The recent travails of WordPress have caused consternation among the web community that relies on the platform, which powers more than four in ten websites online today. Now, a coalition of prominent WordPress contributors and the Linux Foundation is unveiling a federated update and plugin-distribution network aimed at eliminating what they describe as a critical “supply chain security” vulnerability at the core of the world’s most widely used website system.
The FAIR Package Manager project, to be announced at a conference in Switzerland later today, enables web-hosting companies and large organizations to run their own mirrors of WordPress’s core update, plugin, theme, and translation servers. This setup would replace reliance on WordPress.org—a domain controlled by Automattic CEO Matt Mullenweg.
Supporters say the new system will strengthen security, reduce costs, and open new commercial opportunities for software that millions depend on for web hosting.
The project emerged earlier this year in response to controversial moves by Mullenweg. In September, he cut off access to WP Engine—a popular WordPress hosting provider—accusing it of extracting hundreds of millions of dollars in value from the open-source platform without adequate contributions in return. He also alleged that the company breached WordPress trademarks, creating confusion. Amid the fallout, around 150 employees exited Automattic after Mullenweg offered buyouts to those who disagreed with his handling of the situation.
“In October, when Automattic took over the slug of WP Engine’s product within the ecosystem, we received phone calls from the chief legal counsels of some of our clients—these are large corporations—saying, ‘this is a supply chain security issue,’” says Karim Marucchi, CEO of enterprise agency Crowd Favorite and one of the project’s initiators.
Around the same time, Joost de Valk, founder of Yoast SEO, was attempting to communicate with Mullenweg. While de Valk shared the view that more equitable contributions to WordPress were needed, he disagreed with Mullenweg’s methods. “We stopped talking pretty much after that, because I didn’t agree with him,” de Valk says.
One central concern is that every WordPress site depends on WordPress.org for updates and extensions. “When we started looking at this, we realized there’s a lot of things in this whole ecosystem that we don’t control,” de Valk says. “One of the things that everybody’s eyes were opened on was that WordPress.org was, in fact, not part of the WordPress Foundation, but owned by Matt privately, and that he used it as his private website in many ways.”
WordPress executive director Mary Hubbard notes that users have always had control over how their sites are updated and where updates originate—flexibility that has existed since WordPress’s early days. “The beauty of WordPress and open source is that people have complete control to run it how they please and modify how it works,” she tells Fast Company.
The FAIR system offers an alternative that remains fully compatible with WordPress but operates independently from WordPress.org. “It’s still all WordPress,” says de Valk. “It’s just a different distribution.” Rather than forking WordPress, FAIR provides server components that anyone can run. Over 100 contributors from more than 10 organizations have been involved in building it over the past six months, according to Marucchi. The group has asked the Linux Foundation to provide neutral oversight.
Hubbard pointed out that some large hosts like Newfold/Bluehost have implemented custom mirrors in the past, and emphasized that WordPress’s update system has always allowed users to modify where their updates come from. “The important thing is that users know where their updates are coming from and have a choice to change it, regardless of their host,” she says.
“WordPress is a critical piece of infrastructure for communication and for organizations that rely on it for their website, for content management, for blogs and media,” says Mike Dolan, SVP of legal and strategic programs at the Linux Foundation. “And in order to sustain something like that, you need to have a reliable backend behind it.”
To avoid centralization, the Linux Foundation has created a technical steering committee cochaired by long-time WordPress leaders Carrie Dils, Mika Epstein, and Ryan McCue. McCue, the architect of the WordPress REST API, called FAIR “a platform to power the next decades of WordPress,” and noted that the community had “fractured” and needed to be brought back together.
Dolan echoed the sentiment. “I think the interesting part about this is the organic nature of this,” he says. “This is something that is coming out of the community. It’s people who have lifelong and career-long engagement in the WordPress community who are saying we need to go and build this, and they want to work on it together.”
Jory Burson, VP of standards at the Linux Foundation and a participant in the project, hopes it will lead to a “reintroduction and reenergization of the community.” She adds that morale is currently low. “I think this is going to be very exciting for people, and hopefully move some folks past this negativity and drama. We want to get people focused on the very positive future that we think WordPress still has.”
Although FAIR was created out of frustration with Automattic’s control over WordPress.org, its backers insist it’s not a competing fork. “When we get up on stage on Friday, literally the words that are going to come out of our mouth are: ‘We’re offering this code to Automattic, WP Engine, GoDaddy, Newfold—everyone,’” says Marucchi.
If widely adopted, the network could allow developers to ship both free and premium versions of plugins in a single signed package—something currently prohibited by the official WordPress repository. “That opens up innovation,” de Valk says, “making it easier to build businesses around plugins and to provide good user experiences.”
Still, Hubbard emphasizes that fragmentation of WordPress’s core infrastructure could create more problems than it solves—disrupting update processes, inflating server loads, and breaking plugin telemetry used for ensuring compatibility. “If this work leads to improvements like signed updates or better fallback systems, we’re open to that,” she says. “But it has to be done with the same long-term care that got us here.”
The FAIR repository is already live on GitHub and accepting contributions. Whether Automattic will participate remains uncertain; regardless, the project team plans to move forward. “You’re dealing with a community that has had some trust challenges in the past, and they’re looking for stability,” says Dolan. “They’re looking for neutrality. They have business that they want to get done.”
The extended deadline for Fast Company’s Brands That Matter Awards is this Friday, June 6, at 11:59 p.m. PT. Apply today.
