Introducing EmDash — the non secular successor to WordPress that solves plugin safety

The price of constructing software program has drastically decreased. We just lately rebuilt Subsequent.js in a single week utilizing AI coding brokers. However for the previous two months our brokers have been engaged on an much more bold venture: rebuilding the WordPress open supply venture from the bottom up.

WordPress powers over 40% of the Web. It’s a large success that has enabled anybody to be a writer, and created a world neighborhood of WordPress builders. However the WordPress open supply venture will likely be 24 years outdated this yr. Internet hosting a web site has modified dramatically throughout that point. When WordPress was born, AWS EC2 didn’t exist. Within the intervening years, that job has gone from renting digital non-public servers, to importing a JavaScript bundle to a globally distributed community at nearly no price. It’s time to improve the most well-liked CMS on the Web to benefit from this transformation.

Our identify for this new CMS is EmDash. We consider it because the non secular successor to WordPress. It’s written fully in TypeScript. It’s serverless, however you’ll be able to run it by yourself {hardware} or any platform you select. Plugins are securely sandboxed and might run in their very own isolate, by way of Dynamic Employees, fixing the elemental safety downside with the WordPress plugin structure. And below the hood, EmDash is powered by Astro, the quickest internet framework for content-driven web sites.

EmDash is totally open supply, MIT licensed, and accessible on GitHub. Whereas EmDash goals to be appropriate with WordPress performance, no WordPress code was used to create EmDash. That enables us to license the open supply venture below the extra permissive MIT license. We hope that permits extra builders to adapt, prolong, and take part in EmDash’s improvement.

You’ll be able to deploy the EmDash v0.1.0 preview to your individual Cloudflare account, or to any Node.js server at the moment as a part of our early developer beta:

Or you’ll be able to check out the admin interface right here within the EmDash Playground:

The story of WordPress is a triumph of open supply that enabled publishing at a scale by no means earlier than seen. Few initiatives have had the identical recognisable influence on the era raised on the Web. The contributors to WordPress’s core, and its many hundreds of plugin and theme builders have constructed a platform that democratised publishing for tens of millions; many lives and livelihoods being reworked by this ubiquitous software program.

There’ll all the time be a spot for WordPress, however there’s additionally much more area for the world of content material publishing to develop. A decade in the past, individuals selecting up a keyboard universally realized to publish their blogs with WordPress. At the moment it’s simply as doubtless that particular person picks up Astro, or one other TypeScript framework to study and construct with. The ecosystem wants an possibility that empowers a large viewers, in the identical manner it wanted WordPress 23 years in the past. 

EmDash is dedicated to constructing on what WordPress created: an open supply publishing stack that anybody can set up and use at little price, whereas fixing the core issues that WordPress can’t clear up. 

WordPress’ plugin structure is basically insecure. 96% of safety points for WordPress websites originate in plugins. In 2025, extra excessive severity vulnerabilities have been discovered within the WordPress ecosystem than the earlier two years mixed.

Why, after over twenty years, is WordPress plugin safety so problematic?

A WordPress plugin is a PHP script that hooks instantly into WordPress so as to add or modify performance. There isn’t any isolation: a WordPress plugin has direct entry to the WordPress web site’s database and filesystem. While you set up a WordPress plugin, you’re trusting it with entry to almost every thing, and trusting it to deal with each malicious enter or edge case completely.

EmDash solves this. In EmDash, every plugin runs in its personal remoted sandbox: a Dynamic Employee. Somewhat than giving direct entry to underlying information, EmDash gives the plugin with capabilities by way of bindings, based mostly on what the plugin explicitly declares that it wants in its manifest. This safety mannequin has a strict assure: an EmDash plugin can solely carry out the actions explicitly declared in its manifest. You’ll be able to know and belief upfront, earlier than putting in a plugin, precisely what you’re granting it permission to do, much like going by way of an OAuth move and granting a third celebration app a particular set of scoped permissions.

For instance, a plugin that sends an electronic mail after a content material merchandise will get saved appears to be like like this:

import { definePlugin } from "emdash";

export default () =>
  definePlugin({
    id: "notify-on-publish",
    model: "1.0.0",
    capabilities: ["read:content", "email:send"],
    hooks: {
      "content:afterSave": async (occasion, ctx) => {
        if (occasion.assortment !== "posts" || occasion.content material.standing !==    "published") return;

        await ctx.electronic mail!.ship({
          to: "[email protected]",
          topic: `New submit revealed: ${occasion.content material.title}`,
          textual content: `"${event.content.title}" is now dwell.`,
         });

        ctx.log.data(`Notified editors about ${occasion.content material.id}`);
      },
    },
  });

This plugin explicitly requests two capabilities: content material:afterSave to hook into the content material lifecycle, and electronic mail:ship to entry the ctx.electronic mail perform. It’s unattainable for the plugin to do something apart from use these capabilities. It has no exterior community entry. If it does want community entry, it might probably specify the precise hostname it wants to speak to, as a part of its definition, and be granted solely the power to speak with a specific hostname.

And in all circumstances, as a result of the plugin’s wants are declared statically, upfront, it might probably all the time be clear precisely what the plugin is asking for permission to have the ability to do, at set up time. A platform or administrator may outline guidelines for what plugins are or aren’t allowed to be put in by sure teams of customers, based mostly on what permissions they request, reasonably than an allowlist of authorized or protected plugins.

WordPress plugin safety is such an actual threat that WordPress.com manually opinions and approves every plugin in its market. On the time of writing, that evaluation queue is over 800 plugins lengthy, and takes no less than two weeks to traverse. The vulnerability floor space of WordPress plugins is so extensive that in apply, all events depend on market status, scores and opinions. And since WordPress plugins run in the identical execution context as WordPress itself and are so deeply intertwined with WordPress code, some argue they need to carry ahead WordPress’ GPL license.

These realities mix to create a chilling impact on builders constructing plugins, and on platforms internet hosting WordPress websites.

Plugin safety is the foundation of this downside. Market companies present belief when events in any other case can’t simply belief one another. Within the case of the WordPress market, the plugin safety threat is so massive and possible that a lot of your prospects can solely fairly belief your plugin by way of {the marketplace}. However in an effort to be a part of {the marketplace} your code have to be licensed in a manner that forces you to provide it away at no cost in all places apart from that market. You might be locked in.

EmDash plugins have two essential properties that mitigate this market lock-in:

1. Plugins can have any license: they run independently of EmDash and share no code. It’s the plugin creator’s selection.

2. Plugin code runs independently in a safe sandbox: a plugin may be offered to an EmDash web site, and trusted, with out the EmDash web site ever seeing the code.

The primary half is easy — because the plugin creator, you select what license you need. The identical manner you’ll be able to when publishing to NPM, PyPi, Packagist or another registry. It’s an open ecosystem for all, and as much as the neighborhood, not the EmDash venture, what license you utilize for plugins and themes.

The second half is the place EmDash’s plugin structure breaks freed from the centralized market.

Builders must depend on a 3rd celebration market having vetted the plugin far much less to have the ability to make choices about whether or not to make use of or belief it. Contemplate the instance plugin above that sends emails after content material is saved; the plugin declares three issues:

• It solely runs on the content material:afterSave hook

• It has the learn:content material functionality

• It has the electronic mail:ship functionality

The plugin can have tens of hundreds of traces of code in it, however in contrast to a WordPress plugin that has entry to every thing and might speak to the general public Web, the particular person including the plugin is aware of precisely what entry they’re granting to it. The clearly outlined boundaries permit you to make knowledgeable choices about safety dangers and to zoom in on extra particular dangers that relate on to the capabilities the plugin is given.

The extra that each websites and platforms can belief the safety mannequin to supply constraints, the extra that websites and platforms can belief plugins, and break freed from centralized management of marketplaces and status. Put one other manner: if you happen to belief that meals security is enforced in your metropolis, you’ll be adventurous and take a look at new locations. In case you can’t belief that there is likely to be a staple in your soup, you’ll be consulting Google earlier than each new place you attempt, and it’s tougher for everybody to open new eating places.

The enterprise mannequin of the net is in danger, significantly for content material creators and publishers. The outdated manner of creating content material broadly accessible, permitting all shoppers free entry in trade for visitors, breaks when there isn’t a human a web site to promote to, and the shopper is as a substitute their agent accessing the net on their behalf. Creators want methods to proceed to generate income on this new world of brokers, and to construct new sorts of internet sites that serve what individuals’s brokers want and pays for. Many years in the past a brand new wave of creators created web sites that turned nice companies (typically utilizing WordPress to energy them) and an identical alternative exists at the moment.

x402 is an open, impartial customary for Web-native funds. It lets anybody on the Web simply cost, and any shopper pay on-demand, on a pay-per-use foundation. A shopper, resembling an agent, sends a HTTP request and receives a HTTP 402 Cost Required standing code. In response, the shopper pays for entry on-demand, and the server can let the shopper by way of to the requested content material.

EmDash has built-in assist for x402. This implies anybody with an EmDash web site can cost for entry to their content material with out requiring subscriptions and with zero engineering work. All it is advisable to do is configure which content material ought to require fee, set how a lot to cost, and supply a Pockets handle. The request/response move finally ends up trying like this:

Each EmDash web site has a built-in enterprise mannequin for the AI period.

WordPress just isn’t serverless: it requires provisioning and managing servers, scaling them up and down like a conventional internet software. To maximise efficiency, and to have the ability to deal with visitors spikes, there’s no avoiding the necessity to pre-provision cases and run some quantity of idle compute, or share assets in ways in which restrict efficiency. That is significantly true for websites with content material that have to be server rendered and can’t be cached.

EmDash is completely different: it’s constructed to run on serverless platforms, and take advantage of out of the v8 isolate structure of Cloudflare’s open supply runtime workerd. On an incoming request, the Employees runtime immediately spins up an isolate to execute code and serve a response. It scales again right down to zero if there are not any requests. And it solely payments for CPU time (time spent doing precise work).

You’ll be able to run EmDash anyplace, on any Node.js server — however on Cloudflare you’ll be able to run tens of millions of cases of EmDash utilizing Cloudflare for Platforms that every immediately scale totally to zero or as much as as many RPS as it is advisable to deal with, utilizing the very same community and runtime that the largest web sites on the planet depend on.

Past price optimizations and efficiency advantages, we’ve guess on this structure at Cloudflare partially as a result of we consider in having low price and free tiers, and that everybody ought to be capable to construct web sites that scale. We’re excited to assist platforms prolong the advantages of this structure to their very own prospects, each massive and small.

EmDash is powered by Astro, the net framework for content-driven web sites. To create an EmDash theme, you create an Astro venture that features:

• Pages: Astro routes for rendering content material (homepage, weblog posts, archives, and so forth.)

• Layouts: Shared HTML construction

• Elements: Reusable UI components (navigation, playing cards, footers)

• Kinds: CSS or Tailwind configuration

• A seed file: JSON that tells the CMS what content material sorts and fields to create

This makes creating themes acquainted to frontend builders who’re more and more selecting Astro, and to LLMs that are already educated on Astro.

WordPress themes, although extremely versatile, function with quite a lot of the identical safety dangers as plugins, and the extra fashionable and commonplace your theme, the extra of a goal it’s. Themes run by way of integrating with features.php which is an all-encompassing execution atmosphere, enabling your theme to be each extremely highly effective and doubtlessly harmful. EmDash themes, as with dynamic plugins, turns this expectation on its head. Your theme can by no means carry out database operations.

The least enjoyable half about working with any CMS is doing the rote migration of content material: discovering and changing strings, migrating customized fields from one format to a different, renaming, reordering and transferring issues round. That is both boring repetitive work or requires one-off scripts and  “single-use” plugins and instruments which can be often neither enjoyable to write down nor to make use of.

EmDash is designed to be managed programmatically by your AI brokers. It gives the context and the instruments that your brokers want, together with:

1. Agent Abilities: Every EmDash occasion consists of Agent Abilities that describe to your agent the capabilities EmDash can present to plugins, the hooks that may set off plugins, steering on the right way to construction a plugin, and even the right way to port legacy WordPress themes to EmDash natively. While you give an agent an EmDash codebase, EmDash gives every thing the agent wants to have the ability to customise your web site in the way in which you want.

2. EmDash CLI: The EmDash CLI permits your agent to work together programmatically along with your native or distant occasion of EmDash. You’ll be able to add media, seek for content material, create and handle schemas, and do the identical set of issues you are able to do within the Admin UI.

3. Constructed-in MCP Server: Each EmDash occasion gives its personal distant Mannequin Context Protocol (MCP) server, permitting you to do the identical set of issues you are able to do within the Admin UI.

EmDash makes use of passkey-based authentication by default, which means there are not any passwords to leak and no brute-force vectors to defend towards. Consumer administration consists of acquainted role-based entry management out of the field: directors, editors, authors, and contributors, every scoped strictly to the actions they want. Authentication is pluggable, so you’ll be able to set EmDash as much as work along with your SSO supplier, and mechanically provision entry based mostly on IdP metadata.

You’ll be able to import an present WordPress web site by both going to WordPress admin and exporting a WXR file, or by putting in the EmDash Exporter plugin on a WordPress web site, which configures a safe endpoint that’s solely uncovered to you, and guarded by a WordPress Software Password you management. Migrating content material takes only a few minutes, and mechanically works to convey any hooked up media into EmDash’s media library.

Creating any customized content material sorts on WordPress that aren’t a Put up or a Web page has meant putting in heavy plugins like Superior Customized Fields, and squeezing the outcome right into a crowded WordPress posts desk. EmDash does issues otherwise: you’ll be able to outline a schema instantly within the admin panel, which is able to create fully new EmDash collections for you, individually ordered within the database. On import, you need to use the identical capabilities to take any customized submit sorts from WordPress, and create an EmDash content material kind from it. 

For bespoke blocks, you need to use the EmDash Block Equipment Agent Ability to instruct your agent of selection and construct them for EmDash.

EmDash is v0.1.0 preview, and we’d love you to attempt it, give suggestions, and we welcome contributions to the EmDash GitHub repository.

In case you’re simply taking part in round and need to first perceive what’s attainable — check out the admin interface within the EmDash Playground.

To create a brand new EmDash web site regionally, by way of the CLI, run:

npm create emdash@newest

Or you are able to do the identical by way of the Cloudflare dashboard beneath:

We’re excited to see what you construct, and if you happen to’re energetic within the WordPress neighborhood, as a internet hosting platform, a plugin or theme creator, or in any other case — we’d love to listen to from you. Electronic mail us at [email protected], and inform us what you’d prefer to see from the EmDash venture.

If you wish to keep updated with main EmDash developments, you’ll be able to go away your electronic mail handle right here.