
Introducing FAIR: A Stronger, More Resilient WordPress Ecosystem
How a new, community-led distribution layer is answering the call for greater security, transparency, and resilience in WordPress.
For over 15 years, I’ve volunteered and contributed my time to the WordPress ecosystem. I’ve seen its power, its community, and its incredible ecosystem growth. However, like many who have been deeply involved for a long time, I’ve also seen where we, as a community, could and should do better. The whispers about governance, about centralization, about the “what ifs” have been around for years.
But for me, the defining moment, the one that pushed abstract concerns into urgent, undeniable action, came last October. An incident involving a plugin slug takeover within the official repository sent shockwaves, and those waves hit my clients, large enterprise organizations, hard. I remember the phone calls vividly. Multiple chief legal counsels from various large enterprises were on the line, asking me point-blank: “Karim, why should we trust WordPress if one person can unilaterally make changes that jeopardize our supply chain, with no apparent checks and balances?” That question cut deep. It was then that I, along with Joost de Valk, decided to share our worries and thoughts about it last December.
This wasn't just an isolated hiccup for me or my clients; it was a symptom of a larger issue. An issue addressed in a powerful open letter from twenty core contributors, calling for governance reform. The message was clear: we needed a more robust, resilient, and transparent way forward. Joost and I decided it was essential to share our thoughts openly, with our names attached, when many were afraid to speak publicly, for fear of reprisal. After that, the conversations that had been happening in separate rooms and private direct messages started to converge, fueled by a shared sense of urgency. It became undeniable: the WordPress ecosystem, the foundation for so many businesses and livelihoods, including my own, needed a more resilient path.
That realization, shared by so many, was the seed that has now blossomed into moving forward with FAIR, Federated and Independent Repositories, with a “Group of Groups” that all came together from those conversations. And today, at the AltCtrl.org event in Basel, Switzerland, just down the street from WordCamp Europe, a dedicated group of us proudly introduced it to the world. After more than six months of intense, collaborative development, FAIR is no longer just an idea; it's real, and it's running.
So, if it's not a fork, what is FAIR?
I want to be crystal clear on this, especially given some of the initial (and entirely incorrect) accusations that we were “forking” WordPress. That was never our intention, and it still is not.
FAIR is a new distribution layer for WordPress. Think of it as a robust, independent package manager, much like those that are foundational to so many other successful open-source ecosystems. It’s designed to serve everything WordPress needs: updates, themes, plugins, translations, etc., but in a decentralized, federated manner.
This isn't about replacing one central point of control with another. Instead, FAIR empowers a network of servers. Hosting companies can run their own update servers, taking direct responsibility for their customers' uptime and security. Large organizations can run their own instances behind their firewalls, meticulously curating and controlling their plugin and theme distribution. For the end-user, the experience can be seamless: a simple plugin can redirect their WordPress installation to look to FAIR for these resources, all while running the exact same WordPress core code they know and trust.
Benefits Beyond Decentralization
FAIR is about so much more than just decentralizing distribution. It’s about fundamentally strengthening the WordPress ecosystem:
- Enhanced Security & Enterprise Readiness: Boost enterprise security with code signing and enable organizations to manage their own curated plugin and theme repositories for stricter control.
- Improved GDPR Compliance: Strengthen GDPR compliance by processing data locally, such as browser compatibility checks, thus minimizing unnecessary external data transmissions.
- Cyber Resilience Act (CRA) Preparedness: Prepare for regulations like the CRA with clearer plugin security communication, including mandatory security contacts and transparent vulnerability notices.
- A Healthier Plugin Economy: Foster a healthier plugin economy by simplifying the pathway for developers to offer premium and commercial plugins, supporting innovation and sustainable businesses.
- Reduced Operational Costs: Lower operational costs for everyone by distributing the update and asset delivery load, enabling more efficient infrastructure management.
The Power of Shared Purpose and Open Governance
The journey to FAIR hasn't been a solitary one; it's been one of the most inspiring collaborative efforts I've ever been a part of. For almost the past six months, Joost and I, alongside well over a hundred individuals and nearly ten distinct organizations, have poured our hearts, minds, and countless volunteer hours into this. The energy has been palpable. This wasn't a corporate mandate; it was driven by a shared belief that we could build something better, together. If this were a commercial project, the investment would easily be in the high six figures. But this is a gift, built by the community, for the WordPress ecosystem.
From the very beginning, we knew that for FAIR to truly serve the ecosystem, its governance had to be impeccable, transparent, accountable, and neutral. That’s why partnering with The Linux Foundation was a non-negotiable step for us. Their decades of experience stewarding some of the world's most critical sustainable open-source projects provide the robust, well-established framework FAIR needs. This ensures that FAIR isn't controlled by any single company or individual. It’s a resource for everyone.
The technology's direction is set by the Linux Foundation's standard “Technical Steering Committee” (TSC), with development contributions coming from across the WordPress ecosystem. To lead this effort, the TSC selected three highly respected community figures, Carrie Dils, Mika Epstein, and Ryan McCue, as its chairs. Working together, this group rapidly developed a suite of impressive features, including a decentralized way to manage packages, mirrors ready for federation, the ability to support commercial plugins, and secure cryptographic signing, alongside other advancements.
An Offering to Our Entire Ecosystem
My sincere hope, and the hope of everyone involved in FAIR, is that all major players in the ecosystem will see the immense benefits and choose to adopt and support FAIR.
This journey has been driven by a deep belief in the open web and in the potential of WordPress when its community truly comes together. FAIR is about providing a robust, resilient, and secure foundation for the millions of websites, businesses, and livelihoods that depend on WordPress. It’s about ensuring that the WordPress ecosystem can continue to thrive, free from single points of failure, and governed by the community it serves with true transparency.
I wholeheartedly believe FAIR is a vital step towards a more stable, secure, and genuinely open future for WordPress. The foundations are laid, the code is running, and the passion is stronger than ever.
There’s still plenty of work ahead, but the path is open. If you believe in this vision, if you believe WordPress deserves this, I invite you: join us. In the meantime, if you are part of Automattic, WP Engine, or a team at any large organization that could join us, please get in touch with me directly.
You can learn more and get involved at fair.pm and on GitHub.
If you would like to read more from other FAIR Team members on this:
- The Linux Foundation FAIR Package Manager Press Release
- Joost de Valk – Founding Partner in Emilia Capital, Founder of Yoast
- Ryan McCue – Co-Chair of the Technical Steering Committee of the FAIR Package Manager for WordPress, and creator of the WordPress REST API project.