WordPress powers more than 40 percent of the internet. It also turns 24 this year — and it shows.
For two decades, the platform democratized publishing in ways few technologies ever have. It gave anyone with an idea and a keyboard the ability to put something online. Millions of livelihoods were built on it. An entire global developer ecosystem grew around it. That is not a small thing.
But the web has changed dramatically since WordPress was born. When it launched, Amazon’s cloud computing platform didn’t exist. Deploying a website meant renting a server. Today, it can mean uploading a JavaScript bundle to a globally distributed network at virtually no cost. WordPress was never designed for that world — and retrofitting a 24-year-old codebase to fit it has its limits.
So Cloudflare rebuilt it from scratch.
The result is EmDash: a new open-source CMS written entirely in TypeScript, designed to be the spiritual successor to WordPress for the modern web. Over the past two months, Cloudflare’s AI coding agents did what would have taken a large engineering team considerably longer. EmDash v0.1.0 is available today as an early developer preview.
Fixing WordPress’s Biggest Problem: Plugin Security
If there is one thing WordPress has never solved, it is plugins.
Ninety-six percent of WordPress security vulnerabilities originate in plugins. In 2025 alone, more high-severity vulnerabilities were discovered in the WordPress ecosystem than in the two previous years combined. The reason is structural: a WordPress plugin is a PHP script that runs inside WordPress with direct access to the site’s database and filesystem. Installing a plugin means trusting it with nearly everything, and trusting it to handle every edge case and malicious input perfectly. Most don’t.
EmDash approaches this differently. Each plugin runs in its own isolated sandbox — a Dynamic Worker — and can only perform the actions it explicitly declares in its manifest. A plugin that sends an email notification after a post is published must declare that it needs content-read access and email-send capability. It cannot access the database. It cannot reach the internet unless a specific hostname is declared. There are no exceptions.
This is not an incremental improvement. It is a fundamentally different security model — one that makes the plugin’s permissions visible and bounded before installation, in the same way an OAuth flow communicates what a third-party app is asking for.
Also Read: When the CEO’s Avatar Speaks, Who Is Actually Responsible?
Breaking Free of Marketplace Lock-In
WordPress’s security problem created a second problem: marketplace dependency.
Because plugins are so difficult to trust independently, the WordPress.org marketplace became the de facto gatekeeper of plugin legitimacy. At the time of writing, that review queue is more than 800 plugins long and takes at least two weeks to clear. And because WordPress plugins are so deeply intertwined with WordPress code, most carry the GPL license — meaning developers who build commercial plugins are effectively required to give their code away everywhere outside that marketplace. The lock-in is structural.
EmDash breaks that cycle in two ways. First, plugins run independently of EmDash and share no code, so plugin authors choose their own license freely. Second, because the security model enforces strict capability boundaries, a platform or site administrator can assess the risk of a plugin based on what it declares — not on whether a central authority has approved it. Trust becomes distributed. The marketplace loses its stranglehold.
Serverless by Design
WordPress requires servers. Provisioning them, scaling them, managing idle compute during quiet periods — the operational overhead is real, and for hosting platforms serving thousands of sites, it compounds quickly.
EmDash is serverless by design, built to run on Cloudflare’s Workers runtime and its v8 isolate architecture. An instance spins up instantly on an incoming request and scales back to zero when traffic stops. Billing is for CPU time only — time spent doing actual work. For platforms hosting large numbers of sites, many of which receive irregular traffic, the cost and operational implications are significant.
EmDash also runs on any Node.js server for those who prefer to self-host or deploy elsewhere.
Built for the AI Era
EmDash includes a built-in MCP server, a CLI, and Agent Skills — structured guidance that tells an AI agent exactly what EmDash can do and how to interact with it. Content migration, schema restructuring, and custom field renaming: the rote operational work that eats hours in any CMS can be handed off to an agent with the full context it needs to act correctly.
Every EmDash site also includes native support for x402, an open standard for internet-native payments. A site owner can require payment for access to specific content, set a price, and provide a wallet address — with no engineering work. When an AI agent or any other client requests that content, it receives a payment prompt, pays, and is granted access. For content creators navigating a web increasingly accessed by agents rather than human readers, it is a meaningful shift in how publishing can be monetized.
Familiar Theming, Modern Stack
EmDash themes are built with Astro, the web framework increasingly favored for content-driven sites. Frontend developers already working in Astro will find the structure familiar: pages, layouts, components, styles, and a seed file that defines content types. Themes in EmDash cannot perform database operations — a deliberate constraint that eliminates a class of security risks that have historically plagued WordPress themes.
Also Read: Most Boards Were Built for a Pre-AI World. The Bill Is Coming Due.
Migrating from WordPress
Existing WordPress sites can be imported into EmDash by exporting a WXR file from WordPress admin or by installing the EmDash Exporter plugin, which creates a secure, access-controlled migration endpoint. Custom post types can be mapped to new EmDash content collections. Migration, including attached media, takes a matter of minutes.
