Sites are complex digital spaces with evolving digital standards that can have very steep learning curves. It takes multiple teams of people to keep sites running securely and smoothly. Accessibility, security, design, and development are areas that most communicators must have a basic understanding of in order to produce an effective digital product.

Building a site at Duke may seem a little daunting but the guide below can act as a starting point for building secure, accessible, on-brand sites for your organization.

Domains – What is the url?


  • Third-level domains: (require University Communications approval)
  • Fourth-level domains:, do not require UComms approval and are managed through system administrators


Web Accessibility – Who can see it?

Everyone. Everyone should be able to access a public site at Duke. Duke’s Web Accessibility Initiative exists to ensure people with a wide range of abilities have equal access to Duke’s web content. It is the central resource for information, guidelines, and Duke’s official web accessibility guidelines.

Web Security – Is it safe?

Security is CRITICAL. If a site is deemed to be a security risk (through a breach or lack of appropriate security or versioning upgrades) the IT Security Office reserves the right to take a site offline until that site is cleared to be restored.

You should be aware of the following security policies and guidelines:

  • Data Classification Standard. Duke has defined three classes of information: Sensitive, Restricted and Public.
  • Web Governance Policy. Guidance and options for those managing websites at Duke.
  • Acceptable Use. Establish and promote the ethical, legal, and secure use of computing and electronic communications for all members of Duke University and its affiliated entities.

Service Level Agreements – How can I keep it up?

–What does maintenance really mean?

Once a site is launched and past its QA period, sites typically move into a “maintenance” phase. Maintenance can refer to the general updates of the site but the most critical component is the upkeep needed to keep the environment (infrastructure) up to date. It is the responsibility of the site owner (department) to ensure that a maintenance agreement is in place.  Restated: the platform (Drupal/WordPress), as well as the hosting space, require regular attention and updates to keep them from becoming a security risk.

If you’re working with a vendor: Any work being done through a contract organization – internal or external – requires a minimum service-level agreement of 10 hours per year. Due to the changing nature of the web and the need for version and security upgrades on our preferred platforms, site owners need to identify some portion of their budget and calendar for updates and patching. Without this, sites are subject to vulnerability and attacks. Should a security breach occur, the security office may remove the affected site until it can be confirmed as no longer a risk. IT organizations such as OIT and DHTS cannot be held responsible for sites and actions that they did not create nor participate in.

Web Site Development – How do I make it?

Self-Service: Sites@Duke Express

Sites@Duke Express is a WordPress network that offers a robust set of easy-to-use tools, including Duke themes and Duke-specific plugins. The service also provides the option of a custom domain mapped to your site. There is no charge to users.

Advanced Site Building: Sites@Duke Pro

The Sites@Duke Pro platform is a new Drupal-based solution ideal for schools, departments, institutes, centers, labs, initiatives, programs, and more. It offers flexible site-building options with a professional visual design that meets Duke’s accessibility and branding guidelines. There is a low start-up cost and a monthly maintenance fee that covers all infrastructure, support, and rollout of new features and fixes as they become available.

Custom internal – Duke Web Services and other web development groups across campus

Custom websites can be developed using internal and external resources. (See Working with Vendors) After selecting your development group you will also need to coordinate hosting and domains. (see above and below). Any custom work still has an expectation to meet technical and branding requirements.

Working with External Vendors

The abundance of work across Duke can’t be met by the in-house resources alone. We utilize vendors from around the area including some in other areas of the country and abroad. The following guidelines have been developed to streamline the process of working with external vendors. Learn more about Working with Vendors.

Hosting – Where Does it Live?

Providers within Duke

  • OIT maintains a centralized web hosting environment that provides virtual servers (VMs) to both OIT-supported services as well as applications and services supported by the departments and schools across Duke University. To meet the needs of a majority of OIT’s VM requests and to provide a consistent offering, a set of standard offerings and processes has been created and details can be found at the following links:
  • DHTS Centralized frameworks are based on the following technologies and platforms:
    • Public Web Sites: Drupal Content Management Platform (Linux, Apache, MySQL and PHP based).
    • Intranet Sites: Microsoft Sharepoint 2010 (Windows Server, IIS, MS SQL Server and .NET based)
    • Contact the DHTS web services group for more information.
  • Your school/dept/unit
  • External (requires Web Governance Group approval)
  • External vendors need to host through Duke

Types of Hosting

  • Sites@Duke: free
  • Virtual Machine: custom
    • Compliance with Duke’s security standards
    • Automatic OS updates/upgrade
    • Help with Shib and site set up
    • Backups and monitoring
    • DNS assistance
  • External (requires WGG review): really custom