Prefer to listen? Get the audio here (Spotify).
FAIR package manager could be the biggest shift in WordPress since I jumped in circa 2007.
If you’ve followed the legal tug-of-war between the major WordPress players (I summed up the highlights here), you know change is brewing.
So far the fallout has mostly been grumbling – some loud, some under-the-radar. I’ve kept an eye on a few camps, waiting to see if anything solid might rise above the noise.
Turns out several groups are pushing for fresh WordPress governance. (That probably won’t impact your day-to-day just yet.)
This new announcement, though, could.
Unveiled alongside WCEU, it’s called the FAIR package manager.
FAIR was built for the WordPress ecosystem to manage plugins and themes—without leaning on a single, central hub. That “hub” is, of course, WordPress.org. Right now, every vetted plugin, theme, and update flows through that one pipe.
FAIR package manager was built to manage plugins and themes, removing reliance on centralized systems.
A package manager is complicated to understand – and to make it de-centralized is even more complicated. Over the last few weeks I’ve asked people much smarter than I, to get a thorough explanation of how this will effect you.
What follows are the bits that I would want to know if I was you; minus the fluff and PR spin.
What FAIR IS NOT
In your circles you are likely to hear security warnings regarding FAIR from mainstream, From the rebels, it is a dream – however as always, the truth is somewhere in the middle. And to confuse matters, some are adding in their political views about the governance of WordPress.
When discussing FAIR, I will remove any governance opinions – that is a separate issue. We will stick to the options that FAIR is trying to provide – whether they are safe – and if we should use those options. Before I can tell you – as simply as I can – what FAIR is – let’s go through a few things it is not.
FAIR package manager is not an alternative to WordPress. And I’ve heard on social media that it is. Let me be clear: it is not an alternative to WordPress. You must have WP in order to use the FAIR package manager. They cannot exist without each other!
FAIR does not change the governance of the open source project that is WordPress.
FAIR is not part of Automattic (the company that commercially owns WordPress.com).
FAIR is not just a plugin. Yes – you install part of it like a plugin. But it is a LOT more – and you need to know that before you dive in.
What is FAIR Package Manager
There are several parts, technically to the FAIR package manager. I am going to talk about the two concepts behind it: the distributed part, and the requirements. The whole description/fancy technical answer is: *Deep Breath* a distributed protocol for package management, guaranteeing security, data portability, and control, while providing a seamless user experience for finding, installing, and updating packages.
Let’s break that down a bit.
Distributed Protocol for Updating Packages
FAIR… a distributed protocol for package management, guaranteeing security, data portability, and control, while providing a seamless user experience for finding, installing, and updating packages.
First – some definitions:
Package (Management)… Packages are plugins and themes.
Finding, installing, and updating packages: currently when you install WordPress you get a “Plugins” tab and an “Themes” tab (under Appearance). These tabs are automatically connected to WordPress.org. Plugins and themes are available for your website to search, install, and update.
Repository: a bucket for a bunch of things, in this case, it is a bucket of plugins
Distributed (protocol): Because there is generally only one centralized repository of themes and plugins, we consider this ‘centralized’. The fear is, what if something happened to WordPress.org, would we be able to get upgrades to our software? Would the plugins just become out of date and insecure?
Unfortunately this happened in 2024 to WP Engine during their legal battle. Automattic / Matt Mullenweg, deactivated their (and their clients’) access to WordPress.org.
Losing access to the centralized repository is a big deal, obviously. So FAIR protocol aims to provide an option to the centralized repository. They aim to create a distributed protocol.
Protocol: a method of doing things. And the reason this is so complicated!
Security, Ownership & Control
Guaranteeing security: obviously we can’t go to our little brother’s bucket of code and download into our enterprise site. Someone has to be sure the code is SAFE. Who does that and how? That is the question that the FAIR team is addressing.
Export-able: the people who make the plugins need to be able to export them. What’s the point of having lots of repositories if you are forced into only one?
One’s own Control: the users want to choose what repository they use: WordPress.org or another…
What is FAIR in Layman’s Terms?
It is a method to connect to a repository of my choosing to find, install and update plugins and themes. The method itself provides security, extends ownership, choice and responsibility to the repository owners, plugin authors and users of WordPress.
Now – there are lots of questions still left unanswered – like how will analytics be calculated? How will it be kept secure? Will users be able to find plugins with so many individual repositories?
There is more to come… if my brain can put it all together!
New! Welcome-Email AI Agent
Looking at email marketing? Don’t forget a welcome series – folks are 4x more likely to open the first email than any other email that you send! Enter your email and we’ll send you to our custom AI Agent that will help you craft five highly converting emails in a welcome series! Then see this post for the tutorial.
Cathy Mitchell
Single Mom, Volunteer, Lifelong Learner, Jesus Follower, Founder and CEO at WPBarista.