2016-05-21 #wordpress

Using Composer With WordPress

In this tutorial we're going to investigate using composer as the dependency manager for WordPress.

What Is Composer?

Composer is a dependency manager for PHP which allows you to easily manage any third party libraries within your application. You can specify an exact version you want to use on any of the third party packages. Composer will then look up the tag version of this package and download that version into your application. When developing with WordPress you are dependent on multiple third party libraries for your website to work, things like the core WordPress code and the specific version you're running. Third party plugins from can change the functionality of your website so you're dependent on these running the latest version. This is the reason why composer can be used to manage the updates of your plugins, themes and the core WordPress code on your WordPress site. As this is a dependency manager for PHP you don't have to limit yourself to just WordPress plugins you can use composer to manage generic PHP libraries. Using composer within WordPress will mean when developing the application you don't need to commit any third party libraries to your own source control, reducing any bloat in your project.

Installing Composer

To install composer on Linux or UNIX system follow the instructions on the link below. Install On Linux If you have a Windows system use the following link for instructions on how to install composer. Install On Windows## WordPress Packagist

This is a site that mirrors the plugin and theme directories and allows you to use them as a composer repository. By using WordPress Packagist you can get access to any plugin or theme on from using composer. To use this all you have to do is add this as a new repository in your composer.json file.

    "name": "acme/brilliant-wordpress-site",
    "description": "My brilliant WordPress site",
    "require": {
    "autoload": {
        "psr-0": {
            "Acme": "src/"

To install WordPress core you need to add the repository "johnpbloch/wordpress": "4.5.2" in the require config in composer.

    "require": {
        "johnpbloch/wordpress": "4.5.2",

By adding the extra config you can specify where composer installs packages, allowing you to move WordPress into a different location on your server to help improve the security of your application. The below will install dependencies in these locations: - Must use plugins - web/app/mu-plugins

  • Plugins - web/app/plugins
  • Themes - web/app/themes
  • WordPress core - web/wp

"extra": {
    "installer-paths": {
      "web/app/mu-plugins/{$name}/": ["type:wordpress-muplugin"],
      "web/app/plugins/{$name}/": ["type:wordpress-plugin"],
      "web/app/themes/{$name}/": ["type:wordpress-theme"]
    "wordpress-install-dir": "web/wp"

WordPress Packagist

Bedrock Roots Project

If you're looking at running composer on your WordPress projects the best place I've found to get started is the Bedrock project by Bedrock is a boilerplate for new WordPress development processes with composer used for the dependency management. Some of the features include: - Better folder structure

  • Dependency management with Composer
  • Easy WordPress configuration with environment specific files
  • Environment variables with Dotenv
  • Autoloader for mu-plugins (use regular plugins as mu-plugins)
  • Enhanced security (separated web root and secure passwords with wp-password-bcrypt)


Updating WordPress Plugins

When WordPress needs to update a plugin from the admin area it will require you enter your FTP settings into the admin area. Having FTP enabled like this can be a security loophole on your server so you might be in the situation where this is closed down on some server. This is where using composer can make it very easy to update your plugins. With composer you can login to your server via SSH and run the command

composer update

This will then download the version of the plugin specified in your composer.json file.


Reliable uptime monitoring and instant alerts for any website downtime.

  • Uptime Monitoring
  • Performance Monitoring
  • SSL Certificate Alerts
  • Domain Monitoring
  • DNS Checker
  • XML Sitemap Monitoring