WordPress in Composer: a more stable, reliable & secure website

• Introduction
• What is Composer?
• Why is WordPress in Composer a good idea?
• What are the benefits of using Composer with WordPress?
• How do we use WordPress with Composer?
• Are there any tradeoffs when using Composer?

WordPress is a hugely popular open-source CMS used by companies, charities and individuals of all sizes across the globe. It currently powers 43% of all websites on the internet making it by far the most popular web publishing platform in use today.

Part of WordPress’ popularity is due to its commitment to backwards compatibility. This has however meant that its codebase still reflects many of the best practices and approaches from 2003. In technology terms, almost two decades is like a lifetime and best industry practice and what organisations expect from their website has moved on a long way. WordPress has remained fairly easy to setup using their famous 5 minute install guide, however this isn’t always the case when working with a larger team across multiple environments where maintenance, security and stability are critical.

Ultimately site owners shouldn’t have to care about the underlying technology that powers their website, they just want it to be stable, secure and deliver on the organisation’s aims. Whilst technology can be a powerful enabler it can also unfortunately be a great cause of pain, when not used correctly, and hinder progress.

Common issues

• You experience a bug on the live site but it can’t be easily replicated by your development team so goes unresolved for longer that you’d like
• Your optimistically hit ‘Update’ on plugins and WordPress core in the admin panel of the live site only to find an incompatibility breaks the site
• A team member mistakenly disables a plugin that breaks some/all of your live site

Many of these issues stem from not being able to ensure that specific versions of plugins and WordPress core are being used at any given time.

What is Composer?

Composer is the package management tool for PHP (the programming language that WordPress is written in). It’s designed specifically to allow developers to define interdependencies between packages and to specify compatible versions. That might sound complicated but it basically lets developers create a list of required software versions.

Whilst common across PHP development as a whole the WordPress codebase hasn’t yet caught up to support it directly. Its use with WordPress has become much more common over recent years for reasons we’ll explain below.

Why is WordPress in Composer a good idea?

Your WordPress website is made up of:

1. WordPress core. This is the main WordPress install which contains all the CMS’s mainline functionality. This is versioned and regularly released as open source code.
2. A theme. This is the code that dictates the look and feel and general functionality of your site. Your theme is likely to be highly tailored to your needs and the main brain of your website.
3. One or more plugins. These are packages of code that extend the functionality of WordPress and your website. These typically aim to provide common, reusable functionality such as SEO, caching or forms etc.

Your site is the sum of all these parts and correct operation requires that they all work harmoniously. As the number of plugins increases, so does the complexity of the interdependence between all the moving parts.

The problem

• A theme almost always relies on plugins but how can you be sure you have the right version or that it’s enabled?
• If you find you have the wrong version, it can be hard to install a specific older version of a plugin from the WordPress UI
• New features are added to WordPress regularly but you can’t easily specify the supported versions of WordPress your site requires
• It’s hard to make sure your production, staging and development environments are all using the same versions of plugins and WordPress core so it can be hard to replicate bugs or issues. This can increase time spent diagnosing and subsequently cost more to get a resolution.

Composer to the rescue

As Composer is designed to specify and enforce versions it’s the perfect fit to make sure your WordPress site is always using the right versions of WordPress core and plugins.

Benefits of using Composer with WordPress

• Repeatable environments. As plugin and core versions are all defined in code all your environments will always be exactly the same. This reduces the risk of different behaviour between environments and reduces diagnostic times and costs.
• More reliable and consistent deployments. Deploying to your production and staging environments is now repeatable and consistent. Your developers will never need to use FTP again!
• More resilient to infrastructure failure. If there’s ever an issue with your server you can now easily get back up and running in exactly the same state as before
• Easier maintenance and security. Maintenance updates can be rolled out easily across all environments simultaneously, reducing the risk of missing security updates
• Enables larger teams to work together. Storing versions in code makes it easier for a team of developers to work on your site simultaneously without accidentally overwriting each others work
• Unlocks more automation opportunities. Codified versioning and repeatable builds makes it easier to add additional automation such as:
  • CI/CD
  • Automated security and code quality checking
  • Automated deployments – reducing the need to share secure keys and logins with the whole development team
• Access a wider pool of freely available code. As you’re now using Composer you can also start to rely on the hundreds of thousands of regular open source PHP packages available, including our open source WordPress framework Lumberjack. This wealth of well tested free code packages makes 3rd party integrations with CRM’s, databases and other API’s much easier, reducing the amount of bespoke code your developers need to write and maintain themselves. This in turn reduces the cost of development, increases the speed of delivery and reduces your ongoing technical debt.

By using WordPress in Composer you’re making your site more stable, more secure and easier to maintain over time. You also cut out many of the common issues of running WordPress across multiple environments, reducing non-value adding development overhead and therefore reducing overall ownership cost.

Is there a standard way to use WordPress in Composer?

Fortunately the tooling to achieve a stable WordPress install via Composer is now very mature. The leading way to setup a WordPress site with Composer is via the popular open source project Bedrock. At the time of writing Bedrock has been installed more than 265k times and is regularly maintained.

Bedrock is a standard, well documented approach that means you’re not tied to a niche or proprietary technology setup.

Additionally, once you’re using Bedrock you can also benefit from some complementary open source tooling called Trellis which makes configuring and deploying your website to a live server much more consistent.

Sounds great, what are the downsides?

So you’ve bought into the benefits of WordPress in Composer but thinking there must be a catch? The good news is that WordPress in Composer will have no user experience difference in either the user facing website or the admin portal when compared with a traditionally installed copy of WordPress. You’re also not tied in if you later decide to move back to a traditional install (we bet you won’t!).

As with all technology choices there are a couple of trade-offs to be aware of:

1. When using Composer it’s typical for plugin installation to be disabled in the admin panel. This may initially seem like a limitation but is actually the main benefit that this approach provides. If plugins could be installed and updated in an ad-hoc manner, you’d immediately lose the repeatable and consistent build characteristics that Composer gives you.
2. It may have an impact on how you host your website. Many commodity WordPress hosting providers are not geared up to support Composer and instead rely on the traditional approach, with all the downsides that are described above. If you’re already looking for a robust and stable solution to deploying WordPress this less likely to be an issue as you’re likely already looking for an appropriate hosting solution.