# Composer HTTP Basic Authentication

Many paid WordPress plugins also offer Composer support. Typically, this is accomplished by adding the plugin repository to your composer.json file:

"repositories": [

The actual plugin download is protected behind a basic HTTP authentication layer. This allows the plugin developer to restrict access to the plugin via Composer by a username/password combination. The basic authentication credentials are stored in an auth.json file.

    "http-basic": {
        "example.com": {
            "username": "{COMPOSER_HTTP_USERNAME}",
            "password": "{COMPOSER_HTTP_PASSWORD}"

However, when using such plugins in a Trellis project, it is generally considered bad practice to implement this via deploy hooks or adding the auth.json to your version control.

Trellis now supports HTTP basic authentication for multiple Composer repositories, via the Ansible Vault functionality, on a per environment configuration.

# group_vars/<env>/vault.yml

      - { hostname: example.com, username: COMPOSER_HTTP_USERNAME, password: COMPOSER_HTTP_USERNAME }

Multiple private Composer repositories can be configured in this way.

This functionality does have a few requirements

  • The passwords should not be stored as plain text, as described in the Vault documentation
  • The password cannot be null, or an empty string
  • Currently, only HTTP basic authentication is supported