# WP Sec Adv: WordPress Security Advisories for Composer

If you manage WordPress with Composer, you've probably noticed a gap: `composer audit` works great for PHP packages on Packagist, but it has no awareness of WordPress plugin and theme vulnerabilities. [WP Sec Adv](https://github.com/typisttech/wpsecadv) was built to bring security advisory support to WordPress packages installed via Composer.

WP Sec Adv is a Composer repository that serves WordPress security advisories sourced from the [Wordfence Intelligence](https://www.wordfence.com/help/wordfence-intelligence/v3-accessing-and-consuming-the-vulnerability-data-feed/) vulnerability feed.

Once configured, WP Sec Adv integrates with Composer:

- `composer audit` reports known vulnerabilities in your installed WordPress packages
- `composer require` and `composer update` will automatically block installation of packages with known vulnerabilities
- Advisories include CVEs, severity ratings, and links to detailed vulnerability reports

The advisory data updates twice daily from Wordfence.

## Getting started

Add the repository to your project:

```
composer repo --append add wpsecadv composer https://repo-wpsecadv.typist.tech
```

Composer will now check for WordPress vulnerabilities during `install`, `require`, `update`, and `audit`.

![](https://roots.io/app/uploads/wpsecadv-example-1024x677.png)

## Package support

WP Sec Adv matches advisories to Composer packages by their slug. Some of the vendors supported out of the box:

- [WordPress plugins and themes Composer packages](https://wp-packages.org/)
- [WordPress core Composer packages](https://wp-packages.org/wordpress-core)

Packages from an unrecognized vendor are still matched against known plugin and theme slugs, so custom mirrors and private registries work too.

## Ignoring advisories

Not every advisory requires immediate action. Composer lets you acknowledge and suppress specific advisories with documented reasons:

```
{
  "config": {
    "audit": {
      "ignore": {
        "CVE-2026-3589": {
          "apply": "block",
          "reason": "Waiting for upstream fix in v1.2.3. Allow during updates but still report in audits"
        }
      }
    }
  }
}
```

This keeps your security posture intentional rather than reactive — every exception is tracked and reviewable.

## CI integration

WP Sec Adv pairs well with automated workflows. A simple GitHub Actions step can audit your lockfile on every push:

```
- name: Audit
  run: composer audit --locked
```

This gives you continuous vulnerability monitoring with no additional tooling.
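As an added example (not code from WP Sec Adv, Composer or the original post) that ties the ignore list above to the CI step: a small Python script that cross-checks `composer audit --locked --format=json` output against `config.audit.ignore`, failing the build on advisories no entry covers and flagging ignore entries that carry no reason or no longer match anything. Field names follow Composer's audit JSON output; the `ignored-advisories` key is assumed to be present whenever suppressed advisories exist, and every package name, id, date and link below is constructed.

```python
import json

# Constructed sample of `composer audit --locked --format=json` output.
# Package names, advisory ids, CVE numbers, dates and links are made up.
AUDIT_OUTPUT = json.loads("""{
  "advisories": {
    "example-vendor/example-gallery": [
      {"advisoryId": "EXAMPLE-ADV-1", "packageName": "example-vendor/example-gallery",
       "affectedVersions": "<2.0.1", "title": "Example Gallery <2.0.1 - Stored XSS",
       "cve": "CVE-0000-00001", "link": "https://example.invalid/adv/1",
       "reportedAt": "2026-01-10 00:00:00", "severity": "medium"}
    ]
  },
  "ignored-advisories": {
    "example-vendor/example-form": [
      {"advisoryId": "EXAMPLE-ADV-2", "packageName": "example-vendor/example-form",
       "affectedVersions": "<1.2.3", "title": "Example Form <1.2.3 - CSRF",
       "cve": "CVE-2026-3589", "link": "https://example.invalid/adv/2",
       "reportedAt": "2026-02-01 00:00:00", "severity": "low"}
    ]
  }
}""")

# Constructed `config.audit.ignore` map, in both shapes Composer accepts:
# a bare reason string, or an object carrying the reason (as on this page).
IGNORE_CONFIG = {
    "CVE-2026-3589": {"apply": "block", "reason": "Waiting for upstream fix in v1.2.3"},
    "CVE-0000-00009": "",
    "EXAMPLE-ADV-7": {"apply": "block"},
}

def _ids(adv):
    """Identifiers an ignore entry may reference: the CVE or the advisory id."""
    return {i for i in (adv.get("cve"), adv.get("advisoryId")) if i}

def review_exceptions(audit, ignore):
    """Return blocking (uncovered) advisories, undocumented and stale ignore entries."""
    ignored, seen, blocking = set(ignore), set(), []
    for section in ("advisories", "ignored-advisories"):
        for pkg, advs in audit.get(section, {}).items():
            for adv in advs:
                ids = _ids(adv)
                seen |= ids
                if section == "advisories" and not ids & ignored:  # nothing excuses it
                    blocking.append(f"{pkg}: {adv.get('cve') or adv['advisoryId']} ({adv.get('severity', 'unknown')})")
    undocumented = [k for k, e in ignore.items()
                    if not str(e if isinstance(e, str) else (e or {}).get("reason", "")).strip()]
    stale = [k for k in ignore if k not in seen]  # no current advisory matches; review for removal
    return {"blocking": blocking, "undocumented": undocumented, "stale": stale}

if __name__ == "__main__":
    result = review_exceptions(AUDIT_OUTPUT, IGNORE_CONFIG)
    for kind, items in result.items():
        print(f"{kind}: {items}")
    raise SystemExit(1 if result["blocking"] else 0)
```

In a pipeline, replace the two constants with the parsed audit output and the `config.audit.ignore` object read from composer.json; a non-zero exit fails the job.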

## Why this matters

The WordPress ecosystem has historically been disconnected from the broader PHP security toolchain. If you use Bedrock or any other Composer-based WordPress setup, your PHP dependencies get audited, but your [WordPress-based Composer packages](https://wp-packages.org/) have been a blind spot.

WP Sec Adv closes that gap: it takes the same vulnerability data that powers Wordfence and makes it available to WordPress developers using Composer.

Check out the project on [GitHub](https://github.com/typisttech/wpsecadv) and add the repository to your projects. If you'd like to support Tang Rufus's work, you can [sponsor him on GitHub](https://github.com/sponsors/tangrufus).