How to upgrade Wordpress core and dependencies with Composer


Update WordPress to the latest version using Composer.



Keeping WordPress up to date is essential for security as well as for bug fixes and new features. Updating WordPress with one command lowers the burden of maintenance. Since WordPress doesn’t provide native Composer support, the template provided by depends on a community maintained package.


1. Make a branch for updating WordPress:

$ platform checkout wordpress-update

2. Update composer.json

Check that composer.json is set to track the latest WordPress version. It should have something like ^5.1 listed for wordpress-core.

  "require": {
    "php": ">=5.3.2",
    "johnpbloch/wordpress-core-installer": "^1.0",
    "johnpbloch/wordpress-core": "^5.1"

3. Run composer update.

composer update --with-dependencies
Loading composer repositories with package information
Updating dependencies (including require-dev)
Package operations: 2 installs, 0 updates, 0 removals
  - Installing johnpbloch/wordpress-core-installer (1.0.2): Loading from cache
  - Installing johnpbloch/wordpress-core (5.1.1): Downloading (100%)         
Writing lock file
Generating autoload files

4. Check changes

Run git status to see which files have changed:

git status
On branch wordpress-update
Your branch is up to date with 'platform/wordpress-update'.

Changes not staged for commit:
  (use "git add <file>..." to update what will be committed)
  (use "git checkout -- <file>..." to discard changes in working directory)

	modified:   composer.json
	modified:   composer.lock

no changes added to commit (use "git add" and/or "git commit -a")

5. Push changes

Now the project can be built properly by to provide the latest WordPress version.

Add, commit, and push.

git add composer.json 
git add composer.lock 
git commit -m "Updating WordPress"
git push platform wordpress-update

6. Update the Wordpress database

Update the WordPress database using the platform tool:

platform ssh 'wp core update-db'

Alternately, log into the admin area of the site an you will be prompted by WordPress to update the database.

Note that you will have to re-run the database update when you merge your code changes into other branches, e.g. into master when you deploy these changes to your live site.


Relying on a package manager such as Composer greatly simplifies the maintenance and security of WordPress sites.