Security Considerations

All GSD subsites must adhere to certain security guidelines and processes.

Overview

The Site Builder platform gives editors the flexibility to create websites that are well-designed and user-friendly. As part of that process, editors must be aware of the security policies they are required to follow, and the security settings and limitations of the Site Builder platform. 

Harvard’s Digital Security Policy 

All subsites built on the GSD Site Builder platform must follow Harvard’s Digital Security Policy. Editors should only include Level 1 (public) content on their site, or Level 2 (low) content if it is password protected with Harvard Key. The Site Builder platform is not appropriate for any sensitive content, regardless of whether or not it is password protected. 

Please contact the Help Desk for assistance if you are unsure what level of security your content falls into.  

For more information on Harvard’s Digital Security Policy, please use the following resources: 

Harvard Key Protection 

The Site Builder platform is built using WordPress. Administrative access to WordPress, for editing and configuring a subsite, is managed through Harvard Key. Users can be added as editors if they have an active Harvard Key account.  

In some cases, your entire website, or pages within it, may need to be protected behind Harvard Key. If this is a requirement, please contact the GSD’s digital project manager to ensure this functionality is added to your site.   

Restrict Access Settings 

Within your page’s editor you will see a panel called “Restrict This Content.” Using this tool, you will be able to restrict access to an entire page or to specific parts of a page. 

Screenshot of the "Restrict This Content panel" with the various settings available.
The Restrict This Content panel is located at the bottom of the page editor.

Restricting an Entire Page: 

  • User Level: From the dropdown, select the user group that should have access to this page. Select “Subscriber” to give access to anyone with a valid Harvard Key. By default, your site will be set up so Harvard Key access is granted to all GSD Harvard Key holders. You may, however, request a subset of Harvard Key holders instead (eg: GSD students or GSD faculty). If your required subset of Harvard Key holders does not already exist, you will need to set up a managed group in Harvard’s Grouper platform in order for us to customize who can access your content through Harvard Key. 
  • Hide From Feed: This is only applicable to blog posts. Tick this checkbox if you do not want the blog post to appear in the blog index. 

Restricting Sections of a Page 

If you would like to hide only some of a page’s content behind Harvard Key, use the [restrict…] and [/restrict] shortcode. This will need to be added in two HTML blocks in your content. Use an HTML block with [restrict…] above your protected content, and an HTML block with [/restrict] below your restricted content. 

WordPress Password Protection 

If your visitors do not have Harvard Key accounts, or you do not have a managed group in Grouper, you may choose to password protect your page through WordPress’s built-in password protection feature. WordPress’s password protection is only available per page or per post. It will not allow you to password protect an entire site or sections of content on a specific page.   

This function should be a last resort because it only allows you to set up one password to share across multiple users. Content behind a WordPress password is not considered secure and should still fall in the Level 1 (public) security level. 

To access the WordPress Password Protection:

  • Open the page editor. 
  • Open the Page Settings tab on the right-hand side. 
  • In the Status & Visibility panel, click the Visibility field. 
  • Choose Password Protected and enter a password. 
  • Save 
Screenshot of WordPress "Status and Visibility" panel with password protection settings open.

 
Security in Media Library  

WordPress does not include security protection for any files uploaded to the Media Library. All files (images, PDFs, Word docs, etc) uploaded to your media library must be limited to only Level 1 (public) content, regardless of whether or not the pages you put the files on are password protected. 

For more information on how to share media files that fall into Level 2 or higher, please contact the Help Desk

Form Security 

Site Builder allows you to create customized forms so your site’s visitors can contact you. Site editors may inadvertently create forms that ask for personal information that is considered to be sensitive information under Harvard’s Digital Security Policy or the Family Educational Rights and Privacy Act (FERPA)

To avoid this, please contact the GSD web staff so we can review any forms you want to set up, to make sure you are not asking for sensitive information.