Cloudflare this week launched EmDash, a new open source content management system written in TypeScript, positioning it as a next-generation alternative to WordPress - and immediately drawing a sharp public rebuke from WordPress co-founder Matt Mullenweg.

The announcement, published on April 1, 2026, describes EmDash as "the spiritual successor to WordPress." That framing did not sit well with Mullenweg, who published his own detailed response on his personal blog accusing Cloudflare of misunderstanding the spirit of the WordPress project and using the CMS as a vehicle for selling infrastructure services.

What EmDash is

According to Cloudflare, EmDash was built over two months using AI coding agents, following a similar exercise in which the company claims to have rebuilt Next.js in one week. The system is written entirely in TypeScript, runs on serverless infrastructure, and is powered by Astro - a web framework designed for content-driven websites. Cloudflare describes it as MIT licensed and fully open source, with the code available on GitHub.

The project is positioned at version 0.1.0 preview and is available as an early developer beta. Developers can deploy it to a Cloudflare account or to any Node.js server. A hosted playground allows users to explore the admin interface without setting up local infrastructure.

The plugin security argument

Cloudflare's case for EmDash rests heavily on the claim that WordPress plugin security is structurally broken. According to the announcement, 96% of security issues on WordPress sites originate in plugins. The company states that in 2025 alone, more high-severity vulnerabilities were found in the WordPress ecosystem than in the previous two years combined.

The root problem, according to Cloudflare, is architectural. A WordPress plugin is a PHP script that hooks directly into the platform and has unrestricted access to the site's database and filesystem. There is no isolation layer. When a plugin is installed, it receives access to virtually everything.

EmDash takes a different approach. Each plugin runs inside its own isolated sandbox - what Cloudflare calls a Dynamic Worker. Rather than giving plugins broad access, the system requires each plugin to declare specific capabilities in a manifest file. A plugin that sends an email when content is published must explicitly request two capabilities: read:content and email:send. It can do nothing outside those declared permissions. If the plugin needs network access, it must specify the exact hostname - not a general internet connection.

This design means that a site administrator can review exactly what a plugin will be permitted to do before installing it. Cloudflare compares the model to OAuth, where a third-party application is granted a defined set of scoped permissions.

The consequences for plugin marketplaces are significant. According to Cloudflare, WordPress.org currently manually reviews each plugin before it appears in the marketplace, and the review queue stands at over 800 plugins with a wait time of at least two weeks. That manual process exists precisely because the security risk of unreviewed WordPress plugins is considered too high to ignore. Because WordPress plugins run in the same execution context as WordPress itself and are deeply intertwined with its code, many legal experts argue they must carry the GPL license - a requirement that restricts how commercial plugin developers can monetize their work.

EmDash plugins carry no such constraint. Plugin authors choose their own license. The plugin code runs independently in a secure sandbox, meaning a plugin can be trusted and deployed without the EmDash site ever needing to inspect or receive the source code. This separation, according to Cloudflare, reduces reliance on centralized marketplace vetting and removes the licensing lock-in that affects WordPress plugin developers today.

Mullenweg's response

Matt Mullenweg published a post on his blog on April 2, 2026, titled "EmDash Feedback," in which he argued that EmDash is not spiritually tied to WordPress at all. His central point concerns what he calls the spirit of WordPress: the ability to run the same code on a Raspberry Pi, on a shared host in Indonesia, on a desktop, or on large-scale cloud infrastructure, without lock-in.

"WordPress exists to democratize publishing," according to Mullenweg's post. "That means we put it everywhere."

He was direct about his view of EmDash's commercial purpose. According to his post: "I think EmDash was created to sell more Cloudflare services." He acknowledged that he likes Cloudflare as an engineering organization and owns shares in the company's stock, but argued that the CMS is optimized for Cloudflare's own infrastructure in ways that create vendor dependency.

Mullenweg also challenged the plugin security claim. He stated that the plugin architecture's ability to modify every aspect of WordPress is a feature rather than a bug, and that the sandboxing breaks down when dealing with most real-world WordPress plugins. He also noted that the plugin security model works only on Cloudflare's own infrastructure, limiting its practical portability.

He disclosed that Cloudflare held a call with him on March 23, 2026, to solicit feedback on a product whose name was not shared, and which was described as likely to launch during Cloudflare's developer week toward the end of April. The launch happened nearly a month earlier than that, on April 1.

His feedback on the product itself was mixed. He described the engineering as solid and the migration tools as useful. He praised what EmDash calls "Agent Skills" as a brilliant strategy. He criticized the admin interface as being in the "uncanny valley" between WordPress and something new, and suggested the use of a rich text editor was a regression. He also stated that parts of EmDash appear to copy features that Automattic is planning to remove from its own roadmap.

According to Search Engine Journal, which covered the story on April 3, 2026, Mullenweg's original blog post concluded with the line: "please keep the WordPress name out of your mouth" - a phrase that invoked Will Smith's remark to Chris Rock at the 2022 Oscars. He subsequently edited the post to remove that sentence. Cloudflare's co-founder and CEO Matthew Prince responded on X, writing that the criticism was fair while simultaneously using the word "WordPress" in his reply, an act of subtle irony noted in Search Engine Journal's coverage.

The Reddit community was divided. Several users on r/Wordpress noted that Cloudflare had a history of releasing real products on April 1, citing the 1.1.1.1 DNS resolver as a precedent. Others expressed skepticism about long-term support, with some pointing out that Cloudflare manages many projects simultaneously. One commenter observed that "there is a massive graveyard of CMSs that have tried to replace WordPress."

The serverless and AI-native architecture

Beyond plugin security, EmDash differs from WordPress in several structural ways. WordPress requires traditional server provisioning, with administrators managing scaling and idle compute. EmDash is built for serverless execution on Cloudflare Workers, which operate using V8 isolates. On an incoming request, the runtime spins up an isolate, executes the code, serves the response, and scales back to zero when there are no requests. Billing covers only CPU time spent on actual computation.

Cloudflare states that users can run millions of independent EmDash instances using Cloudflare for Platforms, each scaling independently from zero to whatever request volume is required.

The system includes several components aimed at AI-assisted site management. Agent Skills provide an EmDash instance with structured documentation that describes the platform's capabilities to an AI agent, including how to structure plugins, how to port WordPress themes, and how to customize a site programmatically. The EmDash CLI allows agents to interact with a local or remote EmDash instance to upload media, manage schemas, and perform administrative tasks. Every instance also includes a built-in Model Context Protocol (MCP) server, enabling agents to perform the same tasks that are available through the admin interface.

Themes in EmDash are built using Astro projects. A theme consists of pages, layouts, components, styles, and a seed file that defines content types and fields. This approach aligns with how frontend developers increasingly build content sites. WordPress themes, by contrast, operate through functions.php, a broad execution context that carries similar security risks to plugins. EmDash themes cannot perform database operations.

The x402 payment layer

One of the more technically distinctive elements of EmDash is its built-in support for x402, an open standard for internet-native payments. The protocol works by having a client - such as an AI agent - send an HTTP request and receive an HTTP 402 Payment Required status code in response. The client then pays for access on-demand, and the server grants entry to the requested content.

Cloudflare has been developing infrastructure around the 402 status code for some time. Cloudflare launched pay-per-crawl in private beta on July 1, 2025, allowing content creators to charge AI crawlers using the 402 response code. The company expanded that protocol on August 28, 2025 with general availability and customizable messaging. By January 2026, Cloudflare had updated an open source x402 proxy template enabling per-route pricing and micropayment flows.

The inclusion of x402 in EmDash means that any site running the CMS can charge agents or other automated clients for content access without subscription systems and without custom engineering. Site operators configure which content requires payment, set a price, and provide a wallet address. The technical flow handles the rest.

For publishers and content creators, this addresses a pressure that has been building throughout 2024 and 2025: AI systems consuming content without generating the advertising revenue or other returns that traditionally accompanied web traffic. Cloudflare itself processes over one billion 402 response codes daily, indicating the scale of demand for payment-gated content infrastructure.

Authentication and content management

EmDash uses passkey-based authentication by default, eliminating passwords and the brute-force attack vectors that come with them. Role-based access control includes administrators, editors, authors, and contributors, with each role scoped to specific actions. Authentication is pluggable, allowing integration with single sign-on providers.

Content types in EmDash are defined directly in the admin panel. Unlike WordPress, which requires heavy plugins like Advanced Custom Fields to create custom post types and then squeezes the results into a single overcrowded posts table, EmDash creates entirely new database collections for each content type.

Migration from WordPress is handled through a WXR export from the WordPress admin, or through an EmDash Exporter plugin that creates a secure endpoint protected by a WordPress Application Password. According to Cloudflare, migrating content takes a few minutes, and media files are automatically imported into EmDash's media library. Custom post types can be mapped to EmDash content types during the import process.

Context for the marketing community

The launch of EmDash arrives at a moment of significant turbulence for the WordPress ecosystem. The legal conflict between Automattic and WP Engine that erupted publicly in September 2024 has continued through 2025 and into 2026. A federal court dismissed several of WP Engine's most serious claims in September 2025, including antitrust and extortion counts, while Automattic filed comprehensive counterclaims in October 2025. The dispute has raised persistent questions about the governance and commercial future of a platform that powers over 40% of the web.

For marketing teams and digital agencies, WordPress has long been the default choice for client websites, landing pages, and content platforms. The plugin ecosystem is a major reason: thousands of tools for SEO, e-commerce, analytics, forms, and campaign tracking are built specifically for WordPress. The plugin security vulnerabilities that Cloudflare cites are real operational risks that have affected marketing deployments. A compromise in a popular plugin can expose customer data, deface campaign pages, or introduce malicious code that undermines attribution and analytics.

At the same time, the marketing and publishing worlds are adjusting to a landscape where AI agents increasingly access content on behalf of users rather than human browsers loading pages and viewing ads. The traditional model - open access to content in exchange for advertising impressions - faces structural pressure when the "visitor" is a language model consuming text without rendering a display environment. EmDash's built-in x402 support is a direct response to that shift, offering a monetization model that does not depend on human attention.

Whether EmDash achieves meaningful adoption is an open question. WordPress has 24 years of development, millions of installations, and a global plugin and theme ecosystem that no CMS at version 0.1.0 can replicate. Mullenweg acknowledged in his feedback that he would be surprised if EmDash does not reach tens of thousands of sites. That would be a notable result. It would also leave WordPress' installed base largely untouched.

Timeline

Summary

Who: Cloudflare, the internet infrastructure and security company, launched EmDash. WordPress co-founder Matt Mullenweg responded with public criticism. Cloudflare CEO Matthew Prince replied on X.

What: Cloudflare announced EmDash v0.1.0, an open source CMS written in TypeScript, built on Astro, with sandboxed plugins using Dynamic Workers, built-in x402 payment support, passkey authentication, and AI-native management tools including an MCP server, CLI, and Agent Skills documentation.

When: The announcement was published on April 1, 2026. Mullenweg's response appeared on April 2. Search Engine Journal covered the exchange on April 3, 2026.

Where: EmDash is available on GitHub under the MIT license. It can be deployed to Cloudflare Workers or any Node.js server. Mullenweg's feedback was published on his personal blog at ma.tt. The public dispute played out on X and in the WordPress community on Reddit.

Why: Cloudflare built EmDash to address structural security problems in the WordPress plugin architecture, to offer a serverless CMS model suited to modern infrastructure, and to provide content creators with a built-in monetization path for AI agent traffic through the x402 payment protocol. The launch generated controversy because Cloudflare described EmDash as a spiritual successor to WordPress, a claim Mullenweg disputed on grounds of platform portability, open standards, and what he characterized as Cloudflare's commercial interest in locking users into its own infrastructure.

Share this article
The link has been copied!