VIP Go platform specific
This document is for sites running on VIP Go.
We review code on VIP Go to meet the security and performance objectives of our clients. We will give feedback about the security and performance of your code, and make recommendations for fixes.
The goal of our review is to make sure that your site will be:
- Secure, because pushing a site live with insecure code presents a liability to you and your whole user base.
- Performant, because going live and finding out that your code can’t handle the traffic levels that your site expects puts most of your launch efforts to waste.
- We also review for development best practices to make sure that your site will continue to live on without significant maintenance costs or major issues when WordPress is upgraded.
VIP may perform a scheduled initial code review of the entire codebase. Once this initial review is complete, we’ll switch to a review workflow for incremental development.
What do we review? #
Before the initial code review #
Before code is submitted, there are a few things to make sure of:
- That unused or unnecessary code that does not need to be reviewed is removed from the
- All code has been run through PHP Code Sniffer using the VIP Coding Standards, and that as many blockers as possible are addressed;
- Submit the PHPCS output.
- Be ready to enter a code freeze during the code review process.
This will ensure the speediest review possible, and avoid reviewing known issues or non-production code.
The initial code review #
Automated scans #
For all customers on VIP Go, when you open a PR in the GitHub your entire codebase will be automatically scanned against VIP Coding Standards by the VIP Code Analysis bot. Please refer to this guide to PHPCS review feedback. We strongly recommend looking at this document before submitting your code to expedite your review process.
If you have questions about how to address specific errors or warnings, you can open a Zendesk ticket with our team.
Manual code review #
For clients with Application Support, you may also request specific developer feedback on your codebase (including themes and custom plugins) by adding the “[VIP] Review Request” label to your PR in
master. Before adding the label, ensure that you’ve addressed as many errors and warnings from the automated scan as possible.
Where possible, we recommend keeping PRs small by breaking them down into atomic commits. If the changeset is larger than 1000 lines of code, it will need to be scheduled for a review. The duration of manual code review can vary depending on the complexity of the code, and your Technical Account Manager will help you determine an appropriate timeline for your project.
Here’s a guide to what VIP looks for when performing a line-by-line review of your code. To expedite your review process, we strongly recommend looking at this document before submitting your code.
After the initial code review #
After the initial code review, you can continue to follow the same workflow for automated scans on new PRs, or manual code review for new PRs opened in the
master branch of GitHub.
Implementing code review feedback #
The VIP team strives to give valuable actionable feedback that improves the stability, performance, and security of our clients’ sites. However, we understand that every client has different needs and different risk profile. This is why, on VIP Go, code may be deployed without implementing our review feedback.
Any Github user with Admin permissions can deploy code on VIP Go without implementing feedback. By default, the main technical contact for each client is added as an Admin to the repository, and Admins can set other users to Admin if needed. If you have any questions about this, please contact your Technical Account Manager.
If clients decide to deploy code without implementing the feedback, clients acknowledge taking responsibility for the risks, including:
- Security: VIP employs defensive programming to eliminate as many risks as possible. Deploying code without implementing our code review feedback carries the risk of account-related and other security breaches. In the event of a security incident, VIP may have limited ability to clean a site properly when code review feedback has not been implemented.
- Performance: VIP’s code review feedback is designed to keep sites up and performant under heavy traffic. Under heavy traffic, your site’s response time, availability to users, and overall speed may be compromised. Deploying code without implementing our feedback could lead to your site using more resources and possibly have an impact on SEO.
- Stability: If a client chooses to deploy code without implementing VIP’s code review feedback, there may be code that affects the site’s stability. If VIP needs to restore a site, we may need to break functionality, revert code, or revert the site’s database, to do so.
Regardless of whether our feedback is implemented, the VIP support team will be there to help you if such things occur, and we will always work to rectify the situation as quickly as possible.