Cloudflare Wants to Replace WordPress. Here's What They Got Right (and What's Missing).
40% of the Internet Just Got a Challenger
Cloudflare launched EmDash this week, an open source CMS they call "the spiritual successor to WordPress." Built on Astro 6.0, written entirely in TypeScript, MIT licensed, and designed to run serverless. They rebuilt WordPress from scratch using AI coding agents in two months.
That's a bold claim when WordPress powers over 40% of the internet. But after reading the source, running the demo, and analyzing the architecture, this isn't vaporware. EmDash solves real problems that have plagued WordPress for years, particularly around plugin security. It also has gaps that matter for production use.
At Cafali, we manage WordPress sites for multiple clients. Most of them use 3 to 6 plugins for basic functionality: contact forms, SEO, caching, maybe a page builder. For these clients, EmDash could be a legitimate replacement. For others, it's not there yet.
Here's our honest analysis.
The Plugin Security Problem Is Real
This is EmDash's strongest argument and it's hard to disagree with.
96% of WordPress security vulnerabilities come from plugins. Not from WordPress core. Not from themes. Plugins. That number comes from Patchstack's annual security report, and it's been consistent for years. In 2025, more high-severity vulnerabilities were found in the WordPress ecosystem than the previous two years combined.
The root cause is architectural. A WordPress plugin is a PHP script that hooks directly into WordPress with full access to the database, filesystem, and user data. When you install a WordPress plugin, you're trusting it with everything. There's no isolation, no permission model, no sandbox.
EmDash takes a fundamentally different approach. Each plugin runs in its own isolated sandbox via Cloudflare's Dynamic Workers. Plugins must declare their capabilities upfront in a manifest. A plugin that needs to read content and send emails declares exactly that, and it physically cannot do anything else. No database access unless granted. No network access unless a specific hostname is declared.
For our clients running basic WordPress sites with a handful of plugins, this security model is genuinely appealing. Their current setup means a vulnerable contact form plugin could compromise their entire site. With EmDash, that same plugin would be sandboxed with only the permissions it needs.
Not Just Cloudflare: It Runs Anywhere
The first question we had was vendor lock-in. Cloudflare building a CMS that only runs on Cloudflare would be a non-starter for most of our clients.
EmDash uses portable abstractions at every layer:
- Database: Cloudflare D1, but also SQLite, Turso, or PostgreSQL
- Storage: Cloudflare R2, but also AWS S3, any S3-compatible service, or local filesystem
- Sessions: Cloudflare KV, but also Redis or file-based
- Plugins: Worker isolates on Cloudflare, or in-process "safe mode" on any Node.js server
You can run the full demo locally with pnpm dev on Node.js and SQLite. No Cloudflare account needed.
The catch: sandboxed plugins, the main security feature, require Cloudflare Workers. Running on Node.js puts plugins in "safe mode" which means they run in-process without isolation. You get the capability manifest and permission declarations, but not the hard sandbox boundary. For basic plugins this is probably fine. For untrusted third-party plugins, the sandbox is the whole point.
So the honest answer is: EmDash runs anywhere, but its best feature only works on Cloudflare.
What EmDash Does Better Than WordPress
Structured content instead of serialized HTML. WordPress stores content as HTML with metadata embedded in comments. EmDash uses Portable Text, a structured JSON format. Your content can render as a web page, a mobile app, an email, or an API response without parsing HTML. For agencies managing content across multiple channels, this is a significant upgrade.
Built-in MCP server. EmDash ships with a Model Context Protocol server so AI coding agents can interact with your site directly. Create content, manage plugins, modify schema, all through AI tools like Claude Code. WordPress requires third-party plugins for any AI integration.
Agent-friendly from day one. Skill files for AI-assisted plugin and theme development, a CLI for programmatic site management, and WordPress migration tools that use AI to help port plugins and themes. EmDash was designed for the era where AI agents are part of the development workflow.
Scale to zero. WordPress requires a running server whether it's serving traffic or not. EmDash on Cloudflare Workers scales to zero when idle and spins up instantly when a request arrives. For client sites that get moderate traffic, the hosting cost difference is significant.
x402 payments built in. Every EmDash site can charge for content access via the x402 standard. No subscriptions, no payment plugins, no Stripe integration work. Configure which content requires payment, set the price, provide a wallet address. Relevant for clients exploring paid content or gated resources.
TypeScript all the way down. No PHP. No separate language for the backend. The same developers writing your frontend React or Vue components can write EmDash plugins. For agencies like ours that staff full-stack JavaScript and TypeScript developers, this eliminates the need for PHP specialists on WordPress maintenance projects.
What WordPress Still Does Better
Ecosystem. WordPress has 59,000+ plugins and thousands of themes. EmDash has a handful of first-party plugins (forms, embeds, SEO, audit log) and three starter templates. For clients who need a specific integration, like a particular booking system, email marketing tool, or payment processor, WordPress probably has it. EmDash probably doesn't, not yet.
Community and talent. Finding a WordPress developer takes minutes. Finding someone who knows Astro, Cloudflare Workers, and EmDash's plugin API takes considerably longer. For clients who want to maintain their site independently or hire freelancers for updates, WordPress's talent pool is unmatched.
Battle testing. WordPress has been in production for 24 years. EmDash launched this week as a beta. We've seen enough "WordPress killers" to know that production stability takes years to prove, not weeks.
Admin UX maturity. WordPress's admin panel is familiar to millions of non-technical users. Content editors, marketing teams, and business owners know where things are. EmDash's admin is clean and modern, but new. Training costs are real.
Hosting simplicity. Any $5/month shared hosting account runs WordPress. EmDash requires either a Cloudflare account or a Node.js server. For non-technical clients who want the simplest possible setup, WordPress still wins.
Where EmDash Makes Sense Right Now
Based on our analysis, EmDash is a viable replacement for a specific category of WordPress sites:
Simple content sites with 3 to 6 plugins. Blog, contact form, SEO, maybe analytics. EmDash's first-party plugins cover these basics. The security improvement alone justifies the switch for clients who don't need exotic WordPress plugins.
Sites where security is a priority. Legal firms, healthcare providers, financial services. Any client where a plugin vulnerability could mean regulatory consequences. EmDash's sandboxed plugin model is a genuine security upgrade.
New projects starting from scratch. No migration needed. If the required functionality exists in EmDash's ecosystem, starting here avoids accumulating WordPress technical debt.
Teams already using TypeScript. If your development team writes TypeScript and finds PHP maintenance painful, EmDash eliminates that friction entirely.
Where WordPress Is Still the Right Choice
Complex sites with many integrations. E-commerce with WooCommerce, LMS with LearnDash, membership sites with MemberPress. The specialized plugin ecosystem doesn't exist in EmDash yet.
Non-technical teams managing content. If the content team knows WordPress and doesn't have development support for migration and training, switching creates more problems than it solves.
Sites that need to launch this month. EmDash is beta software. For production sites with paying customers, waiting for v1.0 is the pragmatic choice.
Our Take
EmDash is the most credible WordPress alternative we've seen. Not because of hype, but because it solves the right problem. Plugin security isn't a theoretical concern. It's the reason we spend hours every month updating and auditing WordPress plugins for clients, and it's the reason sites still get compromised.
The plugin sandbox architecture is genuinely innovative. The portable content model is forward-thinking. The AI-native design reflects where development is heading.
But WordPress didn't become 40% of the internet overnight, and EmDash won't replace it overnight either. The ecosystem gap is real. The production maturity gap is real. Cloudflare's involvement cuts both ways: it brings resources and infrastructure, but it also means the best features are tied to their platform.
For our WordPress clients at Cafali, we're watching EmDash closely. For new simple content sites, we're evaluating it as an option. For existing WordPress sites with complex plugin dependencies, we're not recommending migration yet.
The smartest move right now: try the demo, build a test site, and see if it covers your needs. If it does, you might never go back to worrying about plugin vulnerabilities.
EmDash is open source and available at github.com/emdash-cms/emdash. Try the playground at emdashcms.com.
At Cafali, we build and maintain websites across multiple platforms including WordPress and Laravel. If you need help evaluating whether EmDash is right for your project, let's talk.
