A few days ago, the annual WordCamp Europe meetup took place in the picturesque city of Basel, Switzerland. Normally, this event is considered among the top three WordPress events every year and it’s usually filled with lots of exciting announcements. As you might expect, these announcements are about WordPress and are often spearheaded by major players in the community.
This year was not all that different, except for one thing: the biggest announcement came from what is essentially an external threat to the WordPress.org theme and plugin ecosystem. That threat is the FAIR Package Manager – a project launched by longtime WordPress contributors and backed by the Linux Foundation.
So let’s talk about what FAIR actually is, what it looks like right now when you use it, and more importantly, should you even use it? Then we’ll wrap it up by taking a look at what WordPress co-founder Matt Mullenweg had to say about it.
Origin and purpose of FAIR
The FAIR acronym is not a coincidence, nor is its fully written out title – federated and independent repository of trusted plugins and themes. It’s a direct response to the fallout from last year’s #wpdrama, particularly the October incident when Automattic took control of WP Engine’s ACF plugin slug within the ecosystem.
As Karim Marucchi, CEO of enterprise agency Crowd Favorite and one of the project’s initiators, explained:
“I remember the phone calls vividly. Multiple Chief legal counsel, from various large enterprises on the line, asking me point-blank: ‘Karim, why should we trust WordPress if one person can unilaterally make changes that jeopardize our supply chain, with no apparent checks and balances?'” 1
Karim wasn’t the only one hearing concerns about “problematic governance” over the open-source WordPress project. There were plenty of other calls for a fairer alternative that doesn’t centralize power.
Hence, the birth of FAIR – federated and independent – or in other words, not centralized.
The project emerged from six months of collaborative work involving over 100 contributors from more than 10 organizations. To ensure neutral governance, the group approached the Linux Foundation. This is the same organization that oversees critical open-source projects like Linux and Kubernetes. In addition, three respected WordPress veterans were appointed to lead the technical steering committee: Carrie Dils, Mika Epstein, and Ryan McCue (creator of the WordPress REST API). 2
If FAIR does end up being widely adopted, it could reasonably challenge the vice grip that Automattic CEO Matt Mullenweg has had over WordPress since its inception. For this reason, many in the WordPress community see this moment as a potential fork in the timeline of WordPress history.
That’s despite the fact – and this needs to be emphasized – that FAIR is not a WordPress fork in the technological sense. It’s still 100% WordPress. It just removes the reliance on WordPress.org for plugins and themes. There’s more to it than only that, but that’s the main point.
If that resonates with you and you’d like to support the project – or even just check it out – here’s how…
Two options for switching to FAIR WordPress
As of the time of this writing, FAIR WordPress is available to use in two ways:
- As a plugin
- As a complete WordPress installation with the FAIR plugin bundled in (pre-installed)
The full WordPress installation is mainly for hosting companies who offer new customers the option to install WordPress. Most users with existing WordPress sites can just download the plugin and install it like any other plugin.
Using FAIR
To try the FAIR plugin, the first thing you need to do is head over to its GitHub releases page and download it:
Then, from your WordPress dashboard, go to Plugins → Add Plugin → Choose File. Find fair-plugin-0.2.0.zip (or a newer release if you’re reading this later) on your hard drive. Then click Install Now, followed by Activate Plugin:
After successfully activating the plugin, you’ll notice a new FAIR settings menu option in the lefthand sidebar:
There’s really only one feature there at the moment – which is the option to override the default setting of being forced to use Gravatar to set your user profile photo. It’s turned on by default (titled as “FAIR Avatars”). However, if you prefer Gravatar for some reason, you can always revert back to it.
Aside from that, you’ll also notice a subtle, but important message on the bottom right of the screen: Updates served from the FAIR Package Manager and AspirePress.
That same message will show up in other areas of your WordPress admin dashboard – like the plugins and themes pages.
It’s just letting you know that FAIR is working and any future updates to your themes and plugins won’t come from WordPress.org. Instead they will come from FAIR and AspirePress.
In case you’re wondering, AspirePress is another open-source project with similar goals and values to FAIR. And according to this Reddit post by someone who was directly involved with building FAIR, the Aspire team was part of the process. Aspire also announced their own similar plugin the day after FAIR announced theirs. So it seems the two are working in tandem.
What’s the incentive?
If you’re not a developer or a WordPress power user, you might be wondering – why should I even install this? It’s a fair question.
For regular users, the choice to adopt FAIR is going to be more ideological than pragmatic. The plugin won’t dramatically change how you use WordPress day-to-day. However, if you care about WordPress and you believe that moving towards a more decentralized system is beneficial, then showing your support by installing the plugin won’t harm your site.
For developers, the incentives are much greater because they affect plugin distribution – in a good way. That’s because FAIR will allow developers to bundle both free and premium versions of their plugins into a single, cryptographically signed package. This could streamline user experience and create new business models.
For enterprises and hosting companies, FAIR addresses critical business concerns such as supply chain security, regulatory compliance, and risk management:
- Organizations can run FAIR behind their firewalls, maintaining full control over accessible plugins and themes.
- FAIR offers better alignment with GDPR and upcoming regulations like the Cyber Resilience Act.
- It reduces single points of failure in critical business infrastructure.
The system also introduces code signing and improved cryptographic security measures. These are additional features that enterprise clients have been requesting.
All of this sounds wonderful, but there are counterpoints to consider as well. Counterpoints that WordPress co-founder Matt Mullenweg was quick to point out on stage at WordCamp Europe.
Matt’s reaction to FAIR
Just hours after FAIR’s launch announcement, Matt Mullenweg took the stage with WordPress Executive Director Mary Hubbard in a “fireside chat” and was asked directly about potential collaboration with the project. His response revealed both diplomatic openness and significant technical concerns.
“Of course we consider everything,” Mullenweg said, “but even in what you said, I think there’s a lot of challenges to it.”
His main concerns centered on several key areas:
- Security: While FAIR aims to improve security, Mullenweg argued it could create new vulnerabilities. “Right now a supply chain attack needs to breach WordPress.org, which has never been hacked,” he noted. “But now all of a sudden there’s N places that could potentially be compromised.”
- Operational complexity: He highlighted challenges including multiple mirrors with potential uptime issues, difficulty implementing phased rollouts (like testing updates with 5% of users first), and the loss of centralized analytics that inform decisions about PHP versions and database support.
- Trust and quality control: Mullenweg argued that users aren’t necessarily asking for more download locations, but rather trust indicators: “How do I know this is trustworthy? How do I know these reviews are real? Who’s moderating? Who’s checking the IP on these different reviews? What’s the plugin rating? What’s the compatibility for it?”
- Enforcement issues: He questioned how existing policies, like restrictions on admin banners, would be enforced across a distributed system.
Despite the above, Mullenweg acknowledged the positive aspects: “I think it’s awesome that people are shipping code versus just arguing or talking or writing blog posts.” He further emphasized that he’d like to review the code before making any commitments about collaboration and mulled over the possible directions the project could take.
In my opinion, and given the short time window in which he had to process the announcement, I think it was a good response. The points he raised were also fair – pun intended.
The bigger picture
The FAIR project represents the most significant attempt to decentralize WordPress infrastructure since the platform’s creation and its implications could be far-reaching.
Whether it gains widespread adoption remains to be seen. However, its existence alone – backed by the Linux Foundation and developed by respected community figures – signals a shift in how the ecosystem thinks about governance, control, and the future of the platform that powers 43.4% of the web.
The technical challenges Mullenweg raised are also real and weren’t merely deflection points. They will need solutions. On the flip side, so are the governance and supply chain security concerns that prompted FAIR’s creation. How these competing priorities play off of one another may well shape WordPress’ future for the next decade.
What do you think about FAIR? Will you install the plugin on your WordPress sites?
…
Don’t forget to join our crash course on speeding up your WordPress site. Learn more below:
