[{"data":1,"prerenderedAt":333},["ShallowReactive",2],{"blog-\u002Fblog\u002Fcloudflare-just-killed-wordpress":3},{"id":4,"title":5,"body":6,"date":322,"description":323,"extension":324,"meta":325,"navigation":131,"path":326,"seo":327,"stem":328,"tag":329,"thumbnail":330,"youtube_url":331,"__hash__":332},"blog\u002Fblog\u002Fcloudflare-just-killed-wordpress.md","Cloudflare Just Killed WordPress",{"type":7,"value":8,"toc":313},"minimark",[9,13,21,26,33,49,52,55,59,66,98,101,105,108,245,251,257,260,264,267,274,278,281,285,288,291,295,298,303,306,309],[10,11,12],"p",{},"I didn't think I'd be saying \"rest in peace WordPress\" for a long time. Sure, we all remember the WP Engine drama, but that was about hosting and copyright. This is something entirely different.",[10,14,15,16,20],{},"Cloudflare has introduced ",[17,18,19],"strong",{},"EmDash"," — a spiritual successor to WordPress built on their existing infrastructure. And yes, this dropped on April 1st, but so far it doesn't appear to be a joke. I've been vigilant.",[22,23,25],"h2",{"id":24},"wordpresss-real-problem-plugin-security","WordPress's Real Problem: Plugin Security",[10,27,28,29,32],{},"WordPress itself isn't fundamentally broken. Its biggest weakness has always been ",[17,30,31],{},"plugin security",".",[10,34,35,36,43,44,48],{},"If you've ever run a WordPress site, you're probably familiar with ",[37,38,42],"a",{"href":39,"rel":40},"https:\u002F\u002Fwww.wordfence.com\u002F",[41],"nofollow","WordFence"," — a plugin that scans your installation for vulnerabilities and tracks new ones as they're disclosed. Scrolling through their database is genuinely alarming. Vulnerabilities are being disclosed practically every day, there are ",[45,46,47],"em",{},"pages"," of them, and sorting by CVSS severity reveals multiple critical-severity issues discovered in just the past few months.",[10,50,51],{},"The vast majority of these vulnerabilities come from plugins. A WordPress plugin is just a PHP script that hooks directly into the WordPress ecosystem. It has direct access to the site's database and file system. When you install a plugin, you're trusting it with access to nearly everything — and trusting it to handle every malicious input perfectly. Think SQL injections, unsanitized inputs, the whole lot.",[10,53,54],{},"WordPress.org tries to address this by manually reviewing and approving each plugin submission. You submit a zip file, get an automated acknowledgment email, and wait in a queue for a human to download and review your code. With AI making it easier than ever for people to write plugins, that queue isn't getting shorter.",[22,56,58],{"id":57},"how-cloudflare-solved-it-isolated-sandboxes","How Cloudflare Solved It: Isolated Sandboxes",[10,60,61,62,65],{},"Cloudflare's approach is elegant because it leverages their existing stack. They've created ",[17,63,64],{},"isolated sandboxes"," using dynamic workers. Here's the architecture:",[67,68,69,77,84,91],"ul",{},[70,71,72,73,76],"li",{},"A ",[17,74,75],{},"trusted EmDash worker"," handles the core CMS operations",[70,78,79,80,83],{},"Plugins run in ",[17,81,82],{},"untrusted dynamic workers"," — completely isolated",[70,85,86,87,90],{},"Data access happens through ",[17,88,89],{},"bindings"," to Cloudflare services: D1 for the database, R2 for the media library",[70,92,93,94,97],{},"Each plugin declares specific ",[17,95,96],{},"capabilities"," (read posts, send email, etc.)",[10,99,100],{},"If a plugin has permission to read posts and requests posts, the EmDash worker passes them through. If it only has media read capability but tries to write a post — blocked.",[22,102,104],{"id":103},"the-contract-system-is-the-real-win","The Contract System Is the Real Win",[10,106,107],{},"This is where it gets interesting. Plugins declare a contract — a set of capabilities they need:",[109,110,115],"pre",{"className":111,"code":112,"language":113,"meta":114,"style":114},"language-javascript shiki shiki-themes github-light github-dark","import { definePlugin } from \"emdash\";\n\nexport default () =>\n  definePlugin({\n    id: \"notify-on-publish\",\n    version: \"1.0.0\",\n    capabilities: [\"read:content\", \"email:send\"],\n    hooks: {\n      \"content:afterSave\": async (event, ctx) => {\n        if (event.collection !== \"posts\" || event.content.status !== \"published\") return;\n\n        await ctx.email!.send({\n          to: \"editors@example.com\",\n          subject: `New post published: ${event.content.title}`,\n          text: `\"${event.content.title}\" is now live.`,\n        });\n\n        ctx.log.info(`Notified editors about ${event.content.id}`);\n      },\n    },\n  });\n","javascript","",[116,117,118,126,133,139,145,151,157,163,169,175,181,186,192,198,204,210,216,221,227,233,239],"code",{"__ignoreMap":114},[119,120,123],"span",{"class":121,"line":122},"line",1,[119,124,125],{},"import { definePlugin } from \"emdash\";\n",[119,127,129],{"class":121,"line":128},2,[119,130,132],{"emptyLinePlaceholder":131},true,"\n",[119,134,136],{"class":121,"line":135},3,[119,137,138],{},"export default () =>\n",[119,140,142],{"class":121,"line":141},4,[119,143,144],{},"  definePlugin({\n",[119,146,148],{"class":121,"line":147},5,[119,149,150],{},"    id: \"notify-on-publish\",\n",[119,152,154],{"class":121,"line":153},6,[119,155,156],{},"    version: \"1.0.0\",\n",[119,158,160],{"class":121,"line":159},7,[119,161,162],{},"    capabilities: [\"read:content\", \"email:send\"],\n",[119,164,166],{"class":121,"line":165},8,[119,167,168],{},"    hooks: {\n",[119,170,172],{"class":121,"line":171},9,[119,173,174],{},"      \"content:afterSave\": async (event, ctx) => {\n",[119,176,178],{"class":121,"line":177},10,[119,179,180],{},"        if (event.collection !== \"posts\" || event.content.status !== \"published\") return;\n",[119,182,184],{"class":121,"line":183},11,[119,185,132],{"emptyLinePlaceholder":131},[119,187,189],{"class":121,"line":188},12,[119,190,191],{},"        await ctx.email!.send({\n",[119,193,195],{"class":121,"line":194},13,[119,196,197],{},"          to: \"editors@example.com\",\n",[119,199,201],{"class":121,"line":200},14,[119,202,203],{},"          subject: `New post published: ${event.content.title}`,\n",[119,205,207],{"class":121,"line":206},15,[119,208,209],{},"          text: `\"${event.content.title}\" is now live.`,\n",[119,211,213],{"class":121,"line":212},16,[119,214,215],{},"        });\n",[119,217,219],{"class":121,"line":218},17,[119,220,132],{"emptyLinePlaceholder":131},[119,222,224],{"class":121,"line":223},18,[119,225,226],{},"        ctx.log.info(`Notified editors about ${event.content.id}`);\n",[119,228,230],{"class":121,"line":229},19,[119,231,232],{},"      },\n",[119,234,236],{"class":121,"line":235},20,[119,237,238],{},"    },\n",[119,240,242],{"class":121,"line":241},21,[119,243,244],{},"  });\n",[10,246,247,248,32],{},"A plugin can have tens of thousands of lines of code, but unlike WordPress — where a plugin can access everything and talk to the public internet — ",[17,249,250],{},"the person installing the plugin knows exactly what access they're granting",[252,253,254],"blockquote",{},[10,255,256],{},"The plugin code runs independently in a secure sandbox. A plugin can be provided to an EmDash site and trusted without the site ever seeing the source code.",[10,258,259],{},"This means Cloudflare can do away with manual code reviews entirely. You write your plugin, choose your license, and publish it like you would to an NPM registry. Even if someone writes malicious code, the contract system constrains what it can actually do.",[22,261,263],{"id":262},"scale-to-zero-finally","Scale to Zero — Finally",[10,265,266],{},"WordPress is not serverless. It needs an SQL database, a PHP backend, and some form of always-on server — typically a LAMP stack sitting there waiting for requests.",[10,268,269,270,273],{},"Cloudflare Workers are serverless, running in V8 isolates. Unlike AWS Lambdas where you spin up a container (and deal with cold starts or pay to keep it warm), ",[17,271,272],{},"Workers can serve different user code from the same processes",". They've effectively solved the scalability problem that has plagued WordPress hosting forever.",[22,275,277],{"id":276},"the-astro-connection","The Astro Connection",[10,279,280],{},"Cloudflare acquired the Astro web framework on January 16th, 2026. Astro is now Cloudflare's framework, so naturally it's the foundation here. And if you're running an existing WordPress site, there's an EmDash exporter plugin to migrate across.",[22,282,284],{"id":283},"i-tried-the-playground","I Tried the Playground",[10,286,287],{},"I found their playground and spun it up. It's simple, basic, and immediately familiar to anyone who's used WordPress — dashboard, pages, posts, media. You can edit content, publish, preview. It's not feature-complete, but it's a solid base.",[10,289,290],{},"You don't want the system to be over-bloated, and I think we all know WordPress has become a hefty system. EmDash strips it back to the essentials.",[22,292,294],{"id":293},"my-honest-take","My Honest Take",[10,296,297],{},"I'm not sure I'll be using this anytime soon. With Claude Code, Cursor, Codex, and some architectural experience, you can spin up a website and control every bit of it without needing a CMS. But having managed WordPress instances that grew more painful by the day, I get the appeal.",[252,299,300],{},[10,301,302],{},"The real question isn't whether this is better than WordPress technically — it clearly is in several ways. The question is whether it gains enough adoption to matter.",[10,304,305],{},"The isolated plugin architecture and contract system are genuinely clever. Scale to zero is a real operational win. But CMS adoption is as much about ecosystem and community as it is about technical merit. WordPress has decades of that. EmDash is starting from scratch.",[10,307,308],{},"Is Cloudflare the good guy here, or are they trying to quietly kill WordPress? Probably a bit of both.",[310,311,312],"style",{},"html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}",{"title":114,"searchDepth":128,"depth":128,"links":314},[315,316,317,318,319,320,321],{"id":24,"depth":128,"text":25},{"id":57,"depth":128,"text":58},{"id":103,"depth":128,"text":104},{"id":262,"depth":128,"text":263},{"id":276,"depth":128,"text":277},{"id":283,"depth":128,"text":284},{"id":293,"depth":128,"text":294},"2026-04-04T16:01:06Z","Cloudflare's new CMS sandboxes every plugin in its own worker — fixing WordPress's biggest security nightmare by design.","md",{},"\u002Fblog\u002Fcloudflare-just-killed-wordpress",{"title":5,"description":323},"blog\u002Fcloudflare-just-killed-wordpress","Tech","\u002Fblog\u002Fcloudflare-just-killed-wordpress.png","https:\u002F\u002Fyoutu.be\u002Ffj7tx8OHAkc","Yu6CqYbMX-gYGOh04jXYBWput67JfqU3KylLdqxmkx4",1775411755756]