DEV Community

Cover image for Running Your Own WordPress Plugin Update Server Using GitHub
Kyle Niemiec
Kyle Niemiec

Posted on

Running Your Own WordPress Plugin Update Server Using GitHub

#wordpress #php #opensource #webdev

WordPress plugins typically receive automatic updates through the official WordPress plugin repository.

But many developers build plugins that aren’t meant for the public directory. These might be:

  • internal company plugins
  • premium plugins
  • client-specific functionality
  • plugins distributed privately through GitHub

In these cases, developers still want the convenience of the native WordPress update system.

The challenge is that WordPress expects updates to come from the WordPress.org infrastructure.

To solve this problem, I built a plugin that allows a WordPress site to act as its own plugin update server, using GitHub repositories as the source of truth.

The Problem With Private Plugin Updates

When WordPress checks for plugin updates, it builds a site transient called:

update_plugins
Enter fullscreen mode Exit fullscreen mode

This transient contains information about available plugin versions.

WordPress also calls the plugins_api() endpoint to populate the plugin details modal that appears when you click View Details in the admin.

A screenshot of a custom plugin's information

If you're distributing plugins outside the official repository, you need to replicate this behavior yourself.

That usually means building:

  • an API that serves update metadata
  • a way to serve plugin ZIP packages
  • a system for generating plugin information (description, changelog, icons, etc.)

Turning WordPress Into an Update Server

The WP Plugin Update Server plugin allows a WordPress site to act as a lightweight update server.

Instead of building a separate service, the plugin uses WordPress itself to:

  • store hosted plugin metadata
  • manage update information through the admin interface
  • expose update data through REST endpoints

Hosted plugins are managed as a custom post type:

Plugins → Hosted Plugins
Enter fullscreen mode Exit fullscreen mode

Each entry represents a plugin that the server manages.

A single

How The Update Flow Works

The system involves two parts:

  1. the update server plugin
  2. a client helper library installed in the plugin receiving updates

When a WordPress site checks for updates:

  1. The helper library intercepts the update_plugins transient.
  2. It queries the configured update server.
  3. The server returns update metadata if a newer version exists.
  4. WordPress adds the update to the normal plugin update list.

When a user clicks View Details, the helper calls another endpoint that returns the plugin metadata normally provided by WordPress.org.

REST Endpoints

The update server exposes two REST endpoints:

/wp-json/wppf/api/plugin-updates/transients
Enter fullscreen mode Exit fullscreen mode 
/wp-json/wppf/api/plugin-updates/plugins-api
Enter fullscreen mode Exit fullscreen mode

These endpoints return the data WordPress expects when checking for updates or displaying plugin details.

This allows the WordPress admin experience to remain completely native.

GitHub Integration

The plugin integrates directly with GitHub repositories.

When a hosted plugin is requested, the server:

  1. Looks for the latest GitHub release.
  2. Falls back to the latest tag if no release exists.
  3. Retrieves the plugin’s main file from GitHub.
  4. Parses the plugin headers to extract metadata.

The resulting response includes:

  • the latest version number
  • the download package URL
  • plugin metadata
  • icons and banners
  • changelog and description sections

This allows developers to manage updates simply by publishing new releases on GitHub.

Supporting Private Repositories

For private repositories, the server can use a GitHub access token.

The token is encrypted before being sent to client plugins and is used during the download process to authenticate the request.

This makes it possible to distribute private plugins securely without exposing credentials.

Why This Approach Is Interesting

Most custom update systems rely on a separate API service or a static manifest file.

This project takes a different approach:

It uses WordPress itself as the update server.

That means:

  • plugin metadata can be managed through the admin UI
  • update endpoints are automatically available
  • GitHub repositories become the source of truth for releases

For developers already comfortable with WordPress, this makes the system easy to manage.

Try It Out

If you're interested in running your own update server, you can explore the project here:

Repository:

https://github.com/kyle-niemiec/wp-plugin-update-server

You can install it like a normal WordPress plugin and begin hosting updates for your own projects.

Part of the WPPF ecosystem:

  • WordPress Plugin Framework
  • WPPF Test Plugin
  • Plugin Update Server
  • WPPF Update Helper

Documentation:
https://wp-plugin-framework.codeflower.io

Top comments (1)

Collapse
 
kyle-niemiec profile image
Kyle Niemiec

If you’re interested in the client-side side of this system, the next article will cover the Update Helper that runs inside plugins and connects them to the update server.

Together they allow private plugins to integrate with the native WordPress update system.