EmDash – A spiritual successor to WordPress that solves plugin security

Posted by elithrar 1 day ago

EmDash – A spiritual successor to WordPress that solves plugin security(blog.cloudflare.com)

673 points | 490 commentspage 5

halapro 1 day ago|

Yes definitely compare it multiple times to WordPress and nobody will think of calling their lawyers.

Is this April fools? With real products launching on this date you can't really be too sure.

rvz 1 day ago||

Not an April fools joke. [0]

[0] https://github.com/emdash-cms/emdash

quantummagic 1 day ago||

That makes it look more like an April fools joke. All the commits are from today.

george_perez 1 day ago|||

Cloudflare specifically launches things on April 1st a lot of times. https://x.com/Cloudflare/status/1907055975057506793

They announced 1.1.1.1 on April 1st way back in 2018 too.

gman83 1 day ago||

Gmail was also launched on April 1st. The fact that it came with 1GB of storage instead of Hotmail, which limited you to something like 20MB, made people think it was an April Fool's joke.

OJFord 1 day ago||||

That's not unusual though, large companies releasing something open source very often squash the history at launch.

bigbuppo 1 day ago|||

The best jokes are serious.

echelon 1 day ago||

> Yes definitely compare it multiple times to WordPress and nobody will think of calling their lawyers.

It's not illegal to make product comparisons. That's just competition.

halapro 1 day ago||

Tell that to the guy who got upset with WP Engine. EmDash is clearly "inspired" by WordPress including in its UI, so there's definitely something to it.

rectang 1 day ago|||

The phrase "spiritual successor to WordPress" is not likely to be judged a trademark violation, though. It doesn't create confusion in the marketplace as to whether Emdash is WordPress.

halapro 1 day ago||

Wording never stopped a-holes and lawyers from being annoying. The only difference in this case is that Matt is the small fish.

chuckadams 1 day ago||||

I'd really love to see Matt go after CloudFlare over the trademark. WPE might grind him into the dust, but CF will obliterate every constituent atom.

danudey 1 day ago||||

The problem with WP Engine was that the name is confusing to users who aren't familiar with it. Presumably the WordPress Engine is the core of Wordpress? Or it's the thing powering Wordpress? It's easy to see ways in which an end user could be confused which was which.

Conversely, this product is called something else, and while their blog post references Wordpress repeatedly it's in a way as to make it very clear that this is not that.

chuckadams 1 day ago||

Matt seemed pretty fine with the name for at least 14 years, including investing in them at one point.

Dylan16807 1 day ago||||

>> It's not illegal to make product comparisons. That's just competition.

> Tell that to the guy who got upset with WP Engine.

Why? That situation had nothing to do with comparisons.

halapro 1 day ago||

That situation had nothing to do with reality either. It was just some guy being upset at someone and starting a war all of the sudden. War it lost anyway.

echelon 1 day ago|||

Matt got upset because they forked his open source project and built a hundred million dollar revenue business on top of it without contributing anything back to WordPress.

He'd have more of a leg to stand on if WordPress wasn't itself a fork of an open source project.

Matt should have built something open core or fair source licensed - free for customers, but stops competitors from stealing your lunch. He has no legal ground to argue his case now.

It's a much bigger deal with hyperscalers poaching and stealing, like AWS and GCP ripping off and stealing most of the revenue from Redis and Elasticsearch. That's dishonest and evil in my mind.

Totally orthogonal to this issue of marketing comparisons.

halapro 1 day ago|||

Have you looked at the screenshots? The admin literally looks like WordPress.

You don't have to steal code to become liable. EmDash is an explicit direct competitor to WordPress and it copied the whole interface.

It's like Pepsi suddenly shipping red bottles with the (I can't believe it's not) Coca Cola branding.

If I did this and not CloudFlare, I would have gotten a cease and desist yesterday.

chuckadams 1 day ago|||

WPE never forked a thing. They were a successful company after he backed out of an investment with them, he resented the success, blackmailed them for 8% of their top-line revenue, then threw a tantrum when they told him to pound sand.

whh 1 day ago||

An edge-first CMS is cool. I've wanted something that works well alongside Astro for ages.

That said, WordPress is a weird paradigm to be replicating in 2026. WP won on extensibility, but the actual legacy of that ecosystem is bloat, security disasters and dogshit performance.

What I think makes more sense is this kind of edge backend paired with a proper modern authoring experience with visual control like Framer/Webflow with Notion-style database primitives underneath.

And given how fast AI is getting at generating bespoke business logic, building another monolithic plugin ecosystem feels like solving the wrong problem.

Plugins were a workaround for the fact that most people couldn't write code. That's increasingly not true.

JoostBoer 1 day ago|

[dead]

jdurban 1 day ago||

the plugin security problem in WordPress was never really a code quality problem - it was a trust model problem. any developer could publish a plugin and any site owner could install it with one click, with no vetting layer in between. TypeScript and serverless doesn't change that dynamic unless the trust model changes too. curious how EmDash handles third-party plugin permissions at the API boundary.

ascorbic 1 day ago|

It runs each sandboxed plugin inside its own dynamic worker, with a separate bridge worker to enforce permissions. The worker only has access to its permitted APIs.

jdurban 1 day ago||

the bridge worker as permission enforcement is a solid pattern - the plugin can't escalate by calling APIs directly, everything goes through the bridge. the edge case I'd be curious about is plugin-to-plugin interaction. if two plugins share state through a permitted API, does the bridge enforce granular enough boundaries there, or does the trust model flatten at that layer?

momojo 1 day ago||

A quote from their nextjs writeup but I like:

> Most abstractions in software exist because humans need help...It's not clear yet which abstractions are truly foundational and which ones were just crutches for human cognition... We took an API contract, a build tool, and an AI model, and the AI wrote everything in between.

bbx 1 day ago||

I'm all for creating new frameworks that are faster and more secure. But I don't see how this one relates to Wordpress (not in PHP, serverless, not "plug and play", dependent on Astro, "AI Native"…).

It looks like a good open source project, but just call it a new CMS. I think calling it a "spiritual successor to WordPress" is just to gain some marketing points.

givan 22 hours ago||

Most WordPress plugin vulnerabilities would not exist if Wordpress would expose only a public folder to the web without including `wp-content/plugins/`.

This would avoid plugin scanning and direct plugin code execution.

For the CMS I'm developing, Vvveb CMS, no plugin code is exposed, everything passes through the only exposed php file `public/index.php`

jacton81 1 day ago||

I like the where this is going. The plugins are always the biggest threat. The biggest hurdle will be adoption with all other platforms. One reason WP is still the most used is because all other services you'd ever want to integrate with offer some sort of plugin or integration with WP. Also, so many people use it you know there will always be someone to assist if needed.

Levitating 1 day ago||

I don't like where any of this is going

mmaunder 1 day ago||

If creating OSS is this low effort, the right question is: What high effort assets, that are valuable to other builders, should open communities be working on? And I think the answer is open source models with open training and open training data.

hessammehr 1 day ago|

Ine thing no other CMS tends to get right (for my needs) is Gutenberg. Tiptap, mantine etc.are just no substitute and for someone like me with next to no frontend knowledge Gutenberg was the only option that provided the flexibility and good defaults to keep a decent looking website that my students could also post on with no training.

A while ago I ran claude code in a custom loop (calling it autoclaude; this was last summer) to create a CMS with Gutenberg’s editor but a lean Python backend (github.com/hessammehr/nuCMS). This was in the Sonnet 3.7 days and even that model got quite far.

More comments...