Introducing FAIR 1.1, our newest release as part of our regular 6-week release train. We’ve got some great new features, as well as refinements of existing ones.
One of the big features we’ve included in 1.1 is WP-CLI support for plugins, making it possible to manage plugins directly from the command line using their DID. We’ve heard from a lot of people that they’d love to be able to manage FAIR-distributed plugins using the CLI – and now you can!
We’ve also improved consistency and accuracy with a few parts of our user interface, helping to clarify the experience for everyone.
All of this, plus loads of other fixes below – as always, thanks to our amazing contributors.
Our plan is to release regularly on a roughly 6 week cadence to make sure we’re always getting the latest and greatest out to you.
We’ve also been cooking in the background on other components in the FAIR ecosystem, including significant work on AspireCloud and AspireExplorer – plus, we’ve just wrapped up our hackathon with Patchstack, building the groundwork for our labeler system (more on that soon!).
FAIR Plugin now includes WP-CLI support for plugins, making it possible to manage plugins directly from the command line using their DID. (#277)
Better User Experience
More Accurate Update Dates: Plugin cards now display a more accurate “Last Updated” date, helping users better assess plugin maintenance status. (#262)
Consistent Modal Tabs: Tabs in the “View Details” and “More Details” modals now display in a consistent, predictable order. (#310)
Improved Compatibility
Improved Avatar Handling: Only Gravatar URLs are replaced, ensuring other avatar services are not impacted. (#302)
Updated Browser List: The browser compatibility feature now includes an updated browser list to provide more accurate compatibility warnings. (#312)
Improved FAIR Identifiers
FAIR Plugin Directory Integration: The “Add Plugins” screen now features a “FAIR Plugin Directory” link that takes users directly to https://fair.pm/packages/plugins, replacing the previous WordPress.org Plugin Directory link. (#305)
FAIR Plugin Assets: FAIR Plugin now has its own placeholder banner and icon. (#306)
Upgrade Notes
This is a feature release that maintains backward compatibility with version 1.0. All users are encouraged to upgrade to take advantage of these improvements.
Try FAIR 1.1 today
Ready to explore FAIR?
Install the FAIR Pluginrelease ZIP to search for verified plugins from both official and independent sources.
Based on Ryan McCue’s presentation at LoopConf 2025
Introduction
The WordPress ecosystem stands at a critical juncture. With over 40% of the web running on WordPress, the platform has grown far beyond its humble beginnings. Yet at its core, WordPress still depends on infrastructure controlled by a single entity—and recent events have made it clear that this dependency represents a significant risk to the entire ecosystem.
Enter the FAIR Project: Federated And Independent Repositories. Announced during WordCamp Europe 2025 at AltCtrlOrg in June, FAIR represents a comprehensive effort to reimagine how WordPress—and indeed any CMS—handles software distribution, updates, and ecosystem management. At LoopConf 2025, Ryan McCue, VP of Product at Human Made and co-chair of FAIR’s technical steering committee, delivered an in-depth presentation explaining not just what FAIR is, but why it matters and how it works.
Who is one of the leaders of FAIR.pm?
Before diving into FAIR, it’s worth understanding who’s leading this initiative. Ryan McCue brings over 21 years of experience to the WordPress community—more than two-thirds of his life. His contributions to WordPress are substantial:
This isn’t someone with a passing interest in WordPress. This is someone whose professional identity has been intertwined with WordPress’s success for decades. That context matters when understanding the motivation behind FAIR.
Why FAIR Exists: The Dependency Problem
WordPress’s architecture includes numerous touchpoints with wordpress.org. Most users know about the obvious ones:
As McCue emphasized in his presentation, “WordPress runs 40 something percent of the web. We are at a point where we need to be taking ourselves seriously and we need to have alternatives to depending on a single person and on any single entity.”
The Hidden Privacy Issues
One of the most striking revelations from FAIR’s technical audit concerns user privacy. Take the browser version checking feature, for example.
The Browse Happy project has been checking browser versions since before browsers had automatic updates—a genuinely useful service at the time. However, the version checks in WordPress today still reference browser versions from 2016-2017. Internet Explorer 8-11, Chrome 23, and Firefox 18—all discontinued nearly a decade ago.
The version checks serve no practical purpose anymore. Yet every time you load your WordPress dashboard, your browser user agent gets sent to wordpress.org. The only purpose this serves is analytics collection by wordpress.org.
As McCue pointed out, “Many people probably don’t know that this data gets collected. I certainly did not realize when I loaded up my WordPress dashboard, my browser user agent was getting sent off to wordpress.org.”
The privacy policy implications are murky at best. The data retention period is unknown. Whether this complies with GDPR is unclear. And there’s no guarantee that the public source code actually matches what runs on the server.
The Ping-O-Matic Revelation
The privacy concerns extend beyond browser checking. WordPress’s ping system, which notifies external services when you publish content, presents another issue.
Ping-O-Matic appears to be a WordPress Foundation project. It claims to notify search engines about your new content, pinging services like:
Here’s the problem: Most of these services are defunct.
FAIR’s team spoke directly with Google, who confirmed that Feed Burner data is never used anywhere. It’s a discontinued product whose APIs don’t work properly. Spinn3r’s website no longer functions. Superfeedr was acquired and essentially shut down.
“Every time you publish a piece of content on your site, it sends a ping off to wordpress.com and to Automattic that says, Hey, I’ve published a piece of content,” McCue explained. “This is extremely valuable data, right? They now have a map of every WordPress site and all the content that’s getting posted everywhere.”
FAIR’s Solution: Technical Independence
The FAIR Project’s Technical Independence initiative aims to replace every wordpress.org dependency with better alternatives. Rather than simply creating one-to-one replacements, FAIR is focused on improving the functionality while preserving privacy.
Better Browser Checking
Instead of sending your browser user agent to a third party, FAIR uses Browserslist—an industry-standard tool used by Webpack, Babel, and other development frameworks. Browserslist uses real-world data from Can I Use and browser vendors themselves.
The key difference: checks run entirely on your site. No data gets sent anywhere. The checks actually work (using current browser versions), and your privacy is preserved. As McCue noted, “We can not just protest something or say we’re gonna build a one-to-one alternative, but we can actually make things better for users.”
Modern Search Engine Integration
For pings, FAIR replaces the defunct services with IndexNow—an open standard created by search engines including Microsoft Bing. When you ping one IndexNow endpoint, it distributes to all participating search engines. It’s decentralized, actually used by search engines, and genuinely useful.
Privacy-Preserving Solutions
The pattern repeats across FAIR’s technical independence work:
PHP version checks: Talk directly to php.net‘s API instead of wordpress.org
Emoji: Use common CDNs that users likely have cached
News and events: Run FAIR’s own APIs (necessary since no one else has this data)
Browser checks: Run entirely on-site with no external calls
Everything is designed around minimal data collection, preservation of privacy, and use of industry standards wherever possible.
Rethinking Package Management
The plugin and theme ecosystem represents FAIR’s most ambitious undertaking. The current mental model—that plugins and themes come from wordpress.org—is incomplete. Developers regularly install plugins from:
Each of these sources often includes its own update mechanism. A site with 20 plugins might have 20 different update processes running, each talking to different external services in different ways.
This creates several problems:
Discovery and Installation
Third-party packages can’t be installed through the WordPress admin interface. Users must find them elsewhere (Google, GitHub, recommendation sites), download them, and manually upload them. This is a poor user experience compared to searching within WordPress and installing directly.
Developer Inefficiency
Every developer building a premium or private plugin must solve the same problem: how to handle updates. Solutions range from custom-built systems to libraries like EDD Software Licensing or Git Updater. It’s inefficient to reinvent this wheel constantly.
Security and Safety
Plugins hosted on wordpress.org undergo some review and moderation. It was only in late 2025 that automated scans were introduced and reviews were expanded beyond initial submission. For plugins not hosted on wordpress.org there is no human review, no automated scanning, and no vulnerability checking other than what the developer does themselves. Users currently install third-party plugins with essentially no safety guarantees.
Even wordpress.org mirrors (increasingly common since September 2024) could theoretically modify packages without detection.
Policy Restrictions
WordPress.org’s policies prohibit building alternative plugin stores within WordPress itself. While there are understandable safety reasons for this, it leaves users without good options for managing their complete plugin ecosystem.
FAIR’s Package Management Model
FAIR’s approach draws inspiration from an unlikely source: the web itself.
When you want to visit a website, you don’t ask permission from a central authority. You type the URL and go. But how do you discover new websites? Search engines. Once you know about a site, you access it directly.
FAIR applies this same model to package management:
Repositories
Anyone can run a repository hosting plugins and themes. This could be:
GitHub
A premium plugin vendor
A company’s internal repository
The FAIR-operated repository
A wordpress.org mirror
Repositories are the sources of truth for packages. Sites pull updates directly from repositories, just like your browser talks directly to websites.
Discovery Aggregators
To solve the discovery problem, FAIR introduces “discovery aggregators”—essentially search engines for packages. These aggregators index available packages across all repositories, making them discoverable to users.
Multiple discovery aggregators can exist, just like multiple search engines exist for the web. This prevents any single entity from controlling discoverability while still providing users with the convenience of searching from within WordPress.
AspireCloud, which has joined forces with FAIR through AspirePress, serves as the initial discovery aggregator, but anyone can run one.
Labelers (Moderation Services)
How do you maintain safety in a decentralized system? FAIR borrows from Bluesky’s approach with “labelers“—services that apply labels to packages based on various criteria:
Security scanning results
Copyright violation checks
Human moderation reviews
Platform compatibility
Code quality assessments
Multiple labelers can exist, and users can choose which ones to trust. Your hosting provider might run a labeler indicating platform compatibility. Security firms might run labelers focused on vulnerability detection. The FAIR project will run its own labeler with human review.
Crucially, labelers operate independently of repositories. A developer can’t control what labelers say about their package—just like a hotel can’t control its TripAdvisor reviews.
Analytics (Optional)
For understanding package usage, FAIR includes an optional analytics service. This is deliberately separate and non-essential—the entire system works without it. Users can opt out. But it provides valuable data about package popularity, similar to how the Chrome User Experience Report provides insights about web usage without being essential to the web’s operation.
Trust and Provenance
To ensure users install the intended package (not an impersonator), FAIR implements multiple trust layers:
Domain validation: DNS verification confirms package ownership
Host information: Users can see where packages originate
Globally unique IDs: Every package has a unique identifier that persists regardless of where it’s hosted
Future enhancements: A working group is developing additional trust mechanisms
The Complete System
When fully implemented, FAIR’s architecture looks like this:
Your WordPress site connects to multiple services:
Repositories (for package downloads and updates)
Discovery aggregators (for finding new packages)
Labelers (for safety information)
Analytics (optionally, for usage data)
Repositories host packages and serve updates directly to sites
Discovery aggregators index packages across all repositories, making them searchable
Labelers independently assess and label packages based on their criteria
Analytics services collect opt-in usage data
No single entity controls the entire system. Multiple instances of each component can exist. Sites choose which discovery aggregators and labelers to trust. Developers choose where to host their packages.
Technical architecture alone doesn’t guarantee trustworthiness. FAIR’s organizational structure draws on best practices from successful open source projects, particularly those within the Linux Foundation.
The Technical Steering Committee
The Technical Steering Committee (TSC) consists of 40+ organizers—people who have made significant technical contributions to FAIR. This includes:
Code contributors
Documentation writers
Website maintainers
Other technical contributors
TSC members elect three co-chairs who lead the committee and break ties when consensus can’t be reached. The current co-chairs are:
For most decisions, FAIR operates like any open source project: consensus-based, with co-chairs stepping in only when necessary.
The Governing Board
To handle business needs, FAIR includes a Governing Board that manages:
Corporate sponsorships
Funding
Marketing and outreach
Event organization
PR efforts
The Governing Board provides financial support and guidance but is deliberately separated from technical decisions. This prevents any single corporate sponsor from controlling FAIR’s technical direction.
The Linux Foundation
FAIR operates as the FAIR Web Foundation within the Linux Foundation, borrowing proven organizational models from mature open source projects. This structure separates business concerns from technical decisions while providing the governance and legal framework necessary for a project of FAIR’s scope.
Current Status and Future Work
FAIR reached version 1.0 in September 2025 (just before LoopConf), marking a significant milestone. However, the team is clear that this is just the beginning of a long journey.
What’s Available Now
FAIR plugin (v1.0): Installable on WordPress sites to connect to the FAIR ecosystem
Mini FAIR Repo: Allows developers to publish their own packages to FAIR
AspireCloud: The discovery aggregator for finding packages
AspireExplorer: Web interface for browsing available packages
All projects are open source and available on GitHub at github.com/FAIRpm.
What’s Coming
Labeling/moderation services: For package safety and quality assessment
Analytics service: Optional usage tracking
Enhanced trust mechanisms: Additional provenance and verification systems
Better documentation: Ongoing improvement of guides and references
Composer integration: Making FAIR packages available through Composer
Additional protocol work: Refinement and expansion of core specifications
Areas Needing Contributors
FAIR welcomes contributors in numerous areas:
Moderation and trust: Developing labeling services and trust policies
Documentation: Creating guides for various audiences and use cases
Core development: Building out the plugin, AspireCloud, and AspireExplore
Protocol design: Refining specifications and standards
Testing and feedback: Using FAIR in real-world scenarios
You can join the community on Slack at chat.FAIR.pm or explore the code on GitHub.
Why This Matters
FAIR represents more than just technical infrastructure. It’s a philosophical statement about how critical open source ecosystems should operate in 2024 and beyond.
Independence from Single Points of Failure
When 40%+ of the web depends on infrastructure controlled by one person, that’s a risk too large to ignore. FAIR eliminates this single point of failure while maintaining compatibility with existing WordPress installations.
Privacy by Design
Rather than collecting data by default and hoping it’s handled responsibly, FAIR minimizes data collection and makes it transparent. Browser checks run locally. Pings go to services that actually use them. Analytics are optional and clearly disclosed.
Open Competition
By allowing multiple discovery aggregators and labelers to exist, FAIR enables competition and innovation in areas previously locked to a single provider. Better search? Better moderation? Better safety checking? The ecosystem can evolve without permission.
Learning from the Web
FAIR’s architecture intentionally mirrors the web’s successful model of decentralization. No one controls the web. No one controls which search engine you use. No one controls which websites exist. Yet it all works together through open standards and protocols.
Beyond WordPress
While FAIR emerged from WordPress community needs, it’s designed for any CMS. Ghost, Drupal, Joomla—any platform handling package management could benefit from FAIR’s approach. This is an ecosystem-level solution, not a WordPress-only project.
Getting Involved
Whether you’re a developer, designer, writer, or concerned community member, FAIR needs your help. The project is in active development with a long road ahead.
For users: Install the FAIR plugin (version 1.0) on your site. Test it. Provide feedback. Help identify issues and edge cases.
For developers: Check out the GitHub repositories. Read the discussions. Contribute code, ideas, or documentation. Build integrations.
For organizations: Consider running your own repository or labeler. Provide feedback on business needs. Contribute to governance discussions.
For everyone: Join the conversation on Slack. Spread awareness. Help build a more resilient, private, and independent WordPress ecosystem.
Conclusion
The WordPress ecosystem has thrived for over 20 years, largely thanks to infrastructure provided by wordpress.org. But as McCue noted, “It’s time to grow up.” An ecosystem powering nearly half the web cannot depend on any single entity, no matter how beneficial that entity has been historically.
FAIR doesn’t seek to destroy or replace out of spite. It seeks to improve, to preserve privacy, to enable competition, and to ensure WordPress’s next 20 years are built on a foundation as resilient and decentralized as the web itself.
The work has only just begun. Version 1.0 is a starting point, not a finish line. But with over 40 organizers, growing community support, and a clear technical vision, FAIR is positioning itself to be the infrastructure layer the WordPress ecosystem needs for its future.
As McCue concluded: “I am very invested in this ecosystem and I don’t want to see it go anywhere bad. I don’t want it to collapse or anything like that. So, you know, I’m very invested in making sure that this is a project for the long term.”
The future of WordPress package management is federated, independent, and FAIR.
Decentralised WordPress packages are here. The working group for Federated And Independent Repositories (FAIR) is excited to announce its 1.0 Milestone Release. This milestone includes updates to several of the software projects that FAIR maintains, enabling WordPress site administrators to find, trust, and install packages from independent sources or from a mirror of the official WordPress repository. With this milestone, FAIR invites any WordPress site owner or maintainer to install FAIR’s technical independence plugin to access this combined set of packages.
Lower right corner displays updates source.
Overview
FAIR enables you to run a small, trusted plugin hub that you control. Your site can install plugins from WordPress.org and from independent FAIR sources. Each package is verified with cryptographic signatures and identified with a DID (Decentralized Identifier).
Browse packages at fair.pm/packages, or directly from the plugin search screen after installing the FAIR Plugin.
Results are powered by AspireCloud, which combines WordPress.org plugins with FAIR-registered independent sources. When you choose a FAIR-registered plugin, its cryptographic signature is checked before installation, and updates from these sources work as smoothly as updates for official WordPress plugins.
New in this release
As this release combines progress across many different parts of the FAIR project, we’ll include the main changes for each of its projects.
AspireCloud
AspireCloud aggregates metadata for packages from multiple sources and presents them as a combined list that you can browse, select, and install using the link provided by AspireCloud for each package. This release adds selected plugins from independent repositories to its index, making it more than a mirror, but a gateway to a decentralized group of software sources. The release includes search performance improvements with a new API to support faceted searches.
AspireExplorer
AspireExplorer is a WordPress plugin that provides a public web interface for browsing and downloading packages. The plugin now also powers the listings at fair.pm/packages/, where you can browse or search the AspireCloud index. The FAIR Plugin itself can be downloaded from this listing. These listings include a badge indicating packages that come from FAIR sources instead of WordPress.org.
FAIR 1.0 plugin
The FAIR plugin enables your site to install and update plugins and themes from the FAIR network while minimizing data sharing to support GDPR and other privacy regulations.
Manages plugin & theme installation and updates
Installs & updates both WordPress.org and FAIR-registered software
Increases privacy for regional requirements (EU and elsewhere)
Limits contact to third-party servers
Does not store or report personally identifiable information
Increases Performance
Uses local metadata when possible
Performs many functions internally rather than via third-party services
Avoids pings to unpublished content
In short, the FAIR plugin supports decentralized, verifiable sources, allowing site owners to maintain control over where data is sent and how plugins are installed. These updates help ensure that plugin discovery, installation, and updates work smoothly and securely across both official and independent sources just as easily as you’ve always done from your WordPress dashboard.
Avatar Source selection can be toggled at Settings > Discussion > Avatars
Mini-FAIR Repo plugin
FAIR has created a WordPress plugin that turns your site into a FAIR-ready connector for advertising your plugin or theme published on GitHub, Gitea, GitLab, or Bitbucket. This release enables serving listings of published packages to the FAIR network using DIDs and REST API endpoints.
Planet FAIR
Planet FAIR is the component that serves the news in the FAIR ecosystem. It is a curated feed shown in the WordPress admin dashboard and also lists upcoming events in the WordPress ecosystem. This release addresses RSS publishing issues and enhances source curation. Guidelines for inclusion are available in the Planet repository: FAIR’s Planet repository.
Why FAIR 1.0 matters
FAIR 1.0 is the first time the full stack works together. For users, this means you can now discover and install plugins from outside the WordPress.org ecosystem without needing to modify your workflow. For developers and publishers, it offers a real, working path to distribute trusted software independently, using open standards and shared infrastructure.
This release brings together everything FAIR stands for. It gives site owners more control over where their software comes from. It allows plugin authors to publish without relying on centralized platforms. And it provides the entire ecosystem with a model that makes decentralization feel familiar, secure, and easy to use.
With cryptographic signing, DNS-based identity, open metadata, and support for community-led moderation, this milestone lays the foundation for a future where package distribution is both decentralized and verifiable.
Most importantly, it shows that FAIR is not just a proposal or a protocol. It is a working ecosystem, and it is ready for others to build on.
Acknowledgements
Thank you to everyone who contributed to FAIR 1.0!
Andrew Norcross, Andy Fragen, Anonymous, Austin, Benjamin Sternthal, Brent Toderash, Carrie Dils, Chris Reynolds, Chuck Adams, Claudio Rimann, Colin Stewart, Cory Curtis, Courtney Robertson, Cristi Rusu, Jason Cosper, Joe Dolson, Joe Hoyle, Joe Murray, Joost de Valk, Jory Burson, Joshua Eichorn, Karim Marucchi, Kevin Cristiano, Marc Armengou, Matt Leach, Mika Epstein, Najm Njeim, Namith Jawahar, Pat Ramsey, Peter Wilson, philipjohn, Ryan McCue, Sarah Savage, Scott Kingsley Clark, Sé Reed, Shady Sharaf, Siobhan McKeown, Taco Verdonschot, Timi Wahalahti, Topher DeRosia, and Veerle Verbert
If your name is missing here, please let us know either on GitHub or in the FAIR Chat!
Try FAIR 1.0 today
Ready to explore FAIR?
Install the FAIR Plugin to search for verified plugins from both official and independent sources.
Say hello to the Fair plugin 0.4.0! With version 0.4.0 you can install a plugin from the plugins screen using the plugin’s Decentralized ID (DID). This uses the decentralized FAIR protocol to install the plugin without touching a centralized repository. And once a plugin or theme with the correct headers is installed it will receive its updates using the FAIR protocol.
This is a big step towards decentralized package management and puts us firmly on the road towards 1.0 and a plugin directory which has no reliance on centralized infrastructure. Our roadmap for 1.0 includes the listing and search functionality to fully replace the existing plugins list.
Try out 0.4.0
You can try out the decentralized functionality with a test plugin ID: did:plc:deoui6ztyx6paqajconl67rz
Or see it in action in this video:
Also in this release:
FAIR has improved compatibility with multisite, but now only allows network activation – since plugins and themes are only managed at the network level.
Avatars are also managed more effectively across the network, with changes to how settings are stored (thanks @norcross!)
Pings are now sent via IndexNow when content is deleted, ensuring that 404s are picked up sooner (thanks @peterwilsoncc!)
The browser update check has been updated to reflect current browsers.
