Keeping WordPress Clean Inside Git


WordPress sites can become massive very quickly. They can also be a treasure trove for potential adversaries looking to compromise your site, because the repository often ends up holding the database credentials and configuration alongside the code. Following a few simple rules about what to commit will help keep your codebase safe and organized.

Don’t Store Core Files

There’s no reason to keep the core WordPress files under version control, for two main reasons:

  1. They should never contain user or developer changes. Edits belong in a theme or plugin; anything patched into core is overwritten by the next update anyway.
  2. Isolating WordPress core keeps the app you’re developing separate from the platform it runs on, so core updates can be applied in each environment (via the admin updater or WP-CLI) without touching the repository.

Don’t Store Sensitive Information

Even if your repository is private, it’s never a good habit to store sensitive information in it. WordPress has a few files that are especially damaging if they leak: wp-config.php holds the database credentials and the authentication keys and salts, .htaccess holds server rules and any access restrictions, and generated server logs can contain visitor IP addresses and request paths. Never commit your wp-config.php, generated server logs, or even your .htaccess file. Keep these private. If wp-config.php has ever been committed, removing it from the working tree is not enough, because it stays in the repository history; rotate the database password and regenerate the keys and salts as well.

Don’t Store Uploads

One of the reasons uploads shouldn’t be stored in a repository is that they change so frequently. If you have three separate environments (dev, staging, prod) you will start to notice that each environment tends to have a different set of media uploads at any given time. Always trying to remember which environment has the latest uploads is a major waste of mental energy.

More importantly, you shouldn’t keep uploads under version control because of the eventual file size. GitHub won’t allow you to push a file larger than 100 MB, and will throw a warning starting at 50 MB.

A great way to keep your uploads synced between environments is by using the plugin WP Migrate DB Pro.

Store Theme

Obviously you should store your theme files. This is where the majority of your user and developer related changes happen, and they should be tracked. If you’re using a package manager like npm, add node_modules and any build related log or config files to your .gitignore to keep things clean.

Store Plugins

This one is more of a preference as it could go either way. You can either keep your plugins up-to-date by doing all the updates within each environment through the admin updater, or you can store them in your git repository and sync them that way. Either one will work, but note that with the admin updater the files on each server change outside of git, so the repository no longer describes exactly what is deployed. I prefer the git approach myself. However if you have a lot of plugins, you might want to consider the accumulated file size before implementing that strategy.
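Putting the rules above together, here is a .gitignore that implements them for a repository whose root is the WordPress install directory (the one that contains wp-content). This is an added example, not a file from the original post; the theme directory name my-theme is a placeholder for your own theme, and it assumes plugins are tracked in git as described in the previous section. It uses an allow-list: everything is ignored by default, and only the theme and plugins directories are re-included, so new core files or stray server files never show up as untracked.

```gitignore
# Ignore everything at the repository root by default. WordPress core
# (wp-admin/, wp-includes/, wp-*.php, index.php) lives here and is not tracked.
/*

# Keep the ignore file itself.
!.gitignore

# Re-include wp-content, then ignore all of its direct children...
!/wp-content/
/wp-content/*

# ...except the themes directory, inside which only our own theme is tracked.
# "my-theme" is a placeholder for your theme directory.
!/wp-content/themes/
/wp-content/themes/*
!/wp-content/themes/my-theme/

# Plugins are tracked in git (see "Store Plugins"). Remove this line if you
# prefer to manage them through the admin updater instead.
!/wp-content/plugins/

# Uploads are already ignored by /wp-content/* above; listed explicitly so the
# intent survives if the rules above are ever loosened.
/wp-content/uploads/

# Sensitive files: never tracked, wherever they appear in the tree.
wp-config.php
.htaccess
*.log

# Build tooling inside the theme.
node_modules/
```

After adding the file, `git status` should list only the theme and plugins directories. To confirm a specific path is excluded and see which rule matched, run `git check-ignore -v wp-config.php` or `git check-ignore -v wp-content/uploads/2024/01/photo.jpg`; a path that is tracked prints nothing and exits non-zero. Note that a path already committed before the rule was added stays tracked until you run `git rm --cached` on it.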


I think careful file management keeps a development workspace sanitary, not to mention secure. I encourage more WordPress developers to think twice about storing /clientname/public_html again.