One thing I have learned from years of working with WordPress is that there is no shortage of different development practices. One thing that stood out for me early on was that as an independent contractor there are some processes that should be universal. The following are some of the concepts I have collected and adopted along the way.
DO
- use SSH and SFTP to remotely connect directly to the server shell
- use PHP7
- use version control (I recommend git via GitHub)
- perform code reviews
- establish a personal coding standard
- HTTPS everything
- use more than one administrator account
- perform BACKUPs
- maintain a site doc with detailed records
Strongly encouraged
- set up proper dev and staging test environments
- turn off file edits and mods in the wp-config
- use a deployment system linked to your VCS
- employ unit testing
- test the backups
DO NOT
- use FTP (no, I am serious, NEVER)
- host client systems on your personal servers
- forget to bill
The lists above are short and easily digestible; however, some items bear further explanation. Therefore I shall go through them in greater detail below.
SSH and SFTP, when properly set up, are very secure and allow you a safe way of accessing your server systems. I personally refuse to host anything with providers who do not offer these services.
PHP7 is fairly self-explanatory; however, there are those who do not understand how important it is to run WordPress on the fastest PHP engine available.
Version control is absolutely essential. I put each of my client’s sites in their own repository so that I know exactly what has been deployed to each individually. This has several added benefits. Should a site get hacked, you can easily restore the database from backup and redeploy all of the code to a known state. In addition, moving a site between providers becomes trivial.
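The known-state check described above, as an added example (not the author's code): it compares the files on a server with the blob hashes that `git ls-tree -r` lists for the deployed commit, so it works even where git is not installed. The function names, the sample files and the choice to skip non-PHP files under `wp-content/uploads/` are assumptions made here, and it assumes the repository uses no content filters such as line-ending conversion.

```python
import hashlib
import tempfile
from pathlib import Path

def git_blob_sha1(data: bytes) -> str:
    """Hash bytes the way git names a blob (default SHA-1 object format)."""
    return hashlib.sha1(b"blob %d\x00" % len(data) + data).hexdigest()

def parse_ls_tree(text: str) -> dict:
    """Parse `git ls-tree -r <commit>` output into {path: blob_sha}."""
    manifest = {}
    for line in filter(str.strip, text.splitlines()):
        meta, path = line.split("\t", 1)
        _mode, objtype, sha = meta.split()
        if objtype == "blob":
            manifest[path] = sha
    return manifest

def audit(root: str, manifest: dict, unversioned=("wp-content/uploads/",)) -> dict:
    """Report drift between the files under root and the repository manifest."""
    report = {"modified": [], "unexpected": []}
    for path in Path(root).rglob("*"):
        rel = path.relative_to(root).as_posix()
        # Assumption: uploaded media is not in git, but PHP found there is still reported.
        media = rel.startswith(unversioned) and not rel.lower().endswith(".php")
        if media or not path.is_file():
            continue
        if rel not in manifest:
            report["unexpected"].append(rel)
        elif manifest[rel] != git_blob_sha1(path.read_bytes()):
            report["modified"].append(rel)
    report["missing"] = [p for p in manifest if not Path(root, p).is_file()]
    return {kind: sorted(paths) for kind, paths in report.items()}

def demo() -> dict:
    """Constructed sample; `listing` stands in for `git ls-tree -r HEAD` output."""
    repo = {"index.php": b"<?php // front controller\n", "wp-login.php": b"<?php // login\n",
            "wp-content/themes/site/style.css": b"body{}\n"}
    listing = "".join(f"100644 blob {git_blob_sha1(d)}\t{p}\n" for p, d in repo.items())
    deployed = {"index.php": b"<?php // edited on the server\n",
                "wp-login.php": repo["wp-login.php"],
                "wp-content/plugins/extra.php": b"<?php\n",
                "wp-content/uploads/2024/logo.png": b"constructed image bytes",
                "wp-content/uploads/2024/cache.php": b"<?php\n"}
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in deployed.items():
            Path(tmp, rel).parent.mkdir(parents=True, exist_ok=True)
            Path(tmp, rel).write_bytes(data)
        return audit(tmp, parse_ls_tree(listing))
```

Anything listed under `modified` or `unexpected` is code that did not come from the repository, which is the signal to redeploy from the known commit instead of cleaning files by hand.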
Most version control systems like GitHub have built-in mechanisms that aid in the code review process. Even if you are a one-person consulting shop, having that step where you reflect on the changes you’ve made to the code can help you catch bugs before the code is shipped.
While WordPress has an official coding standard, and some would like you to just drink from that juice box, I urge you to consider adopting it but enhancing it with your own flair. For instance, in the WordPress CS Yoda conditions accepted they are, but in my CS prohibited they be. Having your own standard truly is personal, and it helps you to maintain a consistency in the code, improving its maintainability.
HTTPS is pretty much an essential fact of web hosting these days and, thanks to systems like Let’s Encrypt, relatively easy to set up. I strongly suggest that you do not even provide regular HTTP access.
I always create different accounts. One for the client and one for myself. Depending on the client’s skill level, I may even create them one with reduced capabilities for safety reasons. This depends on the support agreement.
Backups. Honestly, if you don’t understand the necessity for backups by now, nothing I can say will sway you.
Document everything. Document the hosting setup and provider account information. Document every time you chat with the client. Document all of your work. Record keeping is essential to ensuring that you maintain a strong consulting business as well as a satisfied customer. The number of times I have been contacted after years by former clients who forgot a password or some other critical system data. Digging through my records is billable time and they are always grateful to pay when I get them out of a jam. Usually I land new referrals in the process.
I think that’s enough for now, as the strongly encouraged and DO NOT NEVER EVER sections are fairly self-explanatory. I hope that you have found this helpful.