom webminister for assistance.
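For those with SSH/SFTP access, the following is an added example (not from the original page or the Headers Security plugin) of the .htaccess fragment that sets the headers listed above with Apache's mod_headers. It assumes Apache 2.4 with mod_headers loaded, which is the usual DreamHost setup, and that the fragment is placed above WordPress's own "# BEGIN WordPress" block so the two do not interfere. The Content-Security-Policy line is a placeholder only; the actual policy is site-specific, as noted above.

```apache
# Added example (not part of the original page). Assumes Apache 2.4 with
# mod_headers enabled. Place above the "# BEGIN WordPress" block.
<IfModule mod_headers.c>
    # HSTS only on HTTPS responses: the trailing expr= condition keeps the
    # header off plain-HTTP responses, where browsers ignore it anyway.
    Header always set Strict-Transport-Security "max-age=63072000;" "expr=%{HTTPS} == 'on'"

    Header always set X-XSS-Protection "1; mode=block"
    Header always set X-Content-Type-Options "nosniff"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Expect-CT "max-age=7776000, enforce"

    # CORS headers, with the values exactly as listed in this guide
    Header always set Access-Control-Allow-Origin "null"
    Header always set Access-Control-Allow-Methods "GET,PUT,POST,DELETE"
    Header always set Access-Control-Allow-Headers "Content-Type, Authorization"

    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Permitted-Cross-Domain-Policies "none"

    # Content-Security-Policy is site-specific; once a policy has been worked
    # out with the kingdom webminister, roll it out in report-only mode first.
    # Placeholder, not a working policy:
    # Header always set Content-Security-Policy-Report-Only "<your policy here>"
</IfModule>
```

After uploading the file, confirm the headers appear with `curl -sI https://<your-site>/` and browse the site to make sure nothing broke; because .htaccess is read on every request, removing the fragment reverts the change immediately if a header causes a problem.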