We’ve built hundreds of websites on WordPress. It’s been good to us and to our clients. But a new CMS launched this week that’s making us ask some hard questions about the platform we’ve relied on for over a decade.
WordPress turned 23 this year. For context: when it launched, there was no iPhone, no AWS, and “the cloud” wasn’t yet a word. We’ve been building client websites on it for most of its life, and we owe it a lot. But Cloudflare’s announcement of EmDash has sparked a conversation in our studio that’s worth sharing publicly.
This isn’t a hit piece on WordPress. It’s an honest attempt to understand what problem EmDash is actually solving, why that problem matters, and what it means for agencies like ours.
WordPress’s Biggest Problem: Plugin Security
Cloudflare isn’t being subtle about what EmDash is designed to fix. So let’s start there.
- 96% of WordPress vulnerabilities originate in plugins (Patchstack, 2025)
- 40% of the entire web runs on WordPress, making it an enormous target
- 4000+ plugins are currently awaiting review in the WordPress.org queue
The root issue is architectural. A WordPress plugin is a PHP script that runs with full, direct access to your database and filesystem. There is no sandbox. There is no permission scope. When you install a plugin, you are extending complete trust to its author and to every future update they ship.
For agencies, this is a genuine professional liability. We recommend plugins. Sometimes our clients install plugins we haven’t audited. Those plugins update automatically. A supply chain attack on a single popular plugin can compromise thousands of sites simultaneously and it has happened, repeatedly.
What WordPress Still Gets Right
Before we go further, credit where it’s due. WordPress’s dominance isn’t an accident and any honest evaluation has to acknowledge that.
The ecosystem is unmatched. With over 60,000 plugins and thousands of themes, WordPress lets agencies build almost anything without writing it from scratch. Booking systems, custom fields, e-commerce via WooCommerce — the breadth of tooling represents decades of community investment that no new CMS can replicate overnight.
Clients understand it. When we hand over a site, there’s a good chance the client has used WordPress before. The learning curve is shallow, the documentation is vast, and support is abundant. That reduces our post-launch overhead considerably.
The talent pool is enormous. Finding WordPress developers is straightforward. Finding someone fluent in a niche TypeScript CMS framework is a different challenge entirely, and one that matters when you’re scaling a team or planning a client handover.
WordPress is not going anywhere. It powers 40% of the internet and will remain a dominant force for a very long time. The question is whether it can continue to be the right answer for every new project.
How EmDash Answers the Problem
Cloudflare announced EmDash on 1 April 2026. Yes, we noticed the date… but the GitHub repository, working playground, and deploy button are all real. EmDash is a TypeScript-native, serverless CMS built on the Astro framework, and its core purpose is to solve exactly the plugin security problem described above.
The plugin model is genuinely different. EmDash runs each plugin in its own isolated sandbox and grants it only the capabilities explicitly declared in its manifest. A plugin that sends emails declares email:send. A plugin that reads posts declares read:content. It cannot do anything else, cannot make arbitrary network requests, and its permissions are visible before installation, much like an app permissions screen on your phone. This isn’t a cosmetic improvement. It’s a fundamentally different security model.
It’s built for the modern stack. Themes are standard Astro projects, familiar to any frontend developer working today. EmDash runs on Cloudflare’s global network, meaning it’s fast wherever your visitors are, and you only pay for actual usage rather than keeping a server running around the clock.
Passkey authentication is built in by default. Your clients and their website users log in with Face ID, Touch ID, or their device PIN rather than a traditional password. There are no passwords to be stolen in a data breach, no weak credentials to guess, and no login page for bots to hammer. For agencies managing sites on behalf of clients, this removes one of the most common and embarrassing security failure points entirely.
What This Means for Our Clients
We’re not recommending EmDash to clients yet, and we won’t be until the ecosystem matures. WordPress remains the right call for the vast majority of projects: it’s battle-tested, backed by an enormous support market, and has the plugin and theme depth that most client briefs demand.
What we are doing is watching closely. Cloudflare has the resources and infrastructure credibility to back a project like this seriously, but a v0.1.0 preview is still a preview. We want to see continued investment, a growing plugin ecosystem, and evidence that the project has long-term momentum before we put client work on it.
If that happens, EmDash becomes a genuinely compelling option for new content-focused builds where security is a priority and the client doesn’t need a vast library of pre-built plugins. For now though, it’s one to bookmark rather than deploy.