The Community Responds to FAIR: Hope, Skepticism, and Support for Decentralizing WordPress


From blog posts to Slack debates, the WordPress community is grappling with FAIR’s bold proposal to decentralize theme and plugin distribution and governance.

Within hours of FAIR’s launch at Alt Ctrl Org in Basel, reactions from across the WordPress community began rolling in — via blog posts, Slack threads, comment sections, and even on stage at WordCamp Europe.

The Linux Foundation-backed project aims to decentralize WordPress plugin and theme distribution through a federated system of trusted repositories. Supporters say it’s a long-overdue step toward better governance and supply chain security. Critics worry it could fragment trust, complicate moderation, and weaken the ecosystem’s cohesion.

FAIR’s backers insist the project isn’t a fork, but a parallel infrastructure layer designed to complement WordPress, not compete with it. But in a community already frayed by disputes over leadership and accountability, FAIR has quickly become more than a technical proposal — it’s become a litmus test for how much change the WordPress ecosystem is willing to embrace.

FAIR’s origins: From slug seizure to supply chain security

FAIR — short for Federated and Independent Repositories — emerged from private conversations that escalated following the takeover of Advanced Custom Fields in October 2024, and later Matt Mullenweg’s decision to shut down WordPress.org during the Christmas holidays. Those actions, and the contributor bans that followed, pushed longstanding frustrations about centralization into public view.

Following FAIR’s launch last Friday, five people closely involved with the project — Joost de Valk, Karim Marucchi, Ryan McCue, Siobhan McKeown, and Samuel Sidler — published blog posts over the weekend explaining their involvement with FAIR and why they believe it’s essential to WordPress’s future.

“I remember the phone calls vividly,” wrote Marucchi in his post Introducing FAIR: A Stronger, More Resilient WordPress Ecosystem. “Multiple chief legal counsel, from various large enterprises on the line, asking me point-blank: ‘Karim, why should we trust WordPress if one person can unilaterally make changes that jeopardize our supply chain, with no apparent checks and balances?’”

Marucchi and de Valk proposed FAIR in December 2024 as part of a broader call for governance reform in the WordPress project. Since then, as many as 300 people, including many veteran core committers and contributors, have built FAIR.

“The FAIR Package Manager is built to complement and work alongside the WordPress central project, ensuring that users, contributors, hosts, and business owners have a choice, and have a secure and decentralised option with a sustainable and reliable form of governance,” says Siobhan McKeown, who wrote about her involvement in A way forward with FAIR.


McKeown, one of the signatories of last year’s open letter to Mullenweg calling for governance reform, describes FAIR as a space to rebuild trust: “We have the beginnings of a new space where open source contributors can scratch their itch, where dissent and challenge are welcomed and celebrated.”

Mullenweg responds at WCEU: “A lot of challenges to it”

During the closing Q&A at WordCamp Europe, longtime Documentation Team co-rep Milana Cap asked Mullenweg whether he would consider collaborating with the FAIR project.

Mullenweg’s response was cautious. “Of course we consider everything,” he said, “but even in what you said, I think there’s a lot of challenges to it.”

He raised concerns about security and reliability across distributed mirrors, and questioned how FAIR’s design might impact phased rollouts, plugin telemetry, and moderation enforcement. “Right now a supply chain attack needs to breach WordPress.org, which has never been hacked,” he said. “Now all of a sudden there’s N places that could potentially be compromised.”

Still, he acknowledged the effort: “I do think it’s awesome that people are shipping code versus just arguing or talking or writing blog posts.”

Executive Director Mary Hubbard echoed a similar view in comments published by Fast Company, emphasizing that WordPress has always allowed site owners to configure where their updates come from. “If this work leads to improvements like signed updates or better fallback systems, we’re open to that,” she said. “But it has to be done with the same long-term care that got us here.”

Centralization or stability?

On LinkedIn, Jesse Friedman, Head of WP Cloud at Automattic, framed FAIR as a potential risk to user safety. “We have all said to beginners: make sure you download your plugins at WordPress.org; it’s the safest, most secure place to extend WordPress,” he posted. “I am seriously concerned with how diluting that source of truth will lead to confusion and malicious actors.”


The comments section offered a snapshot of the divide.

“Linux is served from mirrors. So is PHP, MySQL, NGINX, Apache, Python, Node, Docker images, Helm charts, Composer packages, pip, npm, and nearly every tool in the modern open source stack,” wrote consultant Robin Scott. “WordPress was never the App Store. Open source works because it’s decentralized — not in spite of it.”

“With all due respect man I have found compromised plugins in the org repository,” posted SEO consultant Joe Hall. “Generally speaking security is top of mind to the plugin team, but I have counted at least three or four issues of injecting links… This is a trusted source of open source professionals that have been managing distributions at the same scale as WordPress for a long time.”

“It’s unreasonable to expect 42% of the internet to update their software solely from the personal website of some guy from Texas,” added developer Brent Toderash, who is involved with both FAIR and AspirePress. “In the world of risk management, this is completely unacceptable.”

“This is not an action that is without a cause. It is a step that the community has chosen to take to safeguard against similar actions in the future,” posted Zash Stepek, Director of Agency Operations at BigScoots. “When one person wields a button that can shut off updates to an entire host’s customer base because they disagree with how they conduct their business, that doesn’t just hurt the host, it hurts the customers and erodes trust in a platform that powers a significant portion of the web.”

Others struck a more measured tone. At WordCamp Europe 2025, Katie Keith, CEO of Barn2 Plugins, was optimistic. “A lot of good people, very important and loyal to the WordPress community, have got together and built this thing,” she said in an interview. “They’ve got some great backing from organisations like Linux, which is really impressive… For me, the key thing is, will it get mass adoption? And with the backing it’s got, I hope it does, because I think that’s essential to help it reach its potential.”

Matt Medeiros from The WP Minute welcomed FAIR as a smart move toward decentralization, calling it an “insurance policy” for WordPress sites if something happens to WordPress.org. But he raised concerns about adoption and messaging, particularly for agencies and power users, in Why I’m Not Jazzed About FAIR.

“There’s a marketing, a branding, and a messaging challenge,” he said. “What does this really mean for us power users and agency owners?”

He described the rollout as coordinated but club-like, and cautioned that the FAIR team must meet the same expectations the community has placed on WordPress leadership. “Anyone working on an initiative like FAIR must be open to the same criticisms we’ve given Mullenweg and Automattic,” he said.

“We needed to start building the future ourselves”

Ryan McCue, one of FAIR’s technical steering committee co-chairs and a longtime WordPress core committer, said the project delivers on the structural reforms called for in last year’s open letter, which he also signed. “Until we fix this problem, WordPress remains vulnerable,” he wrote in Building a Stronger Ecosystem. “Accordingly, we’re taking action.”

FAIR’s governance model, he wrote, was designed to prevent the kinds of unilateral decisions that have rattled contributors in recent months. FAIR’s charter limits company representation, separates funding from technical decision-making, and gives contributors a clear path to influence policies. “It’s the first step to truly uniting the community to build the next 20 years of WordPress.”


For those with concerns about FAIR’s approach to security, Patchstack CEO Oliver Sild gives the best assurance yet, describing FAIR as a path toward compliance with the EU’s Cyber Resilience Act. “FAIR is most likely the only way the WordPress ecosystem can become compliant with CRA in time. We don’t have a lot of time,” he posted in Post Status Slack.

Former Audrey Capital and Automattic staffer Samuel Sidler, who wrote about his involvement with FAIR in Why I joined FAIR, put it more bluntly: “WordPress has a problem — an existential threat. And, if we don’t act, WordPress as we know it… won’t survive.”

Open discussion and an open invitation

In the days since the launch, FAIR contributors have been actively answering questions on social media, in Post Status Slack, and in GitHub threads.

“We wanted to launch without having all the answers, so we can collaborate on them as a community,” McCue wrote in response to Some initial questions about FAIR by longtime core committer Aaron Jorbin.

That open posture, paired with technical ambition and Linux Foundation backing, has helped FAIR avoid some of the polarization that has plagued past reform efforts. Still, it’s clear that not everyone agrees on the risks, or the path forward. Whether FAIR gains broad adoption or remains a niche initiative, it has already changed the conversation from what WordPress is, to what it could become.

“This is not a protest,” de Valk reiterated in his post, A new path forward for WordPress, and for the open web. “It is a contribution.”

Image credit: Kostas Fryganiotis.


Comments

One response to “The Community Responds to FAIR: Hope, Skepticism, and Support for Decentralizing WordPress”

  1. If you’re interested in a more hands-on take – how using FAIR actually works on a WordPress site – then I recorded a quick video to show that.

    I didn’t get much into my opinion on “if” we should embrace it or not. Just a hands-on demo.

    You can check it out here https://www.youtube.com/watch?v=ezZPTDk5LNY

    (Sorry if links are not allowed here.)
