During WordCamp Europe, Matt Mullenweg shared his concerns about the security risks and overall complexity involved in managing federated plugin repositories.

Just before the event, the Linux Foundation announced the launch of the FAIR Package Manager project—an open-source, decentralised repository for WordPress themes and plugins. This project aims to reduce centralised control by offering a more distributed approach to plugin and theme management.

This initiative has gained attention following Mullenweg’s recent actions, where he took over several paid premium plugins, created free versions, and restricted access to the original free versions. These events led many in the WordPress community to prioritise finding alternative, decentralised solutions.

The FAIR project was publicly introduced on Friday, 6th June—right in the middle of the three-day WordCamp Europe conference. Naturally, this timing sparked conversation and debate among attendees.

The Linux Foundation described the project as a significant step forward, stating:
“…The FAIR Package Manager project paves the way for the stability and growth of open source content management, giving contributors and businesses additional options governed by a neutral community…”

Unsurprisingly, Mullenweg was questioned about the FAIR project more than once during the event. While he answered graciously, he also exercised caution, as the announcement was still very fresh—less than 24 hours old at the time.


Initial Reaction To Project FAIR

The first question about the FAIR project came early during the Q&A session at WordCamp Europe. Matt Mullenweg was asked how he envisions such initiatives working alongside WordPress and what he considers an ideal outcome.

In his response, Mullenweg showed a degree of cautious optimism. He highlighted the open-source nature of WordPress, emphasising that this flexibility allows for projects like FAIR to coexist with the platform. However, he refrained from going into much detail, likely because of how recently the announcement had been made.

It was evident that Mullenweg felt slightly uneasy about the way the FAIR project was introduced. He mentioned that it had been developed “in secret,” and seemed a bit frustrated by the timing and manner of the announcement. While it’s unclear how private the development process actually was, the release by the Linux Foundation did come across as sudden—almost as if it caught the WordPress community off guard.

In his own words, Mullenweg said:
“…I think that’s part of the beauty—that something like this can be written with the APIs that WordPress has. I don’t know if I want to comment too much further on it just because I kind of just found out about it last night, there hasn’t been that much time. There’s a lot of code and… complexities.

You know, I do wish if the team did want to collaborate—or the team says we want to be transparent and everything—but it did sort of drop as a surprise. It was worked on in secret for six months. But we can work past that and look at it.”

His remarks reflected both a commitment to open-source collaboration and a desire for greater transparency from projects aiming to integrate closely with WordPress.


Do Users Want A Federated Repository?

Matt Mullenweg steered the discussion away from his personal opinion and instead questioned whether a decentralised system was something WordPress users actually wanted. He also highlighted the massive scale of managing such a system, especially for the plugin repository.

He elaborated by saying that user needs should be the priority—particularly the difficulties users face in finding trustworthy plugins, ensuring security, and receiving timely updates. He cited worrying statistics about website hacks often stemming from outdated plugins. These, he said, are top concerns for the official WordPress plugin directory. He then explained the scope of the current system, noting that WordPress now hosts over 72,000 plugins and themes, amounting to around 3.2 terabytes of data in zip files—excluding all version history. This volume presents a risk, especially if hundreds of mirror sites were to begin downloading the entire directory at once, potentially causing server overloads or even DDoS attacks.

Around twenty minutes later, another attendee raised a follow-up question. She introduced herself as a long-time contributor to the WordPress community, specifically within the communications and plugin review teams. Her focus, she said, had always been on serving both users and plugin developers.

She explained why she saw the FAIR project as beneficial. As a federated and independent repository supported by the Linux Foundation, it aims to provide a more secure, user-focused alternative for hosting trusted plugins and themes. The FAIR system could, in her view, improve discoverability, offer developers more choice in their supply chains, and even reduce the load on WordPress.org by distributing that traffic across mirror sites. She concluded by asking whether WordPress.org would be open to collaborating with FAIR.

Mullenweg responded cautiously, admitting he still didn’t know much about the project beyond the Linux Foundation’s public announcement. He said that although WordPress is open to considering new ideas, there are major challenges involved. For instance, he noted that any supply chain attack today would have to compromise WordPress.org—something that has never happened. This comment drew laughter from the audience, momentarily catching Mullenweg off guard.

He went on to describe the complications that could arise from a decentralised repository. Having multiple locations increases the risk of security breaches, inconsistent uptime, and general maintenance issues. It could also break many of the analytics tools and phased rollout features currently in use—tools that plugin developers rely on to test features gradually and gather data before a full launch.

According to Mullenweg, the strength of WordPress lies in its centralised infrastructure and the valuable feedback loop that WordPress.org provides. Users, he argued, aren’t asking for multiple download sources. Instead, they want reassurance about plugin trustworthiness, reliable reviews, compatibility, and moderation. These are the features that users expect—not decentralisation.

He stressed that it was still early days, with less than 24 hours since the announcement, and reiterated his desire to read the code, explore the project further, and allow colleagues to review it. Rushing to conclusions, he implied, would be premature.

Mullenweg did, however, commend the constructive approach being taken. He applauded the fact that developers were actively building and experimenting with code rather than merely debating online. He acknowledged that FAIR could end up being a niche solution adopted by a small number of users or hosts, but he also recognised the potential for something valuable to emerge from it.

Returning to the topic of complexity, Mullenweg raised another practical challenge: how would plugin admin banners be enforced in a decentralised FAIR system? This kind of oversight, he suggested, is vital to maintaining standards.

He then invited the attendee to share her ideas for solving these problems. She humbly admitted she wasn’t the smartest person in the room and suggested that the issue called for collaboration. She added with a smile that perhaps ChatGPT could help figure it out—a joke that lightened the mood and closed the exchange on a cheerful note, with applause from the audience.
