Skip to content

RETIRED: Manual code review

The goal of a manual code review is to provide feedback that addresses:

  • Security, which includes the security of a site’s access, data, and its users.
  • Performance, which includes how well a site can handle normal and peak traffic and how quickly a site’s content renders.
  • Manual code review can also provide feedback on development best practices such as maintainability, defensive coding practices, clarity, and more.


Manual code reviews can only be requested by a limited group of customers with legacy contracts and customers with a Premier Support package.

The value of manual code review

The customer should consider the value of a manual code review before requesting it. By definition, requesting a code review from WordPress VIP at the point of being ready to deploy the code is the most expensive time to get input from WordPress VIP.

VIP’s automated checks can help catch security, performance, and platform incompatibility issues, so any remaining issues that WordPress VIP may find in a manual code review will typically require more substantial architectural changes.

Customers benefit most from WordPress VIP’s input when it is requested earlier in the development cycle when the business cost of change is significantly lower. Code review requests for trivial changes or when the customer would be unwilling or unable to accommodate the suggestions have little value; they add an artificial workflow block to customers being able to deploy their code efficiently.


Manual code reviews are only available for:

  • A limited group of customers with legacy contracts and customers with Premier Support packages.
  • A pull request that contains custom application code. Pull requests for third-party plugin code will receive automated scans and feedback by the VIP Code Analysis Bot. Customers can also scan third-party plugin code locally with PHPCS.
  • A pull request that contains code that is complete and ready to merge. Draft pull requests cannot be reviewed.
  • A pull request that targets an application’s production branch and has a [VIP] Review Request label applied to it.
  • Manual code review focuses on performance and security considerations in PHP, custom JavaScript, and SVG files. Reviewers will ignore HTML, CSS, SASS, many popular third-party JavaScript libraries, or built JavaScript files.
  • Manual code reviews by WordPress VIP cannot be requested with an urgent priority. Some customer application repositories are configured to block merging of pull requests without a review. Users with Admin access to the GitHub repository have the ability to bypass this requirement and merge the pull request on their own. If the merging of a pull request is needed urgently, having an Admin user intervene and bypass the review requirement is the fastest method for the pull request to be merged and deployed.

Expedite the manual code review process

The following recommendations for creating pull requests can help expedite the manual code review process:

The duration of manual code review can vary depending on the complexity of the code. Premier Support customers can request assistance from their Technical Account Manager (TAM) to determine an appropriate timeline for a project.

Request a manual code review

All pull requests made to a wpcomvip GitHub repository for a WordPress application receive code feedback from automated scans by the VIP Code Analysis Bot.

Before requesting a manual code review from WordPress VIP, address as many errors and warnings reported by the VIP Code Analysis Bot scan as possible.

It is possible that after an automated scan a pull request will automatically be added to the manual code review queue. The VIP Code Analysis Bot will leave a comment on the pull request to indicate if this has occurred.

When a manual code review is an option for a pull request, the Bot will explain in a comment how to add a label to request a review. If this message appears and a review is needed, add the label [VIP] Review Request to the pull request.

The labels field can be found in the GitHub UI on the right sidebar of a pull request:

Pull requests against a review branch, that are not drafts, with the label [VIP] Review Request, will surface as a new review request in WordPress VIP’s internal review queue. The VIP Team will review the pull request directly on GitHub, and suggest any changes by leaving comments.

After the WordPress VIP team has reviewed a pull request, the customer’s team should review the feedback and make any necessary changes. If further feedback is needed, “dismiss” the review. This process continues until there are no outstanding issues, at which point the WordPress VIP team will “approve” the request.

Last updated: February 24, 2024

Relevant to

  • WordPress