Why 96% of WordPress Hacks Start in Plugins — And What Cloudflare's EmDash Does About It

We've cleaned over 3,000 hacked WordPress sites. After that many forensic investigations, patterns become obvious. The attack almost always starts in the same place: a plugin. Not WordPress core. Not the server. The plugin someone installed three years ago and forgot about. In 2024, security researchers logged 7,966 vulnerabilities in the WordPress ecosystem — 96% of them in plugins. Cloudflare noticed. On April 2, 2026, they launched EmDash — an open-source CMS built from scratch to fix this at the architecture level. Here's what it does, how it works, and what it honestly can't do yet.

[Image: Why 96% of WordPress hacks start in plugins: plugin threat vs sandboxed CMS, Matrix-style security visual]

The Plugin Security Problem in Plain English

[Image: Matrix-style visualization of a WordPress plugin with unrestricted access to database, filesystem, and network]

Install a plugin in WordPress and it gets the keys to everything. Your entire database. Your filesystem. Any outbound network connection it wants to make. There's no permission system. A plugin that sends you weekly email reports has the same database access as your payment processor. A plugin that adds a cookie consent banner can read your users' passwords.

This isn't a bug. It's how WordPress was designed in 2003, when plugins were small tools built by people you trusted. The world changed. Today, a popular plugin gets acquired by an unknown company, a single update goes out to 400,000 sites, and overnight those sites redirect visitors to gambling pages or join a botnet. We've seen this exact scenario play out multiple times. We wrote about how the supply chain attack works in detail here.

In Matrix* terms: Agent Smith* doesn't break through the front door. He gets hired as staff. He walks in with a badge. He has the same access as everyone else — and then he turns. A compromised WordPress plugin is Agent Smith* inside your site. It already has full admin privileges. By the time you notice, the damage is done.

WordPress can't fix this without breaking backwards compatibility for 60,000+ plugins. The architecture is too deeply embedded. This is why, after 21 years, the plugin permission problem is still unsolved — and why a new CMS had to be built from scratch to solve it.

What Cloudflare's EmDash Does Differently

[Image: EmDash plugin sandbox: each plugin in a V8 Dynamic Worker isolate with declared capabilities only, limited blast radius]

EmDash runs each plugin inside its own Dynamic Worker — a V8 isolate, the same sandboxing technology that powers Cloudflare Workers. Think of it as a sealed room with a very specific keycard. Each plugin must declare exactly what it needs before it runs:

import { definePlugin } from "emdash";

export default () =>
  definePlugin({
    id: "notify-on-publish",
    version: "1.0.0",
    capabilities: ["read:content", "email:send"],
    hooks: {
      "content:afterSave": async (event, ctx) => {
        if (event.content.status !== "published") return;
        await ctx.email.send({
          to: "[email protected]",
          subject: `New post: ${event.content.title}`,
        });
      },
    },
  });

That plugin declared read:content and email:send. Those are the only bindings it receives from the ctx object. It can't touch ctx.db. It can't write to the filesystem. It can't make outbound HTTP requests to an unknown server. If a malicious actor compromises that plugin, the blast radius is limited to exactly what it declared — nothing more.

This is a fundamental shift. WordPress trusts plugins. EmDash constrains them.
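As an added illustration (not EmDash's own code, and not its real API), here is a toy plugin host in TypeScript that shows what "only the declared bindings" means in practice: it validates the capability manifest at registration, builds a ctx object that carries nothing but the declared capabilities, and makes any known-but-undeclared binding throw the moment a plugin touches it. The Host class, the capability names beyond the two in the snippet above (db:read, fs:write), the editor@example.com address, and the sample content are all assumptions.

```typescript
// Added example (not EmDash's own code): a toy plugin host showing how a
// declared capability list becomes a restricted ctx object.
// The Host class, the extra capability names and the ctx shape are
// assumptions modelled on the definePlugin snippet above.

interface Content { title: string; status: "draft" | "published" }
interface AfterSaveEvent { content: Content }

interface PluginContext {
  content?: { list(): Content[] };
  email?: { send(msg: { to: string; subject: string }): Promise<void> };
  db?: { query(sql: string): unknown[] };
}

type AfterSaveHook = (event: AfterSaveEvent, ctx: PluginContext) => Promise<void>;

interface PluginDefinition {
  id: string;
  version: string;
  capabilities: string[];
  hooks: { "content:afterSave"?: AfterSaveHook };
}

// Capabilities this host can bind; a manifest asking for anything else is rejected up front.
const KNOWN_CAPABILITIES = new Set<string>(["read:content", "email:send", "db:read"]);
const KNOWN_BINDINGS = ["content", "email", "db"] as const;

function registerPlugin(def: PluginDefinition): PluginDefinition {
  const unknown = def.capabilities.filter((c) => !KNOWN_CAPABILITIES.has(c));
  if (unknown.length > 0) {
    throw new Error(`${def.id}: unknown capabilities ${unknown.join(", ")}`);
  }
  return def;
}

class Host {
  readonly outbox: { to: string; subject: string }[] = [];
  constructor(private readonly siteContent: Content[]) {}

  // Only declared capabilities get a binding. Known bindings that were not
  // declared become throwing getters, so a plugin that reaches for ctx.db
  // without db:read fails loudly instead of silently reading undefined.
  buildContext(declared: string[]): PluginContext {
    const granted = new Set(declared);
    const ctx: PluginContext = {};
    if (granted.has("read:content")) {
      ctx.content = { list: () => this.siteContent.map((c) => ({ ...c })) };
    }
    if (granted.has("email:send")) {
      ctx.email = { send: async (msg) => { this.outbox.push({ ...msg }); } };
    }
    if (granted.has("db:read")) {
      ctx.db = { query: () => [] };
    }
    for (const binding of KNOWN_BINDINGS) {
      if (!(binding in ctx)) {
        Object.defineProperty(ctx, binding, {
          get() { throw new Error(`capability not declared for binding "${binding}"`); },
          enumerable: false,
        });
      }
    }
    return ctx;
  }

  // Run the hook inside the restricted context and report what happened.
  async fireAfterSave(def: PluginDefinition, event: AfterSaveEvent): Promise<{ ok: boolean; error?: string }> {
    const hook = def.hooks["content:afterSave"];
    if (!hook) return { ok: true };
    try {
      await hook(event, this.buildContext(def.capabilities));
      return { ok: true };
    } catch (err) {
      return { ok: false, error: (err as Error).message };
    }
  }
}

// The well-behaved plugin from the article: declares exactly what it uses.
const notifyOnPublish = registerPlugin({
  id: "notify-on-publish",
  version: "1.0.0",
  capabilities: ["read:content", "email:send"],
  hooks: {
    "content:afterSave": async (event, ctx) => {
      if (event.content.status !== "published") return;
      await ctx.email!.send({ to: "editor@example.com", subject: `New post: ${event.content.title}` });
    },
  },
});

// A plugin that declared only read:content but tries to reach the database.
const overreaching = registerPlugin({
  id: "overreaching",
  version: "0.0.1",
  capabilities: ["read:content"],
  hooks: {
    "content:afterSave": async (_event, ctx) => {
      ctx.db!.query("SELECT id FROM users");
    },
  },
});

async function runDemo() {
  const host = new Host([{ title: "Hello world", status: "published" }]); // constructed sample data
  const event: AfterSaveEvent = { content: { title: "Hello world", status: "published" } };
  const good = await host.fireAfterSave(notifyOnPublish, event);
  const bad = await host.fireAfterSave(overreaching, event);
  let rejected = "";
  try {
    registerPlugin({ id: "rogue", version: "0.0.1", capabilities: ["fs:write"], hooks: {} });
  } catch (err) {
    rejected = (err as Error).message;
  }
  return { good, bad, rejected, emailsSent: host.outbox.length };
}

runDemo().then((result) => console.log(JSON.stringify(result, null, 2)));
```

Running the file prints the outcome of three cases: the notify-on-publish plugin succeeds and sends exactly one email, the plugin that declared only read:content fails the instant it touches ctx.db, and a manifest requesting an unknown capability is rejected before it ever runs. The deny-by-default getter is the point: an undeclared binding surfaces as an error in the host's logs rather than as a silent undefined that a plugin could work around.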

What EmDash Actually Is

EmDash isn't just a security patch bolted onto an existing CMS — it's a complete rethink of how a modern CMS should be built. It's a full-stack, serverless CMS by Cloudflare engineer Matt Kane, built on Astro 6.0 and written entirely in TypeScript. MIT-licensed. It launched April 2, 2026 at github.com/emdash-cms/emdash and hit 5,200 GitHub stars within days.

Beyond plugin sandboxing, EmDash makes several architectural decisions that separate it from WordPress:

  • No passwords by default. EmDash uses WebAuthn passkeys — the same phishing-resistant technology as Face ID. No username/password combination to steal.
  • Content as JSON, not HTML. WordPress stores posts as serialized HTML blobs. EmDash uses Portable Text — structured JSON that any renderer can read. This matters for AI agents, multi-channel delivery, and long-term flexibility.
  • AI-native from day one. EmDash ships with a built-in MCP server. AI tools like Claude can manage your site directly — create posts, update content, query data — without a custom plugin.
  • Scale-to-zero hosting. WordPress needs an always-on PHP server. EmDash is serverless — it runs only when a request comes in, which cuts hosting costs for lower-traffic sites.
  • MIT license. WordPress plugins must be GPL-licensed, which forces copyleft onto plugin authors. EmDash's MIT license lets developers choose any license they want.

Joost de Valk — founder of Yoast SEO — has already migrated his personal blog to EmDash and called the plugin sandboxing model "the right approach." That's not a small endorsement.

WordPress vs EmDash: Side by Side

| Feature | WordPress | EmDash |
| --- | --- | --- |
| Language | PHP | TypeScript |
| Plugin security | No isolation — full DB/filesystem access | Sandboxed V8 isolates with capability manifests |
| Hosting model | Always-on PHP server | Serverless, scale-to-zero |
| Authentication | Username + password | Passkeys (WebAuthn) first |
| Content storage | Serialized HTML | Portable Text (JSON) |
| Plugin license | GPL (copyleft forced) | MIT (author chooses) |
| AI integration | Bolt-on via plugins | Built-in MCP server |
| Plugin ecosystem | 60,000+ plugins | Zero at launch |
| Maturity | 21 years, 43% of the web | v0.1.0 beta, April 2026 |

How to Get Started with EmDash

[Image: Developer path to EmDash: terminal, npm create emdash, templates, and Cloudflare deploy]

EmDash requires a developer to set up. This isn't a point-and-click installer. If you're comfortable in a terminal, here's the fastest path:

Option 1: CLI Setup (Recommended)

One command, then pick a starter template:

npm create emdash@latest

Three templates ship out of the box:

  • Blog — categories, tags, full-text search, RSS, dark/light mode toggle
  • Marketing — hero sections, feature grids, pricing tables, contact forms
  • Portfolio — project grids, tag filtering, case study pages

Start the dev server with npm run dev. The admin panel runs at http://localhost:4321/_emdash/admin. A three-step wizard walks you through site title, admin account, and passkey setup.

Option 2: One-Click Cloudflare Deploy

Cloudflare dashboard → Workers & Pages → name the project → create a D1 database and R2 bucket → click "Create and deploy." Cloudflare generates a private GitHub repo, builds it, and deploys it. Total time: around four minutes. This is the path that gives you full plugin sandboxing.

Migrating from WordPress

EmDash has a built-in WordPress import wizard. Export your content as a WXR file (WordPress Admin → Tools → Export) and import it into EmDash. Posts, pages, media, and taxonomies migrate cleanly. Your PHP theme and plugins don't — they must be rebuilt in TypeScript and Astro. Cloudflare provides AI Agent Skills to help, but plan for real rebuild work.

The Honest Limitations

EmDash is exciting. It's also a v0.1.0 beta built in two months with heavy AI coding assistance. Here's what you need to know before making any decisions:

1. Plugin sandboxing only works on paid Cloudflare

This is the most important caveat. Dynamic Workers — the V8 isolates that make sandboxing possible — only run on Cloudflare's paid infrastructure (from $5/month). If you self-host EmDash on a VPS, Netlify, Vercel, or anywhere else, plugins run in-process with zero isolation. You get a modern TypeScript CMS, but you lose the headline security feature. At this stage, sandboxing is a Cloudflare-exclusive feature.

2. It's a beta — a very early beta

Two months of development. Heavily AI-assisted. Real-world load testing is minimal. Edge cases are unproven. The Register found authentication issues in early testing. Don't migrate a production business site to EmDash today.

3. The plugin ecosystem is empty

WordPress has 60,000+ plugins for almost every use case. EmDash has zero community plugins at launch. Every integration — SEO tooling, ecommerce, forms, analytics, caching — must be built from scratch. The sandboxing model is architecturally superior, but an empty ecosystem means years of catch-up before it can serve most real-world sites.

4. No non-technical path

EmDash requires GitHub, a terminal, database configuration, and either a Cloudflare account or self-hosting knowledge. There's no equivalent to WordPress.com or a cPanel one-click install. If your client can't open a terminal, EmDash isn't for them — yet.

5. Cloudflare controls the project

The code is MIT-licensed, but Cloudflare employs the lead developer and owns the infrastructure the security model depends on. There's no independent foundation — no equivalent of the WordPress Foundation. Long-term stewardship is an open question.

Should You Switch from WordPress to EmDash Right Now?

[Image: WordPress vs EmDash in 2026: mature plugin ecosystem versus sandboxed beta]

| Who you are | Verdict | Why |
| --- | --- | --- |
| TypeScript/Astro developer, new project | Explore it now | Sound architecture, clean DX, first-mover advantage. Accept you'll build integrations yourself. |
| WordPress developer, next project | Watch it | Worth following closely. Give it 6–12 months of community testing before committing client work. |
| Existing WordPress site owner | Not yet | Migration requires rebuilding your theme and all plugins in a new language. Not worth it while EmDash is still in beta. |
| Non-technical user | Not for you today | Requires GitHub, a terminal, and database setup. Stick with WordPress and invest in proper security instead. |

At ProWebCare, we're watching EmDash closely. We've forked the repository and are testing it internally. We'll be among the first to know whether it delivers on its promise in real-world conditions — and we'll report back honestly when we do.

The WordPress plugin problem that EmDash was built to solve is very real and very present today. If your site runs WordPress and you're not actively managing plugin security, you're exposed. We have the forensic logs to prove it. If your site has already been compromised, we can clean it. If you want to prevent it happening, our maintenance plans keep your plugins audited, updated, and monitored 24/7.

Frequently Asked Questions

What is EmDash?

EmDash is an open-source, full-stack CMS built by Cloudflare engineer Matt Kane, launched April 2, 2026. It runs on Astro 6.0 and TypeScript, uses a serverless architecture, and is MIT-licensed. Its defining feature is plugin sandboxing: each plugin runs in its own V8 isolate with a declared capability manifest, so a compromised plugin can't access your database or filesystem beyond what it explicitly requested.

Is EmDash a replacement for WordPress?

Not yet. EmDash solves WordPress's plugin security architecture problem, but it's a v0.1.0 beta with an empty plugin ecosystem. WordPress has 60,000+ plugins, 21 years of battle-testing, and the world's largest CMS talent pool. EmDash is a serious long-term contender, but it can't replace WordPress for most production use cases in 2026.

Does EmDash's plugin sandboxing work without Cloudflare?

No. Dynamic Workers — the V8 isolates that sandbox each plugin — only run on Cloudflare's paid infrastructure (from $5/month). On any other host (VPS, Netlify, Vercel), plugins run in-process with no isolation. You get a modern TypeScript CMS, but the headline security feature requires paid Cloudflare.

Can I migrate my WordPress site to EmDash?

Partially. EmDash includes a WordPress import wizard that migrates posts, pages, media, and taxonomies from a WXR export. Your content moves cleanly. Your PHP theme and plugins don't — they must be rebuilt in TypeScript and Astro. For most sites, this means a full rebuild, not a simple migration.

Is EmDash production-ready in 2026?

Not for most users. EmDash v0.1.0 was built in approximately two months with heavy AI coding assistance. It's a promising beta with a sound architecture — but it lacks the battle-testing, community ecosystem, and documentation depth needed for production business sites. We recommend watching its development for at least six to twelve months before committing client work to it.

Who built EmDash and why?

EmDash was built by Matt Kane, a Cloudflare engineer, starting in mid-January 2026. Cloudflare acquired Astro (the framework EmDash is built on) in January 2026. The motivation was WordPress's unresolved plugin security problem: 96% of WordPress vulnerabilities originate in plugins, and WordPress's architecture makes it impossible to add permission isolation without breaking backwards compatibility with 60,000+ existing plugins.

Why do 96% of WordPress hacks start in plugins?

Because WordPress has no plugin permission system. Every installed plugin gets unrestricted access to the database, filesystem, and network — the same as WordPress core itself. A single vulnerable or malicious plugin can read all user data, install backdoors, or exfiltrate credentials. In 2024, researchers found 7,966 vulnerabilities in the WordPress ecosystem, with 96% in plugins or themes. EmDash's sandboxed Dynamic Workers are the first architectural answer to this problem built into a CMS from the ground up.

Why We're Watching EmDash — And Why It Matters for Your Site

You might wonder why a WordPress and Joomla maintenance company is covering a brand-new TypeScript CMS that almost no one is running in production yet.

Because the problem EmDash was built to solve is the same problem we fight every day.

When a plugin on your site gets compromised, we're the ones who get the call. We run the forensics. We find the backdoor. We clean the database. We restore the site. We've done this over 3,000 times. The attack vector is almost always a plugin — outdated, abandoned, acquired by a bad actor, or simply written carelessly.

EmDash doesn't change that reality for WordPress sites today. But it represents the most serious architectural attempt we've seen to solve it from the ground up. We're testing it, tracking it, and will be honest about whether it delivers. That's the ProWebCare approach: we tell you what's real, not what sounds good.

If your WordPress site needs protection right now — not in twelve months when EmDash matures — our maintenance plans keep your plugins audited, patched, and monitored around the clock. And if the Agents* have already got in, our malware removal service finds every backdoor and gets you back online fast.

The Matrix* never stops. Neither do we.

The Verdict

You can fight this battle alone, or you can hire the operators*. Don't leave your business defenseless.

Author

Dumitru Butucel

Web Developer • WordPress & Joomla • SEO, CRO & Performance
Almost 2 decades experience • 4,000+ projects • 3,000+ sites secured
