We ❤️ Open Source
A community education resource
Introducing FAIR: A federated approach to strengthen the WordPress ecosystem
A new community-led initiative to extend WordPress distribution beyond a single point of control.

Last week, at AltCtrl.org, a community gathering focused on the open web, a large group of contributors from the WordPress ecosystem introduced FAIR, a new federated approach to plugin and theme distribution in the WordPress ecosystem. FAIR, short for Fair And Independent Repositories, has been in the works for over six months, developed in collaboration with a broad coalition of open source contributors and organizations.
We are incredibly excited to share more about FAIR with you, the wider open source community. Many of you know us from our long-standing involvement in WordPress. Joost is the founder of Yoast SEO, a contributor since 2006, and now a Founding Partner at Emilia Capital. Karim is the CEO of Crowd Favorite and has worked with enterprise WordPress for over 15 years.
Why FAIR? Why now?
The WordPress ecosystem is vast and vibrant, but like any large community, it experiences its share of challenges. For us, a critical moment arrived last October. An incident involving a plugin slug takeover within the official repository directly impacted enterprise clients, raising serious supply chain security concerns. Phone calls were received from chief legal counsels of major corporations. They asked why they should use WordPress if one person could make such impactful changes unilaterally, without checks and balances.
This wasn’t just an isolated hiccup. It highlighted a fundamental vulnerability: The WordPress.org site, which serves as the update server for WordPress core, themes, plugins, and translations, and also handles telemetry, acts as a single point of failure. Furthermore, many were surprised to learn that WordPress.org is privately owned, not part of the WordPress Foundation.
These events, coupled with subsequent community discussions (and some unfortunate accusations of us “forking” WordPress, which was never our intention), galvanized a significant portion of the community. Many of us, including numerous core contributors and various groups who had been working privately, realized something needed to be done to safeguard the ecosystem we all depend on.
Introducing FAIR: A federated future
So, if it’s not a fork, what is FAIR?
FAIR is a replacement for the distribution mechanism of WordPress.org. Think of it as a robust, independent package manager, much like those found in many other successful open source ecosystems. It’s designed to serve everything WordPress needs (updates, themes, plugins, and translations), but in a decentralized, federated manner.
This means we’re not just replacing one central server with another. Instead, FAIR enables a network of servers. Hosting companies can run their own update servers, taking responsibility for their customers’ uptime and security. Large organizations can run their own instances behind their firewalls, curating and controlling their own plugin and theme distribution.
Technically, for the end-user, FAIR can be implemented via a plugin that simply changes where their WordPress installation looks for these resources, all while running the same WordPress core code.
The power of collaboration and open governance
This hasn’t been a small effort. FAIR is the result of over six months of dedicated, volunteer work from a broad coalition: well over a hundred individuals and nearly ten distinct groups have contributed their time and expertise. If this were a commercial project, the investment would easily be in the six-figure range. But this is a gift, built by the community, for the community.
Crucially, to ensure FAIR remains a true open source project, guided by transparent and robust governance, we’ve partnered with The Linux Foundation. Their decades of experience in stewarding major open source projects provide the neutral, well-established framework needed. This ensures FAIR isn’t controlled by any single company or individual; it’s a resource for everyone.
Benefits beyond decentralization
FAIR offers more than just a decentralized distribution model. It brings several key improvements:
- Enhanced security & enterprise readiness: With features like code signing, enterprises can have greater assurance about the source of their code. They can also manage their own approved plugin and theme repositories, which is critical for organizations with strict security protocols.
- Improved General Data Protection Regulation (GDPR) compliance: We’ve identified and addressed areas where WordPress, by default, makes calls to WordPress.org that could be problematic under GDPR. For instance, FAIR implements browser compatibility checks locally, rather than sending data to an external server.
- Cyber Resilience Act (CRA) preparedness: FAIR is built with upcoming regulations like the CRA in mind. This includes enabling clearer communication about plugin security, such as mandatory security contact information and better notifications if a plugin is closed for security reasons – a long-standing issue Joost has championed.
- A healthier plugin economy: The current WordPress.org repository rules can make it cumbersome for developers to offer premium plugins. FAIR’s architecture can simplify this, potentially allowing a single plugin to unlock premium features seamlessly. This fosters innovation and makes it easier for developers to build sustainable businesses around their contributions.
- Reduced operational costs: By distributing the load, individual hosts can manage their infrastructure more efficiently, potentially lowering the overall cost of maintaining the distribution network.
An offering to the entire ecosystem
We want to be crystal clear: FAIR is not in competition with WordPress.org. It is a tool for the WordPress project. All the code developed is in service of the greater open source WordPress project.
Our hope is that major players in the ecosystem (Automattic, WP Engine, GoDaddy, NewFold, and others) will see the benefits and adopt FAIR. Matt Mullenweg himself could spin up an instance to be one of the federators, and we would welcome that.
This is about providing a robust, resilient, and secure foundation for the millions of websites, businesses, and livelihoods that depend on WordPress. It’s about ensuring the WordPress ecosystem can continue to thrive, free from single points of failure and governed by the community it serves.
We believe FAIR is a vital step towards a more stable, secure, and truly open future for WordPress. We’re excited to see how the community embraces and builds upon it.
The community response
The announcement of FAIR has been met with a wave of enthusiasm that confirms what we have felt for months: The community is ready for this conversation. Developers, in particular, have embraced the vision of a stronger, more secure software supply chain built on a decentralized model.
This has also opened a vital dialogue about the future of WordPress governance and distribution. We welcome all perspectives, including those defending the current system, as this entire effort is about finding the best path forward together. The groundswell of support shows that the desire for a more resilient and truly community-guided ecosystem is powerful. We are excited to continue this work, guided by the community’s passion.
Learn more
- FAIR Package Manager Project
- Additional thoughts from Karim
- Additional thoughts from Joost
- Official Linux Foundation statement
Co-author
Joost de Valk is an internet entrepreneur from the Netherlands.
The opinions expressed on this website are those of each author, not of the author's employer or All Things Open/We Love Open Source.