Recently, Cloudflare introduced a new open-source CMS called EmDash, describing it as a “spiritual successor” to WordPress. That alone is a bold statement, especially considering WordPress still powers more than 40% of the web.
But what caught my attention wasn’t the ambition. It was the reason behind it.
The Problem WordPress Never Fully Solved
If you’ve worked with WordPress long enough, you’ve probably felt this tension.
Plugins are both its greatest strength and its biggest weakness.
The ecosystem is massive. You can build almost anything by installing a few plugins. But every plugin you install runs inside the same environment as your site, with full access to your database and filesystem. That means every plugin is essentially trusted code with full control.
According to Cloudflare, a large majority of WordPress vulnerabilities come from plugins. Whether the exact percentage is 96% or not, the underlying problem is real. The architecture makes it difficult to isolate risk.
And more importantly, it has never had a clean solution.
EmDash Takes a Different Approach
EmDash tries to solve this problem at the architectural level instead of patching it over time.
Instead of running plugins directly inside the CMS, each plugin runs in its own isolated environment using V8 isolates. That means plugins are sandboxed and do not automatically have full access to the system.
On top of that, plugins must explicitly declare what permissions they need before installation, similar to how mobile apps request access to features like storage or location. This changes the trust model completely. Instead of blindly installing code, developers and site owners can see what a plugin is allowed to do.
It’s a small shift in concept, but a big shift in responsibility and security.
A Modern Stack From the Ground Up
Another major difference is the technology stack.
EmDash is written entirely in TypeScript, avoiding PHP altogether. It uses modern tools like Astro and is designed to run on platforms such as Cloudflare Workers, Vercel, Netlify, or any Node.js environment. Data is stored in SQLite locally and can scale using Cloudflare D1 in production.
This makes it feel more aligned with how modern web applications are built today, rather than how traditional CMS platforms evolved over time.
It’s not just a new CMS. It’s a different starting point.
Built for AI-Native Workflows
What I find most interesting is that EmDash is designed with AI in mind from the beginning.
It includes a built-in MCP server, which allows tools like ChatGPT or Claude to interact directly with the system. Content is stored as structured JSON (Portable Text) instead of raw HTML, making it easier for AI tools to read, modify, and generate content programmatically.
This suggests a shift in how CMS platforms might evolve — not just as tools for humans, but as systems that collaborate with AI agents.
Whether that vision becomes mainstream or not is still an open question, but the direction is clearly intentional.
Can It Replace WordPress?
As someone who works with WordPress daily, I don’t see it disappearing anytime soon. Its ecosystem, community, and installed base are simply too large. It has survived many waves of “WordPress killers” over the years.
But EmDash is not trying to compete by doing the same thing better. It is trying to solve a problem that WordPress never fully addressed: safe extensibility.
That alone makes it worth paying attention to.
Why This Is Worth Watching
It’s too early to say whether EmDash will succeed. New CMS platforms often look promising but struggle to build an ecosystem strong enough to compete with WordPress.
Still, the ideas behind it feel important.
Isolated plugins.
Explicit permissions.
AI-native architecture.
These are not small improvements. They are fundamental shifts in how a CMS can be designed.
Even if EmDash itself doesn’t become dominant, the direction it represents might influence the next generation of tools.
And for developers, that’s always worth watching.