GovPress Tools: how automation has helped us scale our WordPress offer

Automation has helped us scale our WordPress work, and keep our clients’ sites safer and more secure

The number of public sector and charity WordPress sites we host and support on the GovPress team has increased dramatically in the past couple of years – from around 20 to over 100. It’s been really exciting to see the team growing so quickly, but it’s also presented us with some challenges around how we manage and maintain such a large number of sites. 

Why we needed automation

For most of dxw’s life, the GovPress team has maintained our WordPress projects on a site-by-site basis. Each project was self-contained and managed completely independently. That worked well when we had a relatively small number of projects, but as that number grew we quickly found that the model didn’t scale. 

We were spending an increasing amount of time performing basic upkeep tasks and keeping plugins and WordPress core up to date. Even maintaining the list of repositories we were managing was becoming a laborious manual process!

The problem was hammered home a year or so ago, when a serious security vulnerability was discovered in a plugin that some of our clients used. We had to manually check every site to see whether it was running the plugin in question and, if so, whether it was running a vulnerable version, all while we were up against the clock, with the possibility that the vulnerability was already being exploited.

It was a stressful day or so, and we realised we needed to look at automating the routine maintenance tasks involved in supporting a large WordPress estate.

Introducing GovPress Tools

GovPress Tools is a command line tool we’ve built to do just that. All of our client site repositories are on GitHub (or will soon be migrated there). They share a common file structure, based on our WordPress template repo, and use Whippet to manage WordPress plugins as third-party dependencies.

GovPress Tools takes advantage of that shared file structure to identify them as WordPress repos, and then uses GitHub CLI, GitHub’s GraphQL and REST APIs and GitHub Actions to help us quickly and easily:

These are all tasks that would have taken considerable manual effort previously.

Automating plugin security alerts

Perhaps most importantly, we use GovPress Tools to alert us about new vulnerabilities discovered in plugins we run on client sites. A scheduled GitHub Action checks the full list of plugins we’re running against the WPScan vulnerability database several times a day, and immediately posts to our team Slack channel if any of them has a known vulnerability.

This allows us to get a vulnerable plugin patched within a few hours of the vulnerability appearing in the database, which usually means the fix is in place before the full details and a proof of concept have been disclosed publicly.
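To make the check concrete, here is an added example in Python of the kind of comparison the scheduled action has to perform. It is not GovPress Tools’ own code (that repo is private), and everything in it is constructed: the plugin inventory, the WPScan-shaped responses (modelled on the `/api/v3/plugins/{slug}` response layout, which is an assumption to confirm against the API docs), the site names and plugin slugs. The `fetch_wpscan` helper, its endpoint and its `Authorization: Token token=...` header are likewise assumptions and are not called by the offline run.

```python
"""Offline sketch of a plugin-vulnerability check and Slack alert.

Added example, not GovPress Tools' own code. The inventory and the WPScan
responses are constructed inline so that it runs without network access.
"""
import json
import re
import urllib.request

# Constructed inventory: one row per (site repo, plugin slug, installed version),
# the kind of list that could be aggregated from each client repo's Whippet lock file.
INVENTORY = [
    {"site": "council-a", "slug": "example-forms", "version": "2.3.1"},
    {"site": "council-b", "slug": "example-forms", "version": "2.4.0"},
    {"site": "charity-c", "slug": "example-gallery", "version": "1.0.9"},
    {"site": "council-a", "slug": "example-gallery", "version": "v1.1.0"},
    {"site": "charity-c", "slug": "example-seo", "version": "5.2"},
]

# Constructed data modelled on the shape of WPScan's /api/v3/plugins/{slug}
# response (assumption: a "vulnerabilities" list per slug whose entries carry a
# "title" and a "fixed_in" that is null while no patched release exists).
WPSCAN_RESPONSES = {
    "example-forms": {"latest_version": "2.4.0", "vulnerabilities": [
        {"id": "1", "title": "Example Forms < 2.4.0 - Stored XSS", "fixed_in": "2.4.0"},
    ]},
    "example-gallery": {"latest_version": "1.1.0", "vulnerabilities": [
        {"id": "2", "title": "Example Gallery < 1.1.0 - Arbitrary File Upload", "fixed_in": "1.1.0"},
        {"id": "3", "title": "Example Gallery <= 1.1.0 - Unauthenticated SQLi", "fixed_in": None},
    ]},
    "example-seo": {"latest_version": "5.3", "vulnerabilities": []},
}


def version_key(version):
    """Comparable key for WordPress-style versions: '2.3.1', '5.2', 'v1.1.0', '1.0-beta2'.
    Dotted numeric parts compare numerically (5.2 == 5.2.0), a leading 'v' (common in
    Whippet git refs) is ignored, and a pre-release suffix sorts before the final release."""
    m = re.match(r"^(\d+(?:\.\d+)*)(.*)$", version.strip().lstrip("vV"))
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    while len(nums) > 1 and nums[-1] == 0:   # 1.1.0 -> 1.1
        nums.pop()
    suffix = m.group(2).strip("-. ").lower()
    return tuple(nums), (1, "") if not suffix else (0, suffix)


def is_affected(installed, fixed_in):
    """Affected when no fixed release exists yet, or the installed version is below it."""
    return fixed_in is None or version_key(installed) < version_key(fixed_in)


def find_vulnerable(inventory, responses):
    """One finding per (site, plugin, vulnerability) that applies to the installed version."""
    findings = []
    for row in inventory:
        data = responses.get(row["slug"])
        if data is None:                       # plugin unknown to WPScan: nothing to compare
            continue
        for vuln in data.get("vulnerabilities", []):
            if is_affected(row["version"], vuln.get("fixed_in")):
                findings.append({**row, "title": vuln["title"], "fixed_in": vuln.get("fixed_in")})
    return sorted(findings, key=lambda f: (f["slug"], f["site"], f["title"]))


def slack_escape(text):
    """Slack treats &, < and > as markup, and vulnerability titles are full of '<'."""
    return text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")


def slack_payload(findings):
    """JSON body for a Slack incoming webhook, or None when there is nothing to report."""
    if not findings:
        return None
    sites = {f["site"] for f in findings}
    lines = [f"*{len(findings)} plugin vulnerabilities found across {len(sites)} sites*"]
    for f in findings:
        fix = f"upgrade to {f['fixed_in']}" if f["fixed_in"] else "no fixed release yet"
        lines.append(f"- `{f['site']}` runs {f['slug']} {f['version']}: "
                     f"{slack_escape(f['title'])} ({fix})")
    return {"text": "\n".join(lines)}


def fetch_wpscan(slug, api_token):
    """Live lookup, not used by the offline demo. Assumption: WPScan's v3 plugin endpoint
    and 'Authorization: Token token=...' header; confirm against the current API docs."""
    req = urllib.request.Request(
        f"https://wpscan.com/api/v3/plugins/{slug}",
        headers={"Authorization": f"Token token={api_token}"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp).get(slug, {})


if __name__ == "__main__":
    payload = slack_payload(find_vulnerable(INVENTORY, WPSCAN_RESPONSES))
    print(json.dumps(payload, indent=2) if payload else "no known vulnerabilities")
```

Two design choices are worth noting. An entry whose `fixed_in` is null is flagged for every installed version, because an unfixed issue is exactly the one the team needs to know about. And comparing only against `fixed_in` is deliberately conservative: a database entry does not always say which version introduced the bug, so a site running a very old release may be reported for a vulnerability that never affected it, which is the cheaper mistake. Run on a schedule (a cron trigger in a GitHub Actions workflow) with the real inventory and live lookups, the same logic gives the “several times a day” check described above.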

In the past 6 months alone, this has helped us to quickly identify and fix nearly 200 vulnerabilities, keeping our clients’ sites safer and more secure. Every new GovPress site we build or host automatically gets covered by that same alerting system, without us having to do any additional setup work.

Future plans

We’ve got more ideas for things we’d like GovPress Tools to do in future. Those include helping us manage Dependabot alerts, and automatically opening pull requests for us either when plugin updates are available, or when a major WordPress version is released.

The repo for GovPress Tools is private at the moment, as it contains a few dxw-specific bits of config that we’d prefer not to share more widely. But we’re hoping to abstract those out, either into user-configurable environment variables, or separate private repositories where needed. Then we’ll be able to share it more widely. Maybe it will help others who are facing similar challenges!