# Testing All checks run inside Docker containers. ```bash docker compose run --rm --no-deps wordpress php -l /opt/azionelab/theme/functions.php docker compose run --rm --no-deps wordpress php -l /opt/azionelab/theme/front-page.php docker compose run --rm --no-deps wordpress php -l /opt/azionelab/azionelab-content.php docker compose run --rm --no-deps proxy nginx -t docker compose -f docker-compose.yml -f docker-compose.test.yml up --build -d db wordpress proxy docker compose -f docker-compose.yml -f docker-compose.test.yml --profile tools run --rm wp-cli /scripts/bootstrap.sh docker compose -f docker-compose.yml -f docker-compose.test.yml --profile test run --build --rm functional-tests docker compose -f docker-compose.yml -f docker-compose.test.yml --profile test run --rm security-tests docker compose config --quiet LETSENCRYPT_ENABLED=1 docker compose config --quiet ``` The normal stack uses host-based bind mounts under `./runtime` by default. The test override replaces database and WordPress state with isolated Docker volumes, maps `azionelab.org` to the internal proxy, and never publishes an extra port. Browser tests cover content and section order, contact actions, mobile overflow/navigation, semantic landmarks, image alternatives, admin routing, security headers, blocked sensitive routes, blocked uploaded PHP requests, and unknown virtual hosts. Security checks also assert that WordPress does not publish host ports and that Apache hardening remains installed in the WordPress image. Subjective visual review and a real-device accessibility audit remain manual release checks.