
EmDash – a spiritual successor to WordPress that solves plugin security

306 points by elithrar today at 4:14 PM | 204 comments

Comments

foopod today at 7:54 PM

As an (unfortunately) WordPress dev, this seems to solve my single biggest pain point with WP. Which isn't plugin security, but the overall plugin architecture.

WP treats plugins as content, literally in the same top level `wp-content` directory as uploaded images. This makes CI/CD among other things, a nightmare. But EmDash plugins are just TS modules, which has got to make things easier even if plugin configuration does end up in the db somewhere.

solarkraft today at 5:49 PM

Convince me this isn’t vibeslop.

If Cloudflare really have radically changed their software development philosophy lately, this would actually be an interesting project, being based on Astro and coming with some APIs for programmatic management.

Them being so happy about the „cost of software development“ and not going very deep into ecosystem, community or project management doesn’t convince me that this is going to be a worthwhile project, even if, unlike their previous vibe coding demos, this one actually works.

8organicbits today at 4:51 PM

I don't think it's the code that makes WordPress valuable. I've been learning WordPress recently and haven't been too impressed with the internals. WordPress is valuable because of the ecosystem and support. I have no doubt that WordPress will still be a thing in ten years. What's the support plan for EmDash? I see commits are mostly from a single developer.

E: Oh, I think it's an April fools joke, I'm embarrassed.

E2: Apparently not a joke.

FlamingMoe today at 5:37 PM

A WordPress spiritual successor backed by Cloudflare sounds great in theory, but the headline feature, plugin isolation via Dynamic Workers, only works on Cloudflare's runtime. On any other host it's just a TypeScript CMS without the security model that justifies its existence. Open source but architecturally locked in.

embedding-shape today at 4:32 PM

> Our name for this new CMS is EmDash. We think of it as the spiritual successor to WordPress. It’s written entirely in TypeScript. It is serverless, but you can run it on your own hardware or any platform you choose. Plugins are securely sandboxed and can run in their own isolate, via Dynamic Workers, solving the fundamental security problem with the WordPress plugin architecture. And under the hood, EmDash is powered by Astro, the fastest web framework for content-driven websites.

To me this sounds like the polar opposite of the direction CMS's need to go, instead simplify and go back to the "websites" roots where a website is static files wherever, it's fast, easy to cache and just so much easier to deal with than server-side rendered websites.

But of course, then they wouldn't be able to sell their own "workers" product, so suddenly I think I might understand why they built it the way they built it, at the very least to dogfood their own stuff.

I'm not sure it actually solves the "fundamental security problem" in actuality though, but I guess that remains to be seen.

0xbadcafebee today at 6:01 PM

Serious question: Why is everyone still using JavaScript to AI-code projects? You can vibe-code apps with real languages now.

There's no reason to use an interpreted, bloated, weird language anymore. The only reason interpreted languages were a thing was so you could edit a file and re-run it immediately without a compile step. Compiling is now cheap, and you don't have to build expertise in a new language anymore. Ask AI to write your app in Go, it'll happily comply. Run it and it's faster with less memory use and disk space. The code is simpler and smaller making reviewing easier. Distribution is as easy as "copy the file".

I'll grant you, interpreted languages skip the "portability" compiling/distributing step, and let you avoid the stupid MacOS code signing. But Go is stupid easy to cross-compile, and (afaik?) the user can un-quarantine a self-signed app pretty easily.

bornfreddy today at 7:45 PM

> But for the past two months our agents have been working on an even more ambitious project: rebuilding the WordPress open source project from the ground up.

> no WordPress code was used to create EmDash

Hm. Do you think those agents were trained on WP code?

amiga386 today at 5:39 PM

> While EmDash aims to be compatible with WordPress functionality, no WordPress code was used to create EmDash. That allows us to license the open source project under the more permissive MIT license.

Ha ha, that's really funny timing given the recent launch of Cleanroom As A Service, promising that you can licensewash other peoples' code quickly and easily: https://malus.sh/

I'm not saying they did that, but it's ironic timing.

TheTaytay today at 6:59 PM

It looks like I'm in the minority after reading these comments, but I'm quite happy to see this announcement.

A "good" standard, free CMS with theming and plugin support without the issues of Wordpress is _welcome_. (And the issues are many: Licensing, trust, drama, security, and cost).

I'm guessing that a lot of cynicism here is coming from this crowd not being the target market of Wordpress in the first place? What were you recommending to non-technical friends and family who wanted a good, open source, affordable CMS to back their website? Wordpress has all the right _ideas_, but the wrong implementation.

andy_xor_andrew today at 5:01 PM

> x402 is an open, neutral standard for Internet-native payments. It lets anyone on the Internet easily charge, and any client pay on-demand, on a pay-per-use basis. A client, such as an agent, sends a HTTP request and receives a HTTP 402 Payment Required status code. In response, the client pays for access on-demand, and the server can let the client through to the requested content.

Fascinating. Cloudflare is envisioning a future where agents are given debit cards by their owners, so they can autonomously send microtransactions to website owners to scrape content or possibly purchase goods on the owner's behalf. I don't know how I feel about that but there's no doubt it's a fascinating concept.

Brb, setting up a honeypot that always responds with HTTP 402 Payment Required demanding 10cents per visit... That's the next "selling 1 million pixels on my website for $1 each", I guess

bluewavescrash today at 7:41 PM

Curious about the architectural choice: Why not build it as a pure headless CMS separate from Astro, and then ship an Astro adapter alongside it?

kelvinjps10 today at 7:30 PM

I don't like that they see as the main selling point that the license is not GPL, and that plugins don't have to be licensed that way either. I understand that not all developers are comfortable with the GPL license, but it allows the code to continue to be open source, and most plugins to be open source as well.

Meneth today at 6:31 PM

"solve security" - that's an April Fools joke if I ever heard one.

rgbrenner today at 5:31 PM

> Solving scale-to-zero for WordPress hosting platforms

> WordPress is not serverless

Just not accurate. WordPress doesn't prevent this.. It's up to hosting providers to work on their infra so it can run in a serverless fashion.

For example: https://www.agiler.io

That's serverless wordpress that scales to zero.. no changes to WordPress, plugins or anything else.. just platform infra.

heipei today at 5:50 PM

Serious question: Who actually builds stuff on Cloudflare workers? I mean large software projects / services, and not just side projects where the ability to scale-to-zero is perhaps more important than the scale-to-infinity direction. I feel like Cloudflare keeps pushing workers with its full force yet I fail to see the appeal.

jdurban today at 5:59 PM

the plugin security problem in WordPress was never really a code quality problem - it was a trust model problem. any developer could publish a plugin and any site owner could install it with one click, with no vetting layer in between. TypeScript and serverless doesn't change that dynamic unless the trust model changes too. curious how EmDash handles third-party plugin permissions at the API boundary.

nullable_bool today at 4:30 PM

It's kind of annoying that CF would use an LLM to build something and try to pass it off as something built from "the ground up". It's just copying the library that was already built and passing it off as their own.

Jaco07 today at 6:52 PM

Spiritually hollow; at this point, it reads more like marketing material than anything of genuine substance.

doright today at 5:57 PM

I dunno, with the constant firehose of debate and disdain for AI this is a joke I'm too burned out about to feel like laughing at.

spankalee today at 5:01 PM

It's a shame they don't seem to try to address the divide between CMS's and static sites.

Most WordPress sites could just be static, but WordPress has a nice editor interface, so they're not - unless you use a SSG plugin. Building that into the core workflow (which I believe Astro supports) and giving users a nice hosted editor that produces a static site would be welcome innovation.

rednafi today at 6:59 PM

It's great that they are recreating much of the fundamental software stack using LLMs. But if you're going to 'vibeslop,' at least do it in a language other than JavaScript.

I struggle to understand why anyone would want to generate code in TypeScript - unless what you're building truly can't be done in Go, Rust, or Kotlin; anything but JS.

I’m not sure how much of an improvement it really is to rewrite something from PHP to TypeScript while claiming security benefits.

kocialnews today at 4:28 PM

The power of WordPress is not the ease of use, but PHP.

Anything built on PHP will be widely used, like Laravel

jmkni today at 4:46 PM

It's kind of ironic that the name of this product is also the most obvious marker of LLM generated content

t1234s today at 7:44 PM

I think wordpress, woo commerce and elementor are in a Mexican standoff. Wordpress can't fork or change in a major way because the other two are so popular no one would use the new variant. woo commerce and elementor can't just walk away and make their own wordpress-less platform because they rely on each other and the other constellation of plugins that run on wordpress.

rationalist today at 7:02 PM

Why would I want to publish my writing online when it can just be copied by an AI?

rafark today at 6:32 PM

Will you look at it. Another Wordpress “killer”. Wordpress has that market share because it can be easily installed in a wide variety of servers and because of its plugin ecosystem of dozens of thousands of plugins and huge flexibility/customizability. Wordpress is one of the most flexible pieces of software out there and none of the competition seem to get why Wordpress is so popular.

halapro today at 4:35 PM

Yes definitely compare it multiple times to WordPress and nobody will think of calling their lawyers.

Is this April fools? With real products launching on this date you can't really be too sure.

steveharing1 today at 7:16 PM

Lately Cloudflare is trying to create alternatives to big ones, like first Vercel & now Wordpress.

woodylondon today at 4:56 PM

Reading the comments below, have we all fallen for a 1st April Fools' joke?

Actually, rebuilding WordPress without the ecosystem is kind of the point. For example, would Divi or the major page builders rebuild their entire products to support this? I doubt it

sourcecodeplz today at 5:06 PM

This part is interesting:

"Plugin security is the root of this problem. Marketplace businesses provide trust when parties otherwise cannot easily trust each other. In the case of the WordPress marketplace, the plugin security risk is so large and probable that many of your customers can only reasonably trust your plugin via the marketplace. But in order to be part of the marketplace your code must be licensed in a way that forces you to give it away for free everywhere other than that marketplace. You are locked in."

There was much drama with wordpress some time ago and the plugin marketplace.

billyhoffman today at 6:59 PM

I mean it's cool you created a new CMS and all, but beyond the look of the admin interface and publishing flow, I don't see how this is a "Spiritual Successor" to WordPress at all.

It's a CMS, designed from scratch, for a serverless world. It has a stricter, well defined API that plugins are forced to use instead of directly calling/overriding core functionality like in WP. But that benefit comes with a CMS that's built on top of, and seems to prefer, a ton of CF proprietary capabilities (D1 Databases, R2 for image/media storage, their workers for running things).

The web needs less consolidation on CF, not more.

password4321 today at 5:46 PM

If you need a reliable source for WordPress plugins, check out https://github.com/fairpm/fair-plugin?tab=readme-ov-file#fai...

A system for using Federated and Independent Repositories in WordPress

megnu today at 4:47 PM

The UI doesn't seem geared to power users. E.g. Why is the featured image taking up so much space above the content editing area when it's sized appropriately for the sidebar? Imagine you need to update the text of several posts... Well, now you gotta scroll down half the page to the content area of each one.

And all that padding gets you quite the narrow content area. Not to mention it looks like a very basic TinyMCE. Seems like more of a POC than an actual "spiritual successor".

Levitating today at 5:32 PM

I don't like where any of this is going

bbx today at 4:59 PM

I'm all for creating new frameworks that are faster and more secure. But I don't see how this one relates to Wordpress (not in PHP, serverless, not "plug and play", dependent on Astro, "AI Native"…).

It looks like a good open source project, but just call it a new CMS. I think calling it a "spiritual successor to WordPress" is just to gain some marketing points.

devmor today at 7:37 PM

You want a spiritual successor? We have Ghost.

You want anything beyond ghost? Find a way to port the vast market of 100,000+ cheap and free themes and components that are available to enable tech-illiterate, low-budget users to basically build an entire business platform on a $5/mo shared hosting plan.

A vibe coded CMS that's 3 months in the making is not capable of taking that place in the market, no matter how much VC funding you put behind it.

gsmiznith today at 5:40 PM

This is great, but if the plugin ecosystem isn't compatible will it take off?

Most WordPress users use at least one plugin: it is the appeal of the product.

bo0tzz today at 4:20 PM

I've been wanting a CMS on top of Cloudflare workers for a while, so I hope this pays off!

paoliniluis today at 5:39 PM

Who wants to vibe code an open source Cloudflare?

hyperionultra today at 7:06 PM

Wordpress is PHP, which has a developer base insanely larger than TypeScript. Also, a lot cheaper. Compete with that.

hackerbeat today at 6:52 PM

Thanks, but I'll stick to WordPress.

mrbonner today at 6:21 PM

I am not sure if this is an April fool joke anymore in the age of AI.

rodolphoarruda today at 5:21 PM

Plugin security is one thing. Plugin budget is another thing... much larger of a problem in some cases.

vessenes today at 4:18 PM

Here to say -- great name. It's not just a reference to our modern times, it's a sign of brilliance. (I wrote this myself with no clanker support)

ramesh31 today at 4:52 PM

I really hope Cloudflare is ready and willing to stand by this thing for the next 20 years, and drive it as a first class product with a huge open source team. Because short of that you can just add this to the mile-long list of "successors to WordPress" we've been through over the decades. Maybe they're in it for the long haul. We'll see. But it takes time, and mountains of integrations and acceptance into the wider web authoring ecosystem for anything like this to gain real adoption.

sam345 today at 6:44 PM

I for one am glad that WordPress has some competition. This sounds like a killer rewrite.

pxtail today at 4:51 PM

Good one, at last, April fools joke with some effort.

TheRealPomax today at 6:37 PM

From the people who brought you "we used AI to undercut a project we use rather than pay them fairly for the work we relied on" comes an exciting new lawsuit by Mullenweg for using Wordpress in their product description.

sergiotapia today at 6:16 PM

Spiritually bankrupt, that should just be considered marketing material.

philipwhiuk today at 4:32 PM

The problem is that it doesn't solve the network-effect problem.

People aren't on WordPress because of WordPress.

They're on WordPress because of WooCommerce, a million themes, BuddyPress, integrations for every stupid internal business API on the planet (many of which are terrible and were written by an idiot with a crayon).

The APIs will have no testing because they are bad. In many cases the WordPress implementation of the API written in the codeblock, ran on page-load to the pain of the person responsible for SEO, is the API contract.

And yes those plugins are also terrible, but they solve business problems, even if they are tech problems.

You can't just launch a better wp-core and expect it to replace any of that.

EmDash needs to actually run the existing insecure WP plugins to take over.
