Dashboard Installation Deactivated
Bedrock disables Installation of Plugins from the Dashboard with:
DISALLOW_FILE_MODS
This PHP rule prevents the installation of other new plugins while allowing the listing of them. You have to install plugins by other means which we will discuss shortly. Also see https://github.com/roots/bedrock/blob/master/config/environments/production.php#L6-L7
Why is standard installation Blocked?
The standard installation of plugins – and themes by the way – is blocked so all installed themes and plugins stay in version control. Once you start adding plugins or themes on the production server they are no longer in version control. And every time you do a Trellis deployment you run the risk of losing plugins and themes as they are nog part of version control.
Plugin Installation with Composer
You can install plugins with Bedrock using Composer. You can also activate and deactivate them using Composer or WP CLI. You can also manage commercial plugins with composer with a custom composer serve. Either that or you can do it by adding them manually to your site and version control. You will need to remove them from the .gitignore list to get them versioned. You do this by using an exclamation mark like so for example:
!public/uploads/.gitkeep
Composer in practise
Composer allows you to download and install WordPress plugins from packages registered with Composer and also from WPackagist, which syncs with the WordPress plugins repository.
Just run a command to install the plugin like so:
composer install
This install all the plugins in your composer.json file in your Bedrock directory. At WPackagist they show you an example of themes and plugins added from their repo:
{
"name": "acme/brilliant-wordpress-site",
"description": "My brilliant WordPress site",
"repositories":[
{
"type":"composer",
"url":"https://wpackagist.org"
}
],
"require": {
"aws/aws-sdk-php":"*",
"wpackagist-plugin/akismet":"dev-trunk",
"wpackagist-plugin/captcha":">=3.9",
"wpackagist-theme/hueman":"*"
},
"autoload": {
"psr-0": {
"Acme": "src/"
}
}
}
Another way would be:
composer require wpackagist-plugin/wordpress-seo
Code Parity
This method of managing plugins is way better for keeping solid installations that are equal locally (Vagrant) on staging (Trellis server (recommended)) and on production (Trellis) . So this allows for code parity. No more “But it works on my computer”. All changes added with composer will be part of Git version control.
Therefore they will be the same in all environments. Even the plugins not added with composer will be added to version control. All installations that are not done with composer or not committed will be lost to our version control.
As the Roots theme stated:
Plugin Management ease
Composer Bedrock Example
Here the current composer.json as an example. It is one you will find with a standard Bedrock WordPress setup:
{
"name": "roots/bedrock",
"type": "project",
"license": "MIT",
"description": "WordPress boilerplate with modern development tools, easier configuration, and an improved folder structure",
"homepage": "https://roots.io/bedrock/",
"authors": [
{
"name": "Scott Walkinshaw",
"email": "scott.walkinshaw@gmail.com",
"homepage": "https://github.com/swalkinshaw"
},
{
"name": "Ben Word",
"email": "ben@benword.com",
"homepage": "https://github.com/retlehs"
}
],
"keywords": [
"bedrock", "roots", "wordpress", "stack", "composer", "vagrant", "wp"
],
"support": {
"issues": "https://github.com/roots/bedrock/issues",
"forum": "https://discourse.roots.io/category/bedrock"
},
"config": {
"preferred-install": "dist"
},
"repositories": [
{
"type": "composer",
"url": "https://wpackagist.org"
}
],
"require": {
"php": ">=5.6",
"composer/installers": "^1.4",
"vlucas/phpdotenv": "^2.0.1",
"johnpbloch/wordpress": "4.8.2"
"oscarotero/env": "^1.1.0",
"roots/wp-password-bcrypt": "1.0.0"
},
"require-dev": {
"squizlabs/php_codesniffer": "^3.0.2"
},
"extra": {
"installer-paths": {
"web/app/mu-plugins/{$name}/": ["type:wordpress-muplugin"],
"web/app/plugins/{$name}/": ["type:wordpress-plugin"],
"web/app/themes/{$name}/": ["type:wordpress-theme"]
},
"wordpress-install-dir": "web/wp"
},
"scripts": {
"post-root-package-install": [
"php -r \"copy('.env.example', '.env');\""
],
"test": [
"vendor/bin/phpcs"
]
}
}
- Bcrypt
- phpdotenv,
- codesniffer
and other goodies for better development.
WPackagist Additions
As you saw earlier you can add WPackagist plugins or themes using the composer command or by simply adding a line to the composer.json file.
For one setup we have for example this required block including multiple WordPress plugins using WPackagist:
"require": {
"php": ">=5.6",
"composer/installers": "~1.0.12",
"vlucas/phpdotenv": "^2.0.1",
"oscarotero/env": "^1.0",
"roots/wp-password-bcrypt": "1.0.0",
"wpackagist-plugin/antispam-bee": "*",
"wpackagist-plugin/autodescription": "*",
"wpackagist-plugin/imagify":"*",
"wpackagist-plugin/mailchimp":"*",
"wpackagist-plugin/popup-maker":"*",
"wpackagist-plugin/tawkto-live-chat":"*",
"wpackagist-plugin/wordpress-importer":"*",
"wpackagist-plugin/wp-basic-auth":"*",
"wpackagist-plugin/wp-subscribe": "*",
"wpackagist-plugin/yet-another-related-posts-plugin": "*",
"johnpbloch/wordpress": "4.8.2"
},
Deployment
For each installed plugin or WordPress installation a version is set. And for every update this has to be adjusted. Then you can commit it to version control and deploy it using Trellis’ deployment script ./bin/deploy.sh production domain.com . During deployment this file is checked and updates will be made. The latter fully automatically.
Bypassing Limitations
If customers do want to install plugin you can comment out the
DISALLOW_FILE_MODS
at bedrock-site/config/production. We sometimes use something like
<?php
/** Production */
ini_set('display_errors', 0);
define('WP_DEBUG_DISPLAY', false);
define('SCRIPT_DEBUG', false);
define( 'WP_MEMORY_LIMIT', '128M' );
/** Disable all file modifications including updates and update notifications */
//define('DISALLOW_FILE_MODS', true);
As you can see the DISALLOW_FILE_MODS has been commented out to allow the adding of plugins and themes.
Do however remember to exclude the plugins and themes you add from the .gitignore and to add them to the repository. Otherwise you run the risk of removing elements. Also make sure you enforce some parity by syncing from production another way. Either that or forget about version control altogether.
