PHPackages                             benoitchantre/wp-composer-auto-updates - PHPackages - PHPackages  [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register)

1. [Directory](/)
2. /
3. [Security](/categories/security)
4. /
5. benoitchantre/wp-composer-auto-updates

ActiveWordpress-muplugin[Security](/categories/security)

benoitchantre/wp-composer-auto-updates
======================================

Enables minor core auto updates even when DISALLOW\_FILE\_MODS is set to true.

v1.0.0(3y ago)815.2k1GPL-3.0-or-laterPHPPHP &gt;=7.0CI passing

Since May 2Pushed 4mo agoCompare

[ Source](https://github.com/benoitchantre/wp-composer-auto-updates)[ Packagist](https://packagist.org/packages/benoitchantre/wp-composer-auto-updates)[ RSS](/packages/benoitchantre-wp-composer-auto-updates/feed)WikiDiscussions main Synced 1mo ago

READMEChangelog (4)Dependencies (3)Versions (5)Used By (0)

[![Coding Standards](https://github.com/benoitchantre/wp-composer-auto-updates/actions/workflows/coding-standards.yml/badge.svg)](https://github.com/benoitchantre/wp-composer-auto-updates/actions/workflows/coding-standards.yml)

WP Composer Auto Updates
========================

[](#wp-composer-auto-updates)

WordPress MU-Plugin to enable maintenance and security updates when the site uses version control and `DISALLOW_FILE_MODS`.

When `DISALLOW_FILE_MODS` is not set or false, WordPress will behave as if there was no VCS: plugins and themes can be installed or updated from the dashboard. In this scenario, `composer.lock` will get out of sync. It can be used to hand-off a project to a client.

Installation
------------

[](#installation)

This package can be installed in the `mu-plugins` directory with `composer/installers`. As WordPress only load php files inside `mu-plugins` directory, it needs to be included required by a file or autoloaded using `roots/bedrock-autoloader` or similar solutions.

Example of a `composer.json` to manage a WordPress site with Composer:

```
{
  "require": {
    "php": ">=7.0",
    "benoitchantre/wp-composer-auto-updates": "^1.0",
    "composer/installers": "^1.0",
    "johnpbloch/wordpress": "^5.5",
    "roots/bedrock-autoloader": "^1.0"
  },
  "extra": {
    "wordpress-install-dir": "public/wp",
    "installer-paths": {
      "public/wp-content/mu-plugins/{$name}": [
        "type:wordpress-muplugin"
      ],
      "public/wp-content/plugins/{$name}/": [
        "type:wordpress-plugin"
      ],
      "public/wp-content/themes/{$name}/": [
        "type:wordpress-theme"
      ]
    }
  }
}
```

###  Health Score

38

—

LowBetter than 85% of packages

Maintenance51

Moderate activity, may be stable

Popularity31

Limited adoption so far

Community9

Small or concentrated contributor base

Maturity50

Maturing project, gaining track record

 Bus Factor1

Top contributor holds 52.8% of commits — single point of failure

How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

###  Release Activity

Cadence

Every ~215 days

Total

4

Last Release

1189d ago

Major Versions

v0.2.0 → v1.0.02023-02-08

### Community

Maintainers

![](https://avatars.githubusercontent.com/u/1521015?v=4)[Benoît Chantre](/maintainers/benoitchantre)[@benoitchantre](https://github.com/benoitchantre)

---

Top Contributors

[![benoitchantre](https://avatars.githubusercontent.com/u/1521015?v=4)](https://github.com/benoitchantre "benoitchantre (28 commits)")[![dependabot[bot]](https://avatars.githubusercontent.com/in/29110?v=4)](https://github.com/dependabot[bot] "dependabot[bot] (25 commits)")

---

Tags

auto-updatesecuritywordpresswordpress-mu-plugincomposerwordpressupdates

### Embed Badge

![Health badge](/badges/benoitchantre-wp-composer-auto-updates/health.svg)

```
[![Health](https://phpackages.com/badges/benoitchantre-wp-composer-auto-updates/health.svg)](https://phpackages.com/packages/benoitchantre-wp-composer-auto-updates)
```

###  Alternatives

[bringyourownideas/silverstripe-maintenance

Toolset to help with the day by day maintenance work.

32221.8k4](/packages/bringyourownideas-silverstripe-maintenance)[bringyourownideas/silverstripe-composer-security-checker

Provides information if your SilverStripe application uses dependencies with known vulnerabilities.

11103.9k2](/packages/bringyourownideas-silverstripe-composer-security-checker)[dgtlss/warden

A Laravel package that proactively monitors your dependencies for security vulnerabilities by running automated composer audits and sending notifications via webhooks and email

8745.6k](/packages/dgtlss-warden)[brain/nonces

OOP package for WordPress to deal with nonces.

26227.1k1](/packages/brain-nonces)

PHPackages © 2026

[Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)