Cloudflare just launched EmDash. An open-source CMS built on Astro, written entirely in TypeScript, designed from scratch to solve the one problem that has plagued WordPress for its entire 24-year existence: plugin security.
Two engineers built it in two months. With heavy AI agent assistance. And the creator of Yoast SEO, the most installed WordPress plugin in history, has already committed to building on it.
That is not a side project. That is a declaration of war.
The problem that is actually being solved
96% of WordPress security incidents come from plugins. Not from WordPress core. From the plugins that everyone installs because WordPress without plugins is a blank page.
The reason is architectural: every WordPress plugin gets unrestricted access to the entire filesystem and database the moment you install it. A contact form plugin can read your entire database. A caching plugin can write to any file on the server. There is no sandboxing, no capability restrictions, no isolation.
In 2025, more high-severity vulnerabilities were found in the WordPress ecosystem than in the two prior years combined. And there is no way to fix this within WordPress’s architecture because the plugin system was designed before anyone thought about sandboxing.
EmDash fixes this by running each plugin in its own isolated V8 Worker. Every plugin declares a capability manifest: “I need read access to content and permission to send email”. That is all it gets. No declared capability, no access. A contact form plugin literally cannot read your database because the runtime will not let it.
Why I care about this personally
I have run WordPress sites for over a decade. precog.me, my ShinTo Kernel blog, has been running on WordPress on a Raspberry Pi for 13 years. dringlord.com, my Spanish tech blog, is WordPress. The old ckik.dev was WordPress on AWS.
I know the pain. The constant updates, the plugin vulnerabilities, the moment you realize that one of your 15 plugins has not been updated in two years and is probably a security hole. The anxiety of running wp-update and hoping nothing breaks.
WordPress works. It powers 42% of the web. But it works the way a house built in 1980 works: the foundation is solid, the plumbing is questionable, and nobody wants to touch the electrical wiring because they are not sure what will explode.
EmDash is what you would build if you started from scratch in 2026 with everything we have learned about security, serverless architecture, and content modeling. Which is exactly what they did.
The catch nobody should ignore
The plugin sandboxing only works on Cloudflare Workers. Deploy EmDash on your own Node.js server and the security model vanishes. The headline feature, the reason it exists, requires Cloudflare’s infrastructure.
That is not an accident. Cloudflare acquired Astro in January. Two weeks later, development on EmDash started. The CMS is open source and MIT licensed, which is genuinely generous. But the architecture funnels users toward Cloudflare Workers, which is where the revenue comes from.
Open source as a distribution channel for paid infrastructure. This is the playbook. It works because the product is genuinely good, and it is worth understanding because the incentives are not hidden, they are structural.
The ecosystem problem
WordPress has 59,000 plugins, thousands of themes, tens of thousands of agencies, and a documentation community that has been building for 24 years. EmDash has zero of all of those.
The Yoast creator endorsing EmDash is a strong signal, but one person does not make an ecosystem. EmDash needs 5-7 years of strong execution to build something that can compete with WordPress’s network effects.
What it has going for it: developers are tired. The WordPress community is fractured after the Mullenweg/WP Engine dispute. The timing is right. The architecture is right. The question is whether “right” is enough to overcome 24 years of momentum.
What this actually means
This is not about WordPress dying. WordPress will power 40% of the web for years to come. The installed base is too massive to disappear.
This is about what NEW sites get built on. If you are starting a project today, do you reach for WordPress (PHP, 24-year-old architecture, plugin security nightmares) or EmDash (TypeScript, sandboxed plugins, serverless, AI-native)?
For developers, the answer is increasingly obvious. For the 90% of WordPress users who are not developers, nothing changes yet. But “yet” is doing a lot of work in that sentence.
Sources: Cloudflare Blog, Hacker News (660pts, 485 comments), The Register