WP Umbrella Logo

The FAIR Package Manager: Can WordPress Decentralize Itself?

Medha Bhatt

In September 2024, something unprecedented happened in the WordPress world: access to critical website updates was suddenly blocked for thousands of sites hosted on WP Engine.

Regardless of the debate that unfolded, one fact stood out: a substantial section of WordPress users were forced to update plugins and themes manually or seek other solutions. The incident exposed a deeper problem WordPress had been quietly living with for years: centralization. 

With plugin and theme updates controlled through a single distribution point, any disruption to that system immediately puts millions of websites at risk. If WordPress ever experiences downtime or a coordinated attack, countless sites could be left without access to critical updates.

It also raised an uncomfortable question: what happens when one person controls the infrastructure that millions of businesses depend on? The answer came a day before WordCamp Europe 2025, with the launch of the FAIR Package Manager project, a project that could fundamentally change how WordPress works.

What Is The FAIR Package Manager?

The FAIR Package Manager by the Linux foundation
Source: Linux Foundation

When the WordPress community faced those September disruptions, it became clear that relying on a single source for everything created a dangerous vulnerability. FAIR, which stands for “Federated and Independent Repository,” is the community’s answer to that problem.

Think of it this way: if WordPress is like having one massive grocery store for an entire city, FAIR creates a network of interconnected stores. If one goes down, you can still get what you need from the others. The shelves might look the same, and you’ll find the same products, but now you have options.

What makes FAIR particularly interesting is what it doesn’t change. This isn’t a fork of WordPress or an attempt to create WordPress 2.0. The core software remains identical. FAIR just provides alternative pathways for the ecosystem of plugins and themes that make WordPress sites functional.

The technical implementation of FAIR mirrors what Linux users have relied on for years: package management across multiple repositories. Web hosts can run their mirrors, developers can distribute through multiple channels, and users get redundancy without complexity.

The project was launched under the Linux Foundation, an organization that oversees nearly 900 open-source projects and has been managing distributed software ecosystems for decades. It’s governed by a three-person technical committee comprising longtime WordPress contributors and was developed over six months by up to 300 contributors, including veteran WordPress developers and familiar names in the space like former Yoast’s team Taco Verdo and Joost de Valk, who publicly criticized Matt Mullenweg and the governance of WordPress  since the WP Engine incident.

The FAIR Package Manager project paves the way for the stability and growth of open source content management, giving contributors and businesses additional options governed by a neutral community, said Jim Zemlin, Executive Director of the Linux Foundation.

How It Works: Getting FAIR On Your Site

For all the technical complexity behind FAIR’s federated infrastructure, the actual implementation for WordPress users is surprisingly straightforward.

Where to download the FAIR package manager plugin

At the time of writing this article, FAIR is a plugin that can be installed on any WordPress site. It allows users and hosting companies to connect to decentralized repositories for core, theme, and plugin updates, translations, news feeds, and other hard-coded services that typically rely on WordPress.

Once you’ve installed the plugin, your website can pull updates from multiple trusted sources rather than just WordPress. Your dashboard looks the same, and your plugins work the same, but the infrastructure supporting them is now distributed across a network rather than dependent on a single point of control.

Another way to switch to FAIR is as a complete WordPress installation with the FAIR plugin pre-installed. This option is mainly for hosting companies who offer new customers the option to install WordPress. Most users with existing WordPress sites can download and install the plugin like any other.

The Adoption Challenge: Why Great Technology Isn’t Enough

The question now isn’t whether FAIR can work technically; the Linux Foundation’s track record suggests it can. The question is whether the WordPress community will adopt it widely enough to create the resilience it promises.

FAIR faces several significant hurdles that could prevent it from achieving its goals:

1. The Network Effect Problem

FAIR faces the classic chicken-and-egg dilemma that has killed many promising technologies. It only becomes truly valuable when it reaches critical mass. 

A few thousand individual WordPress sites installing the plugin won’t create the resilience the project promises. What’s needed is widespread adoption by the entities that control WordPress distribution at scale.

That’s because an everyday user doesn’t typically wake up wanting more complexity in their update process; they want reliability and simplicity. For example, a small business owner using WordPress to run their website doesn’t care about federated repositories; they only care that their site works reliably.

This creates a paradox: the people who would benefit most from FAIR’s resilience are often the least equipped to understand why they need it or how to implement it. Unless larger players, such as hosting providers and agencies, adopt FAIR at scale, its promise of resilience may remain largely theoretical.

2. The Infrastructure Reality

Managing distributed repositories at WordPress’s scale presents genuine technical challenges. WordPress currently serves about 72,000 plugins and themes, totaling around 3.2 terabytes of data, excluding version history and other metadata.

If hundreds of mirrors begin synchronizing this data simultaneously, it could create a significant load on the very infrastructure FAIR is trying to protect. This highlights a fundamental tension: FAIR needs to mirror WordPress’ data to provide redundancy, but doing so at scale requires careful coordination to avoid overwhelming existing systems.

3. The Features vs. Fragmentation Trade-off

Centralized distribution has enabled sophisticated features that could become complicated in a federated system. Phased rollouts, where updates are deployed to small percentages of users before wider release, become much harder to coordinate across multiple repositories.

Similarly, the analytics and usage data that inform development decisions, like which PHP versions to support or which features are most used, could become fragmented or less reliable when spread across multiple distribution points.

4. The Distribution Moat

The biggest challenge FAIR faces isn’t technical—it’s the same distribution advantage that made WordPress dominant in the first place. WordPress succeeds because it’s installed by default on millions of hosting accounts. Users don’t choose WordPress as much as they inherit it.

FAIR needs hosting companies to either install it by default or actively promote it to customers. However, hosting companies have their own considerations, including increased complexity, potential support burden, and whether their customers will understand or value the benefits.

5. The Timing 

FAIR launches into a WordPress ecosystem already dealing with AI disruption, increased competition from site builders like Webflow and Framer, and ongoing questions about WordPress’s future relevance. The community’s attention and energy are finite resources.

Without hosting company buy-in, FAIR risks becoming what so many WordPress alternatives have become: a solution beloved by developers and ignored by the masses who actually power WordPress’s dominance.

Matt’s Reaction to FAIR

Within hours of FAIR’s announcement, Matt Mullenweg found himself fielding questions about it during his WordCamp Europe 2025 fireside chat. His response was predictably cautious but thoughtful.

While he acknowledged that shipping actual code beats endless debates, he raised legitimate concerns that anyone considering FAIR should think about. 

His main concerns centered on security risks from multiple potential breach points, operational complexity around coordinating updates across distributed systems, and questions about trust and quality control in a federated environment. 

Despite these reservations, he acknowledged the positive aspects: “I think it’s awesome that people are shipping code versus just arguing or talking or writing blog posts.” 

He didn’t dismiss FAIR outright, instead suggesting he’d need to review the actual code before making any commitments.

Who Benefits? FAIR’s Impact Across the WordPress Ecosystem

The adoption challenges of FAIR are real, but so are the benefits. They’re, however, distributed unevenly across the WordPress community.

Developers and enterprises gain immediate, tangible advantages. Hosting companies face both opportunities and new responsibilities. End users receive protection against scenarios they may never encounter.

This uneven distribution could be FAIR’s biggest adoption challenge: those with the most to gain (developers, enterprises) represent a small fraction of WordPress users, while those who need to implement it at scale (hosting companies) see mixed value propositions. Let’s look at this in more detail:

1. For Everyday WordPress Users

If you run a small business website or personal blog, FAIR’s benefits are largely invisible but potentially crucial. For regular users, the decision to adopt FAIR will be more ideological than pragmatic. The plugin won’t dramatically change how they use WordPress day-to-day.

The WordPress dashboard will look identical: plugins still update automatically, and themes are installed the same way. The difference is resilience: if WordPress experiences downtime or access issues, the site continues receiving updates from alternative sources. It’s like having website backup providers—no one will notice until they’re needed.

The trade-off is minimal but real: users will add another plugin to manage and introduce a small amount of additional complexity to their site’s infrastructure. For most of them, this represents insurance against problems they may never encounter.

2. For Hosting Companies

FAIR potentially changes the hosting business model in subtle but significant ways. Hosts can configure their own repository mirrors and toggle settings to gain unprecedented control over their customers’ WordPress experiences.

This creates several opportunities:

  • Improved Performance: Local mirrors mean faster plugin and theme updates for customers
  • Enhanced Security: Hosts can filter packages, block known vulnerabilities, or maintain curated repositories
  • Reduced Dependency: No longer reliant on WordPress’ uptime for basic customer services
  • Compliance Benefits: FAIR advances WordPress’s alignment towards GDPR to improve privacy and security by dramatically reducing automatic browser data transmission 

However, hosting companies also face new responsibilities. Running repository mirrors requires additional infrastructure, maintenance, and technical expertise. They’ll need to decide which packages to mirror, how to handle updates, and how to communicate these changes to customers who may not understand the technical details.

3. For Developers

FAIR offers developers the most immediate and tangible benefits. FAIR will allow developers to bundle both free and premium versions of their plugins into a single, cryptographically signed package. This could streamline user experience and create new business models.

Currently, developers offering both free and premium versions must navigate WordPress’ restrictions while maintaining separate distribution channels for paid features. FAIR eliminates this friction.

It allows premium plugins to appear directly in the WordPress dashboard, surfaces details when plugins have been closed or removed, and gives hosts and enterprises tools to filter packages by PHP compatibility or block known vulnerabilities. This creates new possibilities:

  • Unified Distribution: One package for free and premium features
  • Better Discovery: Premium plugins visible in standard WordPress interfaces
  • Enhanced Security: Cryptographic signing builds trust with enterprise customers
  • Multiple Channels: Distribute through various repositories rather than depending on WordPress approval

4. For Enterprises

Large organizations represent FAIR’s most compelling use case. For enterprises, FAIR addresses critical business concerns, including supply chain security, regulatory compliance, and risk management.

Organizations can run FAIR behind their firewalls, maintaining full control over accessible plugins and themes. They can now:

  • Curate approved plugin repositories for their organizations
  • Ensure compliance with internal security policies
  • Reduce dependency on external services for critical infrastructure
  • Implement more granular control over WordPress installations across the organization

5. For WordPress Agencies

WordPress agencies managing dozens or hundreds of client sites occupy a unique position. They have the technical knowledge to implement FAIR but need to balance its benefits against the additional complexity of managing another system.

For agencies, FAIR offers insurance against client site disruptions while potentially providing new service opportunities around security and compliance consulting. However, it also means explaining yet another technical concept to clients who may struggle to understand why they need protection against problems they’ve never experienced.

The Road Ahead

FAIR represents something we haven’t seen in WordPress before: a serious, well-funded alternative to the centralized infrastructure that’s defined WordPress for over two decades. 

Whether it succeeds depends less on the technology (which is solid) and more on whether enough of the WordPress community decides the insurance is worth the complexity.

For agencies and developers, the calculus is straightforward: install the plugin, see how it works, and decide if the benefits match your needs. For the broader WordPress ecosystem, FAIR poses deeper questions about governance, independence, and what kind of platform WordPress wants to be as it enters its third decade.

Last September’s disruptions that sparked this project lasted only a few weeks. But the conversations they started—about control, resilience, and the future of open-source infrastructure—are just beginning.