For as long as there has been WordPress, there have been WordPress detractors, those who feel that some alternative would do the job better—often with good justification.
First released in 2003, the WordPress content management system (CMS) is a rickety structure, built on PHP and first-generation web architectures. Yet, WordPress remains the most popular blogging platform (running 40% of the Internet currently), largely because of its simplicity for users; its time-to-post remains unbeatable.
On April 1, Cloudflare Senior Product Manager Matt “TK” Taylor and Cloudflare Senior Principal Systems Engineer Matt Kane, introduced what they called the “spiritual successor to WordPress,” called EmDash.
Taylor helped manage CMSes for several U.K. news outlets, and Kane is a backend engineer, so together they have a good overview of the benefits and shortcomings of modern CMSes for both users and administrators.
WordPress is an outdated dinosaur in today’s cloud-native serverless world, they argue. It basically stuffs HTML content into database fields. Its plug-in system is horribly broken from a security viewpoint.
Their software—like the typography symbol it was named after—represents a strong break from the past, in this case the WordPress architecture, even as it emulates the software’s functionality—sometimes to a fault. And it also offers a better security posture—as long as you run EmDash on Cloudflare, an edge connectivity cloud.
Because most WordPress instances are self-managed (even if they are hosted in the cloud), the user is responsible for managing updates to all the core components. So, any alternative to ease platform deployments and Day 2 maintenance would certainly catch the attention of the WP admin, not to mention all the dedicated WordPress service providers.
WordPress vs. EmDash: The Architecture
Setting up a WordPress installation typically requires a dedicated virtual server, along with a database and server software (usually Apache). It scales like a traditional web application. When traffic is heavy, more servers are required. And a certain number of servers must be pre-provisioned in case these spikes happen.
Built on workerd (a V8-based reimplementation of Node.js), EmDash is inherently more scalable. In effect, EmDash is serverless, able to scale up as needed with no pre-provisioning.
EmDash is scaffolded on top of the Astro web framework (an open-source project backed by Cloudflare), which renders the HTML pages. Astro’s “Server Islands” technology eliminates the need to rebuild the entire site when a page is updated, a problem that has plagued headless CMSes.
Storage is based on AWS’ S3 object storage service (or Cloudflare’s R2-compatible equivalent), which means effectively unlimited storage. So, no worries about all those images filling up the server space. (It also supports SQLite for home installations).
The engineers claim that EmDash matches WordPress functionality and that WordPress files, taxonomies and metadata can be imported into an EmDash instance, via an AI assistant. The code, written in TypeScript, was created from scratch (with the assistance of AI agents), and is available as open source, under the MIT license.
Curious users can test out the software on EmDash Playground, where they will find an interface almost identical to WordPress’ own.
WordPress vs. EmDash: Security
One of the chief selling points for EmDash is better security for plug-ins.
“Plug-ins were one of the most important things that we needed to get right. It is one of the biggest issues with WordPress,” Kane said on a Cloudflare videocast. “So I was trying to think of a way that we could do this that was going to be at least more secure than WordPress, if not completely secure. And then suddenly I realized that we had in Cloudflare, this product that was perfect for adapting to [Cloudflare’s] Dynamic Workers.”
Traditionally, WordPress plug-ins must be written in PHP (though practice has lately been augmented with PHP wrapper support for other languages). But PHP plug-ins are a security threat: the plug-in gets admin control over the entire web server process, making it an ideal route to, say, hijack the admin account.
Approximately 96% of all WordPress vulnerabilities come from the plug-ins, according to Patchstack’s “State of WordPress Security 2025.” In this report, the WordPress security firm even cast doubts on whether WordPress could meet the requirements of the EU’s Cyber Resilience Act (CRA).
With EmDash, plug-ins are sandboxed in their own V8 Isolate, a secure container managed by the V8 JavaScript/TypeScript/WebAssembly engine. They can access data only through bindings.
This approach “does solve the vast majority” of plug-in-related security problems, Kane said on the videocast. A bad EmDash plug-in “cannot do very much at all,” he said. “It’s not going to take down your whole site. It’s not going to read your entire database, and it’s not going to start crypto mining on your servers.”

