For more than two decades, WordPress has been the default choice for people who want to publish on the web. Bloggers, journalists, businesses, and hobbyists have relied on it to power their sites, and today it still runs more than 40 percent of the internet. That kind of dominance does not happen by accident. WordPress helped democratize publishing in a way few other open source projects ever have.
But now one of the biggest infrastructure companies on the internet is openly questioning whether WordPress still makes sense.
Cloudflare engineers recently introduced a new open source CMS called EmDash, and the message behind it is hard to miss. In their view, the architecture behind WordPress belongs to a different era of the web. Hosting environments have changed, development workflows have evolved, and the rise of AI driven tools is reshaping how software gets built. Instead of trying to modernize WordPress piece by piece, Cloudflare decided to start fresh.
EmDash is written entirely in TypeScript and designed around serverless infrastructure. While it can run on any Node.js server, it is clearly built with Cloudflare’s Workers platform in mind. That means sites can scale automatically, spin up instantly when traffic arrives, and drop to zero compute usage when nobody is visiting. Compared to traditional WordPress hosting, which still depends heavily on pre provisioned servers and PHP applications, Cloudflare argues this model better reflects how the modern web operates.
Where Cloudflare’s critique becomes sharper is around security. According to the company, most vulnerabilities in the WordPress ecosystem originate from plugins. The reason is simple. A typical WordPress plugin runs directly inside the same environment as the CMS itself, meaning it often has broad access to the database and filesystem. If a plugin contains a flaw, it can expose the entire site.
EmDash approaches this problem very differently. Each plugin runs inside its own isolated sandbox. Instead of having unlimited access, a plugin must declare exactly what capabilities it needs before installation. Those permissions might include things like reading content or sending an email notification. If a plugin wants network access or other capabilities, it has to explicitly request them.
The idea is similar to the permission systems used by modern mobile apps. Administrators can see upfront what a plugin wants to do before installing it, rather than blindly trusting that the code behaves responsibly.
Cloudflare also made a deliberate licensing decision. While WordPress is released under the GPL, EmDash uses the MIT license and was written without using any WordPress code. That choice gives developers more freedom when building plugins and themes without inheriting the licensing constraints tied to the WordPress ecosystem.
Another unusual feature is something called x402 support, which is built directly into the CMS. This concept is based on the rarely used HTTP 402 Payment Required status code. In theory, it allows websites to charge small payments for content access on demand rather than relying on ads or subscriptions. Cloudflare frames this as a potential solution for publishers in a future where AI agents, rather than humans, may increasingly be the ones requesting content.
There is also a heavy focus on AI integration throughout the project. Each EmDash installation includes tools designed for AI coding agents, including a command line interface, built in automation hooks, and support for the Model Context Protocol. The goal is to make repetitive CMS tasks easier to automate, whether that means migrating content, restructuring fields, or building new plugins.
On the frontend side, EmDash themes are built using the modern web framework Astro. Developers create layouts, components, and routes using Astro rather than the traditional PHP template system used by WordPress themes. For developers already working in modern JavaScript frameworks, that approach will probably feel far more familiar.
Importing an existing WordPress site is also possible. Users can export their content through the standard WordPress WXR format or use a dedicated exporter plugin to migrate posts, pages, and media into EmDash.
It is important to keep expectations realistic, though. EmDash is still extremely early software. The current release is labeled version 0.1.0 preview and is primarily aimed at developers curious about experimenting with the platform.
WordPress is not going anywhere anytime soon. Its ecosystem of themes, plugins, hosting providers, and developers is enormous. But Cloudflare clearly believes the next generation of publishing platforms should look very different from the CMS that dominated the blogging era.
Whether EmDash ever becomes that platform remains to be seen. What is clear is that Cloudflare just threw a very public challenge at the biggest CMS on the internet.
can you add dark mode on your website?
I will look into it!