FAIR Package Manager Aims to Bolster WordPress Security

⁢ ‍​ Updated June 07, 2025
​ ⁣

A new initiative, teh FAIR Package Manager,‍ seeks to ⁢address security vulnerabilities​ within ​WordPress, the ‍popular ⁢content⁤ management system powering over ⁣40% of websites. Backed by ‍prominent WordPress contributors⁢ and the Linux Foundation, the project aims to create a federated network for distributing WordPress updates and plugins.

The FAIR Package manager allows hosting companies and large organizations⁤ to operate their own mirrors of WordPress core updates, plugins, themes, and translation ​servers. This would reduce reliance on WordPress.org, which is controlled by Automattic CEO Matt Mullenweg.‌ Supporters argue this system will enhance security,lower costs,and unlock‍ new commercial opportunities within the wordpress ecosystem,improving ⁢WordPress security.

the project emerged following controversial actions by Mullenweg,‌ including restricting WP Engine’s access to WordPress.org.​ Karim ⁢Marucchi,⁣ CEO of Crowd⁤ Favorite, noted that large corporations raised supply chain security concerns after Automattic took ⁢over WP ⁤Engine’s product slug. Joost de‌ Valk, founder of Yoast SEO, also expressed disagreement with Mullenweg’s⁤ approach to ⁤contributions.

A key ⁢concern is the dependence of every WordPress site⁣ on‌ WordPress.org ⁢for updates and extensions.De Valk emphasized the lack of control over the WordPress ecosystem, highlighting​ that WordPress.org is privately owned by Mullenweg, not‌ the WordPress Foundation.

Mary Hubbard, WordPress executive director, stated that⁤ users ⁤have always had control over update sources. The ⁣FAIR system offers a compatible option, ​independent⁣ of WordPress.org. According to‍ Marucchi,⁢ over 100 ⁤contributors from more than 10⁤ organizations have contributed to FAIR over ​the past six‌ months. The Linux Foundation is providing neutral oversight.

Mike Dolan, SVP at the Linux Foundation, emphasized ⁣wordpress’s critical role in communication and content ⁤management.He stated that a reliable⁣ backend is necessary to sustain it.‌ The Linux Foundation has established a technical steering committee, co-chaired by carrie Dils, Mika⁢ Epstein, and Ryan McCue, to avoid ​centralization. McCue called FAIR⁣ “a platform to ⁢power the next decades of WordPress.”

Jory Burson, VP of standards at the Linux Foundation, hopes the project will revitalize the WordPress community. ‌the FAIR Package Manager is not intended ‌as a competing fork but rather ⁢as ⁢a contribution to the entire WordPress ecosystem.

De ‌Valk said the network ‍could allow developers‌ to⁢ ship both free and premium ​versions of plugins in a single signed‌ package, which is currently prohibited. ⁤This could foster innovation ‍and improve user experiences.

Hubbard cautioned‍ that‍ fragmenting WordPress’s core infrastructure could disrupt updates,increase server loads,and break plugin⁢ telemetry. She said that improvements like signed updates or better fallback systems are ​welcome, but they must be‌ implemented with long-term⁢ care.

The FAIR repository is live⁣ on GitHub and ​accepting contributions. ⁣The project team plans to move‍ forward ‍nonetheless of Automattic’s participation, aiming ⁤to provide stability and neutrality‍ to the WordPress community.

What’s next

The FAIR Package Manager project will⁤ continue development, seeking ⁣wider adoption‍ and contributions from the wordpress community. ⁣The Linux Foundation will provide ongoing oversight, ensuring neutrality and stability as the project ⁣evolves.