10 tips for getting started with WordPress in version control

DevOps | WordPress

If you are new to using Version Control and WordPress be it with SVN, GIT, or another system then some of the things you used to do are going to have to change. However, the benefits do outweigh any initial inconvenience. So here are my 10 many tips for people who might be in the process of switching to using version control.

1. Disable automatic updates

One of the most important things is that the site in version control is the same as the one deployed, or at least a branch of it is. While you do want to do timely updates to WordPress core, you want to do that from a local copy, which is then managed via version control and deployed.
WordPress Core is pretty smart, and if it spots you are are using a version control system because you have a folder (.svn, .git, .hg, .bz) in either your root path (for core updates), plugins folder (For plugins) or one level up from these then it will disable automatic updates and instead email the admin user. This is fine on local and maybe staging environments but on production servers you may have deployed and these folders haven’t been carried over. To stop automatic updates all together (including the email firing) you can use the following in your wp-config.php


This has disabled all the WordPress automatic updates. Bear in mind you should only do this if you updating via version control and if for some reason you stop using version control (maybe you’re parting ways with a client) that you remove this define.

2. No File Editor please, we are British

You might not be (British that is) but the file editor is evil and with version control you have absolutely no excuse to be using the file editor to modify plugins or your themes. Hopefully this wouldn’t have been an issue as you would have not made such files writable by WordPress in the first place. Regardless as we don’t need this functionality it’s best to disable it.

define( 'DISALLOW_FILE_EDIT', true );

3. Stop users from uploading plugins/themes directly

I suspect you can see a trend, but the ability to install plugins directly from WordPress goes against using version control. Again we want to disable it, and the simplest way is to use:

define( 'DISALLOW_FILE_MODS', true );

Which also disables the File Editor and Automatic updates, so basically you can skip the last two steps and jump straight to this one. Again it’s important to emphasise that if you don’t use version control this can leave a site vulnerable and using version control only works if you do actually update WordPress!

4. Separate WordPress core from plugins and themes into different repos

|--> core

This will make updates much simpler, and WordPress feel much more logical. I have written an article on how I structure WordPress projects, and one of the big advantages of doing this is that you can load in the WordPress core as sub module (or equivalent in your version control of choice). This means you hold a separate repository for WordPress core and your sites. You then only need to have WordPress core repo once and update it once for it to be updated across all your sites. Just remember whatever deployment system you use it has to cope with sub modules and deploy the latest version on the branch specified of them too.

You can expand this to include other items in sub modules, for example if you have a default parent theme you use across multiple sites, you might want to have it’s own repo and include it as a sub module. Likewise plugins used on multiple sites are another perfect candidate to working with sub modules. Be careful, while deployment systems should be able to cope with sub modules, some might not be able to cope with sub module in sub module and things can get complex quickly sometimes it’s easier to have repetition between codebases to keep things simple.

5. Separate out a local config version

I guess this tip isn’t specifically a version control tip, but if you are deploying to multiple sites then you will probably be interacting with different databases, using different keys and generally have different config options along the way. One option is to ignore the wp-config file and simply allow each site to have its own wp-config.php, but I prefer to put the shared information (all the bits in the wp-config that will be the same) into wp-config.php then create a local-config.php an idea originally found in Mark Jaquith’s skeleton structure. I can then ignore (or put it outside of version control entirely) this local-config that includes server specific content.

6. Automate your build processes

So when people think of version control, they tend to think of it for teams. Most of my projects these days are solo affairs yet I still use version control, still branch when developing a new feature and still regularly commit. One of the reasons for this is habit, and it’s also a good backup policy, but also because of the next step after I push my changes, automated builds both on staging and production. Automated Builds (Deployments) allow you to deploy changes made in a version control branch to a specific server (staging, production) and run any associated tasks, for example compiling sass files, or tests along the way. There are dozens of tools and services out there such as Jenkins, Travis, PHPCI and services like DeployHQ, and these allow you to deploy code and run additional tasks on the server post deployment.

Deployment systems will normally allow you to run additional tasks, such as working with WP-CLI to auto-activate plugins or update WordPress database when needed, a good deployment setup is one where no one has to get involved and you have the confidence that everything will update without any interference or even need to manually check (but take a peek and check anyway). However it should also be simple enough that any member of staff can use it.

7. Run your tests before you build (aka write some tests)

Speaking of running tests, why not run them before they get on to the server? Version control systems like Git have hooks that can be used to run other tasks. For example a commonly used Git hook is pre-commit-hook which allows you to run a task prior to the commit being stored. If you have critical features you may wish to run tests of this hook to make sure your commit is not going to break anything. An alternate test suite hook location might be pre push (Only available in Git 1.8.2+), and this fires before you push your changes to others. Depending how you are using Git this might be a more appropriate time to test.

8. Never Let broken code through

Even if you are not using pre-commit-hook or its equivalent for running tests (shame on you) what you can do is make sure you don’t commit bad code. Most languages have what’s called a linter and in PHP you call it via the CLI version of PHP using:

php -l myfile.php

What it does is run through the file and spot any fatal errors, warnings etc. being picked up and displays them to the screen. It doesn’t however execute the file, just reads it and checks for errors. Most languages have a linter or one has been developed for them, so you can build a script to go through your common languages, check the files for issues and notify you when you try to commit. For PHP you can start with this simple gist or for multiple languages take a look at One commit hook to rule them all. Bear in mind that linters normally use local version of the language. If you develop using Vagrant or similar but commit on your local machine, then the pre-commit-hook will run using the local machine not the Vagrant version of the language.

9. Enforce Standards

WordPress has a coding style and standards and while sadly they have chosen to not adopt what the rest of the PHP world is doing at least it’s consistent. However, unless you work in WordPress 100% chances are you are going to have habits and style that are different. It’s up to you how much this might bother you, but if you are working on a public WordPress project you may wish to enforce the WordPress coding standards on commits. This is easy enough to do using PHP Codesniffer, a Pear/Composer package that like the linter tools reads files but instead of looking for errors looks for incorrect placing of curly brackets. You can specify what particularly to look for and how your code should be styled. You can grab a ruleset for WordPress from Github. For a generic PHP project Zumba have a good step by step guide to setting Codesniffer with Git.

10. Pick a branching strategy

This will probably be unique to your organisation but there are lots of tutorials on good branching strategies. Most involve having 1 or 2 main trunks (for dev and production) and then individual developers work on a specific feature. I use a variant on Vincent Driessen’s Branching Model.

11. (because these list never have just 10) Still backup uploads

This might seem like a bit of a weird one. If you have been used to doing “full site” backups of all your files then the good news with version control is that you don’t need to backup the files in version control as well – it’s in version control (unless you are insanely paranoid, in which case do the backup through git rather than your site). You do however still need to backup the database and your uploads folder (which won’t be in version control). When setting up a backup regime it’s easy to forget that user uploads are not in your version control repository, and if you stop doing file based backups can easily be forgotten entirely.

Finally a couple of non WordPress specific bonus tips

You don’t need to use VI

At least on a Mac, when you merge changes the wonderful vi/vim opens up and for many users the nightmare begins. But you can change the editor simply by doing:

git config --global core.editor "nano"

In that case it globally changes the core editor to the much more user friendly nano, of course you could always learn the dark art’s of working with VIM.

Searching your commit messages

Assuming you write intelligent commit messages, this command is really useful

git log --grep="message in commit"

Never let the boss have sftp access

If you are automating deployments, then no one barring system administrators should have direct access to servers. In larger organisations this means you should be revoking credentials for almost everyone in the company who perhaps in the past had ssh or worse FTP credentials, even the boss. If you don’t then the temptation to go around the build process will be high and the moment someone makes a “hot fix” the whole system is broken.

Put it all together

Version control systems only work if they are at the heart of your workflow not simply somewhere to store code, but once you start to build a workflow around them they become an incredibly powerful tool that can be tailored to almost any development environment. I would love to hear your tips and how you are using version control systems in your workflow, especially if it’s something you are just getting started with, what issues are you facing?

Helping you and your customers stay safe

WordPress Security Consulting Services

Power Hour Consulting

Want to get expert advice on your site's security? Whether you're dealing with a hacked site or looking to future-proof your security, Tim will provide personalised guidance and answer any questions you may have. A power hour call is an ideal starting place for a project or a way to break deadlocks in complex problems.

Learn more

Site Reviews

Want to feel confident about your site's security and performance? A website review from Tim has got you covered. Using a powerful combination of automated and manual testing to analyse your site for any potential vulnerabilities or performance issues. With a comprehensive report and, importantly, recommendations for each action required.

Learn more

Code Reviews

Is your plugin or theme code secure and performing at its best? Tim provides a comprehensive code review, that combine the power of manual and automated testing, as well as a line-by-line analysis of your code base. With actionable insights, to help you optimise your code's security and performance.

Learn more

Or let's chat about your security?

Book a FREE 20 minute call with me to see how you can improve your WordPress Security.

(No Strings Attached, honest!)