Cloudflare has introduced EmDash, a new open-source Content Management System (CMS) positioned as the “spiritual successor” to WordPress, aiming to challenge its market dominance.
The company’s announcement highlighted a significant concern within the current WordPress ecosystem, pointing out that an overwhelming majority, 96%, of its vulnerabilities originate from plugins. These plugins often possess full access to the database and filesystem, operating within the same environment as the core code without any isolation, creating potential security risks.
To directly address these security shortcomings, Cloudflare has engineered EmDash with a fundamentally different approach. Each EmDash plugin is placed within an isolated sandbox environment, which the company calls Dynamic Workers. Furthermore, plugins are required to explicitly declare the exact permissions they need upfront before operation.
Cloudflare asserts that EmDash offers a more secure platform compared to WordPress. The company criticized the existing model where WordPress plugins must be implicitly trusted, and their presence on centralized plugin marketplaces can inadvertently confer an unearned reputation. WordPress.org, for instance, manually reviews and approves every plugin, currently facing a queue of approximately 800 plugins awaiting verification.
In contrast to a trust-based model, EmDash mandates that its plugins are “secure by design.” This architecture also enables developers to distribute plugins under any license, allowing them to run independently of EmDash within these secure sandboxes, thereby eliminating the marketplace lock-in that Cloudflare views as problematic.
EmDash is also built upon the “scale-to-zero” principle, designed for optimal resource efficiency. This means the system only incurs billing for CPU time when it is actively operational, effectively scaling down to zero requests when not in use. Senior Product Manager Matt Taylor and Senior Principal Systems Engineer Matt Kane noted that Cloudflare has embraced this architecture to support low-cost and free tiers, ensuring that everyone has the capability to build scalable websites.
For its front-end capabilities, EmDash leverages Astro, empowering users to construct themes for pages, layouts, components, and various styling elements. Cloudflare further describes EmDash as an “AI native CMS,” incorporating features such as Agent Skills, a Command Line Interface (CLI), and a built-in Multi-Cloud Platform (MCP) server.
Users contemplating a transition from WordPress to EmDash are provided with migration options. They can either import their existing WordPress eXtended RSS (WXR) file or, somewhat ironically, install a dedicated plugin known as the EmDash Exporter to facilitate the move.
Source: GitHub