WordPress turned 23 this year. For 23 years, we've been installing plugins,
crossing our fingers, and praying nothing breaks.
Cloudflare just said: enough.
On April 1st — yes, April Fools' Day — they dropped something very real:
EmDash, a full-stack TypeScript CMS they're calling the spiritual
successor to WordPress. I've been digging into it since launch and this is
what every developer needs to know.
The WordPress Security Problem (That Nobody Fixed)
Here's a stat that should shake you:
96% of WordPress security vulnerabilities come from plugins.
Not WordPress core. Plugins. And in 2025, more high-severity plugin
vulnerabilities were discovered than the previous two years combined.
Why? Because a WordPress plugin is essentially PHP that hooks directly into
your site with zero isolation. When you install a WordPress plugin, you
are handing it the keys to your entire database and filesystem — and trusting
a stranger's code to never misuse them.
This isn't a WordPress skill issue. It's a fundamental architectural
problem that 23 years of patches can't fix.
Enter EmDash
EmDash flips the plugin model on its head.
In EmDash, every plugin runs in its own Dynamic Worker — a sandboxed
V8 isolate. Plugins can't do anything they haven't explicitly declared in
their manifest. Here's what a plugin looks like:
import { definePlugin } from "emdash";
export default () =>
definePlugin({
id: "notify-on-publish",
version: "1.0.0",
capabilities: ["read:content", "email:send"],
hooks: {
"content:afterSave": async (event, ctx) => {
if (event.collection !== "posts" || event.content.status !== "published") return;
await ctx.email!.send({
to: "editors@example.com",
subject: `New post published: ${event.content.title}`,
text: `"${event.content.title}" is now live.`,
});
},
},
});
This plugin declares exactly two capabilities: read:content and
email:send. That's it. No database access. No filesystem access.
No sneaky outbound HTTP to who-knows-where. It physically cannot do
more than it declares.
This is closer to an OAuth permission screen than a traditional plugin
install. You see what you're granting before you grant it.
What EmDash Actually Is (Tech Stack Breakdown)
- Language: TypeScript (all the way down)
- Framework: Built on Astro — the content-first web framework
- Runtime: Cloudflare Workers (V8 isolates) — but runs on any Node.js server too
- Database: Portable — SQLite, D1, Turso, PostgreSQL via Kysely
- Storage: S3-compatible — R2, AWS S3, or local files
- Auth: Passkeys by default. No passwords. No brute force vectors.
- License: MIT (no GPL drama)
- Content format: Portable Text (structured JSON, not HTML blobs)
That last point deserves its own section.
WordPress stores content as HTML. EmDash doesn't.
WordPress embeds metadata inside HTML comments in a posts table. Your
content is tied to its DOM representation. Want to render it in a mobile
app? Good luck parsing that HTML.
EmDash uses Portable Text — structured JSON. Your content is decoupled
from presentation. One source of truth renders as a web page, a mobile app,
an email, or an API response. This is huge for AI pipelines too — LLMs
consume structured JSON dramatically better than HTML soup.
It's AI-Native By Design
EmDash isn't just AI-compatible. It's AI-native:
- Built-in MCP server on every instance — your AI tools can talk to your CMS directly
- EmDash CLI — agents can manage content, schemas, and media programmatically
- Agent Skills — contextual docs that let coding agents understand and extend your EmDash site without handholding
For those of us building AI-native workflows, this is the first CMS that
actually meets us where we are. Forget writing migration scripts by hand —
point an agent at it.
The Honest Caveats
I'd be doing you dirty if I didn't flag what's missing:
🔴 No plugin ecosystem yet. Zero. EmDash is v0.1.0. The security model
is brilliant, but it only matters when there are plugins to install.
🔴 The killer sandbox feature requires Cloudflare. When self-hosting on
Node.js, you don't get sandboxed plugins. The security model that justifies
EmDash's existence is Cloudflare-specific right now.
🔴 Two months of development ≠ two months of battle-testing. This was
built with AI agents at speed. Impressive? Yes. Production-ready for your
client's e-commerce site? Not yet.
🔴 WordPress ecosystem won't port over. PHP plugins, PHP themes — none
of that comes with you. Content migrates. Everything else starts from zero.
Should You Care Right Now?
If you're a WordPress developer: Yes. Not to abandon WordPress tomorrow,
but to understand what the next decade looks like. The PHP era of CMS
development has a credible TypeScript-native successor for the first time.
If you're an AI-native developer: Get in early. The MCP integration,
the structured content model, the agent skills — this is built for you.
Be among the first to build plugins and themes.
If you're running production WordPress sites: Watch closely. Migrate
nothing yet.
Try It Now
npm create emdash@latest
Or try the admin playground without installing anything:
👉 EmDash Playground
The repo is open source on GitHub: emdash-cms/emdash
EmDash won't replace WordPress tomorrow. But it's the first serious
architectural rethink of CMS infrastructure in a generation — and it
dropped two days ago.
Get familiar with it now, while the ecosystem is still being written.
The pioneers get to shape what comes next.
Top comments (0)