Technology and website security giant Cloudflare has launched EmDash CMS, a new content management system designed to challenge the dominance of WordPress. While WordPress currently powers over 40% of the internet, Cloudflare researchers noted that the 24-year-old platform is struggling with a “security crisis” that leaves millions of sites at risk.
Ending the plugin crisis
The move is a direct response to the massive safety risks found in traditional website add-ons. According to Cloudflare’s announcement of the new system, around 96% of WordPress security issues start within its plugins. In 2025, the number of high-severity flaws in the ecosystem actually surpassed the total from the previous two years combined.
The problem lies in how these tools are built, as researchers noted that most WordPress plugins use PHP and have total access to a site’s database. EmDash, however, uses a sandbox method where every plugin runs in its own isolated space, known as a Dynamic Worker. This means a plugin can only do exactly what it declares in a manifest file, such as a specific email:send permission, and cannot touch other parts of the website.
Built for the AI era
EmDash was developed in just two months using AI coding agents and is written entirely in TypeScript. It is powered by Astro, a framework built for speed, and uses serverless technology. This allows a site to “scale to zero,” which means it stays dormant and costs nothing until a visitor arrives, rather than needing a server running 24/7.
The system also prepares creators for a future dominated by AI. It features Agent Skills and a built-in Model Context Protocol (MCP) server, allowing AI assistants to manage the site or help move old WordPress themes over. Moreover, it includes a payment layer called x402, which uses an “HTTP 402 Payment Required” code to let owners charge automated AI bots for reading their content. To prevent unauthorised access, it ditches passwords entirely, using Passkeys by default.
A war of words
The launch has already sparked a row with WordPress co-founder Matt Mullenweg. On 2 April 2026, Mullenweg hit back, suggesting “EmDash was created to sell more Cloudflare services.” He argued in his response blog post that the unrestricted power of WordPress plugins is actually a feature and noted that WordPress remains more flexible because it can run on anything from a Raspberry Pi to a massive data centre.
While Mullenweg admitted EmDash’s engineering was “very solid,” he claimed a true successor should be “even more open.” Despite the criticism, Cloudflare has released the v0.1.0 preview as an open-source project under the MIT license on GitHub. For those looking to switch, a new migration tool can, reportedly, move an entire WordPress site over in just a few minutes.
Whether EmDash CMS can truly challenge WordPress is still an open question, but Cloudflare is clearly betting that security, automation, and AI-ready infrastructure will matter more than backward compatibility and plugin freedom. Nevertheless, it comes down to a choice between flexibility and control, openness and tighter security, or sticking with what works versus moving to a system built for how the web is starting to operate.
