The Bedrock Plugins Installation is set up differently. More efficiently too I daresay. That is why often beginners with Bedrock bump into the fact that they cannot install plugins from the Dashboard. In this post I will get into the reasons and benefits behind it. For a general overview of Bedrock see the post Bedrock Modern WordPress Stack.

Dashboard Installation Deactivated

Bedrock disables Installation of Plugins from the Dashboard with:


This PHP rule prevents the installation of other new plugins while allowing the listing of them. You have to install plugins by other means which we will discuss shortly. Also see

Why is standard installation Blocked?

The standard installation of plugins – and themes by the way – is blocked so all installed themes and plugins stay in version control. Once you start adding plugins or themes on the production server they are no longer in version control. And every time you do a Trellis deployment you run the risk of losing plugins and themes as they are nog part of version control.

Plugin Installation with Composer

You can install plugins with Bedrock using  Composer. You can also activate and deactivate them using Composer or WP CLI. You can also manage commercial plugins with composer with a custom composer serve. Either that or you can do it by adding them manually to your site and version control. You will need to remove them from the .gitignore list to get them versioned. You do this by using an exclamation mark like so for example:


Composer in practise

Composer allows you to download and install WordPress plugins from packages registered with Composer and also from WPackagist, which syncs with the WordPress plugins repository.


Just run a command to install the plugin like so:

composer install

This install all the plugins in your composer.json file in your Bedrock directory. At WPackagist they show you an example of themes and plugins added from their repo:

 "name": "acme/brilliant-wordpress-site",
 "description": "My brilliant WordPress site",
 "require": {
 "autoload": {
 "psr-0": {
 "Acme": "src/"

Another way would be:

composer require wpackagist-plugin/wordpress-seo
This grabs the file from packagist, composer repository and installs it for you.
NB see also
NBB It is possible with WP CLI, but not recommended as this way things are not kept in version control.

Code Parity

This method of managing plugins is way better for keeping solid installations that are equal locally (Vagrant) on staging (Trellis server (recommended)) and on production (Trellis) . So this allows for code parity. No more “But it works on my computer”. All changes added with composer will be part of Git version control.

Therefore they will be the same in all environments. Even the plugins not added with composer will be added to version control. All installations that are not done with composer or not committed will be lost to our version control.

As the Roots theme stated:

“Manage your WordPress install and plugins with Composer, a PHP dependency manager. Composer will make development more reliable, help with team collaboration, and it helps maintain a better Git repository.”

Plugin Management ease

On top of that the plugin and theme version can be managed easily. You can enforce a version to make sure the site does not break. Then locally on development you can test a new version by a small composer.json tweak and commit once you are satisfied it works

Composer Bedrock Example

Here the current composer.json as an example. It is one you will find with a standard Bedrock WordPress setup:


"name": "roots/bedrock",
"type": "project",
"license": "MIT",
"description": "WordPress boilerplate with modern development tools, easier configuration, and an improved folder structure",
"homepage": "",
"authors": [


"name": "Scott Walkinshaw",
"email": "",
"homepage": ""

"name": "Ben Word",
"email": "",
"homepage": ""
"keywords": [
"bedrock", "roots", "wordpress", "stack", "composer", "vagrant", "wp"
"support": {
"issues": "",
"forum": ""
"config": {
"preferred-install": "dist"
"repositories": [
"type": "composer",
"url": ""
"require": {

"php": ">=5.6",
"composer/installers": "^1.4",
"vlucas/phpdotenv": "^2.0.1",
"johnpbloch/wordpress": "4.8.2"
"oscarotero/env": "^1.1.0",
"roots/wp-password-bcrypt": "1.0.0"
"require-dev": {
"squizlabs/php_codesniffer": "^3.0.2"
"extra": {
"installer-paths": {
"web/app/mu-plugins/{$name}/": ["type:wordpress-muplugin"],
"web/app/plugins/{$name}/": ["type:wordpress-plugin"],
"web/app/themes/{$name}/": ["type:wordpress-theme"]
"wordpress-install-dir": "web/wp"
"scripts": {
"post-root-package-install": [
"php -r \"copy('.env.example', '.env');\""
"test": [
 As you can see hardly any plugins are installed yet, However there are a few other things installed such as:

and other goodies for better development.

WPackagist Additions

As you saw earlier you can add WPackagist plugins or themes using the composer command or by simply adding a line to the composer.json file.

WordPres Packagist

For one setup we have for example this required block including multiple WordPress plugins using WPackagist:

"require": {
"php": ">=5.6",
"composer/installers": "~1.0.12",
"vlucas/phpdotenv": "^2.0.1",
"oscarotero/env": "^1.0",
"roots/wp-password-bcrypt": "1.0.0",
"wpackagist-plugin/antispam-bee": "*",
"wpackagist-plugin/autodescription": "*",
"wpackagist-plugin/wp-subscribe": "*",
"wpackagist-plugin/yet-another-related-posts-plugin": "*",
"johnpbloch/wordpress": "4.8.2"


For each installed plugin or WordPress installation a version is set. And for every update this has to be adjusted. Then you can commit it to version control and deploy it using Trellis’ deployment script ./bin/ production . During deployment this file is checked and updates will be made. The latter fully automatically.

Bypassing Limitations

If customers do want to install plugin you can comment out the


at bedrock-site/config/production. We sometimes use something like

/** Production */
ini_set('display_errors', 0);
define('WP_DEBUG_DISPLAY', false);
define('SCRIPT_DEBUG', false);
define( 'WP_MEMORY_LIMIT', '128M' );
/** Disable all file modifications including updates and update notifications */
//define('DISALLOW_FILE_MODS', true);

As you can see the DISALLOW_FILE_MODS has been commented out to allow the adding of plugins and themes.

Do however remember to exclude the plugins and themes you add from the .gitignore and to add them to the repository. Otherwise you run the risk of removing elements. Also make sure you enforce some parity by syncing from production another way. Either that or forget about version control altogether.


Leave a Reply

Your email address will not be published. Required fields are marked *