Is your website at risk from your own content team? In this episode of Accessibility Craft, we unpack a surprising legal development in accessibility lawsuits and explore a growing concern for organizations: how content creators, not just developers, can introduce accessibility issues and legal exposure. Along the way, the team debates governance, training, and permissions in WordPress, and how to future-proof your site in an AI-driven world.
In an Accessibility Craft first, we taste… Water! Specifically, a premium bottled water from Portugal, Healsi, and give our honest take on if it actually tastes any better than what comes out of the tap.
What We Cover in This Episode
- A U.S. accessibility lawsuit dismissed as “moot” and how it could be a signal of what’s to come
- Why documentation and keeping a record of your accessibility efforts has never been more important
- A proposed California law that could expand liability to developers, agencies, and even content creators who produce inaccessible software (or content)
- The hidden risks of giving too many users admin access in WordPress
- How poor content practices introduce accessibility issues at scale
- Practical strategies for governance, permissions, and training and why well-defined user roles and permissions might be your “secret accessibility weapon”
- The role of AI and automation as it relates to user roles and permissions
Links & Resources Mentioned
- Healsi Pure Artesian Still Water
- Lawsuit Dismissed As Moot Based on (Unrebutted) Evidence that Website is Accessible
Tune in to Accessibility Craft conversation episodes like this one every other Monday.
Accessibility Craft is hosted by Amber Hinds, Chris Hinds, and Steve Jones. They are experts in digital accessibility and creators of software, courses, and specialized services that have made millions of websites more accessible through their work.
To learn more about us, you can visit our website.
Transcript
Chris Hinds: Welcome to Accessibility Craft, where we explore the complex challenges and emerging trends that are shaping digital accessibility, while sipping on unique craft beverages. This show is proudly produced by Equalize Digital, the most trusted name in WordPress accessibility. Join us every week as we break down accessibility news and share the expert strategies we’ve used to help make millions of websites more accessible.
Grab a drink, the show starts now!
Amber: Hey everybody, it’s Amber and I am here today with Chris.
Chris Hinds: Hey, everybody.
Amber: And Steve.
Steve Jones: Hello everyone.
Amber: And this is episode number 160 of the Accessibility Craft Podcast. If you want to find show notes and a full transcript, you can find those if you go to AccessibilityCraft.com/160. Now we start every episode off with beverage.
Today’s Beverage
Amber: What is our craft beverage of the day, Chris?
Chris Hinds: Water. The craft beverage of the day is water.
Amber: He told me that he was ordering water and I was like, what? Like sparkling or flavored? That’s what Paola said to me too. I was talking to her about how she’s gonna edit this. She’s like, is it flavored? I was like, no, I think it’s just water.
Chris Hinds: Oh this. No, no, no. It’s not just water.
Steve Jones: Oh.
Chris Hinds: Not if you read the website of Healsi pure artesian still water.
Amber: From Portugal.
Chris Hinds: Yeah, from Portugal. It is rich in silica, whatever that means. It’s pH seven balanced. And they seem to be positioning it as a very, as a very fancy water, as is evidenced by the crystalline structure.
Like it was carved from a glacier or something, or cut like a diamond. But…
Amber: Like the bottle.
Chris Hinds: It is a really cool bottle design. That’s kind of what grabbed my attention and I was just like, you know, restaurants now with like water sommeliers, and water menus. But I, I’ve always been curious to try a really fancy water and so I bought the really fancy water that looks legitimately really fancy, that’s available on Amazon. And had it shipped.
Amber: How much did a case, or how many did we get? 12?
Chris Hinds: Yeah, I was actually surprised by this. So we sent, yeah, it was like a case of 12 and the 12 pack was like around 30 bucks. So it’s $2 a bottle for a 16 ounce bottle.
Amber: It is like airport pricing for your water, and you could have that same pricing at home.
Chris Hinds: Oh, no, I think you probably would be paying like two to three x that for this in an airport.
Amber: What were you pointing out there, Steve, when you showed the bottle of water to the camera?
Steve Jones: The bottom is all crystally looking too, like the.
Chris Hinds: Yeah, it’s like a kaleidoscope. For the listening audience Steve’s got his, the base of his bottle up to the camera, and he’s like rotating it. That is, it’s kind of trippy with the, with the light patterning inside the, the bottle itself. But I’m gonna crack mine open and I’m gonna…
Amber: Okay.
Chris Hinds: See if I can taste silica.
Amber: Okay, so while you do that, I Googled this because I was like, is silicon like plastic? Silica is a naturally occurring chemical compound made of silicon and oxygen abundant in sand, rocks, and clay. It is used in industry to manufacture glass, ceramics and electronic components and in consumer products such as cosmetics, food, and to improve tire durability.
Chris Hinds: Yep.
Amber: Do you wanna drink your fancy water now?
Chris Hinds: That’s after processing. But yeah, silica comes from sand and it’s used in all sorts of things.
Amber: Are we doing like our normal smell? Like how does it smell?
Steve Jones: Mine…
Chris Hinds: It smells like nothing.
Steve Jones: Mine didn’t make any sound. It didn’t fizz anything.
Amber: It’s not carbonated.
Chris Hinds: Still water. This might be our most boring…
Amber: I do think everyone has to go to Healsi.eu, H-E-A-L-S-I dot E-U and check out their website, which I think is the most BS filled website I have ever seen. I still haven’t tasted this water yet because I wanna build up to this a little bit more. It’s got a whole list of chemical compositions, and here’s what it says.
I mean this incredible image of this super buff dude with leggings and no shirt standing upside down on his hands on some sort of like barbell thing straight. I mean, he’s very, yeah. Apparently this will help you get so ripped, like that dude. And it says it helps with your bone health, detoxification, nails, hair and skin, heart health.
This water is going to save your life!
Steve Jones: You mean literally like water, right? Like, those are the…
Amber: All water does that? No, this is special water from Portugal.
Chris Hinds: This is special water. That’s pseudoscience at its finest right there. Oh, oh my goodness.
Steve Jones: I’m not getting much on the nose. Like…
Chris Hinds: Yeah. Yeah, I know. Smells like water.
Amber: And it does taste different though. No.
Chris Hinds: Does it taste different to you?
Amber: Okay, so I have water from north of Austin, Texas. And it’s been filtered through our refrigerator. Also, our water here is really hard, so we also have a water softener.
Chris Hinds: Mm-hmm.
Amber: And that water compared to this water.
Chris Hinds: Our water’s probably gonna taste a little salty or something.
Amber: Not salty. But it’s softer.
Chris Hinds: Yeah.
Amber: This fancy water, there is a distinct flavor difference.
Steve Jones: Yeah. So like there’s a difference between like purified water and natural water, like spring, natural spring water. So a lot of times, natural spring water has a little bit more of a, a taste to it than purified water.
Amber: Because it has more minerals?
Steve Jones: Yeah, yeah.
Amber: That haven’t been filtered out.
Steve Jones: Right.
Chris Hinds: Yeah.
Steve Jones: Now I did the same thing, Amber. This is water from the Great Miami Buried Valley Aquifer. It is a massive, productive underground water source serving as the sole source of drinking water for over 400,000 people in the Dayton region. So we, we have this like natural aquifer, and you get this just beautifully like filtered, water. Like I’ve lived in areas, you know, around here, like where you get it from the water tower and it’s like real hard. It has the stuff in it. You have to have a softener.
Chris Hinds: Mm-hmm.
Steve Jones: So I’ll compare the two. Let’s see.
Chris Hinds: Yeah. While Steve tastes that I remember being in places or going to places where it’s like the, the water tastes like chemicals or lawn clippings out of the tap. It’s gross.
Amber: The Dallas, Texas area the lakes that they get their water out of, I always think it tastes like grass or something weird like dirt.
Chris Hinds: What do you think Steve?
Steve Jones: So there’s…
Amber: Yeah.
Steve Jones: Definitely a difference of taste like the Dayton Water tastes like tap water. Like, it has like a, don’t know if it’s ’cause it’s got, you know, they put fluoride in it or whatever, right? Like, I don’t reverse osmosis anything beyond what the refrigerator does, but this tastes like natural spring water to me.
Like if I was to go to the store and buy natural spring water in a bottle, that’s what this tastes like.
Amber: Do you like the flavor of the, like this water, the bottled water better than your tap water? Steve?
Steve Jones: Yes.
Chris Hinds: Hmm. I have no basis of comparison.
Amber: I don’t know if I do.
Chris Hinds: I like the water. I feel like as, as far as bottled waters go, it’s a little bit above average for what I would typically get, and I give them like an 11 out of 10 for their bottle design.
Like I love the bottle. It’s really cool.
Steve Jones: Yeah.
Amber: I like the bottle. I find their website hilarious because I always think it’s a little bit ridiculous when food and beverage companies make these like over the top health claims.
Steve Jones: I think as far as water goes, it’s water, but it’s pleasant to drink. Now, my suggestion would be to add a little bit of carbonation and cola flavoring and sweetener, and you end up somewhere around here, like around the Coke category. Then that would…
Amber: And then you’d like it better?
Chris Hinds: Yep.
Steve Jones: But overall, it’s pleasant to drink.
Amber: I’m not sure that if it had the additions that Coke has, if they could have the ripped dude on their website anymore.
Steve Jones: Diet Coke’s mostly water, so you still get the water benefits.
Amber: All right.
Chris Hinds: I’m one thumbs up on water. I don’t know about anybody else, but.
Amber: I mean, I’m always two thumbs up on water. I drink a lot of water all day long. I’m just in the middle about like, would I actually buy this again? Probably not. I don’t know. Maybe that’s actually one thumb down. It’s not bad, but it’s also like, would I go out of my way to get this water? No.
Steve Jones: Yeah.
Chris Hinds: Definitely prefer my water soaked and like some tea leaves or some, some ground up roasted beans for sure. That’s my…
Steve Jones: Yeah, yeah.
Chris Hinds: …preferred water delivery system.
Steve Jones: Fermented in a barrel over many years.
Chris Hinds: Yeah. There you go.
A11y Court Case Dismissed as “Moot” in NY
Amber: Well, should we talk some current events?
Steve Jones: Let’s do it.
Amber: I saw we’ll put a link to this as always in the show notes that Seyfarth, which is a law firm that writes a lot about accessibility laws, had written an update about a lawsuit that got dismissed in New York federal courts, and it was dismissed as moot based on the defendant’s submitted evidence that it had taken what is considered commercially reasonable steps to make its website accessible. And the plaintiff had not proven otherwise.
Which I thought was really interesting because we talk a lot about these, oh, you always have to settle and that sort of thing. And then here’s an example of a case where they had a whole history of, we’ve been working on this since 2023. Here’s what we’ve been doing. When they reported problems, we went and fixed them. And so the judge just said, yeah, this lawsuit can’t move forward, which I thought was kind of a nice positive example.
Chris Hinds: Yeah, I mean, if you’ve done the work and you can prove you’ve done the work, you shouldn’t have to pay settlements just for the sake of, you know. I think we’ve covered this in prior episodes, right? It’s like, is there a real barrier or is it just like a, a slight quirk or a mild inconvenience?
Do you actually have standing or are you just there with your hand out asking for a few thousand dollars?
Steve Jones: Yeah. It’s when you ignore the problem is when you can really get in trouble. It’s where you acknowledge the problem, even if you acknowledge accessibility issues with your website and an accessibility statement that still shows that you’re acknowledging it and that you’re giving some timeline or some description on what you’re planning to do and when you’re planning to do to remediate it. You know, this underscores too, like, the Accessibility Checker has an add-on called Audit History that allows you to track the accessibility of your website over time. So every day it’ll kind of take a snapshot of accessibility stats to see if you have actually been working towards making your website more accessible. I just think it underscores the fact that this isn’t an all or nothing thing. It just means that you need to be working in that direction and it really could save you when a claim comes up, whether it’s a valid claim or it’s, you know, one of these kind of, as they described, a copy and paste accessibility lawsuit.
Amber: Yeah, I mean I think for me, the biggest takeaway that I had on this is that documentation is really important. I mean, any website that we’re doing remediation on for our clients, we always have the audit history add-on, installed. We’re tracking and that gives you that peace of mind and the ability to see changes over time and compare versus just the, here’s what it is right now.
And I think that’s really what saved this company is because they were able to produce records that show what they’ve been doing. So whether you’re using our plugin or you’re just taking your own notes and screenshots over time or whatever, I think record keeping is probably really important.
Chris Hinds: Mm-hmm. Gotta be able to tell a story with evidence and examples and, and data that’s compelling.
Proposed California A11y Law Targeting Developers is Back in Committee
Amber: Yeah, so speaking of accessibility lawsuits, California, everyone’s so excited about this, I’m sure, has an updated version of its previously proposed bill that would make web developers responsible for accessibility violations back in committee this year. So who knows what’ll happen if it’ll die in committee or if it will move forward?
This version actually goes beyond literal developers, it uses new language where it specifically references quote resource providers, which they define as an entity that in exchange for money or any other form of remuneration, constructs, licenses, distributes, or maintains for online use an internet website or resource to be used within or in conjunction with an internet website.
So this would apply to the third party theme and plugin developers that we’ve talked about. But more interestingly, I think it also applies to content creators or people who enter content on a website if they’re paid to do so. And it doesn’t exclude individuals if you read the language. I know we’ve talked a…
Chris Hinds: Seems like, sorry to interrupt. I was just gonna say, it also seems like really taking a square aim at like subdomain based or embeddable SaaS services, like the career platforms, and HR platforms, and other systems like that too.
Amber: Mm-hmm.
Steve Jones: It also sounds like it might open the door for hosting companies.
Amber: Well, yeah, that’s what I thought was interesting because it says or maintained.
Steve Jones: Mm-hmm. Oh.
Amber: Maintaining a website is a really, and like you’d, maybe you didn’t build it, but a client came to you and is like, Hey, can you run my plugin updates and manage my site for me on an ongoing basis? That’s maintaining a website, right?
Steve Jones: Yeah.
Amber: So, very interesting. I know of course we’ve talked a lot about the need to choose themes and plugins and third party embeds carefully.
But I’m thinking that with so many different accessibility problems that are coming from content, I think maybe we should today have a conversation about how to protect your website from your content creators. But first, let’s take a quick commercial break.
Brought to you by Accessibility Checker
Steve Jones: This episode of Accessibility Craft is sponsored by Equalize Digital Accessibility Checker, the WordPress plugin that helps you find accessibility problems before you hit publish. Thousands of businesses, nonprofits, universities, and government agencies around the world trust Accessibility Checker to help their teams find, fix, and prevent accessibility problems on an ongoing basis.
New to accessibility? Equalize Digital Accessibility Checker is here to teach you every step of the way, whether you’re a content creator or a developer, our detailed documentation guides you through fixing accessibility issues. Never lose track of accessibility again with real time scans each time you save, powerful reports inside the WordPress dashboard, and a front end view to help you track down hard to find issues.
Scan unlimited posts and pages with Accessibility Checker Free. Upgrade to Accessibility Checker Pro to scan your website in bulk, whether it has 10 pages or 10,000. Download Accessibility Checker today at EqualizeDigital.com/Accessibility-Checker. Use coupon code AccessibilityCraft to save 10% on any plan.
Protecting Your Website… From Content Creators?
Amber: All right, we are back. So on my note of protecting your website from your content creators, which sounds weird ’cause it’s almost like they’re who I want to edit my website, why am I protecting it from them? But unfortunately, I think we’ve figured out that people who enter content on websites are not always the most knowledgeable people.
Sometimes they are, but sometimes they’re not. And, if we’re going on this idea that content creators are a top source of accessibility issues on your website, what would you guys say is the best way to protect your website from them?
Steve Jones: I mean, that’s a really big question. Big organizations, universities and stuff sometimes will have some bit of governance guidelines around how they handle content. But, you know, most, most people don’t. And most people don’t have the time or the resources to really think about it all that much. I look at things from a technical standpoint a lot of times, and there’s things that you can do to try to build some kind of gating inside of your WordPress admin to try to control what content creators have access to and what they don’t have access to.
User permissions and user capabilities inside of WordPress can be modified to take certain capabilities away from certain roles. You know editors come with a certain set of capabilities outta the box, but you can actually modify that as well to kind of try to keep them where you want to keep them. In Accessibility Checker, we do a little bit in regards to this and we’ve had a lot of conversation about doing a lot more around governance and, you can block uploading PDF files. So that, you know, if, if you’ve listened to any of our previous episodes, we talk a lot about PDFs and how inaccessible PDFs can be. So if you just cut that off at its source where nobody can even upload a PDF, then you’ve, you’ve solved kind of the problem there.
Now you may be creating another problem outside of the website. How do you get that information from this PDF to the website? But that’s a whole nother thing. So we allow you to utilize that to kind of block uploading PDFs in a way to kind of create a little bit of governance. Like, you can’t do that because it may be inaccessible.
You need to go take that PDF, it through our service, that checks it for accessibility before it gets uploaded to the website.
Chris Hinds: Yeah, the other big one is training and because you know, we’re talking about protecting, accessibility outcomes or hedging against what people might do sometimes. But training can help hedge against a lot of this in a much bigger way. So teaching best practices around proper content entry or the common pitfalls or accessibility mistakes that people can make. Teaching the importance of accessibility to everyday people, why it matters, kind of giving people that more foundational insight because for some people it’s like, when it’s brought up just in professional conversations, it may have been the second or third time they’ve ever heard the word, at least, you know, in, in a digital reference.
I still hear, ‘What does that really mean?’ Questions all the time in conversations. A lot of people just need knowledge. And I, I did look up a couple of interesting stats that I thought were particularly revealing here. So the first one came from an organization called Fable that does a lot of accessibility, training and team upskilling services, but they did some studies. And in their study, 44% of organizations said that their teams lack accessibility knowledge, like basic accessibility knowledge. And 67% originate in the design stage. So before, before things are even, you know, making it to the, the end of the production lifecycle. And if you think about, you know, even if it’s like someone just adding pages or modifying content on your website, there was probably a plan that was being formulated around that content before it even got entered.
And so if you can train people, they can even catch things before they even start typing their first character into the website editor.
Steve Jones: Mm-hmm.
Chris Hinds: And then the other one that I thought was particularly interesting came from Level Access, but they said that organizations that had quote, highly effective accessibility training programs, were two and a half times more likely to approach accessibility proactively rather than reactively, which we’ve established ad nauseam on this podcast saves a ton of time and resources in generating accessible outcomes. Training’s essential.
Roles and Permissions: Your Secret Weapon for Accessibility
Amber: Yeah. And I mean, I do think that’s a big reason why we have Accessibility Checker to try and provide that hands-on training at the moment of content entry, but for sure having any of that beforehand. I’d like to circle back to what Steve talked about, about like roles and permissions and what you give access to because I actually think permissions is, I don’t know, maybe like the secret weapon or a really big thing that you need to consider.
Back when we used to build websites, like I was talking about earlier in our marketing agency day, we would hand them off to our clients and we would grant them administrator access on the website. And I don’t think I really thought about permissions much except for in the guise of, I was just thinking, this is their website. They own it. They should have full control.
And I always felt like it was wrong when I heard agencies that wouldn’t give full control. But now I’m finding myself actually thinking about that differently and wondering if that is actually a good idea. Mostly because we have gotten access to websites for auditing or remediation purposes where there have been 15 plus administrator accounts in the lingo of WordPress, like top level users that can do literally anything. And it seemed like on those websites, anytime they needed to add a user, they just gave them full control. Not just of editing content, but the ability to modify the headers, footers, and other global areas, plus the ability to add plugins, which is super scary if you think about that.
Chris Hinds: Yeah.
Amber: And so, let’s dive into that. Is rethinking user roles and permissions on websites the missing piece of the puzzle that will help organizations avoid adding accessibility issues to their website?
Steve Jones: Yeah…
Amber: What do you guys think?
Steve Jones: I don’t think it’s the missing piece, but I think it is one of the pieces of the puzzle. Oddly enough, I, you know, when I ran my own agency years ago and I would have support clients that I had on, we called ’em care plans and, I would not give them admin access outta the box. If they were on a retainer with me to maintain the website, because I took it from the standpoint, if you’ve hired me, to maintain this website, I’m responsible for the security. I’m responsible for the updates. There’s not really any need for the client to actually have admin access at that point.
Now, I will say there were the caveats where there were certain clients that would request to have that later on down the road, and, and I would grant that. But I, I think you’re totally right. And I think that not just around content entry and accessibility, you know making sure that they can only touch the content area, the areas that they should be touching, not the global elements of the page. ‘Cause global elements are duplicated throughout the whole website. So if you introduce an accessibility problem there, you, you’re probably introducing it hundreds, thousands, hundreds of thousands of times. Who knows?
Amber: Everywhere.
Steve Jones: Yeah. Yeah. But I, I think we’re actually moving in an even greater direction with AI and AI’s opening the door to like, security exploits, right? So if, if an AI can find security exploits even faster nowadays they’re go, there’s more of an issue with just installing any plugin, right? You don’t want, like a content creator going, oh, I wanted to add this block. I need this block for this piece of content. I’ll just go install this plugin without validating the source that plugin came from.
Is this a trusted company? Do they have a long track record? Is there a lot of installs? Is there statements about security? Is there statements about accessibility of that plugin?
And, and not only that, I, we can even go a step further. So WordPress 7.0, it is bringing in a feature called realtime collaboration. So it’s kinda like Google Docs where two people can work on a post at the same time and you can kind of see what they’re doing and you won’t necessarily conflict with each other.
On the surface, that seems like, okay, that’s kind of cool for a content creation standpoint, but really what it’s for and I think one of the big benefits of it’s going to be for AI to work in your website alongside of you. So now you’re gonna have to start thinking about website permissions and capabilities and restrictions, not just with humans, but with agents as well. And are those agents having the right security practices, the right accessibility practices as well. So you don’t want to just have an admin user that an agent is attached to just doing anything willy-nilly on the website the same as you probably don’t want to have a human doing that as well.
Chris Hinds: Yeah, we’re gonna have to get super granular and super specific about who or what in the case of an AI can do what on a website. Just like in, in like a real world situation, right? Like thinking back to my restaurant days. You wouldn’t take someone who’s like a porter who does general cleanup tasks and carries things around the kitchen, runs errands, and stick them on the grill at 7:00 PM on a Friday and ask ’em to start grilling steaks, right? It would…
Amber: Mm-hmm.
Chris Hinds: … be an unmitigated disaster. It’s the same reason you don’t give a client admin privileges or you know your junior level person the ability to do anything on your website. Or in a different vernacular, you wouldn’t take a brand new guy on construction and stick ’em in as a, as a crane operator, moving multi ton objects around a downtown area with skyscrapers.
You know, it’s there have to be methods and processes and training steps and vetting and, and all of that stuff. So I think, like Steve said, it is a component, maybe one of the bigger components as we’re thinking through this or as I’m thinking through it. But it’s certainly not the only component.
Amber: Yeah, I mean, I definitely think too, especially if laws like this pass, if you are maintaining websites, whether they’re your own websites, whether they’re websites for clients or they’re just, you know, like you’re outta college or university, you’re in web services. Anyone who can add content could make you responsible.
If there’s not a good way of tracking who was the person who actually edited this thing, and I don’t know, maybe that’s when you gotta start, we’re talking about documentation. You gotta start adding employee and like stream or something on WordPress where you can say, who was the last person to edit this page, because the page author is not the same as the page editor.
If you’re the page author, you don’t wanna be held responsible legally for a mistake that a page auth editor made.
Chris Hinds: Yeah, or what if the AI does it, then who are you suing?
Steve Jones: Right.
Chris Hinds: That…
Amber: Yeah.
Chris Hinds: That starts to get really weird.
Steve Jones: Yeah, speaking of accessibility too, you know, we talked about our audit history, like if that number goes up considerable amount, you can track that. And we actually have a new feature coming to our plugin for from Free to Pro that will allow you to receive notifications to your inbox on the state of the accessibility on your website, and you can see that hey, I got this email today and it says my accessibility is up, you know, 10% what’s going on on the website? Go check it out.
User Roles and Permissions, Potential Impacts on Accessibility and Risk
Amber: So we’re all in agreement, it sounds like, that there’s probably a lot of users on websites who should not be administrators. What are the other role options in WordPress? Which I know sounds like a basic question except for I’ve gotten access to so many websites now that it seems like a lot of folks need a refresher on there are other user roles than administrator, and here’s what they do and why you might use them.
Steve Jones: So if you’re running a multi-site, you have a role of super admin, which allows you to control all the websites at the network level. On a single site basis, you have an administrator, which can pretty much edit anything in the website. You have an editor which can edit all posts, correct? Yeah. And…
Amber: Mm-hmm.
Steve Jones: An author role, you can edit your posts but not others. And a contributor, you can write and edit your own post, but you can’t publish them. And a subscriber is one that can’t really do a whole bunch, they can only manage like their user profile, I think.
Chris Hinds: Yeah.
Amber: Tell me if I’m wrong about this. I think an editor can’t edit widget areas. Do you know?
Steve Jones: I think it is limited to posts and pages. Yeah.
Chris Hinds: It’s locked down…
Amber: Okay.
Chris Hinds: ‘Cause I remember sometimes getting into websites, and the user role being an Editor and I can’t like, configure any of the plugins or extensions. I can’t really go into site settings super deeply at all. Or even see like site health status. A lot of it gets locked down. Even one tier down from administrator.
Amber: Yeah. So one of the things that I’ve been thinking about this on being more granular with our control is I’m wondering if these out of the box capabilities are sufficient or if they actually need more separation. For example, if you have someone whose only job is to come and publish press releases, ’cause they’re on your PR team, but they also need to be able to edit a press release maybe that someone else published. So you make them an editor. But should they also be able to edit pages, which WordPress out of the box, I think editor means for all post types.
Steve Jones: Mm-hmm.
Amber: And do we think, should this change?
Steve Jones: I mean, it depends on your threat level really. And it depends on your organization, and it depends on the size of your team and a whole host of things. Now you can use a, a plugin like the User Role Editor plugin to modify these, to remove those permissions to different custom post types.
And I, I think you can do that with the free plugin. I’m not a hundred percent sure if the free User Role Editor plugin allows you to do it on a per custom post type basis, but it definitely lets you do it on the post and page basis.
Steve Jones: You could start thinking about that, like, you know exactly what Amber said.
Do they need access to all the custom post types? Do they need access to the media library? Maybe they need to be able to put this press release in, but we don’t put media in there so we don’t put images and PDFs and stuff in our press releases, so they don’t really need access to that. So I think those are things that are worth thinking about, but that, that takes, you know, a casual site I put that in quotes, and, and turns ’em into somebody that is a, a little more thorough in thinking about these things. From a little bit more of a governance standpoint and a little bit more of a security standpoint, only them to have access to what they should have access to.
Amber: Yeah, I know one thing we used to do when we were building custom sites was we would define all the colors that were brand colors in the brand palette. And then you, I think Steve, were doing something to hide the color picker so people couldn’t go pick random colors.
Which seems like, whoa, that’s so much control. But at the same time, it’s like, well that ensures contrast mostly, unless they pick two weird combinations from the brand palette, but also it keeps things on brand, which is nicer.
Steve Jones: Yeah, I think that, I think what you just said and what Chris said earlier about, you know, the stuff happening in the design phase, you know, and this is the whole shift left thing that we talk about all the time. I don’t remember what the stat was, like 60% or something of accessibility issues are introduced into the design phase.
Chris Hinds: Yeah.
Steve Jones: And those are likely, like contrast issues and maybe heading sizes and stuff like that. That’s probably where most of that comes from. Yeah, in WordPress you can kind of, you can remove the color picker, you can pick defined colors, but the color picker where you can pick any color can be removed from the block editor. And the block editor actually has a cool feature too now where if you do try to do what you described Amber, pick two colors from the palette that actually do create a color contrast issue, it does alert you and tell you that it doesn’t meet color contrast.
Chris Hinds: Hmm. Yeah. And, and looking at like, I understand the logic and the order of thinking for how WordPress has structured its default user roles and like limiting things to the user because it’s just thinking about publishing, right? You know, if you’re a publisher putting content out there, you only want a very small number of people to be able to edit everything, and for people who are publishing, you know, there’s two different levels, which is one is like we trust them enough to publish their own content and update their own content. Then there’s a level below that, which is we don’t trust them to publish on their own. Someone has to approve it. And I understand like what they’re going for.
Going back to the question of are these user roles enough? Do we need to introduce other ones? The answer’s probably yes, but thinking about a situation where a website owner can’t or won’t, or doesn’t have the capability to introduce custom user roles currently in their current iteration of their website, I think maybe we should start treating Contributor, maybe Author, as the default or the starting place, because then at least you have a blame mechanic, right?
Where it’s like we know that that individual can only control what is published under their user. And yes, there are maybe editors or administrators who can edit everything, but if you keep that to an incredibly tiny group of people or even maybe just one individual who has that capability, then you at least have a mechanism to prove that if there are accessibility deficiencies, like you can trace it to who it came from, if it’s in the content and not more systemic.
The “Blame” Game: Amber Throws a Curveball
Amber: So I know this is a curve ball, I did not have this in our show notes, but we’ve talked about this before, because we had a request from NASA where they were like, can you give us an Accessibility Checker report where we can see like who caused the problem? And we’re like, this is really difficult in WordPress because of that scenario that anyone can edit it.
And this has been a long time, so I don’t know how much more you’ve actually thought about it since our initial conversations with NASA about this, but how would we even begin if we wanted to be able to track that, knowing that it’s not always post author? Like, would that be possible for us to just create, I guess you almost have to create like a log of edits.
And maybe, I don’t know if you could use the existing, what is the revisions or something in WordPress? Is that what it’s called? As long as you’re on a host that supports it.
Steve Jones: Yeah. If you’re on a, a host that supports revisions.
Amber: Opening can of worms. Close the top.
Chris Hinds: Yeah, I’m not smart enough to figure out that problem. That’s…
Steve Jones: What you’re describing is like in the code world we have it, it’s called blame, right? We call it blame all the time. Like when you find a bug in the software, what’s the first thing we do? We run and see what developer like actually wrote this, and who is the last one to modify it.
Amber: How productive is that actually?
Steve Jones: Fortunately in our company, I haven’t come across anything so egregious that I was like, like it’d be a fireable offense, right? Like you literally are trying to inject something malicious into our plugin. I sometimes it helps to back trace blame just to see, just to see who worked on it and to have them fix the problem, or because they may…
Amber: Hmm.
Chris Hinds: Where a process broke, right?
Steve Jones: Yeah.
Amber: Yeah, or if you need more training, like we were talking about earlier.
Steve Jones: The person where the issue originates from, and this is for like code, and this is probably for what we’re talking about here, like accessibility issues. That person has more context than you do, even if they are listed as the blame. So you want to elevate that if, if you do see an issue and bring it to that person, get the context of their thinking of why they implemented something a certain way. Or see if, you know, in on the accessibility side, are you even aware that what you’re doing is creating an accessibility issue every time you do this, this content behavior?
The second part of your question, talking about Accessibility Checker, and if we were to build in a blame, so we have kind of a soft blame already built in to the database where we do log the… I don’t know if the ID is the author or is it the current logged in user? I’m not a hundred percent sure.
Amber: I thought when we logged that it was whoever scanned, so in the case of a full site scan, then it would just be whoever is running the scan. But if it’s a post, like an individual on post scan, then if it was on the editor’s side, then that probably is the person who created the content. ‘Cause they were editing the post when it got scanned.
Steve Jones: Yeah.
Amber: But I feel like there’s a gap in that, that we talked about and we were like, oh, maybe we could figure out a different way. You know, a thought on this is interesting though because maybe you could say for any post that it is always just the last user who edited it.
Because even if, like if I edit a post and I edit something down low and above, above where I’m editing, there’s an image that has empty alternative text that really should, and Accessibility Checker is flagging it. But I ignore that. And I’m like, well, I didn’t put that image there. I’m just gonna focus on my part.
Then it is still kind of my fault because I was like, last touch.
Steve Jones: Yeah.
Amber: Maybe that’s what we need.
Steve Jones: So really we have that data. So you have the user ID of the person that initiated the scan, gets stored on the issue. If an issue is dismissed, that user will be logged on that dismissal. Then we could cross reference. We have the post ID, we can cross reference to the post ID to see who the last touch was. So we have the blame data in the database, maybe with a little bit of modifications or another column. We have yet to surface that data in a UI for the end user.
But I do think that that probably is a really valuable feature to add.
Chris Hinds: I could really see that being interesting for very large websites with lots of contributors and authors being able to be like a report basically is like, here’s the average accessibility score across all content by author, right? So you can see which of your authors maybe would benefit from training. As well as the other things we already surfaced. ‘Cause then that concretely also takes accessibility as a best practice and relates it to the humans on your team and not just the modules of your website or how the thing is built or the particular solution. It makes it more about the people working on the website, which, I don’t know. Having reports that tie accessibility to the human beings working on the website is probably extremely valuable and maybe more operationally useful than some of the other stuff we’re doing.
Amber: Yeah, and on that note, that’s probably a good reminder to anyone listening to this podcast that does not have unique user roles for editors on their website that you should not share logins. For a variety of reasons. Tracking accessibility issue causes is one of them, but there’s all kinds of other reasons that you should not do that.
Chris Hinds: We would probably also need to have like some kind of warning at the top of that report if we detected that more than 50% of the posts on the website had one author or something being like, Hey, you might be a little skewed in your user roles unless, and take a closer look at this, otherwise this report might not be helpful.
Amber: Well, you could mathematically do it in where you come up with like a score that is also adjusted. It’s like what’s the average score for the number of posts that they provide? Because I did that on the page builder report because there were some components that some of those page builders don’t have.
And I’m like, it’s not fair to like ding them.
Steve Jones: Yeah.
Amber: Or not. So it’s kind of like…
Chris Hinds: …Really bad article and that’s the only thing they’ve ever published versus…
Amber: They have a 100% horrible score.
Chris Hinds: Yeah.
Amber: Versus somebody who has one really bad article and like 20 good articles. Okay, well then they’re not as bad as the person who did one thing horribly.
Steve Jones: So to both of those points, that’s where the Accessibility Checker kind of where it tracks who’s scanning is kind of a better piece of data than the author of the post ’cause, I’ll say this, there’s posts that are generated in our own company that have my name as the author that I didn’t necessarily write.
Chris Hinds: Mm-hmm.
Amber: Yeah, you might’ve just like read it as a QA, but you didn’t write the whole thing. Yeah. Yeah.
Steve Jones: And that’s not just unique to us. Most companies operate that way. They have content writers that are writing for certain people within the company and setting them as the author. You know, people could extend it and have two authors output on a single post. So tracking the author is probably good, but tracking actually who’s editing the post and how many times in the order, like the last touch, is probably more of an important piece of data when you’re trying to find blame. Now we gotta find a better word than blame, but.
Amber: Yeah. Training opportunities.
Chris Hinds: Yes.
Closing Remarks: Measuring Progress, Managing Risk, and Starting Small
Amber: That’s what we can label. It needs the most training sort of. So, okay. I feel like we should sort of wrap up ’cause we’re about at our time here on this episode. What would you say your number one recommendation is then on protecting websites from their content editors or authors?
Chris Hinds: Ooh, I don’t wanna go first. Can someone else go first? I wanna piggyback off of someone else.
Steve Jones: Yeah.
Chris Hinds: That’s a hard one.
Steve Jones: I mean, I probably would just summarize everything we’ve talked about. And, and this kind of hearkens kind of back to the accessibility thing in our little warmup where we talked about, be aware of accessibility, take steps towards it. Even baby steps can be monumental in saving you at some point in time if a lawsuit was to come across your desk. Do that and then go a little bit further and start evaluating your threat levels and the potential for an employee, a content writer or a contractor that you’ve hired to come in and act in your voice and introduce possible litigation risk to your company. Think about the access that you give them.
If you wouldn’t give anybody just a key to your house to walk into your house all of the time, you know, you’d limit that access. You’d be like, you can come into my house when I’m there, or you can come into my house and acceptable to come into my living room and to utilize my bathroom, but it’s not acceptable for you to go into my master bedroom and start going through my dresser drawers, right? Pull back some of that access if they don’t need it, like reduce those user roles and see if anybody says anything.
Like if, if somebody screams, Hey, I used to have access to the media library and now I don’t, or I used to be able to edit other people’s posts and now I don’t, then you can expand from there, but tighten it down as tight as you can. And then when you find needs in your company to where you need to open things up, open them up on a per user basis. But I think it’s like anything, you just need to start thinking about these things. I think in the AI age, these things are gonna become even more important. I think that, at, at the most basic level, make sure nobody is an administrator that really doesn’t need to be an administrator. ‘Cause you really don’t want people installing plugins without proper vetting of those plugins in this day and age.
Chris Hinds: Mm-hmm. I also think going back to building knowledge and training, I think one interesting approach might be instead of looking at the full body of work, like say you have a lot of accessibility done on your website, tons of legacy content that you have to deal with. Instead of looking at all of that as like this monumental task that’s really hard to wrap your head around. Maybe try to see if the next new piece of content you produce, if you can take that as far as you humanly possibly can with accessibility in your current makeup of whatever your site is built with, you know, get Accessibility Checker on there. The next article you write, see if you can solve everything in a new piece of content and save the draft and check the reports as you’re editing because you might learn more starting from scratch and building something new and trying to make it accessible than you are, than you would necessarily trying to look at this giant website and, oh, how do I fix everything? Like, and maybe, maybe in that process you would learn some best practices you can do going forward for anything new you create and then you can always retroactively apply that to old stuff when you build in the time and the capacity to do so.
Amber: Yeah, I think both of those are really great tips. My final thing of course would be is you can’t really manage what you don’t measure. And so, I do think our audit history is really helpful, but I also would say, I had mentioned Stream earlier. I think being aware of what the users on your website are doing and editing and when, and anytime we have had a client has a lot of people on their company or, occasionally we’ve had one where there’s just one or two, but they’ve done something weird, and then they come and they’re all like, why is this thing broken? And then we go, we’re like, we need to see what they’re doing, so we’ll go install that. I almost feel like almost every WordPress website now needs some sort of logging system to help you in debugging, because sometimes something comes up and it’s helpful to just know who did what when, and I think that’s really important.
Chris Hinds: And to piggyback on that before we wrap up, and I know we really have to wrap up, but this is too funny and I know we have a lot of agencies and like freelancers that listen to this. We have encountered a couple of situations. Amber, correct me if I’m wrong here, where a customer’s employee has done something really bad. Then has tried to turn it back on us and blame us for the thing that happened.
Amber: Like deleting the homepage? I’m sure that has happened before.
Chris Hinds: … proves that they did it. And that was the only reason we got out of a bad situation.
Amber: Or like breaking something with their membership software.
Chris Hinds: Yep.
Amber: Any website that has like e-commerce functionality, 100% needs to have Stream, which is a free WordPress plugin.
So, all right, well thanks everybody. Enjoy your health water full of silica and all the pH.
Steve Jones: Yeah.
Amber: We’ll see you back here in two weeks.
Chris Hinds: Bye.
Steve Jones: All right. See you guys.
Thanks for listening to Accessibility Craft. If you found this episode valuable, please help us reach more people by subscribing, reviewing, or liking the show, and sharing this with your colleagues. Accessibility Craft is a production of Equalize Digital Inc. Steve Jones composed our theme music. To learn how Equalize Digital can support you on your accessibility journey, visit us at EqualizeDigital.com.

