Composer for WordPress: Package Management Done Right

Q: Can I use Composer with an existing WordPress site?

Yes, though it requires restructuring. You'll need to move to a Composer-managed installation and configure paths correctly. It's easier with new projects, but migration is possible with careful planning.

Q: What about plugins not on Packagist or WPackagist?

You have several options: add the plugin's repository directly to composer.json, create a private Satis repository, use a path repository for local plugins, or as a last resort, manage those specific plugins manually outside Composer.

Q: Does Composer slow down deployment?

Initial setup takes longer, but ongoing deployments are faster and more reliable. Running composer install is quick, and you can optimize with --no-dev and --optimize-autoloader flags for production.

Q: Should I commit vendor directory to git?

Generally no. Commit composer.json and composer.lock, then run composer install during deployment. This keeps your repository clean and ensures reproducible builds. Some hosting environments require vendor in the repo—adjust accordingly.

Overview

Why Composer for WordPress?

Traditional WordPress development means downloading plugins from WordPress.org, uploading via FTP, and hoping everyone on the team has the same versions. It works, but it doesn't scale. Composer changes this fundamentally.

With Composer, your entire WordPress installation—core, plugins, themes—becomes a declared set of dependencies. Version controlled. Reproducible. Professional.

The Problems Composer Solves

"Works on my machine": Lock files ensure identical versions everywhere
Update chaos: Controlled updates with semantic versioning
Deployment uncertainty: Reproducible installations every time
Plugin sprawl: Clear dependency documentation
Team coordination: Everyone installs the same thing

The Mindset Shift

Composer isn't just a tool—it's a different way of thinking about WordPress. Plugins become dependencies with version constraints. Updates become intentional decisions, not automatic surprises. Your site configuration becomes code.

Concepts

Core Concepts

Before diving into implementation, understand these fundamentals:

composer.json

Your project's dependency manifest:

Declares what packages your project needs
Specifies version constraints for each package
Defines autoloading configuration
Contains project metadata and scripts

composer.lock

The exact versions installed:

Records precise versions of all dependencies
Ensures reproducible installations
Should be committed to version control
Updated only when you intentionally change dependencies

Version Constraints

Control which versions are acceptable:

^1.0: Compatible with 1.x (recommended for most cases)
~1.0: Allows patch updates only (1.0.x)
1.0.*: Any 1.0.x version
>=1.0 <2.0: Explicit range
dev-main: Development branch (use cautiously)

Semantic Versioning

Composer assumes packages follow semver: MAJOR.MINOR.PATCH. Major versions may break compatibility, minor versions add features safely, patch versions fix bugs. The ^ operator respects this, allowing minor and patch updates while preventing major version jumps.

Setup

Setting Up Composer for WordPress

There are several approaches to Composer-managed WordPress. Here's the most practical:

Using Roots Bedrock (Recommended)

Bedrock provides a pre-configured Composer structure:

composer create-project roots/bedrock my-project

Bedrock gives you:

WordPress as a Composer dependency
Organized folder structure (web root separation)
Environment-based configuration (.env files)
Better security defaults
Autoloader configuration

Folder Structure

my-project/
├── composer.json
├── composer.lock
├── .env
├── config/
│   ├── application.php
│   └── environments/
├── vendor/
└── web/
    ├── app/
    │   ├── mu-plugins/
    │   ├── plugins/
    │   ├── themes/
    │   └── uploads/
    ├── wp/
    ├── index.php
    └── wp-config.php

Key Configuration Points

Add WPackagist repository
WPackagist mirrors WordPress.org plugins and themes as Composer packages. Add it to your repositories array to access any plugin by name.
Configure installation paths
Tell Composer where to install WordPress plugins and themes using installer-paths configuration.
Set up environment variables
Use .env files for database credentials, salts, and environment-specific settings. Never commit sensitive data.
Configure autoloading
Set up PSR-4 autoloading for your custom code. This enables modern PHP class organization.

Packages

Managing Plugins and Themes

Once set up, managing WordPress plugins becomes straightforward:

Installing Plugins

# Install a plugin from WPackagist
composer require wpackagist-plugin/advanced-custom-fields

# Install a specific version
composer require wpackagist-plugin/wordpress-seo:^20.0

# Install a theme
composer require wpackagist-theme/developer

Updating Plugins

# Update all packages
composer update

# Update specific plugin
composer update wpackagist-plugin/advanced-custom-fields

# Check for available updates
composer outdated

Removing Plugins

composer remove wpackagist-plugin/plugin-name

Premium Plugins

Commercial plugins require additional configuration:

ACF Pro: Available via their Composer repository (requires license key)
Gravity Forms: Requires custom repository setup
WP Migrate DB Pro: Offers Composer support with authentication
Others: May need private Satis repository or manual management

Example composer.json Repositories Section

"repositories": [
    {
        "type": "composer",
        "url": "https://wpackagist.org",
        "only": ["wpackagist-plugin/*", "wpackagist-theme/*"]
    },
    {
        "type": "composer",
        "url": "https://connect.advancedcustomfields.com"
    }
]

Plugin Compatibility

Some plugins assume standard WordPress directory structure. When using Bedrock's modified structure, test thoroughly. Most well-coded plugins work fine, but some may need path adjustments or may not work at all.

Deployment

Deployment Workflow

Composer changes how you deploy WordPress:

Development Workflow

Clone repository
Get the codebase including composer.json and composer.lock.
Run composer install
Installs exact versions from lock file. Everyone gets identical setup.
Configure environment
Set up .env file with local database credentials and settings.
Develop and test
Work on your changes with confidence that dependencies are correct.
Commit changes
Commit code changes and any composer.lock updates.

Production Deployment

# Clone/pull latest code
git pull origin main

# Install production dependencies
composer install --no-dev --optimize-autoloader --no-interaction

# Clear caches if applicable
# Run any database migrations

Deployment Options

Git + Composer on server: Pull code, run composer install
Build artifacts: Run composer locally, deploy built files
CI/CD pipeline: Automated builds and deployments
Platform-specific: Some hosts have Composer integration

composer install

Installs exact versions from composer.lock. Use for deployments and setting up existing projects. Reproducible and fast.

composer update

Resolves dependencies and updates composer.lock. Use when intentionally updating packages. Always review changes before committing.

Custom

Custom Plugin Development

Your custom plugins and themes can also use Composer:

Plugin with Dependencies

Your custom plugin can declare its own dependencies:

{
    "name": "your-company/custom-plugin",
    "type": "wordpress-plugin",
    "require": {
        "php": ">=8.0",
        "monolog/monolog": "^3.0"
    },
    "autoload": {
        "psr-4": {
            "YourCompany\\CustomPlugin\\": "src/"
        }
    }
}

Modern PHP in WordPress

Composer enables modern PHP practices:

PSR-4 autoloading (no more require statements everywhere)
Namespaces for code organization
External library integration
Type declarations and modern syntax

Example: Using a Library in a Plugin

// With Composer autoloading, just use the class
use Monolog\Logger;
use Monolog\Handler\StreamHandler;

$log = new Logger('my-plugin');
$log->pushHandler(new StreamHandler('logs/plugin.log'));
$log->info('Plugin initialized');

Autoloader Loading

Remember to load the Composer autoloader in your plugin. If using Bedrock, it's already loaded. For standalone plugins, include vendor/autoload.php at the appropriate point.

Issues

Common Issues and Solutions

Composer with WordPress isn't without challenges:

Memory Limits

Composer can be memory-hungry:

# Increase memory for composer command
php -d memory_limit=-1 /usr/local/bin/composer install

Slow Updates

Large dependency trees take time:

Use --prefer-dist to download archives instead of cloning
Consider composer install --no-scripts if scripts aren't needed
Run updates locally, commit lock file, install on server

Plugin Update Notifications

WordPress admin shows update notices even for Composer-managed plugins:

Use a plugin to hide update notices for managed plugins
Restrict admin access for non-technical users
Educate team that updates happen via Composer, not admin

File Permissions

Composer-installed plugins may have different permissions:

Ensure web server can read all files
Configure proper ownership during deployment
Some hosts require specific permission setup

Issue	Symptom	Solution
Memory exhausted	Composer crashes	Increase PHP memory limit
Slow updates	Commands take forever	Use --prefer-dist flag
Version conflicts	Requirements couldn't be resolved	Review and adjust constraints
Missing autoloader	Class not found errors	Run composer dump-autoload
File permissions	Permission denied errors	Fix ownership and permissions

Team

Team Adoption

Introducing Composer to a team requires change management:

For Developers

Document the new workflow clearly
Provide example commands for common tasks
Pair program through first few projects
Create troubleshooting guide for common issues

For Non-Technical Team Members

Explain that plugin updates now go through developers
Create process for requesting plugin installations
Clarify that admin update buttons shouldn't be used

For DevOps

Ensure Composer is available in deployment environment
Configure CI/CD pipelines to run composer install
Set up proper caching for vendor directory
Document rollback procedures

The Learning Curve

Composer has a learning curve, but it's a one-time investment. Once your team understands the workflow, WordPress development becomes more predictable and professional. The initial friction pays dividends in reduced deployment issues.

Conclusion

Is Composer Right for Your Project?

Composer isn't necessary for every WordPress project. Consider it when:

Good Fit

Multiple developers on the project
Custom plugin development with external dependencies
Deployment automation requirements
Need for reproducible environments
Professional development workflow expectations

Maybe Not Necessary

Simple sites with few plugins
Solo developer projects
Hosting that doesn't support Composer
Team without PHP/command line experience
Sites managed primarily through WordPress admin

For professional WordPress development, especially in agency and enterprise contexts, Composer has become standard practice. The investment in setup and learning pays off in maintainability, reliability, and team efficiency.

Start with a new project to learn the workflow before attempting to migrate existing sites. Once comfortable, you'll wonder how you managed without it.

Frequently Asked Questions

Can I use Composer with an existing WordPress site?