WordPress is 24 years old. It powers 40% of the internet. And until now, installing a plugin has always meant trusting a stranger with root access to your server.
That’s about to change.
Cloudflare just spent two months rebuilding WordPress from scratch in TypeScript, using AI agents to do most of the heavy lifting. The result is called EmDash, and it’s the first CMS that actually takes security and modern architecture seriously. It’s open source, self-hostable, and honestly? It might be the thing WordPress should have been all along.
The WordPress Problem Nobody Talks About (Loud Enough)
Here’s the thing about WordPress plugins: they’re running in the exact same PHP process as your database, your user authentication, your payment processor, your everything. One compromised plugin—and we’re talking about a plugin with millions of installations like Simple Analytics or Popup Maker—and your entire server is gone. Not just the plugin. The server.
This isn’t theory. It happens constantly. A plugin gets acquired by a sketchy company, they inject a backdoor, and suddenly 500,000 websites are serving malware. The owner probably didn’t even notice the update because WordPress updates plugins silently.
WordPress’s response has always been: “Use reputable plugins!” and “Update regularly!” which is, frankly, asking users to solve an architectural problem through sheer willpower. Your 2 AM self isn’t reviewing plugin code. Neither are you.
EmDash fixes this at the foundation.
What EmDash Actually Is
EmDash is a CMS—content management system—but it’s not WordPress. It’s what WordPress would be if it were designed in 2026 instead of 2003.
Built entirely in TypeScript (no PHP), it’s powered by Astro under the hood—the same static-site framework that powers this blog, actually. But it’s not just a static site generator slapped together with a dashboard. It’s a proper, modern CMS with:
- A slick content editor
- Plugin and theme support
- Full self-hosting capability
- Serverless-first deployment (Cloudflare Pages) or on-prem on your own hardware
- AI-native design with MCP support and Agent Skills
The secret sauce? How it handles plugins and themes.
Sandboxed Plugins: The One Thing WordPress Got Wrong
Here’s where EmDash gets serious about security.
Instead of running plugins in the same process as everything else, EmDash runs each plugin in an isolated Cloudflare Worker (what Cloudflare calls a “Dynamic Worker isolate”). That isolation is hard. A plugin literally cannot access your database unless you explicitly grant it permission. It can’t read your config files, can’t monkey-patch core functions, can’t call system() and run arbitrary shell commands.
Think of it like hiring a contractor: WordPress hands them the keys to your house and trusts them not to steal your silverware. EmDash hands them a toolbox and a specific room, and they can’t leave that room.
This isn’t theoretical. The isolation is enforced by the browser and the runtime. A malicious plugin can’t escalate privileges any more than JavaScript in your browser can access your hard drive.
Astro Themes: No More functions.php Hell
WordPress themes are haunted by functions.php, a file where you can basically do anything. Modify database queries, hook into authentication, serve ads in the admin panel—the list goes on.
EmDash themes are Astro projects. Just pages, layouts, components, and CSS. Themes literally cannot access the database. They can’t modify business logic. They can’t run arbitrary code on page load. A theme is a skin. That’s it.
Want to build a theme? Clone an EmDash starter, edit some Astro components, push to git. Want to add functionality? Write a plugin. The separation of concerns isn’t optional—it’s baked in.
AI-Native From Day One
EmDash comes with:
- MCP support — Connect Claude (or any LLM) directly to your CMS. Ask your AI agent to publish a blog post, migrate content, or adjust themes.
- CLI — Manage your entire site from the command line
- Agent Skills — Built-in prompts for doing complex things (migrating WordPress themes to EmDash, building new plugins, etc.)
This means you can actually use AI agents to manage your content and infrastructure, not just generate words.
Running It: Local or Self-Hosted
Clone and run locally:
git clone https://github.com/emdash-cms/emdash.gitcd emdashnpm installnpm run devIt’ll start on http://localhost:3000. You get a full CMS dashboard.
For self-hosting on your own hardware, you can run it with Docker or directly on a VPS:
docker run -it \ -p 3000:3000 \ -e DATABASE_URL="postgresql://user:pass@localhost/emdash" \ emdash-cms/emdash:latestOr deploy to Cloudflare Pages:
npm run deployIt’ll handle the rest. No server management, no Docker, no headaches.
Who Should Care
If you run WordPress and you’re tired of plugin anxiety, this is for you.
If you self-host and you want an actual modern CMS, this is for you.
If you use Astro and you want to give non-technical users a CMS interface, this is absolutely for you.
If you’re building a site from scratch, this is worth the experiment.
It’s new, so it won’t do everything WordPress does. Some niche plugins won’t exist yet. But the foundation is solid, the security model is actually sound, and—this matters—the code is open source under MIT.
EmDash won’t replace WordPress overnight. But for new projects, or for anyone who’s had a 3 AM “we got hacked” panic? This is genuinely interesting.
GitHub: https://github.com/emdash-cms/emdash
Your 2 AM self will appreciate the sandboxed architecture.
