Cloudflare dropped EmDash on April 1, 2026 — and no, it’s not an April Fools joke. It’s a fully open-source CMS written in TypeScript, running on serverless infrastructure, with every plugin sandboxed in its own isolated environment. They’re calling it the “spiritual successor to WordPress.”
We manage 27+ WordPress sites across a dozen verticals. We’ve built an entire AI-native operating system on top of WordPress REST APIs. So when someone announces a WordPress replacement with a built-in MCP server, we pay attention.
Here’s our honest take.
What EmDash Gets Right
Plugin isolation is overdue. Patchstack reported that 96% of WordPress vulnerabilities come from plugins. That’s because WordPress plugins run in the same execution context as core — they get unrestricted access to the database and filesystem. EmDash puts each plugin in its own sandbox using Cloudflare’s Dynamic Workers, and plugins must declare exactly what capabilities they need. This is how it should have always worked.
Scale-to-zero economics make sense. EmDash only bills for CPU time when it’s actually processing requests. For agencies managing dozens of sites where many receive intermittent traffic, this could dramatically reduce hosting costs. No more paying for idle servers.
Native MCP server is forward-thinking. Every EmDash instance ships with a Model Context Protocol server built in. That means AI agents can create content, manage schemas, and operate the CMS without custom integrations. They also include Agent Skills — structured documentation that tells an AI exactly how to work with the platform.
x402 payment support is smart. EmDash supports HTTP-native payments via the x402 standard. An AI agent hits a page, gets a 402 response, pays, and accesses the content. No checkout flow, no subscription — just protocol-level monetization. This is the right direction for an agent-driven web.
MIT licensing opens the door. Unlike WordPress’s GPL, EmDash uses MIT licensing. Plugin developers can choose any license they want. This eliminates one of the biggest friction points in the WordPress ecosystem — the licensing debates that have fueled years of conflict, most recently the WP Engine-Automattic dispute.
Why We’re Staying on WordPress
We already solved the plugin security problem. Our architecture doesn’t depend on WordPress plugins for critical functions. We connect to WordPress from inside a GCP VPC via REST API — Claude orchestrates, GCP executes, and WordPress serves as the database and rendering layer. Plugins don’t touch our operational pipeline. EmDash’s sandboxed plugin model solves a problem we’ve already engineered around.
27+ sites don’t migrate overnight. We have thousands of published posts, established taxonomies, internal linking architectures, and SEO equity across every site. EmDash offers WXR import and an exporter plugin, but migration at our scale isn’t a file import — it’s a months-long project involving URL redirects, schema validation, taxonomy mapping, and traffic monitoring. The ROI doesn’t exist today.
WordPress REST API is our operating layer. Every content pipeline, taxonomy fix, SEO refresh, schema injection, and interlinking pass runs through the WordPress REST API. We’ve built 40+ Claude skills that talk directly to WordPress endpoints. EmDash would require rebuilding every one of those integrations from scratch.
v0.1.0 isn’t production-ready. EmDash has zero ecosystem — no plugin marketplace, no theme library, no community of developers stress-testing edge cases. WordPress has 23 years of battle-tested infrastructure and the largest CMS community on earth. We don’t run client sites on preview software.
The MCP advantage isn’t exclusive. WordPress already has REST API endpoints that our agents use. We’ve built our own MCP-style orchestration layer using Claude + GCP. A built-in MCP server is convenient, but it’s not a switching cost — it’s a feature we can replicate.
When EmDash Becomes Interesting
EmDash becomes a real consideration when three things happen: a stable 1.0 release with production guarantees, a meaningful plugin ecosystem that covers essential functionality (forms, analytics, caching, SEO), and proven migration tooling that handles large multi-site operations without breaking URL structures or losing SEO equity.
Until then, it’s a research signal. A very good one — Cloudflare clearly understands where the web is going and built the right primitives. But architecture doesn’t ship client sites. Ecosystem does.
The Takeaway for Other Agencies
If you’re an agency considering your CMS strategy, EmDash is worth watching but not worth chasing. The lesson from EmDash isn’t “leave WordPress” — it’s “stop depending on WordPress plugins for critical infrastructure.” Build your operations layer outside WordPress. Connect via API. Treat WordPress as a database and rendering engine, not as your application platform.
That’s what we’ve done, and it’s why a new CMS launch — no matter how architecturally sound — doesn’t threaten our stack. It validates our approach.
Frequently Asked Questions
What is Cloudflare EmDash?
EmDash is a new open-source CMS from Cloudflare, built in TypeScript and designed to run on serverless infrastructure. It isolates plugins in sandboxed environments, supports AI agent interaction via a built-in MCP server, and includes native HTTP-native payment support through the x402 standard.
Is EmDash better than WordPress?
Architecturally, EmDash addresses real WordPress weaknesses — particularly plugin security and serverless scaling. But WordPress has 23 years of ecosystem, tens of thousands of plugins, and the largest CMS community in the world. EmDash is at v0.1.0 with no production track record. Architecture alone doesn’t make a platform better; ecosystem maturity matters.
Should my agency switch from WordPress to EmDash?
Not today. If you’re running production sites with established SEO equity, taxonomies, and content pipelines, migration risk outweighs any current EmDash advantage. Revisit when EmDash reaches a stable 1.0 release with proven migration tooling and a meaningful plugin ecosystem.
How does EmDash handle plugin security differently?
WordPress plugins run in the same execution context as core code with full database and filesystem access. EmDash isolates each plugin in its own sandbox and requires plugins to declare exactly which capabilities they need upfront — similar to OAuth scoped permissions. A plugin can only perform the actions it explicitly declares.
What should agencies do about WordPress security instead?
Minimize plugin dependency. Connect to WordPress via REST API from external infrastructure rather than running critical operations through plugins. Treat WordPress as a content database and rendering engine, not as your application platform. This approach neutralizes the plugin vulnerability surface that EmDash was designed to solve.
Leave a Reply