Cloudflare’s EmDash sharpens WordPress fault lines

Cloudflare Enters the CMS Arena

Cloudflare has launched EmDash, a TypeScript-based content management system built on Astro with sandboxed plugins. The company calls it a "spiritual successor" to WordPress. That phrasing drew an immediate response from WordPress co-founder Matt Mullenweg, who argued that EmDash only works well inside Cloudflare's own infrastructure, while WordPress runs almost anywhere.

The Plugin Security Problem

At the heart of EmDash is a real issue. Patchstack's 2025 security report found 7,966 new vulnerabilities across the WordPress ecosystem in 2024, with 96 percent in plugins and almost none in core. That makes the plugin model both WordPress's greatest strength and its most exploited weakness. EmDash addresses this by isolating plugins in separate runtime environments, so a compromised extension cannot take over the whole site.

WordPress Is Not Going Anywhere

WordPress still powers 42.5 percent of all websites according to W3Techs data from April 2026. No challenger comes close to that installed base, plugin library, or community. The ongoing legal battle between Automattic and WP Engine has added fuel to governance concerns, but it has not dented WordPress market share. Cloudflare's real play here may not be replacing WordPress, but creating a managed hosting alternative for publishers who want WordPress-level reach with fewer security headaches. For sites that need hardened WordPress security today, options like Sucuri, Wordfence, and Patchstack remain relevant.

WAFplanet Take

EmDash is not a WAF product, but it matters for the WAF world. If Cloudflare gains traction as a CMS platform, it deepens the moat around their security ecosystem. Site owners who build on EmDash will naturally adopt Cloudflare's WAF, DDoS, and CDN services by default. The WordPress community should watch this carefully. Mullenweg is right that freedom to run anywhere matters, but for many site owners, fewer security incidents will win the argument.