What is a Community Core Bundle?
Concept of Operations
Community Space Development and Sustainment Lifecycle
Conceiving a Community Space
Kickoff with the GeoPlatform Team
Creating/Updating a Community Space
Information Assurance Scans and Remediation
Deploy to Production, Operations and Maintenance
The GeoPlatform is designed to make geospatial data and services publicly available to the general user, while also providing tools for content creation and curation to the advanced user or portfolio manager of geospatial assets (data, services, and informative content). Along with the asset portfolio management capability, the GeoPlatform supports collaboration among groups and individuals interested in specific topics of interest. One of the capabilities for collaboration is creation and management of a “Community Space” – a sub-site within the GeoPlatform of community-curated content, applications, data, and services.
These Community Spaces are specialized and self-managed sub-sites, instantiated using content management system (CMS) technology, designed to enable “Community Teams” to directly curate and modify the Web-accessible content, applications, services, and public-facing messaging for their community.
Within this document there are descriptions of the key actors, roles, concept of operations (CONOPS), and workflow from initial engagement, to development, through deployment and sustainment of a Community Space. The “Community Core Bundle” (CCB) is a prepared Content Management System (CMS) package, with demonstrations, integrated components, and guidelines, designed as a starting point for the creation of Community Spaces. The CCB is designed for use by the Community Lead and their technical team to create a site payload that will ultimately be hosted in the GeoPlatform.gov environment.
The Community Core Bundle (CCB) enables independent development of a self-contained community website (i.e., a Community Space) that operates on the infrastructure of the GeoPlatform.
Essential features delivered with the CCB include:
- GeoPlatform CMS engine core
- GeoPlatform Information Assurance (IA) security posture hardening
- GeoPlatform compliant themed webpage templates
- GeoPlatform demonstration pages, site page templates, and user generated content
- GeoPlatform integrated Maps and Map Galleries with sample unified page content
Key benefits of the CCB approach include:
- Content Developers can create and update community content independently of other components of the Geospatial Platform
- Community sites are self-contained such that changes to one have no impact on other communities or components of the platform
- Integration with the GeoPlatform comes in the form of curated content provided by tools such as Map Viewer, Map Manager, Survey, Performance Dashboard, and Identity Provider
- Integration with the GeoPlatform Identity Management Provider allows credential passing to the Community site
- Access control, rights and restrictions for a Community site instance are managed by the Community Content Management Team
- Templates, style-guides, and best-practices are used to assist Content Developers and to ensure consistency across the GeoPlatform experience
- Standardized processes streamline testing and promotion to test and production environments
- Clear separation of responsibilities between content, operations, and IA teams
Development and deployment of a GeoPlatform Community Space requires various workflow steps, actors, and hand-offs between actors. The following section comprises a high-level description of the key actors, and their roles and responsibilities in the development, deployment, and maintenance of the Community Space.
The high-level actors in the workflow for producing and managing a GeoPlatform Community are as follows:
Community Team (CT)
- Community Management Team
The Community Management Team is responsible for managing and approving site content. This includes coordinating project milestones, reporting, and other management tasks with the GeoPlatform Management Team. The Community Management Team is responsible for designating a Community Lead, a person responsible as the primary point of contact for coordinating all communications and activities with the GeoPlatform Team. It is the responsibility of the Community Lead, or delegated members of the Community Management Team, to approve and manage members of the Community Space, including their roles and rights to access and modify content or make other customizations to the site.
- Community Content Team
The Community Content Team is responsible for creating site content, making spaces operational, administering, and maintaining the spaces. This includes coordinating with the GeoPlatform Technical Team to remediate all IA vulnerabilities reported by the Information Assurance team as well as to support technology refresh and patching as may be required.
GeoPlatform Team (GT)
- GeoPlatform Management Team
The GeoPlatform Management Team is responsible for community site oversight and coordination of schedule and risk. This includes coordination of package hand-offs, release dates, and notification of required updates and/or IA patching. The GeoPlatform Management Team is responsible for designating a GeoPlatform Lead, a person responsible as the primary point of contact for coordinating all communications and activities with the Community Team.
- GeoPlatform Technical Team
The GeoPlatform Technical Team is responsible for maintaining the CMS Core Bundle baseline and providing the package to the Community Team. The GeoPlatform Technical Team is also responsible for provisioning DOI Cloud resources to support deployment into test and production environments, along with instance monitoring. Lastly, the GeoPlatform Technical Team is responsible for remediating vulnerabilities identified by the Information Assurance Team at the Operating System and Application tiers, while coordinating the remedial actions to be taken with the Community Content Team for any code-related patches or post-patch corrections.
- Information Assurance Team
The Information Assurance Team members are responsible for scanning the GeoPlatform at periodic intervals, notably: before promoting updates to the CCB Core, upon receipt of a modified Community Core bundle and prior to deployment, prior to and post any remediation activity, along with a monthly scheduled scan.
- DOI Cloud Technical Team
The DOI Cloud Technical Team is responsible for applying remediation actions to the GeoPlatform production instances. Additionally, the DOI Cloud Technical Team is responsible for instance backup, monitoring, restoration, and other aspects of Operations and Maintenance for the production GeoPlatform environment.
Community Users (CU)
- Public User
The Public User is the general consumer of information and resources available within the GeoPlatform and Community Spaces. This user may or may not be authenticated as a GeoPlatform user account. Restrictions can be added to prevent non-authorized users from accessing certain restricted content, data, services, and applications within the Community Space.
- Community Member
The Community Member is a specialized contributor and/or consumer of data, services, applications, and content within a Community Space with access to restricted content. Community Members may also have capabilities to create and update content. Community Members must always be authenticated with a GeoPlatform user account. A Community Member must be approved by the Community Lead and assigned a user role with optional and appropriate capabilities to create, modify, delete, and/or access resources within the Community Space.
The lifecycle of conceiving, developing, deploying, and sustaining a Community Space requires a “lifecycle process” to ensure that all stakeholder parties are engaged, informed and/or consulted at key steps in its development and maintenance. The basic lifecycle process is shown in the diagram below and described in the sections that follow.
The process begins when a Community Team (CT) has formed and identified the need for a new Community Space. The Community Team should be prepared with the following information prior to first contact with the GeoPlatform Team (GT).
Business Requirements and Priorities:
- Statement of need
- Statement of the problem
- Root business requirement(s)
- Statement of business requirement(s)
- Who’s it for? (list types of organizations/users/roles)
- What information or capability do Community Users need?
- Why do they need it?
- Value proposition (must be as tangible/measurable as possible)
- Describe what is to be gained (expected outcome and benefit)
- Describe the pain points to be alleviated
- Priority (choose one)
- Priority 1: Must have in Current Fiscal Year (yyyy)
- Priority 2: Needed in Current Fiscal Year (yyyy)
- Priority 3: Desired in Current Fiscal Year (yyyy), funding and schedule permitting
- Priority 4: Important need, but can be deferred to after Current Fiscal Year (yyyy)
- Priority 5: A Post-Current Fiscal Year (yyyy) “desirement”
- Impact/Cost/Risk Assessment (choose one)
- Major technical architecture change with high-cost
- Moderate technical architecture change with moderate-cost
- Low technical architecture impact with low-cost
A kickoff meeting is scheduled between the Community Team and GeoPlatform Team. Participants from both teams should include their respective management and technical leads.
The Community Space kickoff teleconference follows this agenda:
I. Brief Introductions
- Review the Business Requirements and Priorities
- Review the Community Space Lifecycle Process
- Community Space content
- Needed applications, services, and CMS plugins
- GeoPlatform integrations required
- Other key functional requirements (Responsive design, print-on-demand, etc.)
- Nature (content types and data volumes) and sensitivity of content to be managed?
- Community Member access and controls?
- Frequency and scope of future changes/updates?
- Dependencies on external (3rd-party) services?
- Dependency on infrastructure services (email, storage)
- Requirements, constraints and processes for Information Assurance (IA)
- Resourcing for sustainment
- Overall project
- Technical Teams
II. Discussion of project scope and expectations
VI. Review project timelines and key milestones
VII. Team Communications
The GeoPlatform Team maintains an up-to-date baseline of the CCB and will provision CCB instances into the GeoPlatform Production environment.
The CCB includes the following items:
- MySQL Database Initialization Script
- GeoPlatform WordPress Core files
- IA hardened WordPress Core
- Pre-configured plugins for GeoPlatform integration
- GeoPlatform WordPress Theme extension
- Extendable GeoPlatform Theme
- Based on Bootstrap
- GeoPlatform Sample Content
- Map Galleries
- Wiki Pages
- Curated page content
Generally, CCB instances are provisioned directly within the GeoPlatform.gov Production hosting environment where Content Technical Teams can begin to construct and customize their Community Space in-place.
The GeoPlatform Team can also make the CCB package available for download and install by Content Technical Teams into their own local/ private hosted environment for development and testing. Content Technical Teams can “fork” the CCB baseline to suit their needs. Creating a custom CCB instance is done the same way as downloading a CMS distribution (e.g., WordPress) directly from a vendor or public site and customizing locally. Experienced Community Content Teams that are well versed in the WordPress technology stack and processes for producing and maintaining websites following a DevOps approach should have little trouble adapting the CCB.
Community Content Teams that elect to “roll their own” CCB branch in their local development environment will be responsible for the following:
- Host / development environment setup and configuration for a web server capable of running WordPress CMS (generally LAMP stack or similar setup)
- Importing of the CCB files to the web server home directory
- Execution of the database initialization script
- Verification of site operation on the development infrastructure
NB. The FQDN for a Community Space is determined by prefixed domain (i.e. community_name.geoplatform.gov). This convention allows for proper integration with the GeoPlatform Identity Provider and a simple URL for hyperlinks, publications, sharing, etc. No underscores or other punctuation that may be filtered/ replaced by firewalls should be used for the subdomain part of the FQDN.
Versioning and Updates of CCB and Community Content
The CCB baseline is maintained by the GeoPlatform Technical Team in the GeoPlatform GitHub repository. The project repository will be intermittently updated with security patches and WordPress engine updates. The GeoPlatform Technical Team will be responsible for the updates and maintenance of this core source repository along with the alerting of release changes. The Community Team will be responsible for subscribing to the appropriate WordPress feeds/ channels to detect when a WordPress baseline changes.
The Community Team will be alerted to changes to the parent repository. The CCB code will be updated on the testing environment for each community site for review by the Community Team. If there are any negative or undesirable impacts to the community site, the Community Content Team will provide updated code or functionality to fix the site. A backup of the test site can be made available so the Content Team can recreate the site on their development infrastructure.
Integrated IDM/IDP Services (Mandatory)
Each Community Space will receive a sub-domain URL for GeoPlatform allowing the integration with the GeoPlatform Identity Provider/Identity Management (IDP/IDM) services along with a clean legible and easily shared and disseminated URL (e.g. communities.geoplatform.gov/[community-short-name]).
Authentication of credentialed users for a Community Site must be delegated to the GeoPlatform IDP/IDM services. The CCB Core package is bundled with the requisite plugins to authenticate users. The Community Management Team, using native WP facilities, will be responsible for managing the roles and rights for each member of the Community Space.
The CCB will be scanned prior to any baseline release or update. Community Teams are at liberty to perform self-scanning of their own software while the “in-progress” site is in their custody. After full development and transmission to the GeoPlatform Technical Team, a scan will be performed before host deployment to the test and production environment.
All customizations of CMS or other components of a community site instance must comply with IA Team policies including timelines for remediating identified vulnerabilities. Currently there are no requirements to perform a static source code analysis.
Monthly technology refresh and patching is required by IA. The patch process and outcomes will be periodically reviewed by the IA Team and the GeoPlatform Technical Team, and coordinated with the Community Content Team in the event that content or CMS code extensions are responsible for an IA finding, or if the IA finding involves a baseline change to the CMS Core Bundle.
The GeoPlatform Production environment adheres strictly to the NIST guidelines for publicly accessible systems. Our Authority to Operate (ATO) includes planning, testing, execution, and auditing of various O&M plans and processes, such as:
- Information Systems Continuance of Operations Plan
- Risk Management Plan
- Audit and Authorization Logging
- Monthly IA Patching Cycle
During normal operations and update cycles, the GeoPlatform Team may request updates, additions, or removal of code, services, and plugins affecting the overall security posture of the Platform.
All GeoPlatform assets are hosted in the DOI AWS cloud. As such, the DOI AWS and GeoPlatform Technical Teams perform all operations and maintenance activities. Some performance metrics and alarms may be configured to provide reporting to Community Content Management Team members on a periodic basis.
Production CMS Databases will be stored in AWS RDS to provide a clustered, redundant, and continuously managed environment.
Restoration of database-specific data will follow the same process currently used to restore a traditional backup. In cases of extreme necessity, the GeoPlatform Technical Team will revert a Community site database to a prior backup.
Upon a baseline update to the CMS Core Bundle, the Content Team is responsible for installing / developing / modifying code to work in the updated baseline.
Upon completion of a development cycle, the Content Team should deliver the following to the GeoPlatform Team for deployment into the production environment:
- All CMS files (archived from the top-level directory that was originally pulled from the GeoPlatform public repository)
- Readme – To include any special installation requirements, plugins, and/or configuration notes
- MySQL Database backups
The delivered package is expected to run as delivered by installation into a LAMP server and restoration of the database to MySQL. If other modifications are required to run the CMS, the NGPI team will not accept the package.
Upon successful test of the CMS package, the Community site build will be stored and versioned in AWS S3.
| Provide CMS Core Bundle via Public Repository (GitHub) | GeoPlatform Technical Team | GeoPlatform Management Team | Information Assurance Team | Public – via www.geoplatform.gov portal |
| Maintain Updates to CMS Core public repository | GeoPlatform Technical Team | GeoPlatform Management Team | Information Assurance Team | Public – via www.geoplatform.gov portal |
| Extend / Develop Content based on CMS Core | Community Content Team | Community Management Team | None | GeoPlatform Management Team |
| Update CMS Core content | Community Content Team | Community Management Team | None | GeoPlatform Management Team |
| Patch / Update community CMS source code on GeoPlatform CMS Core Bundle updates | Community Content Team | Community Management Team | None | GeoPlatform Management Team |
| Deliver Site Bundle For Deployment | Community Content Team | Community Management Team | None | GeoPlatform Management Team |
| Deploy CMS Community site to Test Environment | GeoPlatform Technical Team | GeoPlatform Management Team | None | Community Management Team, Community Content Team |
| Scan CMS Community Site for IA compliance | Information Assurance Team | GeoPlatform Management Team | GeoPlatform Technical Team | GeoPlatform Management Team, GeoPlatform Technical Team, Community Management Team, Community Content Team |
| Remediate System Level IA findings | GeoPlatform Technical Team | GeoPlatform Management Team | Information Assurance Team | Community Management Team, Community Content Team |
| Remediate Application Level IA findings | Community Content Team | Community Management Team | GeoPlatform Technical Team | GeoPlatform Management Team |
| Deploy CMS Community Site to Production Environment | GeoPlatform Technical Team | GeoPlatform Management Team | DOI AWS Technical Team | Community Management Team, Community Content Team |
There are many ways to create and customize community content and to create dynamic user experiences for your community visitors. Refer to the recipes in the CCB Cookbook to understand what can be customized and how to do it.
The guidance presented here is for newbie Community Team members just getting into or planning to create a new community space. The following important topics are covered:
- WordPress User Roles — What Community Teams and Community Users can and cannot change in the community space.
- Managing Users — guidance for on-boarding, changing, and deactivating Community Users and members of Community Teams
- Security Best Practices — Policy, guidance, and practices for creating and maintaining safe and secure communities.
- Plugin Etiquette — Rules for using socially acceptable plugins.
Even seasoned WordPress pros should carefully review and understand the guidance found in the material that follows!
To make customizations of any degree you must have been assigned a user role with the appropriate capabilities granted. Roles define what a user can and cannot do in the community space. If you need to be “on-boarded” as a Community Member or you are not sure of what role your account has been granted, please contact the Community Lead.
WordPress Primer: Members of the Community Team are assigned WordPress user “roles” (administrator, editor, author, or contributor roles) and each user role has been configured with permissions to perform specific tasks (also called “capabilities”). A user’s capability, and thus their ability to customize the community, depends on the role they have been assigned. Typically only WordPress Administrator and Editor users have capabilities to make significant customizations of the community content and user experience. Reference: https://codex.wordpress.org/Roles_and_Capabilities.
At the highest level, there are two kinds of Community Space users:
- Anonymous — users visiting and/ or consuming the open and publicly accessible information and services of a Community Space. In other words, these are “Public Users”. A Public User may have a GeoPlatform.gov user account and may have signed-in to GeoPlatform but is not authenticated as a credentialed member of the Community Space.
- Credentialed — users who are credentialed users of the Community Space as:
- Community Team members responsible for constructing/ maintaining the Community Space and/or
- Community Members who may contribute/ update content or access restricted content.
A credentialed user of a Community Space (a Community Member) must have previously established a user login account on GeoPlatform.gov. A Community Member can only update content or access restricted content of the Community Space after they have signed-in to the Community Space. What a Community Member is authorized to customize depends on the capabilities of the user role they have been assigned.
The GeoPlatform CCB baseline comes configured with these standard WordPress user roles and capabilities:
- Administrator – A user with access to administration features on a single CCB site.
- An Administrator is the most powerful user role. Users with the Administrator role can add new posts, edit any posts by any users on the site, and even delete those posts. They can install, edit, and delete plugins as well as themes. They can also access the appearance section of the dashboard, which includes capabilities such as the ability to edit the homepage top banner or menus. Most importantly, an Administrator user can add new users to the site, or delete existing users, including other administrators. Administrator users have full control of the WordPress site. Only Administrator users can add, edit, change roles, deactivate, or delete users.
- IMPORTANT: Due to government policy constraints, only authorized GeoPlatform Technical Team members are granted Administrator roles in the GeoPlatform Production environment, i.e., Community Team members are not granted Administrator roles in the Production environment. If a customization requiring Administrator capabilities is needed, please contact the GeoPlatform Technical Team using the service desk email (firstname.lastname@example.org) for assistance.
- Users with the Editor role have full control of the content of the community space. They can add, edit, publish, and delete any posts and pages on a WordPress site including the ones written by others. An Editor can moderate, edit, and delete comments as well. Editors do not have access to change your site settings, install plugins and themes, or add new users.
- Users with the Author role can write, edit, publish, and delete their own posts. When writing posts, authors cannot create categories; however, they can choose from existing categories. On the other hand, they can add tags to their posts. Authors can view comments, even those that are pending review, but they cannot moderate, approve, or delete any comments. They do not have access to settings, plugins, or themes, so it is a fairly low-risk user role on a site, with the exception of their ability to delete their own posts once they’re published.
- Contributors can add new posts and edit their own posts, but they cannot publish any posts, not even their own. When writing posts they cannot create new categories and will have to choose from existing categories. However, they can add tags to their posts. The biggest disadvantage of the Contributor role is that they cannot upload files (e.g., they can’t add images to their own article). Contributors can view comments, even those awaiting moderation, but they cannot approve or delete comments. They do not have access to settings, plugins, or themes, so they cannot change any settings on your site.
- Subscriber users can login to your community space and update their user profiles. They can change their passwords if they want to. They cannot write posts, view comments, or do anything else inside the WordPress admin area. This user role is particularly useful if you require users to login before they can read a post or leave a comment.
- WordPress Roles: https://codex.wordpress.org/Roles_and_Capabilities#Roles
- WordPress Capabilities: https://codex.wordpress.org/Roles_and_Capabilities#Capability_vs._Role_Table
- CCB Cookbook: https://www.geoplatform.gov/ccb-cookbook/
Due to government policy constraints, only authorized GeoPlatform Technical Team users are granted the Administrator role in the GeoPlatform Production environment. Community Team members and Community Users do not have Administrator capabilities in the Production environment. As a result, the GeoPlatform Technical Team is solely responsible for administering (activating, changing, deactivating, or deleting) the credentialed user accounts for all hosted Community Spaces.
If a customization requiring Administrator capabilities is needed (including managing user accounts), please contact the GeoPlatform Technical Team using the service desk email (email@example.com) for assistance.
Here are the basic procedures for on-boarding new users and managing the membership for your Community Space:
In all cases, the Community Management Team is responsible for:
- identifying and approving the Community Members (credentialed users) and their roles for a new Community Space
- approving changes to the list of Community Members (e.g., add user, deactivate user, change user role).
- notifying the GeoPlatform Technical Team of any changes
In the case when the Community Management Team is standing-up a new Community Space or wanting to carefully manage the community membership and user roles, these procedures should be followed:
- The Community Management Team submits a list of users and their roles in an email request to the GeoPlatform service desk (firstname.lastname@example.org).
- The request should include the following information about each listed user:
- Name of the Community Space to join
- User’s GeoPlatform account information: full name, organization/agency, email address.
- User’s role (Editor, Author, Contributor, Subscriber)
- Users who require Editor capabilities for administering web content should be limited to a relatively small number of trusted members of the Community Content Team.
- Users who require Editor or Author capabilities must review, sign, and return the GeoPlatform.gov Rules of Behavior (RoB) agreement to the GeoPlatform Technical Team. Find RoB forms here:
In the case when a Public User requests to join a Community Space, the following procedures are used:
- A Public User requests to join the Community Space by submitting an email to the GeoPlatform service desk (email@example.com). The user must already have a GeoPlatform user account. The request must include:
- Name of the Community Space to join
- User’s GeoPlatform account information: full name, organization/agency, email address.
- User’s role (Editor, Author, Contributor, Subscriber).
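The role rules above (Administrator reserved for authorized GeoPlatform Technical Team accounts in Production, a small number of Editors, a signed RoB for Editors and Authors) can be checked against a user export. This is an added example, not GeoPlatform code; the export shape, the login names, the `site_manager` role, the authorized-admin and RoB lists, and the `MAX_EDITORS` threshold are all assumptions constructed for illustration.

```python
import json

# Roles the CCB baseline is described as shipping with.
BASELINE_ROLES = {"administrator", "editor", "author", "contributor", "subscriber"}
# Roles whose holders must have returned a signed Rules of Behavior agreement.
ROB_REQUIRED = {"editor", "author"}
# Assumption: the page only says "a relatively small number" of Editors.
MAX_EDITORS = 3

# Constructed sample: one JSON object per account, roles as a comma-separated
# string (assumed export shape, e.g. from a user listing tool).
SAMPLE_EXPORT = json.dumps([
    {"user_login": "gt-ops1", "roles": "administrator"},
    {"user_login": "ct-lead", "roles": "administrator"},
    {"user_login": "ct-editor1", "roles": "editor"},
    {"user_login": "ct-author1", "roles": "author"},
    {"user_login": "ct-author2", "roles": "author,site_manager"},
    {"user_login": "member7", "roles": "subscriber"},
])
AUTHORIZED_ADMINS = {"gt-ops1"}            # hypothetical GeoPlatform Technical Team list
ROB_SIGNED = {"ct-editor1", "ct-author2"}  # hypothetical record of returned RoB forms


def audit_roles(export_json, authorized_admins, rob_signed, max_editors=MAX_EDITORS):
    """Return (login, finding) pairs for accounts that break the role rules."""
    findings = []
    editors = []
    for user in json.loads(export_json):
        login = user["user_login"]
        roles = {r.strip() for r in user.get("roles", "").split(",") if r.strip()}
        # Roles outside the baseline set were added by a plugin or by hand.
        for role in sorted(roles - BASELINE_ROLES):
            findings.append((login, "non-baseline-role:" + role))
        if "administrator" in roles and login not in authorized_admins:
            findings.append((login, "unauthorized-administrator"))
        if roles & ROB_REQUIRED and login not in rob_signed:
            findings.append((login, "missing-rob"))
        if "editor" in roles:
            editors.append(login)
    if len(editors) > max_editors:
        findings.append(("*", "too-many-editors:%d" % len(editors)))
    return findings


if __name__ == "__main__":
    for login, finding in audit_roles(SAMPLE_EXPORT, AUTHORIZED_ADMINS, ROB_SIGNED):
        print(login, finding)
```

Running the audit after each membership change request gives the Community Management Team and the GeoPlatform Technical Team the same list of exceptions to resolve.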
Our recommended best-practice for avoiding vulnerabilities caused by WordPress (WP) customizations basically boils down to common sense. Here’s a summary of the information assurance process and guidance for building/maintaining secure GeoPlatform Community Spaces:
- All Community Team members and Private Users will be authenticated using their GeoPlatform user account credentials. The Community Management Team will be responsible for managing roles and privileges for each user account using the standard WordPress user rights and roles management facilities, i.e., all users accessing restricted content within a Community Space must first be authenticated as a GeoPlatform.gov user.
- All plugins and customizations to your Community Space must be compatible with the GeoPlatform Identity Provider (IDP) plugins that are packaged as part of the CCB Core. The only way to ensure compatibility is to thoroughly test your Community Space to ensure all users successfully authenticate and there are no other defects in as-built capabilities or regressions in expected behaviors.
- Customizations of CCB content, themes, and plugins are allowed, provided they are: a) compatible with the CCB Core (see “What does the CCB consist of?” on the CCB Help page here: https://www.geoplatform.gov/ccb/) and b) secure.
- Please be sure that whatever WordPress plugins and customizations you choose to use are reputable, up-to-date, and actively maintained. We recommend limiting your search for WP plugins to the wordpress.org site. Here are criteria we recommend when selecting/ integrating customizations:
- How many times has it been downloaded? (what is the community size)
- How frequently has it been updated? (is it a dead / stale plugin)
- Who is the author? (dev shop, high school student)
- Is it a “freemium” plugin? (is there an added cost to it, do you need a license) — we strongly recommend avoiding these!
- Use the rating system of the plugin on wordpress.org to add weight to above criteria.
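The selection criteria above can be applied mechanically to plugin metadata before a human looks at the author and the code. This is an added example, not GeoPlatform or WordPress code: the records are constructed samples using field names from the wordpress.org plugin information response (`downloaded`, `last_updated`, `rating`, `num_ratings`, `author`), every threshold is an assumption, and the "freemium" answer is supplied by the reviewer because the metadata does not carry it.

```python
import re
from datetime import datetime, timezone

# Thresholds are assumptions for illustration, not GeoPlatform policy.
MIN_DOWNLOADS = 10_000
MAX_DAYS_SINCE_UPDATE = 365
MIN_RATING = 80           # rating is reported on a 0-100 scale
MIN_NUM_RATINGS = 20      # below this the rating carries little weight

_TS = re.compile(r"(\d{4})-(\d{2})-(\d{2}) (\d{1,2}):(\d{2})(am|pm) GMT")

# Constructed sample records (not real plugins).
MAINTAINED = {"slug": "example-gallery",
              "author": '<a href="https://example.org/">Example Dev Shop</a>',
              "downloaded": 250000, "last_updated": "2024-04-18 3:05pm GMT",
              "rating": 92, "num_ratings": 310}
ABANDONED = {"slug": "example-slider-pro", "author": "jdoe",
             "downloaded": 1800, "last_updated": "2021-02-03 11:40am GMT",
             "rating": 96, "num_ratings": 4}
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed so results are repeatable


def parse_last_updated(value):
    """Parse 'YYYY-MM-DD h:mmam GMT'; return None when missing or malformed."""
    m = _TS.fullmatch(value or "")
    if not m:
        return None
    year, month, day, hour, minute = (int(g) for g in m.groups()[:5])
    hour = hour % 12 + (12 if m.group(6) == "pm" else 0)  # 12am -> 0, 12pm -> 12
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def author_name(html):
    """The author field may be an HTML link; keep only the visible text."""
    return re.sub(r"<[^>]+>", "", html or "").strip() or "(unknown)"


def vet_plugin(info, now, requires_paid_license=False):
    """Apply the download, staleness, freemium and rating criteria to one record."""
    findings = []
    if info.get("downloaded", 0) < MIN_DOWNLOADS:
        findings.append("low-downloads")
    updated = parse_last_updated(info.get("last_updated"))
    if updated is None:
        findings.append("no-update-date")
    elif (now - updated).days > MAX_DAYS_SINCE_UPDATE:
        findings.append("stale")
    if requires_paid_license:
        findings.append("freemium")
    if info.get("num_ratings", 0) < MIN_NUM_RATINGS:
        findings.append("too-few-ratings")   # a high score from 4 votes proves nothing
    elif info.get("rating", 0) < MIN_RATING:
        findings.append("low-rating")
    return {"slug": info["slug"], "author": author_name(info.get("author")),
            "findings": findings, "acceptable": not findings}


if __name__ == "__main__":
    print(vet_plugin(MAINTAINED, NOW))
    print(vet_plugin(ABANDONED, NOW, requires_paid_license=True))
```

The author is reported rather than scored, since "who is the author?" still needs a person to judge.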
With thousands of plugins available to WordPress users, there are bound to be a few that clash together, don’t work with a regular core update, or have their owners stop maintaining them.
In addition to the best practices for security we have outlined above, we have assembled here resources that may be useful as guidance for selecting and vetting candidate plugins. Information includes well-documented cases of plugins not working as expected. Before installing, we encourage you to cross-reference the plugin you are considering against the information found in the articles below.
IMPORTANT: Whether you are building your own plugins or using those offered by 3rd-parties, they must follow the best-practices stipulated by WordPress here: https://developer.wordpress.org/plugins/the-basics/best-practices/
Note: the information below is periodically updated so please revisit this page often. We encourage Community Content and Management Teams to share their own lessons and best guidance.
- In summary, this article highlights some plugins that don’t incorporate the new IPv6 standard when capturing user comments and data when they interact with their plugin. Because of this, any user with a machine using IPv6 will have the data automatically wiped from the WordPress database when they interact with the plugin. They include a list of offending plugins in their article, which we will share below for your convenience.
- https://docs.google.com/spreadsheets/d/12pn2tEzEW4tGUjRUWZY7WuwvJpDOaHtBRzgCL TOQVE8/edit#gid=1224222312
- WP-Engine is one of the largest shared hosting providers for WordPress on the market. While these plugins aren’t exactly untrustworthy by themselves, since we use a similar setup as WP-Engine it would be wise to cross-reference a plugin you’re considering with this list, as we have a series of our own utilities handling these functions.
- This article is similar to the WP-Engine article above, but it also pulls its blacklisted plugins from 3 other large hosting providers: GoDaddy, MediaTemple and Imagely.
Need to customize your Community’s main theme? Want to tweak the experience for your users to make it just right? Use the CTK to extend and customize the CCB with GeoPlatform-specific or 3rd-party themes and plugins. Use plugins to add new functionality to your Community Space. To customize the look and feel you can edit the theme to make minor changes or, for major changes, you can clone or make a child theme.