Wordpress - Deploying untested code to prod since 2004

As a web development agency, we love Wordpress (surprised to hear that after reading the title?) and reach for it regularly. Why? Here are a few of the primary reasons:

  • Clients love it and ask for it
  • It's very customisable for projects small and large
  • Easy to hire for
  • Cost effective - works on 'cheap' hosting, extensive options for themes and plugins

Why the harsh article title?

One of the biggest issues we have with Wordpress stems from the fact that any 'Joe Blow' with Wordpress Admin access can install, update and even write server-side code (e.g. install plugins, update the core CMS and, using the built-in editor, even write PHP code on the live site). Yes, our 'Joe Blow' character may be a trusted user, but do they have the development expertise to really know what server-side code they're putting in place?

This causes a number of issues, so let's explore.

Issue 1. Un-tested code

Would you have a developer simply drop code into your live website, without testing it on your site? Even if the developer had tested their code with their website, consider that it may conflict with the 10 other plugins you've got installed, or your theme may have something which it doesn't like or maybe it's not tested with your version of Wordpress.

Issue 2. Un-managed dependencies

With the ability to install plugins and update the Wordpress core come the issues of:

  • Not knowing which dependencies (eg. Wordpress plugins) are required to make the website function correctly
  • Not being able to lock down the specific versions of plugins/themes/core

When the developer first built the site, they may have installed "Plugin A" in order to have a menu display in a certain way. Without dependency management, there's no way of telling that this site needs that plugin in order to function correctly.

The developer may also know that "Plugin A" version X.Y.Z is not compatible with "Plugin B" version Z.Y.X. Or perhaps "Plugin C" version A.B.C should not be upgraded to version D.E.F because it functions in a completely different way. Without the ability for a developer to define 'this website can only use up to version X of plugin Y', issues can and do arise, often out of nowhere and on the live website.

Issue 3. Un-tracked Code

Standard software development practice is to track any code developed in a version control system. When Wordpress provides the ability for an admin to edit server-side code, not only does it open the site up to security flaws, it also means there's no source of truth and no way to track down when, where or by whom a regression was introduced, or what those changes were.

Issue 4. Out of sync environments

The development workflow can get very sloppy with Wordpress. Consider the scenario that a website is:

  • Live on a production server
  • Staged on a staging server (for the client to review any work before it goes 'live')
  • Set up on 3 different developers' computers as they work on different features

The fact that Wordpress allows plugins to be installed and updated, and the Wordpress core to be updated, means no one can be sure that each of those 5 machines has exactly the same code (i.e. the same version of each dependency). This is an issue because when it's time to go live, there's no confidence that the new hand-crafted code will be 100% compatible with the live version's code.

Issue 5. Security

Whilst you can argue that the ability to auto-update code can enhance security, the opposite is also true. Think about that random little sidebar plugin you've installed. It was likely built by an individual who you don't know from a place you've never heard of. By installing their code and letting them push updates to your site, you've given them open access to put whatever they like (whether it's intentionally shady code or not) onto your server. Does this practice sound secure?

How do we 'Make Wordpress Great Again'?

Bedrock for Wordpress

The great thing is that these problems have been solved, all with the help of a free tool called Bedrock for Wordpress.

What does it provide?

Advantage 1. Disable Wordpress Code Modification

By default, it'll turn off the ability (in staging and production):

  • To install plugins
  • For Wordpress to update itself
  • To edit the website's code

Advantage 2. Dependency Management

Bedrock introduces a widely used and endorsed (by PHP developers) tool called Composer to install, manage, update and remove dependencies (the Wordpress core, plugins and themes).

You can then simply commit the code you've written (i.e. your Wordpress theme/s and plugin/s) to the Git repo and pin dependencies to specific versions of plugins and core via WP Packagist.

Advantage 3. Environment Management

Out of the box, you'll receive 3 sensible environments: development, staging and production. You can define a separate wp-config for each environment and keep sensitive data (like your database credentials) in a .env file placed above the document root, where the web server cannot serve it.
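As an added illustration of Advantages 1 and 3 (hand-written for this article, not Bedrock's own code, which uses the roots/wp-config and phpdotenv libraries rather than the simple loader below), here is a config file that reads secrets from a .env file above the document root and disables code modification outside development. The directory layout and variable names are assumptions.

```php
<?php
// Assumed layout (constructed for this example):
//   /var/www/site/.env                    <- secrets, NOT under the document root
//   /var/www/site/config/application.php  <- this file
//   /var/www/site/web/                    <- document root served by the web server
//   /var/www/site/web/wp-config.php       <- just requires this file
$root_dir = dirname(__DIR__);      // /var/www/site, one level above web/
$env_file = $root_dir . '/.env';

// Load KEY=VALUE pairs from .env into the process environment.
// parse_ini_file() is enough for simple unquoted values; real-world
// values from the environment (e.g. set by the container) take precedence.
if (file_exists($env_file)) {
    $pairs = parse_ini_file($env_file, false, INI_SCANNER_RAW) ?: [];
    foreach ($pairs as $key => $value) {
        if (getenv($key) === false) {
            putenv("$key=$value");
        }
    }
}

// Fail closed: an unknown environment is treated as production.
define('WP_ENV', getenv('WP_ENV') ?: 'production');

// Database credentials come from .env, never from a tracked file.
define('DB_NAME',     getenv('DB_NAME'));
define('DB_USER',     getenv('DB_USER'));
define('DB_PASSWORD', getenv('DB_PASSWORD'));
define('DB_HOST',     getenv('DB_HOST') ?: 'localhost');

// Keep Composer-managed code out of the web root's writable paths.
define('WP_CONTENT_DIR', $root_dir . '/web/app');
define('WP_CONTENT_URL', getenv('WP_HOME') . '/app');

if (WP_ENV !== 'development') {
    // Advantage 1: in staging and production only Composer changes code.
    // These are standard WordPress constants.
    define('DISALLOW_FILE_MODS', true);          // no plugin/theme install or update via wp-admin
    define('DISALLOW_FILE_EDIT', true);          // no built-in theme/plugin editor
    define('AUTOMATIC_UPDATER_DISABLED', true);  // core does not update itself
    define('WP_DEBUG', false);
    define('WP_DEBUG_DISPLAY', false);
} else {
    // Developers keep the editor and verbose errors on their own machines.
    define('WP_DEBUG', true);
    define('SCRIPT_DEBUG', true);
}
```

With DISALLOW_FILE_MODS set, the "Add New" plugin and theme screens and the update buttons disappear from wp-admin, so every change to server-side code has to go through Composer and Git.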

Advantage 4. A Definitive Way to Git-Track Your Wordpress Project

Git tracking and then deploying Wordpress projects is difficult. Do you commit the Wordpress core? Plugins? Uploads? Of course not, but by default you need to create these crazy .gitignore files every time you set up a project.

Bedrock comes Git-ready with best practice, out of the box.


As an agency, we then offer our clients the professional service of keeping their website up to date for them. Think of it as 'servicing' for your website.

Each month or quarter, we review the website, perform any core or plugin updates, test and release to a staging environment where our clients can review, and finally we'll deploy these patches once approved.

The Trade Off

Ok, so we now know how to transform Wordpress into a safer, more stable platform - but why wouldn't you do the above?

There are Wordpress product owners who love the fact that Wordpress gives them the ability to (dangerously) tinker. Perhaps this risk-taking tinkerer just signed up to a new CRM and wants to add a big popup sign up form to their home page - there's probably a Wordpress plugin for that. This thrill-seeking individual may want to install that plugin themselves without paying a developer. To them, I'd ask the following questions:

  • How often are you installing new plugins?
    • If it's once a quarter - is it worth putting your whole website at risk for a small plugin installation fee?
    • If you're installing plugins on a weekly basis - well, you're introducing a lot of bloat into your site which will slow it down and likely introduce more security holes. Please don't do this.
  • Would you feel more confident knowing that your site is being tested before any code changes are made?
  • Are you comfortable with the fact that your site may just go down overnight without you knowing? Because we've seen that happen time and time again as Wordpress and its plugins auto-update overnight.
  • Would you feel more secure knowing that the money you've invested into the initial website, isn't at a high risk of being hacked?


Need Wordpress guidance? Get in touch.

Our team of developers works with Wordpress on a daily basis, so we know what it takes to build a safe and secure Wordpress website.

Tags: Wordpress, Web Development