The Linux Foundation has introduced a new initiative called the Fair Package Manager (FPM) – a collaborative, open source effort aimed at improving the safety, stability, and governance of CMS plugin ecosystems such as WordPress, Joomla, Drupal, and Typo3.
What Is the Fair Package Manager?
The Fair Package Manager (FPM) is a decentralized registry and governance framework created to bring greater transparency and control to how CMS plugins and themes are managed and distributed.
In simple terms, it helps developers, hosting providers, and website owners better track, govern, and trust the software packages they use to power their websites.
Why This Matters
Content management systems like WordPress, Joomla, and Drupal have empowered millions of websites by making it easy to extend functionality using third-party plugins and themes. However, this flexibility comes with serious risks, especially when it comes to software maintenance and supply chain security.
Many popular CMS plugins are developed by individual contributors or small teams. Over time, some of these plugins become inactive, neglected, or worse: sold off or hijacked by bad actors. Once compromised, a plugin can introduce malicious code into thousands or even millions of websites through automatic updates. These attacks often go unnoticed until significant damage is done, including data breaches, SEO spam injections, or complete site takeovers.
The Fair Package Manager addresses these risks by introducing a new governance model. It separates plugin ownership from its control and distribution, making it harder for malicious actors to exploit abandoned projects. It also adds layers of accountability by using verifiable credentials and transparent metadata, helping both developers and end-users understand a plugin’s full history and current governance status.
For website owners, developers, and hosting providers, this means fewer surprises and safer plugin ecosystems. It’s a proactive step toward fixing the fragmented way plugins are currently managed, and it lays the groundwork for better collaboration between CMS communities, infrastructure providers, and end-users.
Who’s Behind the Project?
FPM is being developed under the stewardship of the Linux Foundation and is backed by a diverse group of CMS stakeholders:
- Dries Buytaert (Founder of Drupal)
- Matt Mullenweg (Co-founder of WordPress and CEO of Automattic)
- Open Source Matters (Joomla’s supporting organization)
- Typo3 Association
- Hosting and DevOps providers like Pantheon, Netlify, Platform.sh, CivicActions, and Amazee.io
The early participation of CMS founders and infrastructure providers gives the project a strong chance at widespread adoption.
How the Project Helps Hosting Users
For site owners and hosting customers, FPM could become a critical security layer. Rather than blindly trusting plugin updates or relying on outdated repositories, you will benefit from a framework that:
- Prevents rogue updates and plugin takeovers.
- Improves visibility into who maintains a plugin and how it’s governed.
- Promotes healthy plugin ecosystems with shared accountability.
This could have a particularly strong impact on WordPress users, many of whom depend on free plugins from the official repository but have no control over how or when those plugins are transferred or updated.
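The governance model described under "Why This Matters" (ownership separated from distribution, verifiable credentials, transparent metadata) and the three benefits listed above come down to one client-side decision: before an automatic update is applied, check that the release is signed by the expected registry key, that the archive matches the signed manifest, and that any change of maintainer is both recorded and reviewed. The following Python is an added illustration of that gate and is not FPM's code or format. Every name in it is hypothetical (the manifest fields, the plugin name, the key identifiers), and HMAC-SHA256 with a shared secret stands in for the asymmetric signature a real registry would use, so the example runs with only the standard library.

```python
import hashlib
import hmac
import json

# Constructed sample data. The key material, plugin name and manifest fields are
# hypothetical; they are not the Fair Package Manager's format or API.

# Registry-issued signing keys. A real registry would publish public keys and
# verify an asymmetric signature; HMAC with a shared secret is used here only
# so the example needs no third-party library.
REGISTRY_KEYS = {
    "key-A": b"constructed-secret-for-key-A",
    "key-B": b"constructed-secret-for-key-B",
}

# What the site pinned when the plugin was first installed: who maintains it
# and which registry key is expected to sign its releases.
TRUST_POLICY = {
    "example-seo-plugin": {"maintainer_id": "maint-1001", "key_id": "key-A"},
}

ARCHIVE = b"constructed plugin archive bytes for version 1.2.0"


def canonical(manifest):
    """Deterministic byte encoding of a manifest so signatures are reproducible."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest, key_id):
    """Registry side: produce the stand-in signature for a release manifest."""
    return hmac.new(REGISTRY_KEYS[key_id], canonical(manifest), hashlib.sha256).hexdigest()


def evaluate_update(plugin, manifest, signature, key_id, archive):
    """Client-side gate run before an automatic update is applied.

    Returns ("allow", []) or ("hold", [reasons]). "hold" means the update is
    not applied automatically and a person reviews the governance change.
    """
    findings = []

    # 1. The manifest must carry a valid signature from a known registry key.
    secret = REGISTRY_KEYS.get(key_id)
    if secret is None or not hmac.compare_digest(
        hmac.new(secret, canonical(manifest), hashlib.sha256).hexdigest(), signature
    ):
        findings.append("manifest signature invalid")

    # 2. The downloaded archive must match the digest the signed manifest names.
    if hashlib.sha256(archive).hexdigest() != manifest["sha256"]:
        findings.append("archive digest does not match manifest")

    # 3. Governance checks against the pinned policy: a new maintainer or a new
    #    signing key is precisely the signal of a sale, handoff or takeover.
    pinned = TRUST_POLICY[plugin]
    if manifest["maintainer_id"] != pinned["maintainer_id"]:
        findings.append("maintainer changed since install")
        # Transparent metadata: a legitimate handoff is recorded in the history.
        recorded = any(
            e["event"] == "transfer" and e["to"] == manifest["maintainer_id"]
            for e in manifest.get("ownership_history", [])
        )
        if not recorded:
            findings.append("ownership change not recorded in history")
    if key_id != pinned["key_id"]:
        findings.append("signing key changed since install")

    return ("allow" if not findings else "hold", findings)


def _manifest(maintainer_id, archive=ARCHIVE, history=None):
    return {
        "name": "example-seo-plugin",
        "version": "1.2.0",
        "maintainer_id": maintainer_id,
        "sha256": hashlib.sha256(archive).hexdigest(),
        "ownership_history": history or [],
    }


def demo_legitimate():
    """Same maintainer, same key, archive matches: applied automatically."""
    m = _manifest("maint-1001")
    return evaluate_update("example-seo-plugin", m, sign_manifest(m, "key-A"), "key-A", ARCHIVE)


def demo_tampered_archive():
    """Valid manifest but the served archive differs from what was signed."""
    m = _manifest("maint-1001")
    return evaluate_update("example-seo-plugin", m, sign_manifest(m, "key-A"), "key-A", b"swapped bytes")


def demo_unrecorded_handoff():
    """New maintainer and new key with no transfer entry: held for review."""
    m = _manifest("maint-9999")
    return evaluate_update("example-seo-plugin", m, sign_manifest(m, "key-B"), "key-B", ARCHIVE)


if __name__ == "__main__":
    for fn in (demo_legitimate, demo_tampered_archive, demo_unrecorded_handoff):
        print(fn.__name__, fn())
```

The point of the third scenario is that a maintainer change is not rejected outright (plugins do change hands legitimately) but is never applied silently: it becomes a hold with the specific reasons attached, which is the accountability the article describes. A site that re-pins `TRUST_POLICY` after reviewing a recorded transfer resumes automatic updates from the new maintainer.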
Looking Ahead
The Fair Package Manager isn’t limited to WordPress. It’s designed to support multiple CMS platforms and could eventually evolve into a community-driven standard for plugin safety across the web.
With early support from both the developer and hosting communities, FPM may offer a long-overdue solution to one of open source’s most persistent risks: unregulated plugin lifecycles.
To learn more or get involved, visit the Linux Foundation announcement page.