EmDash – a spiritual successor to WordPress that solves plugin security
by elithrar on 4/1/2026, 4:14:38 PM
https://blog.cloudflare.com/emdash-wordpress/
Comments
by: solarkraft
Convince me this isn’t vibeslop.<p>If Cloudflare really have radically changed their software development philosophy lately, this would actually be an interesting project, being based on Astro and coming with some APIs for programmatic management.<p>Them being so happy about the „cost of software development“ and not going very deep into ecosystem, community or project management doesn’t convince me that this is going to be a worthwhile project, even if, unlike their previous vibe coding demos, this one actually works.
4/1/2026, 5:49:50 PM
by: 8organicbits
I don't think it's the code that makes WordPress valuable. I've been learning WordPress recently and haven't been too impressed with the internals. WordPress is valuable because of the ecosystem and support. I have no doubt that WordPress will still be a thing in ten years. What's the support plan for EmDash? I see commits are mostly from a single developer.<p>E: Oh, I think it's an April fools joke, I'm embarrassed.
4/1/2026, 4:51:59 PM
by: FlamingMoe
A WordPress spiritual successor backed by Cloudflare sounds great in theory, but the headline feature, plugin isolation via Dynamic Workers, only works on Cloudflare's runtime. On any other host it's just a TypeScript CMS without the security model that justifies its existence. Open source but architecturally locked in.
4/1/2026, 5:37:04 PM
by: Meneth
"solve security" - that's an April Fools joke if I ever heard one.
4/1/2026, 6:31:29 PM
by: amiga386
> While EmDash aims to be compatible with WordPress functionality, no WordPress code was used to create EmDash. That allows us to license the open source project under the more permissive MIT license.<p>Ha ha, that's really funny timing given the recent launch of Cleanroom As A Service, promising that you can licensewash other peoples' code quickly and easily: <a href="https://malus.sh/" rel="nofollow">https://malus.sh/</a><p>I'm not saying they did that, but it's ironic timing.
4/1/2026, 5:39:22 PM
by: embedding-shape
> Our name for this new CMS is EmDash. We think of it as the spiritual successor to WordPress. It’s written entirely in TypeScript. It is serverless, but you can run it on your own hardware or any platform you choose. Plugins are securely sandboxed and can run in their own isolate, via Dynamic Workers, solving the fundamental security problem with the WordPress plugin architecture. And under the hood, EmDash is powered by Astro, the fastest web framework for content-driven websites.<p>To me this sounds of the polar opposite of the direction CMS's need to go, instead simplify and go back to the "websites" roots where a website are static files wherever, it's fast, easy to cache and just so much easier to deal with than server-side rendered websites.<p>But of course, then they wouldn't be able to sell their own "workers" product, so suddenly I think I might understand why they built it the way they built it, at the very least to dogfood their own stuff.<p>I'm not sure it actually solves the "fundamental security problem" in actuality though, but I guess that remains to be seen.
4/1/2026, 4:32:26 PM
by: jdurban
the plugin security problem in WordPress was never really a code quality problem - it was a trust model problem. any developer could publish a plugin and any site owner could install it with one click, with no vetting layer in between. TypeScript and serverless doesn't change that dynamic unless the trust model changes too. curious how EmDash handles third-party plugin permissions at the API boundary.
4/1/2026, 5:59:34 PM
by: rgbrenner
> Solving scale-to-zero for WordPress hosting platforms > WordPress is not serverless<p>Just not accurate. WordPress doesn't prevent this.. It's up to hosting providers to work on their infra so it can run in a serverless fashion.<p>For example: <a href="https://www.agiler.io" rel="nofollow">https://www.agiler.io</a><p>That's serverless wordpress that scales to zero.. no changes to WordPress, plugins or anything else.. just platform infra.
4/1/2026, 5:31:23 PM
by: doright
I dunno, with the constant firehose of debate and disdain for AI this is a joke I'm too burned out about to feel like laughing at.
4/1/2026, 5:57:33 PM
by: spankalee
It's a shame they don't seem to try to address the divide between CMS's and static sites.<p>Most WordPress sites could just be static, but WordPress has a nice editor interface, so they're not - unless you use a SSG plugin. Building that into the core workflow (which I believe Astro supports) and giving users a nice hosted editor that produces a static site would be welcome innovation.
4/1/2026, 5:01:45 PM
by: heipei
Serious question: Who actually builds stuff on Cloudflare workers? I mean large software projects / services, and not just side projects where the ability to scale-to-zero is perhaps more important than the scale-to-infinity direction. I feel like Cloudflare keeps pushing workers with its full force yet I fail to see the appeal.
4/1/2026, 5:50:53 PM
by: andy_xor_andrew
> x402 is an open, neutral standard for Internet-native payments. It lets anyone on the Internet easily charge, and any client pay on-demand, on a pay-per-use basis. A client, such as an agent, sends a HTTP request and receives a HTTP 402 Payment Required status code. In response, the client pays for access on-demand, and the server can let the client through to the requested content.<p>Fascinating. Cloudflare is envisioning a future where agents are given debit cards by their owners, so they can autonomously send microtransactions to website owners to scrape content or possibly purchase goods on the owner's behalf. I don't know how I feel about that but there's no doubt it's a fascinating concept.<p>Brb, setting up a honeypot that always responds with HTTP 402 Payment Required demanding 10cents per visit... That's the next "selling 1 million pixels on my website for $1 each", I guess
4/1/2026, 5:01:46 PM
by: nullable_bool
Its kind of annoying that CF would use an LLM to build something and try to pass it off as something built from "the ground up". Its just copying the library that was already build and passing it off as their own.
4/1/2026, 4:30:02 PM
by: kocialnews
The power of WordPress is not the ease of use, but PHP.<p>Anything built on PHP will be widely used, like Laravel
4/1/2026, 4:28:30 PM
by: mrbonner
I am not sure if this is an April fool joke anymore in the age of AI.
4/1/2026, 6:21:27 PM
by: jmkni
It's kind of ironic that the name of this product is also the most obvious marker of LLM generated content
4/1/2026, 4:46:56 PM
by: 0xbadcafebee
Serious question: Why is everyone still using JavaScript to AI-code projects? You can vibe-code apps with real languages now.<p>There's no reason to use an interpreted, bloated, weird language anymore. The only reason interpreted languages were a thing was so you could edit a file and re-run it immediately without a compile step. Compiling is now cheap, and you don't have to build expertise in a new language anymore. Ask AI to write your app in Go, it'll happily comply. Run it and it's faster with less memory use and disk space. The code is simpler and smaller making reviewing easier. Distribution is as easy as "copy the file".<p>I'll grant you, interpreted languages skip the "portability" compiling/distributing step, and let you avoid the stupid MacOS code signing. But Go is stupid easy to cross-compile, and (afaik?) the user can un-quarantine a self-signed app pretty easily.
4/1/2026, 6:01:28 PM
by: halapro
Yes definitely compare it multiple times to WordPress and nobody will think of calling their lawyers.<p>Is this April fools? With real products launching on this date you can't really be too sure.
4/1/2026, 4:35:33 PM
by: password4321
If you need a reliable source for WordPress plugins, check out <a href="https://github.com/fairpm/fair-plugin?tab=readme-ov-file#fair-connect" rel="nofollow">https://github.com/fairpm/fair-plugin?tab=readme-ov-file#fai...</a><p><i>A system for using Federated and Independent Repositories in WordPress</i>
4/1/2026, 5:46:06 PM
by: sourcecodeplz
This part is interesting:<p>"Plugin security is the root of this problem. Marketplace businesses provide trust when parties otherwise cannot easily trust each other. In the case of the WordPress marketplace, the plugin security risk is so large and probable that many of your customers can only reasonably trust your plugin via the marketplace. But in order to be part of the marketplace your code must be licensed in a way that forces you to give it away for free everywhere other than that marketplace. You are locked in."<p>There was much drama with wordpress some time ago and the plugin marketplace.
4/1/2026, 5:06:22 PM
by: Levitating
I don't like where any of this is going
4/1/2026, 5:32:08 PM
by: megnu
The UI doesn't seem geared to power users. E.g. Why is the featured image taking up so much space above the content editing area when it's sized appropriately for the sidebar? Imagine you need to update the text of several posts... Well, now you gotta scroll down half the page to the content area of each one.<p>And all that padding gets you quite the narrow content area. Not to mention it looks like a very basic TinyMCE. Seems like more of a POC than an actual "spiritual successor".
4/1/2026, 4:47:35 PM
by: bbx
I'm all for creating new frameworks that are faster and more secure. But I don't see how this one relates to Wordpress (not in PHP, serverless, not "plug and play", dependent on Astro, "AI Native"…).<p>It looks like a good open source project, but just call it a new CMS. I think calling it a "spiritual successor to WordPress" is just to gain some marketing points.
4/1/2026, 4:59:20 PM
by: gsmiznith
This is great, but if the plugin ecosystem isn't compatible will it take off?<p>Most WordPress users use at least one plugin: it is the appeal of the product.
4/1/2026, 5:40:58 PM
by: paoliniluis
Who wants to vibe code an open source Cloudflare?
4/1/2026, 5:39:58 PM
by: woodylondon
Reading the comments below, have we all fallen for a 1st April Fools' joke?<p>Actually, rebuilding WordPress without the ecosystem is kind of the point. For example, would Divi or the major page builders rebuild their entire products to support this? I doubt it
4/1/2026, 4:56:07 PM
by: bo0tzz
I've been wanting a CMS on top of Cloudflare workers for a while, so I hope this pays off!
4/1/2026, 4:20:25 PM
by: rodolphoarruda
Plugin security is one thing. Plugin budget is another thing... much larger of a problem in some cases.
4/1/2026, 5:21:45 PM
by: sergiotapia
Spiritually bankrupt, that should just be considered marketing material.
4/1/2026, 6:16:19 PM
by: ramesh31
I really hope Cloudflare is ready and willing to stand by this thing for the next 20 years, and drive it as a first class product with a huge open source team. Because short of that you can just add this to the mile-long list of "successors to WordPress" we've been through over the decades. Maybe they're in it for the long haul. We'll see. But it takes time, and mountains of integrations and acceptance into the wider web authoring ecosystem for anything like this to gain real adoption.
4/1/2026, 4:52:43 PM
by: hnismad
EmDash on Apr 1 come on guys
4/1/2026, 6:28:18 PM
by: pxtail
Good one, at last, April fools joke with some effort.
4/1/2026, 4:51:06 PM
by: vessenes
Here to say -- great name. It's not just a reference to our modern times, it's a sign of brilliance. (I wrote this myself with no clanker support)
4/1/2026, 4:18:54 PM
by: philipwhiuk
The problem is that it doesn't solve the network-effect problem.<p>People aren't on WordPress because of WordPress.<p>They're on WordPress because of WooCommerce, a million themes, BuddyPress, integrations for every stupid internal business API on the planet (many of which are terrible and were written by an idiot with a crayon).<p>The APIs will have no testing because they are bad. In many cases the WordPress implementation of the API written in the codeblock, ran on page-load to the pain of the person responsible for SEO, is the API contract.<p>And yes those plugins are also terrible, but they solve business problems, even if they are tech problems.<p>You can't just launch a better wp-core and expect it to replace any of that.<p>EmDash needs to actually run the existing insecure WP plugins to takeover.
4/1/2026, 4:32:05 PM
by:
4/1/2026, 5:27:51 PM
by: orliesaurus
deployed it on vercel for lolz - it works!
4/1/2026, 6:18:33 PM
by:
4/1/2026, 5:12:28 PM
by: _cloned
Payload
4/1/2026, 5:08:29 PM
by: tamimio
Will be there a way to export all the posts to markdown so you never get locked in?
4/1/2026, 5:00:20 PM
by: AIorNot
Damm Anthropic had a chance to say april fools too for the claude code leak!!
4/1/2026, 4:57:19 PM
by: mrcwinn
It’s written in typescript, not PHP. How does this improve security if no one uses it because they’ve invested so much in the WP plugin ecosystem?
4/1/2026, 4:50:45 PM
by: riffic
if this can implode the crooked "web hosting industry" that surrounds the lamp / wordpress ecosystem the better.
4/1/2026, 5:39:52 PM
by: yeah879846
"Failed to initialize playground"
4/1/2026, 4:52:13 PM
by: squidbeak
Impressive and created by agents. Another example for skeptics wondering where the AI apps are.
4/1/2026, 4:40:28 PM
by: ChrisArchitect
Held up getting into the details of this ambitious project because of the name! Ridiculous choice considering the associations with AI, slop, and even the general crowded namespace surrounding that. C'mon.<p>(looks for cameras) <i>Wait a minute, am I being Punk'D? Oh my god! Ashton, you really got me! Ha Ha! Ashton!</i>
4/1/2026, 4:53:00 PM
by: aplomb1026
[dead]
4/1/2026, 5:31:26 PM
by: toolpipe_dev
[dead]
4/1/2026, 6:09:51 PM
by: throwaway613746
[dead]
4/1/2026, 5:17:58 PM
by: 9864247888754
[dead]
4/1/2026, 4:53:18 PM