Automate WordPress and Plugin Updates with Composer

Managing WordPress and WordPress plugins with Composer means that your project is locked onto specific versions and that updates can’t be made from the WordPress admin.

Bedrock, and other stacks that use Composer with WordPress, allow developers to manage WordPress and WordPress plugins as dependencies that are tracked in version control. If you make an update that breaks your site, reverting your changes is able to be done very quickly.

While this offers a lot of benefits, the downside is that core and plugin updates can take a little more work which can become tedious the more WordPress websites you manage. Do you script Composer updates to all your sites? Do you manually make the updates? Both of those solutions are typically performed once you’ve determined what needs to be updated, rather than being triggered when a new update is released.

Automated Composer dependency updates is an automated dependency update service, similar to Greenkeeper and Renovate. has something the other services don’t offer: support for PHP dependencies managed by Composer. monitors your repositories for updates and then submits pull requests with updates to the composer.json and composer.lock files with the latest versions of your dependencies. bot automatically updating WordPress

The configuration for allows you to determine which versions (major vs minor) to automatically update for each of your dependencies. bot automatically updating WordPress plugins

After signing up on and enabling the service on your repositories, configuring it is as simple as placing a file called dependencies.yml in the root of your repository:

# dependencies.yml
# See
version: 2
- type: php
  path: / # /site for a Bedrock & Trellis site
    - name: "roots/wordpress"
      versions: "Y.Y.Y"
    - name: ".*"
      versions: "L.Y"

If you deploy your WordPress site with a continuous integration workflow, then the updates from pull requests will be automatically deployed once you merge the changes. is a paid service, but the pricing is more than reasonable considering the benefits and time savings that come with not needing to touch your Composer files to make updates:

  • $4.99/mo for 1 repo
  • $19.99/mo for 5 repos
  • $59.99/mo for 20 repos
  • Custom pricing for up to 300 repos

Check out to save yourself some time — especially if you’re an agency or freelancer who manages multiple sites.

* did not ask for or pay for this post. I was looking to automate Bedrock’s WordPress updates and found this service and gave it a shot.

Join the discussion on Roots Discourse

Help support our open-source development efforts

Help grow Roots

Join over 6,000 subscribers on our newsletter to get the latest Roots updates, along with occasional tips on building better WordPress sites.

Looking for WordPress plugin recommendations, the newest modern WordPress projects, and general web development tips and articles?

“Easily the best WordPress email I get.” Colin OBrien

Follow us on Twitter @rootswp

Ready to checkout?