I Tried Cloudflare's EmDash CMS So You Don't Have To

Last week, Cloudflare dropped a new CMS called EmDash. They called it "the spiritual successor to WordPress."

Matt Mullenweg, WordPress co-founder, responded by telling Cloudflare to "keep WordPress out of your mouth." He later edited that line out of his blog post. But by then, the internet had already screenshot it.

I read the announcement, spun up a local instance, clicked around, broke a few things, and came away with thoughts. As someone who spent six years building WordPress sites before walking away from it entirely, I have some context here.

I Need 10 Plugins Just to Make WordPress Functional

Let me paint you a picture. Every single WordPress project I ever took on started the same way. Before I could even think about what the client actually needed, I had to install the essentials:

1. Security plugin (Wordfence or Sucuri)
2. Caching (WP Rocket or LiteSpeed Cache)
3. SEO (Yoast or Rank Math)
4. Backup (UpdraftPlus)
5. Forms (Gravity Forms or WPForms)
6. Anti-spam (Akismet)
7. Image optimization (Imagify or ShortPixel)
8. Code snippets (WPCode, because WordPress won't let you add custom code cleanly)
9. Page builder (Elementor or Bricks, because the default editor still frustrates people)
10. Update management (ManageWP, because updating 10+ plugins monthly is its own job)

That's ten dependencies before your site does anything your client actually asked for. I literally wrote a guide to WordPress security plugins because every single site needs one. That should tell you something about the state of things.

And here's the kicker: Patchstack reported 106 new plugin vulnerabilities in a single week in 2025. More than half of developers who received vulnerability reports didn't even patch before disclosure. Every plugin you add is another door you're leaving unlocked.

Sound familiar?

Then WordPress Decided to Implode

The plugin problem was frustrating but manageable. What happened next wasn't.

In September 2024, Matt Mullenweg published a blog post calling WP Engine "a cancer to WordPress." What followed was one of the ugliest episodes in open-source history. 159 Automattic employees resigned, including the head of WordPress.com and the principal AI architect. That's 8.4% of the company walking out the door.

Then came the ACF takeover. WordPress.org seized control of Advanced Custom Fields, a plugin installed on millions of sites, renamed it, and auto-updated it without consent. The ACF team called it "a supply chain attack." A court later granted WP Engine a preliminary injunction. The litigation is still ongoing.

I was deep enough in the WordPress world to build my own plugin. That's how invested I was. Watching all of this unfold felt like watching a friend make terrible decisions and being unable to do anything about it.

The numbers tell the story. WordPress active domains dropped from 5.8 million to 4.67 million. That's a 19% decline, the first sustained contraction in 20 years. Market share slipped from 43.6% to 42.6%. Meanwhile, the Classic Editor plugin sits at 9 million downloads. Nine million people voting with their installs against Gutenberg.

Instead of fixing the house, WordPress is adding a swimming pool. WordPress 7.0 is all about AI: Abilities API, MCP Adapter, WP AI Client baked into core. The foundation is cracking and leadership is picking out pool tiles.

Enter EmDash: What Cloudflare Actually Built

So when Cloudflare announced EmDash on April 1st (yes, everyone thought it was a joke), I paid attention.

Here's what it actually is: a full-stack serverless CMS built on Astro 6.0, written entirely in TypeScript, running on Cloudflare Workers with a D1 database. It's MIT licensed and fully open source.

The headline feature is plugin sandboxing. Each plugin runs in its own isolated V8 sandbox. Plugins have to declare what capabilities they need upfront: read content, send email, whatever. They can't touch the database or filesystem directly. Cloudflare's argument: 96% of WordPress security issues originate in plugins, so they attacked that problem at the architecture level.

It ships with a built-in MCP server. If you've been following the AI tooling space, you know why that matters. It means AI agents can interact with your CMS natively: create content types, manage entries, deploy changes. This isn't bolted on. It's part of the foundation.

There's a WordPress importer that handles WXR files, so migration isn't starting from zero.

And the pricing? The free tier gives you 100,000 requests per day on Cloudflare's free plan. The paid tier is $5/month for 10 million requests. For a brochure website, that's essentially free hosting with a real CMS.

This isn't a half-baked side project. Someone thought hard about why WordPress breaks and designed around it.

What It's Actually Like to Set Up

I ran a local instance using Node.js and SQLite. No Cloudflare account needed. Clone the repo, install dependencies, seed the database, run the dev server. For someone comfortable with a terminal, it took about ten minutes to have a working CMS.

Themes are standard Astro projects. If you've built anything with Astro before, you'll feel at home immediately. There's a seed.json file for defining content types, and the admin interface is clean. Not revolutionary, but clean.

Here's where it gets honest though.

There's no visual page builder. None. If your client wants to drag and drop blocks around, EmDash isn't the answer today. Setting up requires the command line. You need to be comfortable with GitHub, npm, and config files.

Search Engine Journal pointed out that 73% of the EmDash announcement is developer-centric content. They're not wrong. This was built by developers, for developers.

For me, the setup felt clean and fast. For any of my non-technical clients? Not a chance. Not yet.

The Cloudflare Lock-in Problem Nobody's Talking About Enough

Here's the thing that gave me pause.

That headline security feature, the plugin sandboxing? It only works on Cloudflare's infrastructure. If you self-host EmDash, plugins run in-process without V8 isolation. The very thing that makes EmDash's security story compelling disappears the moment you leave Cloudflare.

As one Hacker News commenter put it: "Open source but architecturally locked in."

Mullenweg called it out too. He said EmDash was "created to sell more Cloudflare services." That's reductive, but there's a kernel of truth in it. The irony is rich: his original blog post included the line "please keep the WordPress name out of your mouth," channeling Will Smith at the Oscars. He edited it out hours later, but Cloudflare CEO Matthew Prince had already seen it. Prince acknowledged the criticism as "fair" while pointedly using the word "WordPress" in his response. Understated irony at its finest.

The Hacker News crowd was predictably skeptical. Many initially assumed it was an April Fool's joke since it launched on April 1st. The lead engineer had to confirm on the thread: "The project is real." General sentiment? Interesting architecture, but we've heard this before.

Joost de Valk, the guy who created Yoast SEO, offered a different take. He called EmDash "the most interesting thing to happen to content management in years" and already migrated his blog content to it. But even he flagged concerns about the empty plugin ecosystem and governance clarity.

Part of why I moved to self-hosting was to avoid exactly this kind of dependency. I like what Cloudflare built. I don't love that its best feature only works on their platform.

Who EmDash Is Actually For Right Now

Let me be direct about this.

EmDash is not for non-technical users. It's not for anyone who needs a plugin ecosystem today. It's not for agencies doing client handoffs where the client needs to manage their own site. And it's not for anyone uncomfortable with being tied to Cloudflare for the security features that make it interesting.

EmDash is for developers building simple brochure sites who want a modern developer experience. TypeScript and Astro enthusiasts. People who care deeply about security architecture. Developers building for themselves or tech-savvy clients. And anyone curious about where CMS technology is heading.

For simple brochure websites, that free tier is genuinely compelling. Zero dollars for 100,000 requests a day with a real, modern CMS underneath. That's hard to argue with.

But it's version 0.1.0. You're betting on a future, not a present. The plugin ecosystem is essentially empty. The community barely exists yet. As I wrote in The Tailor Who Can't Sew His Own Pants, we're always tinkering with our own tools. EmDash is a tool worth tinkering with, but not one I'd bet a client project on today.

My current stack is Next.js, Directus, and Coolify. I'm not switching. But I'm watching.

WordPress Isn't Dead. But It's Not Listening.

WordPress still powers 42.6% of the web. For a lot of people, it's still the right choice. I'm not here to tell anyone to abandon it.

But the fact that Cloudflare, one of the largest infrastructure companies on the internet, looked at WordPress and said "we can build something better" should be a wake-up call. Not because EmDash is going to replace WordPress tomorrow. It won't. But because it means the market is open. The trust is eroding.

Mullenweg's response was telling. He praised the engineering as "very solid" and called the Skills feature "brilliant." But he couldn't resist getting defensive. His claim that AI will fix WordPress plugin security "in 18 months" is classic WordPress leadership: promising the future instead of fixing the present.

EmDash might not be the thing that replaces WordPress. But something will. And WordPress leadership seems more interested in fighting lawsuits, taking over plugins, and chasing AI features than listening to the developers and users who actually build on their platform.

WordPress doesn't need more features. It needs new leadership that listens. Until that happens, alternatives like EmDash will keep showing up. And eventually, one of them will stick.

If you're trying to figure out what platform actually fits your business, that's literally what I do. Let's talk.