VIP Go platform specific
This document is for sites running on VIP Go.
We review code on VIP Go to meet the security and performance objectives of our clients. We will give feedback about the security and performance of your code, and make recommendations for fixes.
The goal of our review is to make sure that your site will be:
- Secure, because pushing a site live with insecure code presents a liability to you and your whole user base.
- Performant, because going live and finding out that your code can’t handle the traffic levels that your site expects puts most of your launch efforts to waste.
- We also review for development best practices to make sure that your site will continue to live on without significant maintenance costs or major issues when WordPress is upgraded.
VIP performs a scheduled initial code review of the entire codebase. Once this initial review is complete, we’ll switch to a review workflow for incremental development.
What do we review?
Full code review #
A Full review is best suited for clients who place a premium on security and performance. A developer will read every line of your code, including themes and custom plugins.
Initial code review timelines scale with the complexity of the code, and your Technical Account Engineer will help you determine an appropriate timeline for your project.
Here’s a guide to what VIP looks for when performing a line-by-line review of your code. To expedite your review process, we strongly recommend looking at this document before submitting your code.
Enhanced code review #
Many aspects of the Full review are echoed with an Enhanced review, except that only the theme and custom plugins are reviewed. Third-party plugins will go through a Standard review (see below).
Standard code review #
VIP manages an open-source PHP_CodeSniffer (PHPCS) ruleset to assist clients in identifying security and performance issues. For Standard reviews, we’ll provide an itemized review with descriptions of errors and warnings, including more in-depth feedback as necessary.
Please refer to this guide to PHPCS review feedback. We strongly recommend looking at this document before submitting your code to expedite your review process.
Before your initial code review
Before you submit the code, there are a few things to make sure of:
- That unused or unnecessary code that does not need to be reviewed is removed from the
- All code has been run through PHP Code Sniffer using the VIP Coding Standards, and that as many blockers as possible are addressed;
- Submit the PHPCS output.
- Be ready to enter a code freeze during the code review process.
This will ensure the speediest review possible, and avoid reviewing known issues or non-production code.
After your initial code review
Once the initial codebase has passed review, we enable a workflow designed for incremental development.
Full and Enhanced review levels #
After the initial review, sites on these review levels will enter the GitHub Pull Request workflow. These PRs will surface in a queue that is reviewed by VIP developers. We encourage writing good commit messages to help communicate changes.
Standard review level #
After the initial review, sites on Standard review will not have the PR workflow enabled. However, we still recommend following a PR workflow, as all PRs have linting enabled via GitHub, running a PHPCS scan automatically via the VIP bot.