VIP Go platform specific
This document is for sites running on VIP Go.
We review code on VIP Go to meet the security and performance objectives of our clients. We will give feedback about the security and performance of your code, and make recommendations for fixes.
The goal of our review is to make sure that your site will be:
- Secure, because pushing a site live with insecure code presents a liability to you and your whole user base.
- Performant, because going live and finding out that your code can’t handle the traffic levels that your site expects puts most of your launch efforts to waste.
- We also review for development best practices to make sure that your site will continue to live on without significant maintenance costs or major issues when WordPress is upgraded.
VIP performs a scheduled initial code review of the entire codebase. Once this initial review is complete, we’ll switch to a review workflow for incremental development.
What do we review? #
Before the initial code review #
Before code is submitted, there are a few things to make sure of:
- That unused or unnecessary code that does not need to be reviewed is removed from the
- All code has been run through PHP Code Sniffer using the VIP Coding Standards, and that as many blockers as possible are addressed;
- Submit the PHPCS output.
- Be ready to enter a code freeze during the code review process.
This will ensure the speediest review possible, and avoid reviewing known issues or non-production code.
Review slots are generally scheduled at least a week in advance, so VIP appreciates knowing as early as possible when code is expected to be submitted for review. Including us in your plans as early as possible will help make the initial review move faster and more smoothly.
The initial code review #
Full code review #
A Full review is best suited for clients who place a premium on security and performance. A developer will read every line of your code, including themes, custom plugins, and third-party plugins.
The duration of a full code review can vary depending on the complexity of the code. Your Technical Account Engineer will help you determine an appropriate timeline for your project.
Here’s a guide to what VIP looks for when performing a line-by-line review of your code. To expedite your review process, we strongly recommend looking at this document before submitting your code.
Enhanced code review #
Many aspects of the Full review are echoed with an Enhanced review, except that only the theme and custom plugins are reviewed. Third-party plugins will undergo automated scanning (see below).
Automated scans #
VIP manages an open-source PHP_CodeSniffer (PHPCS) ruleset to assist clients in identifying security and performance issues. For sites not receiving a manual code review, VIP will perform an automated scan of the codebase and provide an itemized review with descriptions of errors and warnings, including more in-depth feedback as necessary.
Please refer to this guide to PHPCS review feedback. We strongly recommend looking at this document before submitting your code to expedite your review process.
After the initial code review #
Once the initial codebase has passed review, we enable a workflow designed for incremental development.
Full and Enhanced review levels #
After the initial review, sites on these review levels will enter the GitHub Pull Request workflow. PRs will surface in a queue that is reviewed by VIP developers. We encourage writing good commit messages to help communicate changes.
Automated scans #
For sites not receiving a manual code review, we still recommend following a PR workflow. PRs on all VIP repositories have linting enabled via GitHub, running a PHPCS scan automatically via the VIP bot. We strongly recommend using a pull request workflow and reviewing and addressing any PHPCS errors and warnings flagged by the bot in its review, this will surface items that may have been missed during development.
Implementing code review feedback #
The VIP team strives to give valuable actionable feedback that improves the stability, performance, and security of our clients’ sites. However, we understand that every client has different needs and different risk profile. This is why, on VIP Go, code may be deployed without implementing our review feedback.
Any Github user with Admin permissions can deploy code on VIP Go without implementing feedback. By default, the main technical contact for each client is added as an Admin to the repository, and Admins can set other users to Admin if needed. If you have any questions about this, please contact your Technical Account Engineer.
If clients decide to deploy code without implementing the feedback, clients acknowledge taking responsibility for the risks, including:
- Security: VIP employs defensive programming to eliminate as many risks as possible. Deploying code without implementing our code review feedback carries the risk of account-related and other security breaches. In the event of a security incident, VIP may have limited ability to clean a site properly when code review feedback has not been implemented.
- Performance: VIP’s code review feedback is designed to keep sites up and performant under heavy traffic. Under heavy traffic, your site’s response time, availability to users, and overall speed may be compromised. Deploying code without implementing our feedback could lead to your site using more resources and possibly have an impact on SEO.
- Stability: If a client chooses to deploy code without implementing VIP’s code review feedback, there may be code that affects the site’s stability. If VIP needs to restore a site, we may need to break functionality, revert code, or revert the site’s database, to do so.
Regardless of whether our feedback is implemented, the VIP support team will be there to help you if such things occur, and we will always work to rectify the situation as quickly as possible.