Managing dependencies in WordPress projects has historically been complex. A mature codebase often relies on a mix of public packages and code from commercial vendors, yet there is no standardized way to distribute and manage these dependencies cohesively.
As projects grow, teams are forced into fragmented workflows. Some extend Composer with mixed repositories, while others rely on bespoke scripts to fetch archives during CI runs. These approaches are often fragile, difficult to audit, and challenging to maintain in a modern zero-trust environment.
wpm is the answer to this fragmentation.
WordPress powers over 40% of the web, yet it lacks the unified package distribution and supply-chain security tooling found in other major software ecosystems.
wpm is a package manager and registry designed specifically for WordPress. It treats plugins and themes as first-class packages, establishing a foundation for verifiable distribution. The goal is to make dependency management predictable, auditable, and scalable, eliminating the need for fragile, custom workflows.
wpm is built around two core layers:
1. A registry designed for the WordPress ecosystem, supporting:
   - Public and private packages for flexible distribution.
   - Verifiable artifacts to ensure code integrity.
   - Attestations and provenance to support modern supply-chain security standards.
2. A platform-agnostic tool that treats plugins and themes as first-class citizens, enabling:
   - Deterministic installs (lockfiles).
   - Clear dependency graphs for better visibility.
   - Unified tooling that works identically in local development and CI/CD.
The wpm ecosystem consists of the following components:
| Project | Description |
|---|---|
| cli | The core package manager CLI. Handles installation, updates, and dependency resolution. |
| wp-to-wpm | A migration tool to publish plugins/themes from SVN to the wpm registry via GitHub Actions. |
| setup-wpm | A GitHub Action for configuring the wpm CLI in your CI/CD pipelines. |
wpm is developed in the open. We actively encourage participation, whether you are contributing code, improving documentation, or engaging in technical design discussions.
We are particularly interested in feedback regarding package distribution, supply-chain security, and CI/CD practices within the WordPress space.
"WordPress" is a registered trademark of the WordPress Foundation. wpm is an independent project and is not affiliated with, endorsed by, or sponsored by the WordPress Foundation.