On April 1, 2026, Cloudflare previewed EmDash. It's a TypeScript CMS built on Astro, MIT licensed, and they're calling it "the spiritual successor to WordPress."
The name is a joke. The project isn't.
Here's what matters, and it's not the software. Cloudflare sits between your website and everyone who visits it. They move roughly half the web's traffic. And they just looked at WordPress, which runs 42.5% of every site on the internet, and decided to ship a replacement.
That's the story. The infrastructure company your site already depends on just told you the application layer you built on is obsolete.
The numbers behind the reframe
WordPress isn't dying. But it's not growing either. It peaked at 43.6% of the web in mid-2025. By April 2026 it's at 42.5% and slipping. First sustained decline in over a decade.
Meanwhile, the security picture got ugly. Patchstack counted 11,334 new WordPress ecosystem vulnerabilities in 2025. That's up 42% year over year. 96% of those issues live in plugins, not core. 57% of the first-half vulnerabilities needed no authentication to exploit. Median time from public disclosure to mass exploitation is five hours.
Five. Hours.
The average SMB pays around $14,500 to recover from a WordPress compromise. Malware cleanup, dev time, SEO damage, downtime. About 13,000 WordPress sites get hacked every day. Most of them aren't Fortune 500. They're your dentist, your contractor, your cousin's bakery.
None of that is news to people paying attention. What's new is that Cloudflare published the whole argument on their own blog as justification for building something else.
What Cloudflare actually shipped
EmDash has a real feature list. Admin panel. REST API. Passkey auth, no passwords. Media library. A sandboxed plugin system that runs each plugin in isolation on Cloudflare's runtime. An MCP server so AI agents can talk to your content directly. A WordPress content importer.
It also ships with something nobody else has: a payment protocol called x402 that charges AI agents per content request. Your blog, monetized by bots.
Joost de Valk, the guy who built Yoast, migrated his personal blog to it during early access. His take: "Every architectural decision in EmDash seems to have been made with the same question: what if an AI agent needs to do this."
That's not a CMS for humans writing blog posts. That's a CMS for a web where the primary reader is a machine.
The WordPress founder fired back, and conceded one thing
Matt Mullenweg, WordPress co-founder, was direct. He argued EmDash exists to sell more Cloudflare services. He pointed out that WordPress runs on a Raspberry Pi, on a 99-cent host in Indonesia, on a datacenter. Same code. EmDash's plugin sandbox only works on Cloudflare's runtime. Self-host it and you get a plain TypeScript app with no isolation.
He's right. That's a real lock-in critique.
But Cloudflare's CEO replied and called the criticism "fair." That's the part worth sitting with. The infrastructure vendor isn't pretending the trade-off doesn't exist. They're betting you'll take it anyway.
Why this matters if you run a small business site
If you're on WordPress because "everyone is," that answer just got weaker. Not because EmDash is ready (it isn't -- reviewers tested it and noted you still need a terminal to deploy it), but because the default shifted.
The real question was never "WordPress vs. something else." It was: what's my actual exposure when a plugin I didn't audit gets a zero-day on a Tuesday afternoon, and how fast does my site get hit?
Five hours, apparently.
We've been managing WordPress sites for clients since 2012. Our longest-running client is still on managed WordPress hosting with automated updates, a clean security record, and near-100% uptime across 13 years. It's not that WordPress is unusable. It's that WordPress running unmanaged, with a pile of premium plugins nobody's watching, is a liability that finally has a dollar figure attached to it.
76% of vulnerabilities in paid plugins are exploitable in real attacks. Paid plugins had three times more known exploited vulnerabilities than free ones. The premium marketplace you trusted because you paid for it is actually the worst part of the stack.
What we'd tell you if you asked
Don't panic-migrate. EmDash is a v0.1.0 preview. It can't be operated by non-developers yet. Its plugin security model only works on one specific cloud provider. Your site is fine today.
But use this moment to ask a different question. Not "is WordPress safe?" but "is my site actually being managed, or am I just hoping?" Because that's the gap the 11,334 vulnerabilities are walking through.
Managed hosting with real patching. Plugin audits that happen on a schedule. Backups you've actually tested. Isolation between your site and the next one on the box. These aren't exotic asks. They're the baseline, and most SMB WordPress installations don't have them.
The CMS you run matters less than who's watching it. If the answer to that question is "nobody, my cousin set it up in 2019," Cloudflare's critique of WordPress isn't the problem. Your operations are.
The bigger shift
The reason this story has legs isn't EmDash. It's the signal. The infrastructure layer is no longer neutral. Cloudflare, the company that sees your traffic, has opinions about the application you're running on top of them. And they shipped code to back those opinions up.
That happens more, not less, from here.
We build, manage, and secure sites for creators, businesses, and agencies. WordPress, static, custom, whatever actually fits the business. The platform is a tool. The operations behind it are the product. First conversation is free. Reach out at kief.studio/contact.