What Is Bedrock and Why Use It in WordPress Projects?
Modernize your workflow, secure your codebase, and bring sanity to WordPress development.
The traditional way of working with WordPress – via FTP uploads, installing plugins from the admin panel, and handling updates manually – no longer meets the standards of modern WordPress development.
This outdated model doesn’t scale well, complicates team collaboration, hinders automated deployment, and leaves projects vulnerable to human error.
Bedrock for WordPress offers a modern alternative: a structured, secure, and maintainable project architecture based on best practices from the broader PHP and web development ecosystem.
In this article, we’ll explore:
- What Bedrock is and how it works
- The benefits it offers developers
- Its limitations
- And when it's the right choice for your WordPress projects
What Is Bedrock?
Bedrock is a modern boilerplate for WordPress, developed by the team at Roots.
It provides a more structured, secure, and maintainable foundation for building WordPress projects — aligning WordPress development with industry-standard practices.
What Bedrock is not:
- It’s not a theme or a plugin
- It’s not a replacement for WordPress itself
- It’s a way to organize and manage your WordPress project like real software
Why Bedrock Matters
Bedrock transforms the traditional WordPress project structure by bringing it closer to the standards of modern web development.
It introduces:
- Separation of application code and configuration
- Dependency management through Composer
- Environment-based configuration
- Secure file organization outside the web root
Simply put, Bedrock turns WordPress into a real software project.
It eliminates the clutter of a default WordPress install and provides a solid foundation where code, dependencies, and settings are managed using best practices — with version control, environment isolation, automation, and quality control built in.
Key Features of Bedrock
Composer-Based Dependency Management
Bedrock uses Composer to manage WordPress core, plugins, and themes.
All dependencies are declared in the composer.json file, which allows you to:
- Precisely control versions of WordPress, plugins, and themes
- Easily roll back changes or update components
- Avoid version conflicts in team-based workflows
No more downloading .zip files or installing plugins manually — everything is handled via one command.
Clean and Modern Project Structure
Unlike the traditional WordPress setup — where everything lives in the root folder — Bedrock introduces a clean, modern file architecture:
- web/ — the public web root
- config/ — configuration files for each environment
- vendor/ — Composer-managed dependencies
- .env — environment variables (dev/staging/production)
- composer.json — the dependency map for the project
This structure makes the project easier to navigate, more secure, and CI/CD-friendly — especially for modern development teams.
Environment-Specific Configuration
Bedrock uses a .env file to manage environment variables, allowing you to:
- Easily switch between development, staging, and production
- Avoid hardcoding sensitive values in wp-config.php
- Manage credentials (e.g., database passwords, API keys) securely
This setup is especially valuable for team workflows and automated deployments, ensuring consistency across environments.
Enhanced Security by Design
One of Bedrock’s key strengths is its security-focused architecture:
- Core WordPress files (wp/), wp-config.php, and vendor/ are placed outside the public web/ directory
- This minimizes exposure and reduces the risk of direct access to sensitive files
- Secrets and credentials are stored in the non-public .env file — not in the codebase
This structure aligns with modern web application security standards and makes WordPress projects significantly harder to exploit.
Support for Modern Development Tools
Bedrock integrates seamlessly with tools and workflows used in modern web development, including:
- Full compatibility with Git, WP-CLI, and Composer scripts
- Support for CI/CD pipelines: GitHub Actions, GitLab CI, Capistrano, Deployer, and more
- Automation of deployments, updates, builds, and tests
Bedrock transforms a typical WordPress site into a fully manageable software project, enabling developers to work with confidence, version control, and repeatable workflows.
It is often paired with Sage 10 — a modern starter theme from the same developers (Roots). Sage uses Blade templating, Laravel Mix, and Tailwind CSS, and is fully adapted to a component-based development approach.
Why Use Bedrock in WordPress Projects?
Security by Design
One of the main reasons developers adopt Bedrock is its architecture-level focus on security.
What makes Bedrock more secure:
- The wp-config.php file and the WordPress core (wp/) are moved outside the public web directory (web/), making it much harder for attackers to access sensitive system files — unlike in a standard WordPress installation.
- All sensitive data — such as database credentials, API keys, and SMTP settings — is stored in the .env file, which is not included in version control and never exposed to the browser.
This approach aligns WordPress with the security standards commonly used in modern frameworks like Laravel, Symfony, and others.
Reliable Deployment and Version Control
Bedrock is ideal for teams and developers who want to treat WordPress like real software.
- All project dependencies — WordPress core, themes, and plugins — are managed via Composer and locked in composer.lock. This ensures that everyone on the team and every server is running the exact same versions, with no manual updates needed.
- The project is fully version-controlled via Git, allowing you to create branches, track changes, and safely roll back when needed.
- Deployments can be automated — build, test, and push to staging or production using CI/CD pipelines.
This removes the chaos of “we updated a plugin and everything broke” — because the entire workflow is structured and reproducible.
Consistency Across Environments
Bedrock makes working across multiple environments (development, staging, production) transparent and predictable.
- All configuration values are stored in a .env file, allowing you to define different settings for different servers — without touching the codebase.
- Database credentials, debug mode, domain names, and path settings are all managed via environment variables, not hardcoded logic.
- This eliminates the classic problem: “It works on my machine, but not on production.” With Bedrock, environments are configured consistently — improving testing reliability and deployment confidence.
Scalable Team Collaboration
If you’re working in a team, Bedrock provides structure and predictability that’s hard to achieve with a traditional WordPress setup.
- All dependencies and configurations are explicitly defined in the project. No more “It broke because someone had a different plugin version.
- Any developer can clone the repository, run composer install, and get a fully working copy of the site — with the exact same setup.
- Git + Composer make team workflows possible: code reviews, CI/CD, automated testing, staging previews, and more.
This makes Bedrock an excellent foundation for agencies, product teams, and freelancers looking to level up their WordPress development process.
When Not to Use Bedrock
Despite its clear advantages, Bedrock isn’t a one-size-fits-all solution. In some cases, it may introduce unnecessary complexity or simply not align with the project format.
Requires Technical Skills
Bedrock is designed for developers who are comfortable working with Composer, Git, and the command line (CLI).
If you:
- Are unfamiliar with terminal tools
- Have never run composer install
- Worry about breaking your .env file
…it’s better to start with a more traditional setup and switch to Bedrock later, as your technical confidence grows.
No In-Dashboard Theme or Plugin Installation
One of the core principles of Bedrock is removing the ability to install or update themes and plugins from the WordPress admin panel.
Everything is managed via Composer. This means:
- No more “one-click install” from the dashboard
- Every update is done through the terminal
- You can’t hand off the site to a client who expects the standard WordPress interface
For developers, this is a win. But for non-technical site owners, it can be a dealbreaker.
Not Ideal for Quick or Visual-Builder Projects
If you’re working on:
- A one-page site built with Elementor in a few hours
- A last-minute freelance job with tight deadlines
- A project with no version control or structural requirements
Then Bedrock may be overkill.
It introduces an engineering layer that makes perfect sense for team-based, scalable, or production-grade development — but not for “quick-and-dirty” builds using visual tools.
Bedrock is a powerful tool — but it’s not for every project.
It’s a deliberate choice toward structure, stability, and automation — and it comes with a learning curve. But if you’re ready to adopt that mindset, it opens the door to a whole new level of working with WordPress
Real-World Use and Developer Opinions
Who Uses Bedrock
Bedrock is popular among:
- Freelancers who work with Git and Composer and want full control over their codebase
- Web studios and digital agencies that prioritize process consistency, version control, and environment reproducibility
- In-house product teams, where WordPress is part of a larger stack (e.g., headless or API-first architecture)
This tool is typically chosen by developers who treat WordPress not just as a CMS, but as a stable, scalable web application platform.
Where Bedrock Shines
- eCommerce projects — where plugin updates and deployments via Git/Composer reduce the risk of breaking the checkout process
- Multisite setups — one repo, many sites, with separate environments and configs
- Headless or API-first builds — where WordPress powers content, but the frontend is built in React, Vue, or Nuxt
- CI/CD-based deployments — with GitHub Actions, GitLab CI, Bitbucket Pipelines, or other DevOps tools
Bedrock isn’t mainstream in the WordPress ecosystem, but it has become the de facto standard for developers using WordPress in serious engineering environments — with Git, Composer, automation, and infrastructure as code.
Developer Opinions on Bedrock
Reddit: Developers on Reddit often highlight how Bedrock brings modern app architecture to WordPress and simplifies environment management:
“I use Bedrock and love it. Makes managing multiple environments (dev, staging, prod) way easier, keeps my git repositories lean, and I’ve wrapped the composer update and WP-CLI update into a single command I can run, commit, deploy. Easy.“
— r/WordPress
Teams appreciate how centralized management via Git and Composer makes collaboration more organized and reliable.
GitHub: The official Bedrock repository on GitHub has over 6.4k stars and is actively maintained. The project is influenced by the Twelve-Factor App methodology — a sign of its commitment to application-level architecture principles, including environment separation, version control, and dependency management.
Upsun blog: Bedrock solves the chaos found in standard WordPress projects by offering a more structured, secure, and scalable approach. It significantly simplifies life for developers, especially in team-based projects.
LinkedIn article: Describes how traditional WordPress development complicates working with Git, while Bedrock with Composer makes version control easier, reduces repository size, and simplifies updates. This gives developers more control and lets them focus on code instead of manually managing plugins.
Roots Discourse: In the developer community, Bedrock is noted for its logical and well-thought-out structure, though users also point out that it requires technical skills to use comfortably.
Bedrock vs Traditional WordPress
To understand how Bedrock differs from a standard WordPress installation, it’s enough to look at a few key areas: dependency management, folder structure, configuration handling, and security.
Below is a quick comparison across the main aspects:
Bedrock vs Traditional WordPress (Comparison Table)
Feature | Traditional WP | Bedrock |
Theme/plugin management | In dashboard | Through Composer |
Folder structure | Mixed / flat | Clean, separated |
Configuration per env | Manual per site | .env-based |
Version control | Partial | Full (Git + Composer) |
Security (file exposure) | Core in web root | Core outside web root |
How to Read This Table:
Theme/plugin management:
In traditional WordPress, themes and plugins are installed via the admin panel. In Bedrock, everything is managed through composer.json — this is safer and more convenient for team workflows.
Folder structure:
A standard WordPress setup mixes everything in the root folder. Bedrock separates the core (wp/), user code (web/app/), configuration (config/), and dependencies (vendor/), making the project cleaner and more maintainable.
Configuration per environment:
In classic WordPress, settings are hardcoded into wp-config.php. In Bedrock, they are moved to the .env file, which simplifies switching between dev, staging, and production environments.
Version control:
In traditional WordPress, Git typically covers only parts of the project. With Bedrock, you can version-control the entire project — including WordPress core and plugins — using Git and Composer for full control.
Security (file exposure):
One major issue with traditional WordPress is public access to system files via the browser.
Bedrock moves core files and configuration outside the web root, reducing the risk of attacks.
This table clearly shows how Bedrock brings WordPress projects closer to the level of a modern software product.
Bedrock is a tool for professional WordPress development.
It replaces chaotic structure with a clean, version-controlled, and maintainable setup. It’s ideal for developers, teams, and agencies using Git, Composer, and staging environments — those who value security, automation, and consistency. However, for beginners or quick client builds without CI/CD, Bedrock may be overkill.
You may also be interested in
How to Use ChatGPT for Search Terms Analysis in Google Ads
Using ChatGPT for Google Ads Campaign effectively doesn’t require advanced technical skills. You just...
SEO vs PPC - Which Strategy Is Better for Your Business?
If you’re promoting your business online, you’ve probably asked yourself: should I invest in SEO or PPC?...
Why You Shouldn’t Host Videos Directly on Your Website - 5 Reasons
Home Why You Shouldn’t Host Videos Directly on Your Website – 5 Reasons Constantin Nacul Digital...
How to Import LinkedIn or Facebook Ad Cost Data into Google Analytics 4
In this step-by-step guide, the DITS.agency team will show you how to import cost data from LinkedIn,...
Zero Search Results: What Your Site Visitors Are Searching For — but Not Finding
Every day, users type in valuable queries — product names, categories, content topics — and get zero...
Why You Should Avoid Using Large Images on Your Website
If image sizes aren’t controlled, that same visual content can turn against you — slowing down the site,...