A few days ago WordCamp Europe in Basel produced an unexpected headline: the launch of the FAIR Package Manager, an alternative to the WordPress.org plugin and theme ecosystem. Built by longtime WordPress contributors and backed by the Linux Foundation, FAIR positions itself as a federated and independent repository of trusted plugins and themes, intentionally decentralized in response to recent governance concerns within the WordPress ecosystem.
Why FAIR exists
The name FAIR (federated and independent repository of trusted plugins and themes) was chosen deliberately. The project grew out of unease following last year’s high-profile disputes over plugin ownership and control — most notably the incident where Automattic assumed control of a plugin slug tied to WP Engine’s ACF. That episode prompted enterprise legal teams and agencies to question the resilience of WordPress’ supply chain and the concentration of authority that could allow unilateral changes.
FAIR’s founders spent six months collaborating with more than 100 contributors from 10+ organizations and sought neutral governance through the Linux Foundation. A technical steering committee includes well-known community figures: Carrie Dils, Mika Epstein, and Ryan McCue. The project aims to reduce centralization without changing WordPress core technology — it’s not a code fork, but an alternative distribution approach that removes reliance on WordPress.org for plugins and themes.
How to use FAIR today
FAIR is currently available in two forms:
– A plugin you can install on existing WordPress sites.
– A full WordPress distribution bundled with the FAIR plugin (targeted at hosting providers offering new installs).
To try the plugin, download a release from the FAIR GitHub releases page, install it via Plugins → Add Plugin → Choose File, then activate it. Once it is activated, you’ll see a FAIR settings option in the dashboard. At present the most visible feature is FAIR Avatars, which lets sites opt out of mandatory Gravatar usage. Admin screens will also display messages like “Updates served from the FAIR Package Manager and AspirePress,” indicating that updates will come from FAIR (and partner projects) rather than WordPress.org.
AspirePress and related projects
AspirePress, which shares similar decentralization goals, appears to be working alongside FAIR; Aspire announced its own plugin around the same time. The two efforts seem aligned in aims and people, suggesting an ecosystem of federated update providers may emerge.
Who benefits and why
– Regular users: The immediate changes are mostly ideological. Installing FAIR won’t radically change daily use, but it’s an option for those who prioritize decentralization and alternative governance.
– Developers: FAIR promises practical benefits. Developers can package free and premium versions into a single cryptographically signed bundle, simplifying distribution and enabling new business models.
– Enterprises and hosts: FAIR addresses supply chain security, compliance, and risk management. Organizations can run FAIR behind firewalls, control available plugins/themes, align with GDPR and incoming cybersecurity regulations, and reduce single points of failure. FAIR also introduces code signing and cryptographic measures enterprises have requested.
Concerns and Matt Mullenweg’s response
WordPress co-founder Matt Mullenweg addressed FAIR hours after its launch, acknowledging the positive intent but raising technical and operational concerns:
– Security surface: While FAIR aims to improve supply chain security, decentralization creates more potential points of compromise. Mullenweg noted that breaches of WordPress.org are rare, whereas having many distributed providers could increase the number of attack vectors.
– Operational complexity: Multiple mirrors bring uptime and consistency challenges, complicate phased rollouts (e.g., staged updates to a subset of users), and remove centralized analytics that inform platform support decisions.
– Trust and quality control: Decentralized repositories raise questions about review authenticity, moderation, plugin ratings, and compatibility signals that users rely on to trust plugins.
– Policy enforcement: Existing WordPress.org policies (e.g., around admin banners) rely on centralized enforcement; distributing repositories complicates that enforcement.
Despite those concerns, Mullenweg said he appreciated people shipping code instead of just discussing ideas and expressed interest in reviewing FAIR’s code before committing to collaboration.
The bigger picture
FAIR is the most significant push toward decentralizing WordPress’ distribution model since the platform’s founding. Backing from the Linux Foundation and involvement by respected community members give it credibility, and it directly addresses governance and supply chain questions raised after high-profile disputes. The technical issues Mullenweg highlighted are real and will need engineering solutions; conversely, FAIR addresses the governance risks that motivated its creators.
Whether FAIR gains wide adoption remains uncertain, but its existence signals a shift in how the WordPress ecosystem considers control, trust, and resilience. If it matures to solve operational and security concerns while preserving trust signals and moderation, FAIR could reshape plugin and theme distribution for years to come.
Will you install FAIR on your sites?


