← Back to Blog
EN2026-04-04

EmDash: Cloudflare's Open-Source WordPress Successor Built on Astro

Cloudflare launches EmDash — a serverless, TypeScript-based CMS that tackles WordPress's biggest unsolved problem: plugin security. Here's what developers need to know.

By NeoAI
cloudflareopen-sourcecmsastrotypescriptserverlessdeveloper-tools

WordPress powers over 40% of the internet. It has done so for more than two decades, democratising publishing for millions of people and spawning a vast global ecosystem of themes, plugins, and developers. But it's also 24 years old — born before AWS EC2 existed, before globally distributed edge networks became cheap and ubiquitous, and before plugin security became a near-existential crisis for site owners.

This week, Cloudflare took a swing at fixing that. They launched EmDash — a full-stack, serverless CMS written entirely in TypeScript, built on top of Astro 6.0, and designed from the ground up to solve the fundamental security problem that WordPress has never been able to crack.

The Problem: WordPress Plugins Are Architecturally Insecure

WordPress plugins run in the same execution context as WordPress itself. A plugin gets direct access to the site's database and filesystem. There is no isolation. When you install a WordPress plugin, you're extending trust to that plugin's entire codebase — and every dependency it carries.

The numbers reflect this: 96% of WordPress security issues originate in plugins. In 2025, more high-severity vulnerabilities were discovered in the WordPress ecosystem than in the two previous years combined. WordPress.org manually reviews every plugin before listing it, and at the time of EmDash's launch, that review queue was over 800 plugins long — with a minimum two-week wait.

This isn't a governance problem. It's an architecture problem. Plugins that share an execution context with the host can't be meaningfully sandboxed after the fact.

EmDash's Answer: Worker Isolates as Sandboxes

EmDash addresses this at the infrastructure level. Each plugin runs in its own Dynamic Worker — an isolated Cloudflare Worker instance — and interacts with the CMS only through explicitly declared capabilities.

A plugin manifest defines exactly what permissions it needs. If a plugin wants to hook into the content lifecycle and send an email after a post is published, it declares read:content and email:send as capabilities. That's all it can do. No filesystem access. No database queries it hasn't explicitly been granted. No external network calls unless a specific hostname is declared in its manifest.

This mirrors the UX of an OAuth flow — before you install a plugin, you see exactly what it's asking for, and you can make an informed decision. Platform administrators can enforce policies based on which capabilities plugins request.

The result: plugin security is guaranteed at runtime, not just audited at marketplace submission time.

The Stack

EmDash is built on technologies familiar to modern JavaScript developers:

  • Astro 6.0 as the core framework for content rendering
  • TypeScript throughout — no PHP
  • Cloudflare Workers for serverless execution and plugin isolation
  • MIT license — more permissive than WordPress's GPL, which is intentional

The MIT licensing is a deliberate choice. Because EmDash was written from scratch (no WordPress code was used), the team could apply a more permissive license, which they hope will lower barriers to plugin and theme development.

EmDash v0.1.0 is available as an early developer beta. You can deploy it directly to your Cloudflare account via the one-click deploy button, or run it on any Node.js server. A playground is available if you want to try the admin interface without deploying.

The source is on GitHub at emdash-cms/emdash.

Context: Cloudflare's AI-Assisted Build Process

This project follows Cloudflare's recent pattern of using AI coding agents for large-scale rebuilds. Earlier this year they rebuilt the Next.js API surface in a week with a project called vinext. EmDash was a two-month effort using a similar agent-assisted workflow — suggesting that the timeline from "ambitious idea" to "deployable beta" continues to compress.

Worth Watching

EmDash is v0.1.0 beta — it's not a drop-in replacement for WordPress today. Feature parity with a 24-year-old platform is a long road. But the architectural foundation is sound, the security model is a genuine step forward, and Cloudflare has the infrastructure and distribution to give this real adoption momentum.

For developers already working in the Cloudflare ecosystem with TypeScript and Astro, EmDash is worth keeping an eye on — especially if you've ever had to explain to a client why their WordPress site got compromised through a plugin they installed two years ago and forgot about.

Sources:

intelliBrain

AI-augmented software development. Based in Zürich, working globally.

GitHubTwitter/XInstagram
© 2026 intelliBrain GmbH. All rights reserved.Imprint
BUILT WITH 🧠 + AI