Best practice for keeping up to date local dev and production

Hello all,

In a perfect world you would have a local dev + staging + prod environment. Every deployment moves in the same direction, from your staging to prod.
What if you are a web agency, you sell websites and your customer (who has admin access) installs a plugin? This plugin won’t be versioned in git.

What are your recommendations?
Should I just restrict plugin installations and theme modifications?


The answer can be both technical and business oriented.


If you are using Bedrock and WP-CLI you can very easily list the plugins installed and compare with your local repo/composer.json.

As far as pulling/pushing the database I use but you could very well use I generally always pull from staging/production rather than push to prod from local.

As far as getting their changes into your version control: if you are using git based deploys you can easily commit from the remote server and pull down the changes into your local environment. You can also do things like “git diff” and “git status” to see what has happened since the last commit.

In most cases I definitely disable plugin modification from the dashboard:


In my experience one HUGE advantage of using Composer/Git based deploys is it makes liability easy. If someone breaks the site you can very easily say “this site is verified working with these exact versions of the plugins and this exact git commit”. So if the client goes rogue and starts doing crazy stuff like hacking on plugins, core, or your theme it is trivial to diff and see what went wrong. If the site gets hacked/borked it is also very easy to just rollback and redeploy.

If the client is insistent on being able to hack on the site themselves or without a developer: each time they need something done will have to be a new project.
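
The plugin comparison described in the reply above, as an added example that is not part of the original thread: it diffs the output of `wp plugin list --format=json` against the plugins declared in `composer.json`. It assumes plugins are required under the `wpackagist-plugin/` vendor prefix; the sample data and the plugin name `shiny-slider` are constructed.

```python
import json

# Constructed sample: output of `wp plugin list --format=json` on the server.
SAMPLE_WP_PLUGINS = '''[
  {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
  {"name": "wordpress-seo", "status": "active", "update": "available", "version": "21.0"},
  {"name": "shiny-slider", "status": "active", "update": "none", "version": "1.2"},
  {"name": "bedrock-autoloader", "status": "must-use", "update": "none", "version": "1.0.0"}
]'''

# Constructed sample: the composer.json committed in the repository.
SAMPLE_COMPOSER = '''{
  "require": {
    "php": ">=8.0",
    "roots/wordpress": "^6.4",
    "wpackagist-plugin/akismet": "^5.3",
    "wpackagist-plugin/wordpress-seo": "^21.0",
    "wpackagist-plugin/redirection": "^5.4"
  }
}'''

# Assumption: every Composer-managed plugin uses this vendor prefix.
PLUGIN_VENDOR = "wpackagist-plugin/"


def plugin_drift(wp_plugins_json, composer_json):
    """Compare plugins found on the server with plugins declared in composer.json."""
    composer = json.loads(composer_json)
    declared = set()
    for section in ("require", "require-dev"):
        for package in composer.get(section, {}):
            if package.startswith(PLUGIN_VENDOR):
                declared.add(package[len(PLUGIN_VENDOR):])
    installed = set()
    for plugin in json.loads(wp_plugins_json):
        # Assumption: must-use plugins and drop-ins are files tracked in git,
        # not Composer packages, so they are left out of the comparison.
        if plugin.get("status") in ("must-use", "dropin"):
            continue
        installed.add(plugin["name"])
    return {
        "unmanaged": sorted(installed - declared),  # installed outside version control
        "missing": sorted(declared - installed),    # declared but not deployed
    }


if __name__ == "__main__":
    for kind, names in plugin_drift(SAMPLE_WP_PLUGINS, SAMPLE_COMPOSER).items():
        print(f"{kind}: {', '.join(names) or 'none'}")
```

Anything reported as unmanaged was installed on the server without going through Composer and git, which is the case the original question asks about.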


Thanks Austin.
I’ll discuss it with my coworkers but I think it’s a good idea to disable plugin and theme updates. I don’t want shady plugins committed to git.