> Our name for this new CMS is EmDash. We think of it as the spiritual successor to WordPress. It’s written entirely in TypeScript. It is serverless, but you can run it on your own hardware or any platform you choose. Plugins are securely sandboxed and can run in their own isolate, via Dynamic Workers, solving the fundamental security problem with the WordPress plugin architecture. And under the hood, EmDash is powered by Astro, the fastest web framework for content-driven websites.
To me this sounds of the polar opposite of the direction CMS's need to go, instead simplify and go back to the "websites" roots where a website are static files wherever, it's fast, easy to cache and just so much easier to deal with than server-side rendered websites.
But of course, then they wouldn't be able to sell their own "workers" product, so suddenly I think I might understand why they built it the way they built it, at the very least to dogfood their own stuff.
I'm not sure it actually solves the "fundamental security problem" in actuality though, but I guess that remains to be seen.
I love building static (or statically generated) websites, but all too often, customers want dynamic content. And what's worse, they don't tell you up-front, because they don't really understand the difference.
"I need a website for my bakery". "What's supposed to be on it?" "Our address, opening times, a few pictures". I build them a static website.
"Now I need a contact form". Ok, that doesn't really fit into a static website, but I can hack something together. "Now I need to show inventory, and allow customers to pre-order". A static website won't cut it anymore.
When you develop for clients, especially those that you don't know very well, it's a bad idea to back yourself into a corner that's not very extensible. So from that perspective, I really get why they give plugins such a central spot.
This is the main reason why WordPress is so popular still to this day. You can cache the crap out of the frontend to the point that it’s basically a static site at that point but then it’s still all running on top of a dynamic platform if you need that flexibility in the future.
I got my start in webdev slinging WordPress sites like a lot of self taught devs and I definitely see the pain points now that I’ve moved on to more “engineering” focused development paradigms but the value proposition of WP has always been clear and present.
Given how WP leadership is all over the place at the moment, I can see how Cloudflare sees this as an opportunity to come in and peel away some market share when they can convince these current WP devs to adopt a little AI help and write applications for their platform instead.
I've managed a couple of WordPress installs for friends and family and my experience has largely been the opposite in that there's very little truly dynamic content. Of the dynamic content, the vast majority could just be an API (either home-grown or paid 3rd party SaaS).
The flip side of the dynamic content is that every Wordpress I've ever worked on is a horrifying mountain of plugins managed by the world's worst package manager. Plugin A needs to be updated because it has a vulnerability, which requires plugin B to be updated, but the theme hasn't gotten updates in 6 years and plugin B is using new stuff the theme doesn't support, so either the site has to be re-built with a new theme or plugin A just needs to be left at a vulnerable version.
Static sites get around some of that because vulnerable plugins only exist at build-time. I'm not worried about using an old version of Hugo or Jekyll, but I'm very worried about using old Wordpress plugins.
I've done so, so little work with Wordpress, but that experience was enough to convince me that I'd rather spend my days looking for dropped coins on the sidewalk than work with Wordpress again.
Is EmDash built with static sites as a focus? I haven't found too much about it yet, I was assuming it does (or will) focus on server rendering with cloudflare caching when possible.
Are you referring to static vs SSR, or caching? I'd expect static vs SSR to be an Astro concern rather than an EmDash concern. If they didn't integrate at all with Cloudflare for caching out of the box that seems like a miss, though I could see it needing to be a separate plugin if they want to expose all the configurability possible.
My wife's wordpress blog has at least 5 different plug-ins for publishing an article without a header. Every time I fix it for her by removing all but 1 plug-in, she'll install a million others because that's what ChatGPT told her to do.
I have no hope nor expectations of non-technical people performing technical tasks no matter how advanced AI becomes. The only solution is a platform/CMS that already has the all bells and whistles included.
a friend of mine owns a very popular psych/stoner label
until 3 days ago the website was a bunch of static pages, updated by the "webmaster", no shopping cart, no search, no contact form, just the email on the website
he and his employers have been living out of selling records and band merchandising for more than a decade, before he even created a real company
wanna buy a record?
press a button that sends you to the paypal cart
wanna pre order?
there is a preorder product on paypal, were you can put your shipping address and when it's ready, it'll be shipped to you
he's been selling in Europe and overseas in the US since the day he started
Now it got to the point where he needed to put different currencies for different regions, taxes, tariffs (UK, USA) so he built a new website that (automatically I guess) show the prices in the local currencies and stuff like that
I don't think they disagree? They said that okay, that doesn't perfectly fit into the static site philosophy but he can hack something together. Which is correct.
I think this is true, however, when it comes to non-coding clients I've worked with they really do like the ability to make minor edits to a site with a UI rather than having to continually ping a developer.
The problem with WordPress (and it looks like this solution largely just replicated the problem) is that it's way too cumbersome and bloated.
It really is unlike any modern UI for really any SaaS or software in general.
It's filled with meaningless admin notices, the sidebar is 5 miles long and about 98% of what the user sees is meaningless to them.
Creating a very lightweight, minimal UI for the client to edit exactly what they need or like you said, just static files really is the best solution in most cases. The "page builders" always just turn into a nightmare the clients end up handing over for a dev to "fix" anyways.
Not sure why so many people feel the need to continue on the decades of bloat and cruft WordPress has accumulated, even if it's "modernized."
But "back to CMS roots" is absolutely not what the WordPress ecosystem is about. It's about the absolute galaxy of plugins that provide you with an entire digital experience "in a box". You can just install whatever plugins for ecommerce, CRM, forms management, payments, event calendars. They will all plugin to both the template system and the MySQL database. There are a lot of well-known and reputable plugins with huge installed bases (woocommerce, gravity forms, yoast seo) but there's a ton of shady ones that can infect your install. Cloudflare is directly addressing the shortcomings of the existing plugin architecture indicating they intend for EmDash to fill a similar niche as an All-in-One digital experience and not just a simple CMS.
If it uses Astro, then it's a literal static website generator. But with modern React components if you need anything on top of this. The same with plugins, I assume people don't have to use those but the important thing is that you can if you want to.
The question is then they'd be building some brand new thing not compatible with wordpress. Supposedly the proposition is to steal people away from wordpress. Not just get people building something from scratch looking for a new framework. I'm guessing the recent lawsuits also provide some momentum.
Slightly late to this party, but in my opinion, this doesn't go nearly far enough. This solution will be relevant for 12 months in it's current form. If it adapts further, it might have legs.
I've built Wordpress sites for 12 years. Very few Wordpress developers are trying to swap to a slightly upgraded version of the same thing with no ecosystem and much of the same solutions. This will see some adoption, no doubt, but not a serious dent.
The main reason for that: in 12 months, 24 months, 36 months, this solution will be outdated and unimportant, same as Wordpress. Wordpress will still be kicking because it already has a 40% market share on the entire internet. This, however, will not be.
The CMS is dead tech in six to twelve months. I might have a million people who will disagree with me (and yes, people will still use CMS's after twelve months), but people actually moving into the future will have dropped CMS's for architectures that are AI first with strong, intuitive, easy-to-leverage guardrails.
In my opinion, the vast majority of people are still looking at AI through the lens of "how does it alter my current work/tech stack/strategy" and failing to ask the proper question: "what the hell is even important in a world where AI is as competent as 90% of humans and 100x faster?"
What do you need a CMS for? You think you'll be managing the content? Why? Why do I want a human managing content when the AI does it 100x as fast? Why do I want Astro? It compiles down nicely? Okay, maybe its a god-tier solution, but more likely... AI can just code extremely fast vanilla html/css/js. Why do I need a component library when AI can steal all the best components from all the best libraries? Why do I need "Portable Text"?
This is still not big picture enough. Think further out than 12 months.
Reminds me of Vercel and NextJS, where a popular framework design is constrained by, or optimally runs, on their infra, but then comes with pains or unusualness if self-hosted (eg. middleware). Vendor lock-in plays are a big red flag
Distribution of the content as static html or in any other format is a very tiny aspect of managing content and mostly a solved problem for any CMS nowadays. Focusing on that minimal aspect seems grotesque as there are much bigger challenges in making potentially large amounts of content actually manageable by a potentially very heterogeneous group of content creators with varying skills, responsibilities and relationships.
> To me this sounds of the polar opposite of the direction CMS's need to go, instead simplify and go back to the "websites" roots where a website are static files wherever, it's fast, easy to cache and just so much easier to deal with than server-side rendered websites.
To me this wording is strange, since traditional web frameworks do render pages server-side. The specific functions of their templating engines are often even called "render" (https://jinja.palletsprojects.com/en/stable/api/#jinja2.Temp...) or "render_template" or similar (https://docs.djangoproject.com/en/6.0/topics/templates/#djan...). I guess "server-side rendered" is being coopted by the JS ecosystem for some time now, as if they had come up with the very idea of rendering pages on the server side.
It would do the world some good, if people could just look at a technical term, understand its meaning by its components, and then not go: "Ah yes, I will use the same term, but no, no, no, I mean something different by that!"
For this example:
(1) "server-side": happening on the server
(2) "rendering pages": various meanings in different contexts, but on the web meaning filling in information and creating parts of the HTML tree, to get a full HTML document.
This has been done for decades and the result are usually, for the browser, static web pages. Static as in the opposite of dynamic. Dynamic meaning that the pages react to user interaction, meaning scripting, meaning JS.
It looks like they rolled it so you can plug in local components of your choice, though? The security model does assume you have MAC containerized environments available at your fingertips though, so having something like DHH's once is probably a soft minimal dependency if you want to do-it-yourself.
This is very interesting. I've worked with WordPress on and off for 10 years, and I'm convinced that this project has got 2 things absolutely spot on. TypeScript and Worker plugins.
I've given the security, or lack of, WP a lot of thought recently. In WP malicious plugin has access to the database, enfironment variables, rendering text on screen (think XSS). Luckily, a thoughtfully designed plugin system can mitigate all of those issues.
I've been working on a headless CMS in my spare time that is eirily similar to EmDash in a few ways. It's in very early development, but I will share regardless. It's called HotsauceCMS - https://github.com/hotsauce-team/hotsauce
- I went with optional NodeJS or Deno Worker plugins, this means that first-party plugins can benefit from the speed of in-process, and other plugins can be run in Workers. For fine grained permission control, you can use Deno Workers.
- I went with absolute minimal dependencies, I am so fed up with Dependabot alerts and npm supply chain hacks. My CMS has only 4 dependencies, 0 transistive dependencies.
- It's Drizzle schema first, and headless. So you have full controll of the database structure, use cms hints in your schema for features like file upload.
- It's database-agnostic, so it works with any Drizzle-supported database (Postgres, MySQL, SQLite)
- Being headless, you can use any frontend, my preference is JSX w/o react, but anything goes.
Feedback is absolutely welcomed on HotsauceCMS, did I miss a trick, am I on the right track?
Anyway, congratulations on EmDash. I'll be following closely, excited to see how the next few months unfold.
In my opinion, Cloudflare are coming at this from the wrong angle. WordPress is so popular because back in the day it was the easiest way to get a website built. So it got a network effect of engineers behind it which is why it persists at 40% of websites today. Same thing happened with React - majority of Typescript sites are written in React and NextJS because of the network effect around it.
Yeah the security aspect is important, but how many of those Wordpress engineers are going to jump ship to this because of security when they've been fine with the risk so far? My money is not a lot. If someone is a WordPress dev in 2026, they're probably not the type of dev that likes to upskill and learn new tech. Similarly, if you're looking to target the average joe looking to build a fresh website, would that consumer really choose this over Wix or Squarespace? It doesn't look easier to use so I wouldn't count on it. So where is the network effect going to come from to make this the new WordPress?
I could see Vinext being successful if they keep at it— I think there are a sizeable amount of people who would like to move away from Vercel (and who will probably migrate to Tanstack when the ecosystem is more stable). But I'm not sure people on WordPress really want to leave. If they really want to make this successful I think they need a better angle which in my opinion would be making it easier, quicker, cheaper and more flexible than Squarespace/Wix/Shopify etc
> x402 is an open, neutral standard for Internet-native payments. It lets anyone on the Internet easily charge, and any client pay on-demand, on a pay-per-use basis. A client, such as an agent, sends a HTTP request and receives a HTTP 402 Payment Required status code. In response, the client pays for access on-demand, and the server can let the client through to the requested content.
Fascinating. Cloudflare is envisioning a future where agents are given debit cards by their owners, so they can autonomously send microtransactions to website owners to scrape content or possibly purchase goods on the owner's behalf. I don't know how I feel about that but there's no doubt it's a fascinating concept.
Brb, setting up a honeypot that always responds with HTTP 402 Payment Required demanding 10cents per visit... That's the next "selling 1 million pixels on my website for $1 each", I guess
Serious question: Why is everyone still using JavaScript to AI-code projects? You can vibe-code apps with real languages now.
There's no reason to use an interpreted, bloated, weird language anymore. The only reason interpreted languages were a thing was so you could edit a file and re-run it immediately without a compile step. Compiling is now cheap, and you don't have to build expertise in a new language anymore. Ask AI to write your app in Go, it'll happily comply. Run it and it's faster with less memory use and disk space. The code is simpler and smaller making reviewing easier. Distribution is as easy as "copy the file".
I'll grant you, interpreted languages skip the "portability" compiling/distributing step, and let you avoid the stupid MacOS code signing. But Go is stupid easy to cross-compile, and (afaik?) the user can un-quarantine a self-signed app pretty easily.
I run a handful of WordPress sites. The plugin problem is real. I've spent more time managing plugin updates, conflicts, and security patches than actually building content for the sites.
But the reason I'm still on WordPress isn't loyalty. It's that my clients can maintain their own sites without me. A small business owner updates their own pages, adds blog posts, changes a phone number. No developer needed. That's not a feature of WordPress. That IS the product.
EmDash solves a developer problem (sandboxed plugins, TypeScript, Workers) by building a developer product. Nothing wrong with that. But calling it a WordPress successor misses why WordPress won in the first place. It wasn't the code quality. It was the guy who runs a bakery being able to edit his own website on a Sunday morning.
I don't think it's the code that makes WordPress valuable. I've been learning WordPress recently and haven't been too impressed with the internals. WordPress is valuable because of the ecosystem and support. I have no doubt that WordPress will still be a thing in ten years. What's the support plan for EmDash? I see commits are mostly from a single developer.
E: Oh, I think it's an April fools joke, I'm embarrassed.
As a (unfortunately) wordpress dev this seems to solve my single biggest painpoint with WP. Which isn't plugin security, but the overall plugin architecture.
WP treats plugins as content, literally in the same top level wp-content directory as uploaded images. This makes CI/CD among other things, a nightmare. But EmDash plugins are just TS modules, which has got to make things easier even if plugin configuration does end up in the db somewhere.
A WordPress spiritual successor backed by Cloudflare sounds great in theory, but the headline feature, plugin isolation via Dynamic Workers, only works on Cloudflare's runtime. On any other host it's just a TypeScript CMS without the security model that justifies its existence. Open source but architecturally locked in.
Welp, it looks like if you selfhost, the sandboxing of plugins benefit goes out thr window from what I'm reading. What kind of open source is that? Opencore? More like openinsecure, for thr security version, pay the Piper. I might still give it a try, but I sure hope we can put monthly monetary ceiling, had ceilings on our accounts. Anyone knows if cost-caps are possible on CLOUDFLARE??
> While EmDash aims to be compatible with WordPress functionality, no WordPress code was used to create EmDash. That allows us to license the open source project under the more permissive MIT license.
Ha ha, that's really funny timing given the recent launch of Cleanroom As A Service, promising that you can licensewash other peoples' code quickly and easily: https://malus.sh/
I'm not saying they did that, but it's ironic timing.
> A full-stack TypeScript CMS built on Astro and Cloudflare. EmDash takes the ideas that made WordPress dominant -- extensibility, admin UX, a plugin ecosystem -- and rebuilds them on serverless, type-safe foundations.
Someone should introduce the authors to the lovely em dash character. It's perfect for such sentences!
I really hope Cloudflare is ready and willing to stand by this thing for the next 20 years, and drive it as a first class product with a huge open source team. Because short of that you can just add this to the mile-long list of "successors to WordPress" we've been through over the decades. Maybe they're in it for the long haul. We'll see. But it takes time, and mountains of integrations and acceptance into the wider web authoring ecosystem for anything like this to gain real adoption.
The problem is that it doesn't solve the network-effect problem.
People aren't on WordPress because of WordPress.
They're on WordPress because of WooCommerce, a million themes, BuddyPress, integrations for every stupid internal business API on the planet (many of which are terrible and were written by an idiot with a crayon).
The APIs will have no testing because they are bad. In many cases the WordPress implementation of the API written in the codeblock, ran on page-load to the pain of the person responsible for SEO, is the API contract.
And yes those plugins are also terrible, but they solve business problems, even if they are tech problems.
You can't just launch a better wp-core and expect it to replace any of that.
EmDash needs to actually run the existing insecure WP plugins to takeover.
It looks like I'm in the minority after reading this comments, but I'm quite happy to see this announcement.
A "good" standard, free CMS with theming and plugin support without the issues of Wordpress is _welcome_. (And the issues are many: Licensing, trust, drama, security, and cost).
I'm guessing that a lot of cynicism here is coming from this crowd not being the target market of Wordpress in the first place? What were you recommending to non-technical friends and family who wanted a good, open source, affordable CMS to back their website? Wordpress has all the right _ideas_, but the wrong implementation.
So this is just a "similar" CMS to WordPress in that it has themes and plugins, and you can publish pages, posts, tags, categories, etc. But there are lots of similar CMS out there, and this one isn't "compatible" with WordPress since you obviously can't just take a WordPress theme or plugin and install it in your EmDash site. So I don't even know why the focus on WordPress here - this is just yet another CMS that offers similar features.
With WP you can find a plethora of cheap PHP hostings that offer WP preinstalled.
If you need to tweak a theme - just download a .php file via FTP, tweak it and upload back.
No server management or restart is required.
One big potential benefit that EmDash has - every WP deployment is basically a honeypot.
It's a shame they don't seem to try to address the divide between CMS's and static sites.
Most WordPress sites could just be static, but WordPress has a nice editor interface, so they're not - unless you use a SSG plugin. Building that into the core workflow (which I believe Astro supports) and giving users a nice hosted editor that produces a static site would be welcome innovation.
In my view, Astro is the most reasonable choice for a blog-like website these days. All the simplicity and all the capabilities that you need. Excited to check this out and see what they have added on top of it.
I don't like that they see the main selling point that the license, is not GPL, and that plugins don't have to license it that way either. I understand that not all developers are comfortable with the GPL license, but it allows to the code continue to be open source and that most plugins are open source also
It's great that they are recreating much of the fundamental software stack using LLMs. But if you're going to 'vibeslop,' at least do it in a language other than JavaScript.
I struggle to understand why anyone would want to generate code in TypeScript - unless what you're building truly can't be done in Go, Rust, or Kotlin; anything but JS.
I’m not sure how much of an improvement it really is to rewrite something from PHP to TypeScript while claiming security benefits.
Its kind of annoying that CF would use an LLM to build something and try to pass it off as something built from "the ground up". Its just copying the library that was already build and passing it off as their own.
Will you look at it. Another Wordpress “killer”. Wordpress has that market share because it can be easily installed in a wide variety of servers and because of its plugin ecosystem of dozens of thousands of plugins and huge flexibility/customizability. Wordpress is one of the most flexible pieces of software out there and none of the competition seem to get why Wordpress is so popular.
I can't believe as developers we were worried about AI training on licensed code. It turns out it didn't matter at all. You can just point an LLM at some source code and you're off scot-free.
Serious question: Who actually builds stuff on Cloudflare workers? I mean large software projects / services, and not just side projects where the ability to scale-to-zero is perhaps more important than the scale-to-infinity direction. I feel like Cloudflare keeps pushing workers with its full force yet I fail to see the appeal.
So this product has nothing to do with wordpress, it's just another CMS that mentioned WP only bcz they created a migration plugin that won't work on 90% of existing wp sites and won't work on 100% of woocommerce sites.
This is no successor, it's not even in the same universe.
- vendor lock-in, losing gpl, losing access to plugins source code, loosing ownership.
> But for the past two months our agents have been working on an even more ambitious project: rebuilding the WordPress open source project from the ground up.
> no WordPress code was used to create EmDash
Hm. Do you think those agents were trained on WP code?
base platform used - typescript - means for the average Joe out there - deploying is difficult - compared to php.
if they really wanted to be revolutionary - they would've made a single PHP script either on FrankenPHP backed by sqlite - single file deploy - with yeah a permission model Ala denojs for the security aspects.
The Deploy to Cloudflare button in the article is not working for me.
It takes me to the expected Cloudflare dashboard page, with title “Clone a repository” and with the GitHub repository URL field filled with https://github.com/emdash-cms/templates/tree/main/blog-cloud... but when I click Continue, the Continue button changes to “…” and animates indicating it’s thinking, but then nothing happens. No error messages shown, nothing. The Continue button switches back to having the Continue text and being clickable.
I tried deleting a couple of old applications I had in the Workers & Pages page of the Cloudflare dashboard thinking that maybe I had exhausted the number of such applications I can have on a free Cloudflare account. The number of applications I have is now down to 7, after deleting a couple of old ones. Still, attempting to deploy EmDash to my Cloudflare account fails in the same way as before without any error messages shown.
I was using Safari on iOS 18.7.1. I will try on a desktop browser, in case the problem is only happening in Safari on iOS.
You want anything beyond ghost? Find a way to port the vast market of 100,000+ cheap and free themes and components that are available to enable tech-illiterate, low-budget users to basically build an entire business platform on a $5/mo shared hosting plan.
A vibe coded CMS that's 3 months in the making is not capable of taking that place in the market, no matter how much VC funding you put behind it.
The thing that has always stood out to me about WordPress, is that you can get a site up without any of the usual technical steps I associate with creating a site, but still have access to the innards of the site. Does it often go wrong, sure, but it is a lot more approachable for less technical users.
In contrast, typical web frameworks (even static sites) require a code change, build, deploy, etc to update many aspects of a site.
the plugin security problem in WordPress was never really a code quality problem - it was a trust model problem. any developer could publish a plugin and any site owner could install it with one click, with no vetting layer in between. TypeScript and serverless doesn't change that dynamic unless the trust model changes too. curious how EmDash handles third-party plugin permissions at the API boundary.
This is naive thinking you can just rewrite WordPress and think it's going to solve any problems that exist with WordPress. The entire community of WordPress has been built over decades including its successes and failures, but people are not going to just stop using WordPress as I have seen people attempt this over and over in the last 20 years with little success.
I'm all for creating new frameworks that are faster and more secure. But I don't see how this one relates to Wordpress (not in PHP, serverless, not "plug and play", dependent on Astro, "AI Native"…).
It looks like a good open source project, but just call it a new CMS. I think calling it a "spiritual successor to WordPress" is just to gain some marketing points.
> Most abstractions in software exist because humans need help...It's not clear yet which abstractions are truly foundational and which ones were just crutches for human cognition... We took an API contract, a build tool, and an AI model, and the AI wrote everything in between.
An edge-first CMS is cool. I've wanted something that works well alongside Astro for ages.
That said, WordPress is a weird paradigm to be replicating in 2026. WP won on extensibility, but the actual legacy of that ecosystem is bloat, security disasters and dogshit performance.
What I think makes more sense is this kind of edge backend paired with a proper modern authoring experience with visual control like Framer/Webflow with Notion-style database primitives underneath.
And given how fast AI is getting at generating bespoke business logic, building another monolithic plugin ecosystem feels like solving the wrong problem.
Plugins were a workaround for the fact that most people couldn't write code. That's increasingly not true.
504 comments
> Our name for this new CMS is EmDash. We think of it as the spiritual successor to WordPress. It’s written entirely in TypeScript. It is serverless, but you can run it on your own hardware or any platform you choose. Plugins are securely sandboxed and can run in their own isolate, via Dynamic Workers, solving the fundamental security problem with the WordPress plugin architecture. And under the hood, EmDash is powered by Astro, the fastest web framework for content-driven websites.
To me this sounds of the polar opposite of the direction CMS's need to go, instead simplify and go back to the "websites" roots where a website are static files wherever, it's fast, easy to cache and just so much easier to deal with than server-side rendered websites.
But of course, then they wouldn't be able to sell their own "workers" product, so suddenly I think I might understand why they built it the way they built it, at the very least to dogfood their own stuff.
I'm not sure it actually solves the "fundamental security problem" in actuality though, but I guess that remains to be seen.
"I need a website for my bakery". "What's supposed to be on it?" "Our address, opening times, a few pictures". I build them a static website.
"Now I need a contact form". Ok, that doesn't really fit into a static website, but I can hack something together. "Now I need to show inventory, and allow customers to pre-order". A static website won't cut it anymore.
When you develop for clients, especially those that you don't know very well, it's a bad idea to back yourself into a corner that's not very extensible. So from that perspective, I really get why they give plugins such a central spot.
I got my start in webdev slinging WordPress sites like a lot of self taught devs and I definitely see the pain points now that I’ve moved on to more “engineering” focused development paradigms but the value proposition of WP has always been clear and present.
Given how WP leadership is all over the place at the moment, I can see how Cloudflare sees this as an opportunity to come in and peel away some market share when they can convince these current WP devs to adopt a little AI help and write applications for their platform instead.
Let’s see if it pays off!
The flip side of the dynamic content is that every Wordpress I've ever worked on is a horrifying mountain of plugins managed by the world's worst package manager. Plugin A needs to be updated because it has a vulnerability, which requires plugin B to be updated, but the theme hasn't gotten updates in 6 years and plugin B is using new stuff the theme doesn't support, so either the site has to be re-built with a new theme or plugin A just needs to be left at a vulnerable version.
Static sites get around some of that because vulnerable plugins only exist at build-time. I'm not worried about using an old version of Hugo or Jekyll, but I'm very worried about using old Wordpress plugins.
I have no hope nor expectations of non-technical people performing technical tasks no matter how advanced AI becomes. The only solution is a platform/CMS that already has the all bells and whistles included.
until 3 days ago the website was a bunch of static pages, updated by the "webmaster", no shopping cart, no search, no contact form, just the email on the website
he and his employers have been living out of selling records and band merchandising for more than a decade, before he even created a real company
wanna buy a record? press a button that sends you to the paypal cart
wanna pre order? there is a preorder product on paypal, were you can put your shipping address and when it's ready, it'll be shipped to you
he's been selling in Europe and overseas in the US since the day he started
Now it got to the point where he needed to put different currencies for different regions, taxes, tariffs (UK, USA) so he built a new website that (automatically I guess) show the prices in the local currencies and stuff like that
p.s. still no contact form :)
“ And under the hood, EmDash is powered by Astro, the fastest web framework for content-driven websites.”
The problem with WordPress (and it looks like this solution largely just replicated the problem) is that it's way too cumbersome and bloated.
It really is unlike any modern UI for really any SaaS or software in general.
It's filled with meaningless admin notices, the sidebar is 5 miles long and about 98% of what the user sees is meaningless to them.
Creating a very lightweight, minimal UI for the client to edit exactly what they need or like you said, just static files really is the best solution in most cases. The "page builders" always just turn into a nightmare the clients end up handing over for a dev to "fix" anyways.
Not sure why so many people feel the need to continue on the decades of bloat and cruft WordPress has accumulated, even if it's "modernized."
I've built Wordpress sites for 12 years. Very few Wordpress developers are trying to swap to a slightly upgraded version of the same thing with no ecosystem and much of the same solutions. This will see some adoption, no doubt, but not a serious dent.
The main reason for that: in 12 months, 24 months, 36 months, this solution will be outdated and unimportant, same as Wordpress. Wordpress will still be kicking because it already has a 40% market share on the entire internet. This, however, will not be.
The CMS is dead tech in six to twelve months. I might have a million people who will disagree with me (and yes, people will still use CMS's after twelve months), but people actually moving into the future will have dropped CMS's for architectures that are AI first with strong, intuitive, easy-to-leverage guardrails.
In my opinion, the vast majority of people are still looking at AI through the lens of "how does it alter my current work/tech stack/strategy" and failing to ask the proper question: "what the hell is even important in a world where AI is as competent as 90% of humans and 100x faster?"
What do you need a CMS for? You think you'll be managing the content? Why? Why do I want a human managing content when the AI does it 100x as fast? Why do I want Astro? It compiles down nicely? Okay, maybe its a god-tier solution, but more likely... AI can just code extremely fast vanilla html/css/js. Why do I need a component library when AI can steal all the best components from all the best libraries? Why do I need "Portable Text"?
This is still not big picture enough. Think further out than 12 months.
> To me this sounds of the polar opposite of the direction CMS's need to go, instead simplify and go back to the "websites" roots where a website are static files wherever, it's fast, easy to cache and just so much easier to deal with than server-side rendered websites.
To me this wording is strange, since traditional web frameworks do render pages server-side. The specific functions of their templating engines are often even called "render" (https://jinja.palletsprojects.com/en/stable/api/#jinja2.Temp...) or "render_template" or similar (https://docs.djangoproject.com/en/6.0/topics/templates/#djan...). I guess "server-side rendered" is being coopted by the JS ecosystem for some time now, as if they had come up with the very idea of rendering pages on the server side.
It would do the world some good, if people could just look at a technical term, understand its meaning by its components, and then not go: "Ah yes, I will use the same term, but no, no, no, I mean something different by that!"
For this example:
This has been done for decades and the result are usually, for the browser, static web pages. Static as in the opposite of dynamic. Dynamic meaning that the pages react to user interaction, meaning scripting, meaning JS.I've given the security, or lack of, WP a lot of thought recently. In WP malicious plugin has access to the database, enfironment variables, rendering text on screen (think XSS). Luckily, a thoughtfully designed plugin system can mitigate all of those issues.
I've been working on a headless CMS in my spare time that is eirily similar to EmDash in a few ways. It's in very early development, but I will share regardless. It's called HotsauceCMS - https://github.com/hotsauce-team/hotsauce
- I went with optional NodeJS or Deno Worker plugins, this means that first-party plugins can benefit from the speed of in-process, and other plugins can be run in Workers. For fine grained permission control, you can use Deno Workers.
- I went with absolute minimal dependencies, I am so fed up with Dependabot alerts and npm supply chain hacks. My CMS has only 4 dependencies, 0 transistive dependencies.
- It's Drizzle schema first, and headless. So you have full controll of the database structure, use cms hints in your schema for features like file upload.
- It's database-agnostic, so it works with any Drizzle-supported database (Postgres, MySQL, SQLite)
- Being headless, you can use any frontend, my preference is JSX w/o react, but anything goes.
Feedback is absolutely welcomed on HotsauceCMS, did I miss a trick, am I on the right track?
Anyway, congratulations on EmDash. I'll be following closely, excited to see how the next few months unfold.
Yeah the security aspect is important, but how many of those Wordpress engineers are going to jump ship to this because of security when they've been fine with the risk so far? My money is not a lot. If someone is a WordPress dev in 2026, they're probably not the type of dev that likes to upskill and learn new tech. Similarly, if you're looking to target the average joe looking to build a fresh website, would that consumer really choose this over Wix or Squarespace? It doesn't look easier to use so I wouldn't count on it. So where is the network effect going to come from to make this the new WordPress?
I could see Vinext being successful if they keep at it— I think there are a sizeable amount of people who would like to move away from Vercel (and who will probably migrate to Tanstack when the ecosystem is more stable). But I'm not sure people on WordPress really want to leave. If they really want to make this successful I think they need a better angle which in my opinion would be making it easier, quicker, cheaper and more flexible than Squarespace/Wix/Shopify etc
> x402 is an open, neutral standard for Internet-native payments. It lets anyone on the Internet easily charge, and any client pay on-demand, on a pay-per-use basis. A client, such as an agent, sends a HTTP request and receives a HTTP 402 Payment Required status code. In response, the client pays for access on-demand, and the server can let the client through to the requested content.
Fascinating. Cloudflare is envisioning a future where agents are given debit cards by their owners, so they can autonomously send microtransactions to website owners to scrape content or possibly purchase goods on the owner's behalf. I don't know how I feel about that but there's no doubt it's a fascinating concept.
Brb, setting up a honeypot that always responds with HTTP 402 Payment Required demanding 10cents per visit... That's the next "selling 1 million pixels on my website for $1 each", I guess
There's no reason to use an interpreted, bloated, weird language anymore. The only reason interpreted languages were a thing was so you could edit a file and re-run it immediately without a compile step. Compiling is now cheap, and you don't have to build expertise in a new language anymore. Ask AI to write your app in Go, it'll happily comply. Run it and it's faster with less memory use and disk space. The code is simpler and smaller making reviewing easier. Distribution is as easy as "copy the file".
I'll grant you, interpreted languages skip the "portability" compiling/distributing step, and let you avoid the stupid MacOS code signing. But Go is stupid easy to cross-compile, and (afaik?) the user can un-quarantine a self-signed app pretty easily.
But the reason I'm still on WordPress isn't loyalty. It's that my clients can maintain their own sites without me. A small business owner updates their own pages, adds blog posts, changes a phone number. No developer needed. That's not a feature of WordPress. That IS the product.
EmDash solves a developer problem (sandboxed plugins, TypeScript, Workers) by building a developer product. Nothing wrong with that. But calling it a WordPress successor misses why WordPress won in the first place. It wasn't the code quality. It was the guy who runs a bakery being able to edit his own website on a Sunday morning.
E: Oh, I think it's an April fools joke, I'm embarrassed.
E2: Apparently not a joke.
WP treats plugins as content, literally in the same top level
wp-contentdirectory as uploaded images. This makes CI/CD among other things, a nightmare. But EmDash plugins are just TS modules, which has got to make things easier even if plugin configuration does end up in the db somewhere.> While EmDash aims to be compatible with WordPress functionality, no WordPress code was used to create EmDash. That allows us to license the open source project under the more permissive MIT license.
Ha ha, that's really funny timing given the recent launch of Cleanroom As A Service, promising that you can licensewash other peoples' code quickly and easily: https://malus.sh/
I'm not saying they did that, but it's ironic timing.
> A full-stack TypeScript CMS built on Astro and Cloudflare. EmDash takes the ideas that made WordPress dominant -- extensibility, admin UX, a plugin ecosystem -- and rebuilds them on serverless, type-safe foundations.
Someone should introduce the authors to the lovely em dash character. It's perfect for such sentences!
> Solving scale-to-zero for WordPress hosting platforms > WordPress is not serverless
Just not accurate. WordPress doesn't prevent this.. It's up to hosting providers to work on their infra so it can run in a serverless fashion.
For example: https://www.agiler.io
That's serverless wordpress that scales to zero.. no changes to WordPress, plugins or anything else.. just platform infra.
People aren't on WordPress because of WordPress.
They're on WordPress because of WooCommerce, a million themes, BuddyPress, integrations for every stupid internal business API on the planet (many of which are terrible and were written by an idiot with a crayon).
The APIs will have no testing because they are bad. In many cases the WordPress implementation of the API written in the codeblock, ran on page-load to the pain of the person responsible for SEO, is the API contract.
And yes those plugins are also terrible, but they solve business problems, even if they are tech problems.
You can't just launch a better wp-core and expect it to replace any of that.
EmDash needs to actually run the existing insecure WP plugins to takeover.
A "good" standard, free CMS with theming and plugin support without the issues of Wordpress is _welcome_. (And the issues are many: Licensing, trust, drama, security, and cost).
I'm guessing that a lot of cynicism here is coming from this crowd not being the target market of Wordpress in the first place? What were you recommending to non-technical friends and family who wanted a good, open source, affordable CMS to back their website? Wordpress has all the right _ideas_, but the wrong implementation.
With WP you can find a plethora of cheap PHP hostings that offer WP preinstalled. If you need to tweak a theme - just download a .php file via FTP, tweak it and upload back.
No server management or restart is required.
One big potential benefit that EmDash has - every WP deployment is basically a honeypot.
Most WordPress sites could just be static, but WordPress has a nice editor interface, so they're not - unless you use a SSG plugin. Building that into the core workflow (which I believe Astro supports) and giving users a nice hosted editor that produces a static site would be welcome innovation.
I struggle to understand why anyone would want to generate code in TypeScript - unless what you're building truly can't be done in Go, Rust, or Kotlin; anything but JS.
I’m not sure how much of an improvement it really is to rewrite something from PHP to TypeScript while claiming security benefits.
Anything built on PHP will be widely used, like Laravel
This is no successor, it's not even in the same universe. - vendor lock-in, losing gpl, losing access to plugins source code, loosing ownership.
> But for the past two months our agents have been working on an even more ambitious project: rebuilding the WordPress open source project from the ground up.
> no WordPress code was used to create EmDash
Hm. Do you think those agents were trained on WP code?
base platform used - typescript - means for the average Joe out there - deploying is difficult - compared to php.
if they really wanted to be revolutionary - they would've made a single PHP script either on FrankenPHP backed by sqlite - single file deploy - with yeah a permission model Ala denojs for the security aspects.
end of day this is vibeslop.
Is this April fools? With real products launching on this date you can't really be too sure.
It takes me to the expected Cloudflare dashboard page, with title “Clone a repository” and with the GitHub repository URL field filled with https://github.com/emdash-cms/templates/tree/main/blog-cloud... but when I click Continue, the Continue button changes to “…” and animates indicating it’s thinking, but then nothing happens. No error messages shown, nothing. The Continue button switches back to having the Continue text and being clickable.
I tried deleting a couple of old applications I had in the Workers & Pages page of the Cloudflare dashboard thinking that maybe I had exhausted the number of such applications I can have on a free Cloudflare account. The number of applications I have is now down to 7, after deleting a couple of old ones. Still, attempting to deploy EmDash to my Cloudflare account fails in the same way as before without any error messages shown.
I was using Safari on iOS 18.7.1. I will try on a desktop browser, in case the problem is only happening in Safari on iOS.
> no WordPress code was used to create EmDash.
Oh, neat. Which model wasn't trained on WordPress?
You want anything beyond ghost? Find a way to port the vast market of 100,000+ cheap and free themes and components that are available to enable tech-illiterate, low-budget users to basically build an entire business platform on a $5/mo shared hosting plan.
A vibe coded CMS that's 3 months in the making is not capable of taking that place in the market, no matter how much VC funding you put behind it.
In contrast, typical web frameworks (even static sites) require a code change, build, deploy, etc to update many aspects of a site.
It looks like a good open source project, but just call it a new CMS. I think calling it a "spiritual successor to WordPress" is just to gain some marketing points.
> Most abstractions in software exist because humans need help...It's not clear yet which abstractions are truly foundational and which ones were just crutches for human cognition... We took an API contract, a build tool, and an AI model, and the AI wrote everything in between.
That said, WordPress is a weird paradigm to be replicating in 2026. WP won on extensibility, but the actual legacy of that ecosystem is bloat, security disasters and dogshit performance.
What I think makes more sense is this kind of edge backend paired with a proper modern authoring experience with visual control like Framer/Webflow with Notion-style database primitives underneath.
And given how fast AI is getting at generating bespoke business logic, building another monolithic plugin ecosystem feels like solving the wrong problem.
Plugins were a workaround for the fact that most people couldn't write code. That's increasingly not true.