# Private or Commercial WordPress Plugins as Composer Dependencies

**URL:** https://discourse.roots.io/t/private-or-commercial-wordpress-plugins-as-composer-dependencies/13247
**Category:** bedrock
**Tags:** guide
**Created:** 2018-08-02T19:04:58Z
**Posts:** 30

## Post 1 by @MWDelaney — 2018-08-02T19:04:58Z

Originally published at: [https://roots.io/bedrock/docs/guides/private-or-commercial-wordpress-plugins-as-composer-dependencies/](https://roots.io/bedrock/docs/guides/private-or-commercial-wordpress-plugins-as-composer-dependencies/)  
   
Bedrock (and by extension Trellis) uses Composer to manage its dependencies, which includes WordPress themes and plugins. This is great for version control as many WordPress plugins are easily available via WordPress Packagist, but what happens when you need to add a private, commercial, or paid plugin to your site? This guide will explain a…

---

## Post 2 by @ThatGuySam — 2019-03-23T17:58:09Z

> **Note:** We recommend hosting private and commercial plugins in private Git repositories. GitHub [offers private repositories](https://github.com/pricing) at affordable prices and BitBucket includes them in its [limited free plan](https://bitbucket.org/product/pricing). The following guide assumes you’re using a GitHub private repository.

You may have heard: Github now offers free private repos.

---

## Post 3 by @RistoKaalma — 2019-05-19T10:01:18Z

What is the most convenient way to update a **private Git repository** plugin?

I mean when you decide to manage the versioning for a particular private plugin yourself, what is the process for adding a new version to git repo? I’v done some research on Google but can’t really figure it out.

Right now I just pull the latest version from git repo, manually delete all files except .git folder and composer.json file, download the zip for a new (particular version), paste the files to the plugin folder, git add \*, git commit, git tag and git push --tags. Can I do it better?

---

## Post 4 by @MWDelaney — 2019-05-19T11:25:39Z

This is covered in [the guide](https://roots.io/guides/private-or-commercial-wordpress-plugins-as-composer-dependencies/) on this subject. Check out the “tag the release” section.

---

## Post 5 by @TangRufus — 2019-05-19T11:45:17Z

`$ npx @itinerisltd/composify --vendor=<github-username> --name=gravityforms --zip=<the-signed-s3-url>`

see: [https://github.com/ItinerisLtd/composify#readme](https://github.com/ItinerisLtd/composify#readme)

---

## Post 6 by @trainoasis — 2019-06-14T12:30:03Z

I have a minor issue it seems: when trying to change the version in composer.json, it still pulls the first tag (v5.8.0) whereas I would expect it to pull v5.8.1.

In my composer.json:

`"myrepo/advanced-custom-fields-pro": "5.8.*"`

I see two tags in remote repo, v5.8.0 and v5.8.1

When I run `composer install` (or update) it pulls version 5.8.0. (even with `composer clear-cache` it still says`Installing myrepo/advanced-custom-fields-pro (v5.8.0): Cloning 34df65110d from cache`

Why would that be? I was thinking it pulls the version by tags. Tried helping myself with this [SO question](https://stackoverflow.com/questions/39974833/composer-the-requested-package-exists-as-but-these-are-rejected-by-your-constr). Tried playing around with different settings but to no avail unfortunately. Any help appreciated.

---

## Post 7 by @ng3 — 2019-06-14T12:34:29Z

What’s in the `repositories` section of your `composer.json`? Does `myrepo` have the 5.8.1 release?

---

## Post 8 by @trainoasis — 2019-06-14T12:51:27Z

In `repositories` section I have

```
"repositories": [
    {
      "type": "composer",
      "url": "https://wpackagist.org"
    },
    {
      "type": "vcs",
      "url": "git@bitbucket.org:myrepo/advanced-custom-fields-pro.git"
    }
  ],
```

and I never fiddled with releases, just tags. Not sure BitBucket even has releases such as GitHub. So It has two tags, v5.8.0 and v5.8.1. So this is expected not to work with tags only?

PS: **solved it**! I did not have composer.json and .lock files in GIT repo, seems this was the issue. Thank you! Glad this works with just tags :slight_smile:

---

## Post 9 by @cjezowicz — 2019-11-08T00:08:31Z

I’m trying to use this method to install WPForms and I can’t tell if I’m having issues with composer, WPForms, or a combination of the two. When I run `composer update` from the bedrock root it successfully downloads the files but when I enable the plugin I get a bunch of warnings and errors about missing classes:

```
Fatal error: Uncaught Error: Class 'WPForms\Admin\Pages\Community' not found in /srv/www/domain.com/current/web/app/plugins/wpforms/includes/admin/class-menu.php on line 142
Error: Class 'WPForms\Admin\Pages\Community' not found in /srv/www/domain.com/current/web/app/plugins/wpforms/includes/admin/class-menu.php on line *142*
```

Before I didn’t have the vendor directory checked in and was getting Autoload errors. Any help would be appreciated.

---

## Post 10 by @szepeviktor — 2020-02-21T10:16:34Z

Now you can install Envato Marketplace (ThemeForest‎‎, CodeCanyon) products (themes, plugins) as Composer packages.  
[https://packagist.org/packages/szepeviktor/composer-envato](https://packagist.org/packages/szepeviktor/composer-envato)

All the best!

---

## Post 11 by @ethanclevenger91 — 2020-02-25T01:47:16Z

@szepeviktor funny timing - I’ve just been working on something similar. Mine is a hosted solution that also solves for versioning. I’m looking for beta testers. Shoot me a message if you’d like to put it through its paces.

---

## Post 12 by @szepeviktor — 2020-02-25T11:06:38Z

I think PMs are not available for me

![kép](https://discourse.roots.io/uploads/default/original/2X/9/9949b2c19943cea297f4eb44f99bf25050b075fe.png)

my email address is [viktor@szepe.net](mailto:viktor@szepe.net)

---

## Post 13 by @mikesale — 2020-04-05T00:08:11Z

Am I mistaken, or are the following correct about the scope of the article?

1. One repo for one plugin
2. plugin is unzipped and commited in that format

---

## Post 14 by @ben — 2020-04-06T02:17:55Z

Yep, that’s the intended structure :+1:

---

## Post 15 by @tomkeysers — 2020-05-01T18:13:16Z

I just set up my bedrock with some private plugins according to the guide the op shared, and it’s working well.  
BUT my concern is now how I deal with those private plugins, which have an own repo logically, while I’m still developing them.

Creating some edits in a plugin and pushing this to itss repo, now leaves me with having to ‘composer update’ my bedrock repo to the newest plugin version I just pushed, right? But if I do that, my local private plugin repo is kinda f\*cked. I’m sure that can’t be the right way… But what is?

TL;DR: What is the recommended way of dealing with private plugin repo’s inside of a bedrock repo, while still developing those plugins?

---

## Post 16 by @ethanclevenger91 — 2020-05-14T17:46:37Z

Those repos should be on GitHub/BitBucket and referenced as custom repositories in your Bedrock project’s `composer.json`. [Docs here.](https://getcomposer.org/doc/05-repositories.md#loading-a-package-from-a-vcs-repository) If you have your SSH keys set up properly to push to those private repos, Composer should have no problem installing from them.

If you go to production/staging like that and try running `composer install`, you’ll have to also provide that server with a way to authenticate against GitHub/BitBucket as well. [Like this.](https://getcomposer.org/doc/06-config.md#github-oauth)

---

## Post 17 by @Steve_de_Niese — 2021-08-05T07:43:43Z

When I set up my own custom repos to pull from bitbucket, composer is cloning them in, with their git files and everything.

When I try to run composer update, this is creating some issues where the filemode setting on the plugins is making it think the files have been changed and preventing composer from running updates.

Is there a way to make it pull my private vcs bitbucket repos WITHOUT the git files?

---

## Post 18 by @sabelapaulo — 2022-02-04T01:00:59Z

**EDIT** : After hours of trying to figure out what was wrong, I solved the following problem. I made a typo (in my username!) in the composer.json _in the GitHub repo_. This seems kind of silly, but I’ll leave this up, embarrassing as it is, as the “name” field in the composer.json of the repo needs also to be an exact match which makes sense. I didn’t think to look there until hours went by.

Also, just so anyone else reading this in the future the tags work, and are great, but you can also use “dev-master” or any branch you choose to pull the latest if you don’t feel like using the tags.

* * *

Hmm… I do appreciate the guide and this is exactly what I’m looking for.

I’ve been following the instructions and started over several times so far though with no luck.

I keep getting stuck with this error:

```
$ composer update
Loading composer repositories with package information
Updating dependencies
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - Root composer.json requires sabelapaulo/mytheme, it could not be found in any version, there may be a typo in the package name.

Potential causes:
 - A typo in the package name
 - The package is not available in a stable-enough version according to your minimum-stability setting
   see <https://getcomposer.org/doc/04-schema.md#minimum-stability> for more details.
 - It's a private package and you forgot to add a custom repository to find it

Read <https://getcomposer.org/doc/articles/troubleshooting.md> for further common problems.
```

There are no typos and the repo is in repositories as instructed. The minimum stability is “dev”. As for the version, I tagged and released 1.0.0, but wasn’t able to get this exact (1.0.0), nor ^1.0, nor even “dev-master” to work.

I also tried composer require from the command line. Same results.

I’m using composer 2 if that matters.

Anyone have any ideas what I might be doing wrong?

---

## Post 19 by @MWDelaney — 2022-02-05T14:45:06Z

I have done this at least twice; once when I didn’t know better (as you did here) and at least once more when I thought I was being super clever. Nice job troubleshooting. You fixed it.

---

## Post 20 by @o0MSK0o — 2022-06-06T22:32:14Z

How do you deal with the `Your GitHub credentials are required to fetch private repository metadata ` message that comes with private repositories?

---

## Post 21 by @strarsis — 2022-06-06T23:29:32Z

Configure `composer` to use a GitHub auth token:

> **[Authentication for privately hosted packages and repositories - Composer](https://getcomposer.org/doc/articles/authentication-for-private-packages.md#github-oauth)**
>
> A Dependency Manager for PHP

---

## Post 22 by @M-Hoogie — 2022-12-05T16:49:24Z

Is this topic still up-to-date/recommended? Unfortunately I seem to be unable to expand the top post. Network tab says: `{"errors":["There was an error loading that post."]}`

---

## Post 23 by @ben — 2022-12-05T16:55:54Z

Sorry about that! Our guides are temporarily offline while we’re re-organizing our site and docs

~~In the meantime you can reach it from the archive~~

This guide is still relevant/applicable if you’re wanting to use a private git repo for a WP plugin and pull it into your project

**Update: This guide is back on our site at [Private or Commercial WordPress Plugins as Composer Dependencies | Bedrock Docs | Roots](https://roots.io/bedrock/docs/guides/private-or-commercial-wordpress-plugins-as-composer-dependencies/)**

---

## Post 24 by @xolotl — 2023-02-21T03:18:58Z

The private WordPress plugin I was hoping to add using a private GitHub repository has it’s own composer.json file at its root which would conflict with the composer.json file I would add following the guide: [Private or Commercial WordPress Plugins as Composer Dependencies | Bedrock Docs | Roots](https://roots.io/bedrock/docs/private-or-commercial-wordpress-plugins-as-composer-dependencies/)

I haven’t seen documentation for composer that suggests how to handle this situation.

---

## Post 25 by @xolotl — 2023-02-24T21:43:36Z

In case it’s of help to anyone else, I was able to resolve my issue as follows. I’ll note that I thought I would have to create my own private GitHub repository for the plugin I wanted to include as a dependency because I thought it was private, but it turned out that the plugin has its own public GitHub repository, and so I’m not sure if the resolution here would help with a private dependency (it might!).

Thanks to Daggerhart Lab for providing [this guide](https://www.daggerhartlab.com/composer-how-to-use-git-repositories/), which set me on the right track. Essentially, I was able to include this buddyboss-platform WordPress plugin as a dependency in a local WordPress installation using default Bedrock even though the plugin already has a composer.json file in its own root by treating it as a “package” of “type” wordpress-plugin. I’ll post the relevant part of my local composer.json below so you can see how it worked following Daggerhart’s guide.

```
"repositories": [
    {
      "type": "composer",
      "url": "https://wpackagist.org",
      "only": ["wpackagist-plugin/*", "wpackagist-theme/*"]
    },
    {
      "type": "package",
      "package": {
        "name": "buddyboss/buddyboss-platform",
        "version": "2.2.7",
        "type": "wordpress-plugin",
        "source": {
          "url": "https://github.com/buddyboss/buddyboss-platform.git",
          "type": "git",
          "reference": "2.2.7"
        }
      }
    }
  ],
  "require": {
    "php": ">=7.4",
    "composer/installers": "^2.2",
    "vlucas/phpdotenv": "^5.5",
    "oscarotero/env": "^2.1",
    "roots/bedrock-autoloader": "^1.0",
    "roots/bedrock-disallow-indexing": "^2.0",
    "roots/wordpress": "6.1.1",
    "roots/wp-config": "1.0.0",
    "roots/wp-password-bcrypt": "1.1.0",
    "wpackagist-theme/twentytwentythree": "^1.0",
    "buddyboss/buddyboss-platform": "2.2.7"
  },
```

---

## Post 26 by @ethanclevenger91 — 2023-03-13T22:19:45Z

At the risk of self-promotion, the recommended solution in this guide can be time-consuming to maintain, so I built [this repository template](https://github.com/sterner-stuff/private-wordpress-plugin-composer-provider) that uses GH Actions to keep your mirror up-to-date.

---

## Post 27 by @MWDelaney — 2023-03-14T13:13:52Z

This looks super cool, thank you!

---

## Post 28 by @MWDelaney — 2023-03-14T21:57:39Z

Hey man, I took a stab at the EDD challenge using your method and SearchWP, and ran into some road blocks. It seems that to get the EDD package link using the method [you mentioned](https://github.com/sterner-stuff/private-wordpress-plugin-composer-provider/issues/11), we would need either the exact entry name as it appears in the EDD admin, or the WordPress object ID, neither of which seems readily available from the front-end.

I tried `searchwp` as the entry name, but that gives me the final version of SearchWP 3, not SearchWP ^4 like I want.

If there’s some way to glean EDD’s ID for the file from the front-end, this is ready to work, otherwise maybe we could contact the SearchWP and FacetWP teams and ask for this detail?

---

## Post 29 by @ethanclevenger91 — 2023-03-14T22:24:45Z

Submit an in progress pull request and we can continue discussion there. Have you attempted to hit the REST API on those sites? It’s possible the EDD post type is public, which would give you the ID.

---

## Post 30 by @MWDelaney — 2023-03-30T20:52:33Z

I’m continuing to poke away at automatically updating private mirrors of premium plugins using @ethanclevenger91’s GitHub Actions method above, and I’ve hit a wall with WooCommerce addons.

If anyone knows how WooCommerce handles authorizing downloads and wants to take a look at this, that would be a great help! Meanwhile I’ll keep pushing.
