Aditya Agarwal

WordPress Had 11,334 Plugin Vulnerabilities Last Year. Cloudflare Just Built the Fix.

WordPress runs about 43% of all websites. Yet roughly 96% of the security vulnerabilities reported in its ecosystem are in plugins, the add-ons that keep those sites running, not in WordPress core.

EmDash, Cloudflare's recently launched open-source CMS, is written from the ground up in TypeScript as a WordPress replacement. The first problem it set out to solve is the biggest one WordPress never did.

The plugin model.


Every Plugin Gets the Keys to Everything

When you install a plugin in WordPress, it runs as PHP inside the same process as core, with the same database credentials and the same filesystem permissions as every other plugin. There is no isolation, no sandbox and no capability boundary: whatever core can do, any plugin can do.

Want to install a simple contact form? That plugin can read and write your entire database, including the user table, not just the form submissions it needs.

A single oversight by that plugin's developer can expose or wipe your whole database, because nothing sits between the plugin and the data to stop it. Your trust in those developers is WordPress's security model.

That's not security. That's hope.

Patchstack found 11,334 new WordPress vulnerabilities in 2025 alone, a 42% jump from 2024. Most of them were in plugins. Not WordPress core. Not themes. Plugins.


23 Years Without a Sandbox

WordPress has existed for nearly 23 years and has never sandboxed its plugins. It has a role and capability system for users, but nothing equivalent for plugin code: a plugin never asks permission to touch the database or the filesystem, it simply does.

EmDash takes the opposite approach. Each plugin runs in its own sandbox on Cloudflare's Dynamic Workers and declares the capabilities it needs in a manifest, for example email:send or read:content. EmDash exposes exactly those capabilities to the plugin and nothing more. The sandbox bounds the damage a plugin can do rather than making the plugin correct: a plugin granted email:send can still misuse email, but it cannot read your user table.

Mobile developers have worked under this model for years: an app asks the phone for permission to use the camera, and gets nothing it did not ask for. Every WordPress plugin, by contrast, has access to everything by default.
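As an added illustration, not code from EmDash, WordPress or this post's author, here is a small TypeScript model of the two hosting approaches discussed above: a full-trust host that hands the plugin everything, as in the section on WordPress plugins, and a manifest host that grants only declared capabilities, as described for EmDash. The capability names email:send and read:content come from the post; the read:users and db:write names, the Manifest and PluginApi shapes, the sample site data and the contact-form plugin are all assumptions made for this example, and the "database" is an in-memory object.

```typescript
// Added example, not EmDash's or WordPress's own code. Shapes, names and sample
// data below are assumptions for this illustration.

type Capability = "email:send" | "read:content" | "read:users" | "db:write";

interface Post { id: number; title: string; body: string }
interface User { id: number; login: string; passHash: string }
interface SiteDb { posts: Post[]; users: User[] }

// Constructed sample site data; the hash is a placeholder, not a real credential.
function sampleDb(): SiteDb {
  return {
    posts: [{ id: 1, title: "Hello", body: "Welcome to the site" }],
    users: [{ id: 1, login: "admin", passHash: "$P$B-constructed-placeholder-hash" }],
  };
}

interface Manifest { name: string; capabilities: Capability[] }

// The surface a plugin talks through, whichever host builds it.
interface PluginApi {
  readContent(): Post[];
  readUsers(): User[];
  sendEmail(to: string): void;
  writeDb(sql: string): void;
}

// Full-trust host: the plugin gets the raw database and mail sink, the way a
// WordPress plugin gets $wpdb and the filesystem. The host cannot say no.
function fullTrustApi(db: SiteDb, outbox: string[]): PluginApi {
  return {
    readContent: () => db.posts,
    readUsers: () => db.users,
    sendEmail: (to) => { outbox.push(to); },
    writeDb: (sql) => { if (/^\s*drop\s/i.test(sql)) { db.posts = []; db.users = []; } },
  };
}

// Manifest host: every method is wrapped in a check against the declared
// capabilities, so an undeclared call fails before it touches anything.
function capabilityApi(manifest: Manifest, db: SiteDb, outbox: string[]): PluginApi {
  const granted = new Set<Capability>(manifest.capabilities);
  const raw = fullTrustApi(db, outbox);
  function guard<A extends unknown[], R>(cap: Capability, fn: (...args: A) => R): (...args: A) => R {
    return (...args: A): R => {
      if (!granted.has(cap)) throw new Error(`${manifest.name}: capability ${cap} not granted`);
      return fn(...args);
    };
  }
  return {
    readContent: guard("read:content", raw.readContent),
    readUsers: guard("read:users", raw.readUsers),
    sendEmail: guard("email:send", raw.sendEmail),
    writeDb: guard("db:write", raw.writeDb),
  };
}

// A "contact form" plugin. It declares only email:send, but its code also tries
// to harvest password hashes and wipe the site: the overreach the post worries about.
const contactFormManifest: Manifest = { name: "contact-form", capabilities: ["email:send"] };

function contactFormPlugin(api: PluginApi, visitor: string): string[] {
  api.sendEmail(visitor);
  const hashes = api.readUsers().map((u) => u.passHash); // undeclared read
  api.writeDb("DROP TABLE wp_users");                    // undeclared write
  return hashes;
}

interface RunResult { mailed: string[]; hashesLeaked: string[]; usersLeft: number; denied: string | null }

// Runs the identical plugin under a given host and reports what it managed to do.
function runPlugin(host: (db: SiteDb, outbox: string[]) => PluginApi): RunResult {
  const db = sampleDb();
  const outbox: string[] = [];
  let hashesLeaked: string[] = [];
  let denied: string | null = null;
  try {
    hashesLeaked = contactFormPlugin(host(db, outbox), "visitor@example.com");
  } catch (e) {
    denied = (e as Error).message;
  }
  return { mailed: outbox, hashesLeaked, usersLeft: db.users.length, denied };
}

function runUnderFullTrust(): RunResult {
  return runPlugin(fullTrustApi);
}

function runUnderManifest(): RunResult {
  return runPlugin((db, outbox) => capabilityApi(contactFormManifest, db, outbox));
}

console.log("full trust:", runUnderFullTrust());
console.log("capability manifest:", runUnderManifest());
```

The thing to notice is not the guard itself but where it sits: the plugin code is identical in both runs, and only the host decides what it can reach. Under full trust the plugin mails the visitor, leaks the hash and empties the user table; under the manifest it still mails the visitor (email:send was declared) and is stopped at the first undeclared call, with the denial naming the capability it lacked.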


The Timing Is the Story

EmDash is built on Astro 6.0, uses TypeScript end to end, runs serverless, and deploys to Cloudflare Workers or any Node.js server. It's MIT licensed.

What is interesting is not the technology but the timing. Developers have been drifting away from WordPress a little more every year.

Whether you would reach for Next.js or Astro before WordPress on your next project is your call. Most readers will also remember the public dispute between WP Engine and Matt Mullenweg.

React frameworks did not hurt WordPress; the small dip in market share is just the easy explanation. WordPress hurt itself. The architectural decisions it made in 2003, the plugin model above all, are what it is paying for in 2025.


Will WordPress Even Blink?

The real question isn't whether EmDash will replace WordPress. It probably won't. 43% of the web is a lot of inertia.

The question is whether WordPress will finally look at EmDash's plugin sandbox and think maybe it's time to fix the thing they should have fixed a decade ago.

What would it take for you to move off WordPress? 👇
