EmDash: Cloudflare's TypeScript-Based WordPress Successor with Sandboxed Plugins

EmDash: Cloudflare's TypeScript-Based WordPress Successor with Sandboxed Plugins

lschvn

Cloudflare launched EmDash this week, an open-source content management system it calls "the spiritual successor to WordPress." The project is notable for being built entirely in TypeScript, powered by Astro under the hood, and shipping with a fundamentally different approach to plugin security.

tldr

  • EmDash is a new open-source CMS built on Astro 6.0, written entirely in TypeScript, MIT licensed
  • Plugins run in sandboxed Dynamic Workers isolates instead of having direct filesystem/database access, fixing WordPress's core security problem
  • 96% of WordPress security vulnerabilities come from plugins; EmDash's capability-based model eliminates this attack surface
  • Deployable to Cloudflare Workers or any Node.js server; early beta available now /tldr

Why WordPress Needed a Successor

WordPress powers over 40% of the internet. It launched in 2003, before AWS EC2 existed, and its plugin architecture hasn't fundamentally changed since. A WordPress plugin is a PHP script with direct access to your database and filesystem. Installing a plugin means granting it full trust.

The numbers are stark: 96% of WordPress security vulnerabilities originate in plugins, and 2025 saw more high-severity WordPress plugin vulnerabilities than the previous two years combined. The model is the problem, not individual plugin developers.

EmDash's bet is that you can build a CMS for the serverless era, where plugins declare what they need via a manifest and receive only those capabilities, without sacrificing the accessibility that made WordPress dominant.

How the Sandboxing Works

In EmDash, each plugin runs in its own Dynamic Worker, Cloudflare's lightweight isolate technology. Rather than giving plugins direct access to data, EmDash provides capabilities via bindings.

Before installing a plugin, you can read its manifest and know exactly what permissions it requests, similar to an OAuth scopes screen. The security guarantee is structural: a plugin can only perform actions explicitly declared in its manifest.

// EmDash plugin manifest example
{
  "name": "email-on-publish",
  "capabilities": ["send-email", "read-content"],
  "runtime": "dynamic-worker"
}

This is a meaningful departure from the PHP include model that WordPress inherited from a different era of web hosting.

Built on Astro 6.0, Written in TypeScript

EmDash is not a WordPress fork. No WordPress code was used. It is built on Astro 6.0, Cloudflare's own Astro fork, which notably was rebuilt in one week using AI coding agents last year.

The project is MIT licensed, fully open source, and available on GitHub. You can deploy a blog template directly to Cloudflare Workers:

https://deploy.workers.cloudflare.com/?url=https://github.com/emdash-cms/templates/tree/main/blog-cloudflare

There's also an EmDash Playground where you can try the admin interface without deploying anything.

The Broader Context

Cloudflare has been on a building spree with AI coding agents. The company rebuilt Next.js in a week (producing Vinext), then turned that same tooling at WordPress. Whether the output of that experiment is production-ready is a separate question, EmDash is launching in beta, not as a mature product.

But the thesis is coherent: the marginal cost of building software has dropped dramatically when AI agents handle boilerplate, and the result can be a genuinely novel architecture rather than a WordPress theme. The plugin security model alone makes EmDash interesting to anyone who has had to audit a WordPress site with 30 plugins installed.

faq

  • Is EmDash compatible with WordPress themes and plugins? Not directly, EmDash is a from-scratch implementation. The team aims for feature compatibility, not code compatibility. No WordPress PHP was used.
  • Where can I deploy EmDash? Initially Cloudflare Workers and any Node.js server. Other platforms may follow.
  • Is this production-ready? No, EmDash v0.1.0 is an early developer beta. Expect breaking changes.
  • What license is it under? MIT, which Cloudflare chose specifically to allow broad adoption and contribution without GPL constraints. /faq

Related articles

More coverage with overlapping topics and tags.

Astro 6.1.8 Patches Critical Netlify Deploy Bug and Image Endpoint Security Flaw
security

Astro 6.1.8 Patches Critical Netlify Deploy Bug and Image Endpoint Security Flaw

Astro 6.1.8 fixes a regression where build output filenames containing special characters caused deploy failures on Netlify and Vercel, and patches a content-type confusion vulnerability in the built-in image endpoint that could serve non-SVG content as SVG.
React Router v8 Graduates Its Future Flags to Defaults, Goes ESM-Only, and Drops `react-router-dom`
frameworks

React Router v8 Graduates Its Future Flags to Defaults, Goes ESM-Only, and Drops `react-router-dom`

React Router v8.0.0 (June 17, 2026) is the first major release under the project's Open Governance model and the first on a planned yearly cadence. Every `future.v8_*` flag from v7 is now the default (always-on middleware, pass-through requests, the Vite Environment API, route-module splitting), the baseline moves to Node 22.22+, React 19.2.7+, and Vite 7+, all packages ship ESM-only with an ES2022 target, `react-router-dom` is removed, and the node adapters switch to a Remix-maintained fetch server while `create-react-router` drops its fetch polyfill for native `fetch`.
Nitro v3.0.260603-beta: Custom Framework Commands and Default Preset Config
frameworks

Nitro v3.0.260603-beta: Custom Framework Commands and Default Preset Config

Nitro's latest beta adds support for custom framework preview and deploy commands, introduces a defaultPreset config option for customizing the fallback preset, and fixes a type-stripping edge case.

Comments

Log in Log in to join the conversation.

No comments yet. Be the first to share your thoughts.