Composer is a dependency manager for PHP — and it’s one of the first things I set up on every WordPress project. It manages the linting, static analysis, and testing tools that keep code clean and standards-compliant. In the DevWP series, I walk through this exact setup and explain why each tool matters.
Install Composer on Windows
This walkthrough covers the full Windows installation from download to verification.
Go to the official Composer Download page and download the Composer-Setup.exe installer for Windows. You should already have XAMPP or a similar solution installed on your system; the installer will attempt to locate its php.exe file.
In your downloads folder, double-click Composer-Setup.exe to start the installation and follow the on-screen prompts. Install Composer globally so you can type the shorter command, composer.
Once installed, verify it works:
composer --version
Install Composer on macOS
This walkthrough covers the macOS installation using the command-line installer.
Use the code snippet from the official Composer Download page. Copy and paste the whole snippet into your terminal, including the line that verifies the installer's hash, then move the resulting composer.phar into your path:
# Move composer into your path
mv composer.phar /usr/local/bin/composer
# If you get a permission denied error, use sudo instead
sudo mv composer.phar /usr/local/bin/composer
# If needed, make it executable
chmod +x /usr/local/bin/composer
# Verify installation
composer --version
Composer Packages for WordPress Development
These dev-dependency packages handle linting, static analysis, and testing for WordPress themes.
- Dealer Direct PHP CodeSniffer Composer Installer: Allows easy installation of PHP_CodeSniffer coding standards — no more symbolic linking or manual configuration. Packagist
- PHP Insights: Instant PHP quality checks from your console. Packagist
- Phan: A static analyzer for PHP. Packagist
- PHP Parallel Lint: Checks the syntax of PHP files about 20x faster than a serial check. Packagist
- PHPCompatibility WP: Analyze the codebase of a WordPress-based project for PHP cross-version compatibility. GitHub
- PHPMD (PHP Mess Detector): Detects code smells — overly complex methods, unused parameters, naming violations, and other maintainability issues. Packagist
- PHPStan: PHP Static Analysis Tool. Used with szepeviktor/phpstan-wordpress for WordPress-specific analysis. Packagist
- PHPUnit: The PHP Unit Testing framework. Version 9.6 works best with WordPress’s testing setup — later versions dropped some APIs WordPress still relies on. Packagist
- Roave Security Advisories: Ensures your application doesn’t have installed dependencies with known security vulnerabilities. GitHub
- Psalm: A static analysis tool for finding errors in PHP applications. Used with humanmade/psalm-plugin-wordpress. Packagist
- WP-CLI: Command-line interface for WordPress — manage posts, plugins, users, and databases without a browser. See the WP-CLI guide for details. Packagist
- WordPress Coding Standards: PHP_CodeSniffer rules (sniffs) to enforce WordPress coding conventions. Packagist
The composer.json below also includes supporting packages — WordPress stubs, the PHPStan extension installer, WP PHPUnit test library, and Yoast PHPUnit polyfills — that the main tools depend on.
If you create the composer.json file in the root of the theme and paste in the code below, you can install everything with one command:
composer install
Full composer.json File
{
    "name": "pixemweb/devwp",
    "description": "DevWP is a WordPress theme focused on helping people learn how to develop themes using _s and Bootstrap along with additional resources.",
    "type": "wordpress-theme",
    "license": "GPL-3.0-or-later",
    "homepage": "https://www.pixemweb.com/devwp-wordpress-development-training-theme/",
    "require": {
        "php": "^7.4 || ^8.0"
    },
    "config": {
        "platform": {
            "php": "7.4"
        },
        "allow-plugins": {
            "dealerdirect/phpcodesniffer-composer-installer": true,
            "phpstan/extension-installer": true
        }
    },
    "require-dev": {
        "dealerdirect/phpcodesniffer-composer-installer": "^1.0.0",
        "nunomaduro/phpinsights": "^2.11",
        "phan/phan": "^5.4.3",
        "skaut/wordpress-stubs": "^2.8.1",
        "php-parallel-lint/php-parallel-lint": "^1.4.0",
        "phpcompatibility/phpcompatibility-wp": "^2.1.5",
        "phpmd/phpmd": "^2.15",
        "phpstan/phpstan": "^1.10.67",
        "phpstan/extension-installer": "^1.3.1",
        "szepeviktor/phpstan-wordpress": "^1.3.4",
        "phpunit/phpunit": "^9.6.19",
        "wp-phpunit/wp-phpunit": "^6.5.2",
        "yoast/phpunit-polyfills": "^2.0.1",
        "roave/security-advisories": "dev-latest",
        "vimeo/psalm": "^5.24.0",
        "humanmade/psalm-plugin-wordpress": "^3.1.1",
        "wp-cli/wp-cli-bundle": "^2.10.0",
        "wp-coding-standards/wpcs": "^3.1.0"
    },
    "extra": {
        "phpstan": {
            "includes": [
                "extension.neon"
            ]
        }
    },
    "scripts": {
        "lint:php": "parallel-lint --exclude .git --exclude vendor --exclude node_modules .",
        "lint:wpcs": "phpcs",
        "fix:wpcs": "phpcbf",
        "make-pot": "./vendor/bin/wp i18n make-pot . languages/devwp.pot",
        "phpstan": "phpstan analyse . --memory-limit=2048M",
        "phpmd": "phpmd . text phpmd.xml",
        "phpphan": "./vendor/bin/phan --allow-polyfill-parser",
        "phppsalm": "./vendor/bin/psalm",
        "psalmcache": "./vendor/bin/psalm --clear-cache",
        "phpinsights": "./vendor/bin/phpinsights --flush-cache && ./vendor/bin/phpinsights analyse",
        "unittest": "./vendor/bin/phpunit"
    }
}
Running Composer Scripts in Your Theme
Run any script defined in composer.json with composer script-name. Make sure you have run composer install first to install all required dependencies.
# Lint and check coding standards
composer lint:php
composer lint:wpcs
# Auto-fix coding standard violations
composer fix:wpcs
# Static analysis
composer phpstan
composer phpmd
composer phpphan
composer phppsalm
# Run unit tests
composer unittest
What Are the Most Useful Composer Commands?
# List installed coding standards
vendor/bin/phpcs -i
# Update dependencies
composer update
# Update Composer itself
composer self-update
# Refresh the lock file
composer update --lock
# Show installed packages
composer show
Composer FAQ
Do I need all of these packages?
Not necessarily. Start with WordPress Coding Standards and PHPStan — those two catch the most issues with the least setup. Add the others as your workflow matures and you want deeper analysis.
What’s the difference between composer install and composer update?
composer install reads the lock file and installs the exact versions recorded there — this is what you want for consistent environments. composer update resolves the latest versions that satisfy your constraints and rewrites the lock file. Use install for deploys, update when you intentionally want newer versions.
Can I use Composer globally instead of per-project?
You can install packages globally with composer global require, but per-project installation keeps version requirements isolated. One project might need PHPStan 1.x while another needs 2.x — per-project handles that cleanly.
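The composer.json shown earlier allows two named plugins to run code during install and tracks a branch for exactly one package, roave/security-advisories. As an added example (not part of the original post or the DevWP project), this Python check flags the settings in a composer.json that deserve a second look before you commit it; the `example-vendor` entries and the `review` function are constructed for illustration.

```python
import json

# Constructed sample: a trimmed copy of the composer.json shown earlier, plus
# two deliberately risky example-vendor entries so the checks have work to do.
SAMPLE = """
{
  "config": {
    "allow-plugins": {
      "dealerdirect/phpcodesniffer-composer-installer": true,
      "phpstan/extension-installer": true,
      "example-vendor/*": true
    }
  },
  "require-dev": {
    "phpstan/phpstan": "^1.10.67",
    "roave/security-advisories": "dev-latest",
    "example-vendor/helper": "dev-main"
  }
}
"""

# roave/security-advisories is meant to track a branch: it is a moving list
# of conflict rules, so "dev-latest" is the expected constraint for it.
BRANCH_OK = {"roave/security-advisories"}


def review(manifest):
    findings = []
    # Plugins execute PHP during install/update, so each should be named.
    plugins = manifest.get("config", {}).get("allow-plugins", {})
    if plugins is True:
        findings.append("allow-plugins: every plugin may run code on install")
    elif isinstance(plugins, dict):
        for name, allowed in plugins.items():
            if allowed and "*" in name:
                findings.append(f"allow-plugins: wildcard '{name}'")
    deps = {**manifest.get("require", {}), **manifest.get("require-dev", {})}
    for name, spec in deps.items():
        floating = spec == "*" or spec.startswith("dev-") or spec.endswith("-dev")
        if floating and name not in BRANCH_OK:
            findings.append(f"{name}: floating constraint '{spec}'")
    if "roave/security-advisories" not in deps:
        findings.append("roave/security-advisories is not required")
    return findings


if __name__ == "__main__":
    for line in review(json.loads(SAMPLE)):
        print(line)
```

To check a real project, load its composer.json with `json.load` and pass the result to `review`.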
Official Composer Documentation & Links
- Official Composer Website
- Official Getting Started Guide
- Official Documentation
- WordPress Coding Standards Video
Once you have Composer and these packages set up, you’ll catch issues in your code before they ever reach production. I run these tools on every project now — they’ve saved me from shipping embarrassing bugs more times than I’d like to admit. If you want to see how I use this exact setup in a real theme, check out the DevWP project. If you haven’t set up your other dev tools yet, the companion guides for setting up Git and setting up Node.js cover the rest of the stack.
