Private or Commercial WordPress Plugins as Composer Dependencies

Configure composer to use a GitHub auth token:

1 Like

Is this topic still up-to-date/recommended? Unfortunately I seem to be unable to expand the top post. Network tab says: {"errors":["There was an error loading that post."]}

Sorry about that! Our guides are temporarily offline while we’re re-organizing our site and docs

In the meantime you can reach it from the archive

This guide is still relevant/applicable if you’re wanting to use a private git repo for a WP plugin and pull it into your project

Update: This guide is back on our site at Private or Commercial WordPress Plugins as Composer Dependencies | Bedrock Docs | Roots

1 Like

The private WordPress plugin I was hoping to add using a private GitHub repository has it’s own composer.json file at its root which would conflict with the composer.json file I would add following the guide: Private or Commercial WordPress Plugins as Composer Dependencies | Bedrock Docs | Roots

I haven’t seen documentation for composer that suggests how to handle this situation.

In case it’s of help to anyone else, I was able to resolve my issue as follows. I’ll note that I thought I would have to create my own private GitHub repository for the plugin I wanted to include as a dependency because I thought it was private, but it turned out that the plugin has its own public GitHub repository, and so I’m not sure if the resolution here would help with a private dependency (it might!).

Thanks to Daggerhart Lab for providing this guide, which set me on the right track. Essentially, I was able to include this buddyboss-platform WordPress plugin as a dependency in a local WordPress installation using default Bedrock even though the plugin already has a composer.json file in its own root by treating it as a “package” of “type” wordpress-plugin. I’ll post the relevant part of my local composer.json below so you can see how it worked following Daggerhart’s guide.

  "repositories": [
      "type": "composer",
      "url": "",
      "only": ["wpackagist-plugin/*", "wpackagist-theme/*"]
      "type": "package",
      "package": {
        "name": "buddyboss/buddyboss-platform",
        "version": "2.2.7",
        "type": "wordpress-plugin",
        "source": {
          "url": "",
          "type": "git",
          "reference": "2.2.7"
  "require": {
    "php": ">=7.4",
    "composer/installers": "^2.2",
    "vlucas/phpdotenv": "^5.5",
    "oscarotero/env": "^2.1",
    "roots/bedrock-autoloader": "^1.0",
    "roots/bedrock-disallow-indexing": "^2.0",
    "roots/wordpress": "6.1.1",
    "roots/wp-config": "1.0.0",
    "roots/wp-password-bcrypt": "1.1.0",
    "wpackagist-theme/twentytwentythree": "^1.0",
    "buddyboss/buddyboss-platform": "2.2.7"

At the risk of self-promotion, the recommended solution in this guide can be time-consuming to maintain, so I built this repository template that uses GH Actions to keep your mirror up-to-date.


This looks super cool, thank you!

Hey man, I took a stab at the EDD challenge using your method and SearchWP, and ran into some road blocks. It seems that to get the EDD package link using the method you mentioned, we would need either the exact entry name as it appears in the EDD admin, or the WordPress object ID, neither of which seems readily available from the front-end.

I tried searchwp as the entry name, but that gives me the final version of SearchWP 3, not SearchWP ^4 like I want.

If there’s some way to glean EDD’s ID for the file from the front-end, this is ready to work, otherwise maybe we could contact the SearchWP and FacetWP teams and ask for this detail?

Submit an in progress pull request and we can continue discussion there. Have you attempted to hit the REST API on those sites? It’s possible the EDD post type is public, which would give you the ID.

I’m continuing to poke away at automatically updating private mirrors of premium plugins using @ethanclevenger91’s GitHub Actions method above, and I’ve hit a wall with WooCommerce addons.

If anyone knows how WooCommerce handles authorizing downloads and wants to take a look at this, that would be a great help! Meanwhile I’ll keep pushing.