Skip to content
January 20, 2026: HelloBlog.io Is Live: A 22-Language, Ad-Free Tech Blog Built on Open Source
Български Čeština Dansk Deutsch Eesti Ελληνικά English Español Français Hrvatski Italiano Latviešu Lietuvių Magyar Nederlands Polski Português Română Slovenčina Slovenščina Suomi Svenska
HelloBlog
Joost de Valk Steps Back From FAIR: What It Means for a Federated WordPress Plugin Repository
Sarah Mitchell
Sarah Mitchell February 26, 2026 · 6 min read

Joost de Valk Steps Back From FAIR: What It Means for a Federated WordPress Plugin Repository

wordpress ecosystem governance linux foundation supply chain security

When your CMS ecosystem relies on a single distribution hub for plugins, themes, and updates, you’re effectively betting uptime, integrity, and vendor neutrality on one chokepoint. That uncomfortable reality became impossible to ignore in 2025-and it’s the backdrop for why the FAIR project was created and why Joost de Valk (Yoast SEO founder) has now decided to step away from it.

This post breaks down what FAIR is, why it mattered to the WordPress ecosystem, what de Valk said about the project’s lack of momentum, and why FAIR’s remaining team frames the work as bigger than WordPress-especially with regulation like the EU Cyber Resilience Act coming into view.

What FAIR was trying to change

FAIR is a Linux Foundation project aimed at enabling an independent, federated repository model for distributing software components-specifically discussed in the WordPress context as an alternative to relying solely on WordPress.org for themes, plugins, and update services.

In WordPress terms, “federated” means multiple independent, hosted repositories can participate in distribution. Instead of one central operator controlling publishing and updates, the ecosystem could spread trust and availability across a group of repositories that can interoperate. The practical promise is straightforward: fewer single points of failure and a more resilient supply chain for plugin/theme delivery.

Why the project appeared in mid-2025

FAIR emerged in mid-2025 in response to a highly visible conflict inside the WordPress ecosystem.

The flashpoint was when Matt Mullenweg replaced WP Engine’s Advanced Custom Fields (ACF) plugin in the official WordPress repository with his own version-a fork (a duplicated codebase published as a separate version). Around the same time, WP Engine and many of its customers were locked out from accessing the official WordPress.org theme and plugin repository and the related update services.

Those actions triggered widespread criticism, but they also surfaced a structural issue that had been easy to downplay for years: if one central system can remove a major plugin and restrict access to distribution and updates, then the entire WordPress economy-from agencies to hosts to enterprise site owners-has a single point of failure.

FAIR was one of the more organized attempts to address that by pushing for decentralization: a federated group of independent repositories, hosted by different parties, rather than a single gatekeeper.

Joost de Valk’s role in getting FAIR off the ground

Joost de Valk wasn’t just a name attached to the idea. He was central in articulating why independent repositories mattered, and he helped co-found FAIR with a goal of moving it toward neutral governance. In other words, the intent wasn’t to create a competing fiefdom, but to get the project started and then place it into a model that could be trusted as broadly as possible.

Why de Valk is stepping away

De Valk announced he is stepping away from FAIR, pointing to a key blocker: the project hasn’t secured the level of financial support needed to become a truly viable entity.

He described months of conversations with hosting companies and other large ecosystem players, but said a consistent pattern emerged: they don’t want to invest in this kind of solution.

In recent months, we’ve had many conversations with hosting companies and other large ecosystem players. What became increasingly clear is this: they do not want to invest in this kind of solution. Not because they love the current situation. Not because they agree with everything that’s happened. But because investment means commitment. It means cost. It means stepping into political tension. And most of all, it means risk.

Joost de Valk

The phrasing that stands out for anyone watching WordPress governance drama is “political tension” and “risk.” De Valk didn’t explicitly name what those are, but the implication is hard to miss: in a dispute as high-stakes as the Mullenweg–WP Engine conflict, funding FAIR could be perceived as taking a side.

For major web hosts, “taking a side” isn’t an abstract community concern-it can translate into commercial risk at massive scale, potentially impacting revenue in the millions or even billions. From that perspective, it’s not surprising that hosts might prefer to wait rather than step into a fight that could escalate.

FAIR’s response: still independent, and not just about WordPress

FAIR’s team acknowledged de Valk’s decision and reaffirmed something important about the project’s positioning: funding has indeed been a persistent challenge, but FAIR continues to operate independently.

They also emphasized that FAIR was never meant to be WordPress-specific. The deeper target is industry-wide software supply chain security: decentralized distribution, trust, and verification mechanisms that can work across ecosystems.

The problems FAIR solves are not WordPress-specific. Supply chain security, decentralized distribution, trust and verification are industry-wide issues and they’re becoming more urgent, not less. The EU’s Cyber Resilience Act arrives in December 2027 and when it does, software supply chain integrity becomes a regulatory requirement — demonstrating provenance, security scanning, and traceable update mechanisms. FAIR’s architecture is built with exactly this kind of trustworthiness in mind. We haven’t given up on WordPress. We still welcome contributors and ecosystem leaders to join us so we can continue advancing the work.

FAIR Project

Two things are doing a lot of work in that statement.

  • First, FAIR reframes the motivation: the architecture is about verifiable trust in distributed software delivery, not simply a reaction to WordPress politics.
  • Second, it ties urgency to regulation: the EU’s Cyber Resilience Act is called out with a concrete date-December 2027-when supply chain integrity becomes a regulatory requirement (including provenance, security scanning, and traceable update mechanisms).

What this means for WordPress developers and site owners

FAIR continuing without a high-visibility spokesperson who’s deeply embedded in the WordPress community changes the project’s public posture. De Valk’s presence gave the effort a familiar voice and helped translate a complex governance-and-infrastructure problem into something the broader WordPress world could rally behind.

But the more practical constraint is the one he highlighted: without funding and major ecosystem participation-particularly from hosting companies-progress is harder. Federated distribution only becomes meaningfully useful when enough parties run repositories, contribute infrastructure, and treat the system as production-grade.

At the same time, FAIR’s emphasis on supply chain security and compliance pressure suggests a possible path forward: if the WordPress-specific conflict cools down, or if regulatory requirements force infrastructure investment, the incentives for participation could change. The statement makes clear they haven’t abandoned WordPress as a use case, even if the work is framed as broader than WordPress itself.

Key takeaways

  • FAIR was launched in mid-2025 after the ACF fork and the lockout of WP Engine and many customers from WordPress.org repository and update services highlighted WordPress’ single point of failure.
  • Joost de Valk helped co-found FAIR and move it toward a neutral governance model, advocating for independent repositories.
  • De Valk is stepping away, citing lack of financial support and ecosystem reluctance-especially from hosts-due to cost, commitment, political tension, and risk.
  • FAIR says it remains independent, and frames its mission as industry-wide supply chain security rather than WordPress-only.
  • FAIR points to the EU Cyber Resilience Act (December 2027) as a driver for requirements like provenance, security scanning, and traceable update mechanisms.

References / Sources

Sarah Mitchell

Sarah Mitchell

Editor of the English team, DevOps and cloud architecture specialist. I feel at home in AWS and Kubernetes environments. I believe in continuous learning and knowledge sharing.

All posts

More from Sarah Mitchell

Making WordPress Abilities Usable by AI Agents with the MCP Adapter Making WordPress Abilities Usable by AI Agents with the MCP Adapter GDPR Compliance Checklist for Website Owners (2026 Edition): From Data Mapping to Cookie Consent GDPR Compliance Checklist for Website Owners (2026 Edition): From Data Mapping to Cookie Consent ACF Extended Critical Bug: When a “Role” Field Turns Registration Into Admin Access ACF Extended Critical Bug: When a “Role” Field Turns Registration Into Admin Access

Join the HelloWP community!

Chat with us about WordPress, web development and share experiences with other developers.

- members
- online
Join

We use cookies to improve your experience. By continuing, you agree to our Cookie Policy.