Cloudflare aims to dethrone WordPress with EmDash, its new plugin-secure CMS
Cloudflare is aiming to replace 24 years of WordPress reign with a new open-source CMS (content management system), which was built in two months with the help of AI agents. Plugin security is a headline pitch. Just use Workers, the company’s computing platform, to isolate plugins.
The US technology giant showcases EmDash as a ground-up rebuild of WordPress, the world's most popular CMS, powering 40% of websites.
Cloudflare believes that the server era is over – most developers no longer run websites on bare metal. EmDash can run on any Node.js server. Its core promise is solving WordPress’s Achilles’ heel – plugin security.
“We think of it as the spiritual successor to WordPress. It’s written entirely in TypeScript. It is serverless, but you can run it on your own hardware or any platform you choose. Plugins are securely sandboxed,” Cloudflare said in a blog post.
Solves a fundamental problem
The company explains that 96% of WordPress security issues originate from plugins. The main issue is that plugins hook directly into WordPress and have direct access to the site’s database and filesystem without any isolation.
Plugins are essential in WordPress or any CMS. They’re what give websites their core functionality, from contact forms to storefronts, analytics, or user management. Without these add-ons, WordPress is just a basic blogging platform.
“When you install a WordPress plugin, you are trusting it with access to nearly everything, and trusting it to handle every malicious input or edge case perfectly,” the post reads.
“EmDash solves this. In EmDash, each plugin runs in its own isolated sandbox.”
The plugins for the new CMS run in isolation via Dynamic Workers, a sandboxed computing feature built on Cloudflare’s own infrastructure, giving the platform a natural advantage.
Developers on other platforms would need to implement their own isolation, for example, by running plugins in separate Node.js processes or containers, which requires extra work.
Cloudflare’s approach solves the fundamental problem: it’s impossible for the plugin to do anything beyond the granted capabilities.
“WordPress plugin security is such a real risk that WordPress.org manually reviews and approves each plugin in its marketplace. At the time of writing, that review queue is over 800 plugins long, and takes at least two weeks to traverse,” Cloudflare argues.
The Cybernews community is talking about this. Be a part of the conversation.
“The vulnerability surface area of WordPress plugins is so wide that in practice, all parties rely on marketplace reputation, ratings, and reviews.”
Cloudflare allows the EmDash plugin to have any license – their code runs independently in a secure sandbox, “without the EMDash site ever seeing the code.”
Many new features, AI included
The tech giant also added other distinctive features to EmDash. It has built-in support for x402, an open standard for internet-native payments, which can be used to charge visiting AI bots or users for access on demand, and “with zero engineering work.”
Also, EmDash ships with AI features, including a built-in MCP server, a CLI, enabling AI agents to interact with it, as well as agent skills that let AI assistants autonomously customize, manage, or migrate content.
EmDash is powered by the increasingly popular Astro frontend framework, which is already familiar to developers.
“Your theme can never perform database operations,” Cloudflare assures.
EmDash uses passkeys by default for authentication, eliminating passwords as a potential attack vector. Also, Cloudflare offers an easy migration from a WordPress site by exporting a WRX file or using the EmDash Exporter plugin.
Many don’t like where this is going
Tech pros on Hacker News, a major Silicon Valley forum, weren’t too enthusiastic about the announcement. Many assumed it was an April Fool's joke.
One of the most upvoted comments suggested that CMS’s should go in the opposite direction – to static, simple, easy-to-cache files rather than running more “server-side” code.
“But of course, then they wouldn't be able to sell their own ‘workers’ product,” a user using the alias “embedding-shape” posted.
“The headline feature, plugin isolation via Dynamic Workers, only works on Cloudflare's runtime. On any other host, it's just a TypeScript CMS without the security model that justifies its existence. Open source but architecturally locked in,” another user noted.
“It looks like if you self-host, the sandboxing of plugins' benefits goes out the window,” yet another response reads.
According to Cloudflare, EmDash “makes the most out of the v8 isolate architecture of Cloudflare’s open source runtime workerd.” The CMS won’t use any workers when there are no requests, allowing it to bill only for CPU time.
Many WordPress enthusiasts were also skeptical, claiming that the CMS cannot be that easily replaced, as most existing plugins and ecosystems won’t be compatible.
“This is naive thinking you can just rewrite WordPress and think it's going to solve any problems that exist with WordPress. The WordPress community has been built over decades, including its successes and failures. Still, people are not going to just stop using WordPress, as I have seen people attempt this over and over in the last 20 years with little success,” a user “p4cmanus3r” posted.
One user, “philipwhiuk” also believes that the network effect of WordPress is just too strong.
“People aren’t on WordPress because of WordPress. They’re on WordPress because of WooCommerce, a million themes, BuddyPress, integrations for every stupid internal business API on the planet,” the post reads.
Unlock more exclusive Cybernews content on YouTube.
