Sign in Subscribe

WordPress Is 23 Years Old. Cloudflare Just Rebuilt It From Scratch. Here's What Changed.

WordPress Is 23 Years Old. Cloudflare Just Rebuilt It From Scratch. Here's What Changed.

WordPress runs about 40 percent of the internet. It has been a remarkable run. It has also been a security nightmare for two decades.

The fundamental problem has never been secret: WordPress plugins share a single namespace with the core application. A vulnerability in one plugin can compromise an entire site. This is not a bug. It is the design. And it has led to thousands of compromised websites, endless cat-and-mouse security updates, and a global cottage industry of WordPress malware cleanup.

Cloudflare just tried to fix it by starting over.

EmDash is a full CMS rebuilt from the ground up. TypeScript throughout. Built on Astro 6.0. No WordPress code used. MIT licensed. The entire thing was built by AI coding agents in about two months. It hit #1 on Hacker News within hours. And unlike most April 1 announcements that turn out to be jokes, this one has a live playground, a GitHub repo, and a one-click deploy button.

What EmDash Actually Is

EmDash is a content management system. It is meant to do what WordPress does: let people build websites, manage content, and extend functionality through plugins. The difference is in how it handles the extension model.

Every plugin in EmDash runs inside a Cloudflare Worker isolate. That means each plugin operates in its own isolated JavaScript context. A plugin cannot reach into the core application. It cannot read data from another plugin's memory space. It cannot exploit a vulnerability in one plugin to take over the whole site.

This is not a hardening measure layered onto an old architecture. It is a new architecture built around the assumption that plugins will sometimes be buggy or malicious, and the system should not trust any of them.

The practical result is a CMS where plugin security is solved by design rather than managed by policy.

The AI Buildout Story

Cloudflare did not hand this to a team of engineers and wait two years for results. Their AI coding agents built most of EmDash. Two months. No WordPress code. The company is calling this a proof point for vibe coding at serious scale.

That framing matters for the broader conversation happening right now. The developer tooling world has been arguing for months about whether vibe coding can produce production-quality software. EmDash is a CMS, not a toy project. It has routing, plugin isolation, a database layer, template rendering, and a deployment pipeline. If the vibe coding narrative needed a data point, this is one.

The MIT license is worth noting. Cloudflare did not build a proprietary platform and call it open. They released the source under terms that let anyone use, modify, and fork the project without restrictions. For a company using AI agents to build open infrastructure, this is a meaningful signal.

Where It Runs and What It Costs

EmDash deploys to Cloudflare Workers by default. The pricing model for Workers means most small sites will pay nothing or close to nothing for hosting. The global CDN, SSL, and edge caching come with the platform automatically.

But Cloudflare is not trying to lock anyone in. EmDash runs on any Node.js host. The serverless default is a choice, not a requirement. If you want to run it on your own infrastructure, you can.

The preview is live today at v0.1.0. The team has a playground where you can try the admin interface without deploying anything. There is a direct deploy button for Cloudflare Workers. The GitHub repo is public.

Is It Ready to Replace WordPress?

No. Not yet. This is a v0.1.0 preview. The plugin ecosystem does not exist. The theme system is early. The migration tooling from WordPress is not here yet. If you are running a WordPress site today, you are not switching this week.

But the architecture is right. The security model solves a problem that WordPress has had for 23 years and never fixed. The TypeScript foundation means type safety and tooling that WordPress developers have envied for years. The MIT license means the community can extend it without legal constraints.

If you are evaluating CMS options for a new project, EmDash belongs on your list. If you are running WordPress and security is on your risk register, start watching this one.

The WordPress era is not over. But the conversation about what comes after it just got more serious.

Sources: - Cloudflare Blog — EmDash Announcement - Hacker News Discussion - EmDash Source Code (GitHub)