
WP Sec Adv: WordPress Security Advisories for Composer

Ben Word

If you manage WordPress with Composer, you’ve probably noticed a gap: composer audit works great for PHP packages on Packagist, but it has no awareness of WordPress plugin and theme vulnerabilities. WP Sec Adv was built to bring security advisory support to WordPress packages installed via Composer.

WP Sec Adv is a Composer repository that serves WordPress security advisories sourced from the Wordfence Intelligence vulnerability feed.

Once configured, WP Sec Adv integrates with Composer:

  • composer audit reports known vulnerabilities in your installed WordPress packages
  • composer require and composer update will automatically block installation of packages with known vulnerabilities
  • Advisories include CVEs, severity ratings, and links to detailed vulnerability reports

The advisory data updates twice daily from Wordfence.

Getting started

Add the repository to your project:

composer repo --append add wpsecadv composer https://repo-wpsecadv.typist.tech

Composer will now check for WordPress vulnerabilities during install, require, update, and audit.

Package support

WP Sec Adv matches advisories to Composer packages by their slug. Some of the vendors supported out of the box:

Any unrecognized vendor will still attempt to match against known plugin and theme slugs, so custom mirrors and private registries work too.

Ignoring advisories

Not every advisory requires immediate action. Composer lets you acknowledge and suppress specific advisories with documented reasons:

{
  "config": {
    "audit": {
      "ignore": {
        "CVE-2026-3589": {
          "apply": "block",
          "reason": "Waiting for upstream fix in v1.2.3. Allow during updates but still report in audits"
        }
      }
    }
  }
}

This keeps your security posture intentional rather than reactive — every exception is tracked and reviewable.

CI integration

WP Sec Adv pairs well with automated workflows. A simple GitHub Actions step can audit your lockfile on every push:

- name: Audit
  run: composer audit --locked

This gives you continuous vulnerability monitoring with no additional tooling.
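As an added example (not part of the original post or the WP Sec Adv project), here is a small Python CI gate that ties the two previous sections together: it reads the ignore block from composer.json and the JSON form of composer audit output, treats advisories that are ignored with a documented reason as acknowledged, and fails only on unacknowledged high or critical findings. The field names in the constructed audit output are assumed from Composer's JSON layout; the package names and the second CVE are made-up placeholders.

```python
import json

# Constructed composer.json fragment, same shape as the post's "Ignoring advisories" block.
COMPOSER_JSON = """{"config": {"audit": {"ignore": {
  "CVE-2026-3589": {"apply": "block", "reason": "Waiting for upstream fix in v1.2.3"}
}}}}"""

# Constructed stand-in for `composer audit --format=json` output (field names assumed
# from Composer's JSON layout; package names and CVE-0000-0000 are placeholders).
AUDIT_JSON = """{"advisories": {
  "wpackagist-plugin/example-gallery": [
    {"advisoryId": "EXAMPLE-1", "cve": "CVE-2026-3589", "severity": "medium",
     "affectedVersions": "<1.2.3", "title": "Stored XSS in gallery captions"}],
  "wpackagist-theme/example-theme": [
    {"advisoryId": "EXAMPLE-2", "cve": "CVE-0000-0000", "severity": "high",
     "affectedVersions": "<2.0.0", "title": "Arbitrary file read"}]
}, "abandoned": {}}"""


def load_ignores(composer_json: str) -> dict:
    """Return {advisory id: reason} for ignore entries that carry a non-empty reason.
    Handles both the id -> reason map and the id -> {apply, reason} object form
    shown in the post; an entry without a reason is not an acknowledged exception.
    """
    cfg = json.loads(composer_json)
    ignore = cfg.get("config", {}).get("audit", {}).get("ignore", {})
    acknowledged = {}
    for adv_id, entry in ignore.items():
        reason = entry.get("reason") if isinstance(entry, dict) else entry
        if isinstance(reason, str) and reason.strip():
            acknowledged[adv_id] = reason
    return acknowledged


def triage(audit_json: str, ignores: dict) -> dict:
    """Split reported advisories into acknowledged (ignored with a reason) and open."""
    report = {"acknowledged": [], "open": []}
    for package, advisories in json.loads(audit_json)["advisories"].items():
        for adv in advisories:
            ids = {adv.get("advisoryId"), adv.get("cve")} - {None}
            item = {"package": package, "cve": adv.get("cve"), "severity": adv.get("severity")}
            bucket = "acknowledged" if ids & set(ignores) else "open"
            report[bucket].append(item)
    return report


def gate(audit_json: str, composer_json: str, fail_on=("high", "critical")) -> int:
    """CI exit status: 1 when any open (unacknowledged) advisory is at a failing severity."""
    report = triage(audit_json, load_ignores(composer_json))
    return 1 if any(a["severity"] in fail_on for a in report["open"]) else 0
```

In a pipeline you would feed `composer audit --locked --format=json` output and the project's composer.json into gate() and use its return value as the step's exit code.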

Why this matters

The WordPress ecosystem has historically been disconnected from the broader PHP security toolchain. If you use Bedrock or any other Composer-based WordPress setup, your PHP dependencies get audited, but your WordPress-based Composer packages have been a blind spot.

WP Sec Adv closes that gap.

WP Sec Adv takes the same vulnerability data that powers Wordfence and makes it available for WordPress developers using Composer.

Check out the project on GitHub and add the repository to your projects. If you’d like to support Tang Rufus’s work, you can sponsor him on GitHub.


About the author

Ben Word

Ben Word has been creating WordPress sites since 2004. He loves dogs, climbing, and yoga, and is passionate about helping people build awesome things on the web.
