Cloudflare Just Built a WordPress Replacement

A $30 Billion Company Just Said WordPress Is Broken

On April 2, 2026, Cloudflare announced EmDash. They did not call it a content management system. They did not call it a website builder. They called it the "spiritual successor to WordPress."

That language matters. Cloudflare is not a startup chasing headlines. They are a $30 billion infrastructure company that handles roughly 20% of all internet traffic. When they look at the state of WordPress and decide the right move is to build a replacement from scratch, that is not a trend piece. That is a verdict.

EmDash was built in roughly two months using AI-assisted development. It runs on TypeScript and Astro, deploys serverless on Cloudflare Workers, and scales to zero when nobody is visiting your site. The entire project is MIT open source.

"Cloudflare called EmDash the spiritual successor to WordPress. When a company that handles 20% of internet traffic builds a replacement for your platform, the message is clear.

But here is the part that matters most for business owners: Cloudflare did not build EmDash because they wanted to sell you a new product. They built it because they see what we have been saying for years. WordPress, as it exists today, is a liability for businesses that depend on their websites.

96% of WordPress Security Issues Come From Plugins

This is Cloudflare's own data, and it is the most important number in their entire announcement. 96% of all WordPress security vulnerabilities come from plugins. Not from WordPress itself. From the plugins you install to make it do what you need.

Think about that for a moment. Every contact form plugin, every SEO tool, every caching plugin, every page builder. Each one is a potential door that hackers can walk through. The average WordPress site runs 20 to 30 plugins. That is 20 to 30 potential vulnerabilities sitting on your server right now.

EmDash addresses this by running plugins inside sandboxed isolates on Cloudflare's runtime. If a plugin has a security flaw, it cannot reach the rest of your site. That is genuinely smart engineering. But it raises a bigger question that Cloudflare does not answer: why are you running 30 plugins in the first place?

• ✓
  96% of WordPress security issues originate from third-party plugins
• ✓
  The average WordPress site runs 20 to 30 plugins, each one a potential vulnerability
• ✓
  WordPress sites are the target of 90% of all CMS-based hacking attempts
• ✓
  A single compromised plugin can expose your entire database, customer data, and payment information
• ✓
  EmDash sandboxes plugins to contain breaches, but custom-coded sites eliminate the plugin problem entirely

A custom-coded website does not need plugins. Forms, SEO, performance, security. All of it is built directly into the code. There is nothing to hack because there are no third-party dependencies running on your server. The plugin problem is not something you solve by sandboxing plugins better. You solve it by not needing plugins at all.

What EmDash Gets Right (and What It Does Not)

Credit where it is due. EmDash makes several smart architectural decisions that show Cloudflare genuinely understands what is wrong with WordPress.

What EmDash gets right: It is serverless, so there is no server to maintain or pay for when traffic is low. It uses TypeScript instead of PHP, which is a modern language that catches errors before they reach your visitors. Plugin isolation is genuinely innovative. And the AI-native approach, where the system was partly built with and designed for AI workflows, points toward where the industry is heading.

Matt Mullenweg, the co-creator of WordPress, responded publicly. He acknowledged the engineering quality but criticized EmDash for Cloudflare vendor lock-in, arguing that its plugin security model only works on Cloudflare's runtime and breaks down on any other host. Meanwhile, Joost de Valk, the creator of Yoast SEO (the most popular WordPress plugin with over 13 million installs), publicly endorsed EmDash. When the person who built the biggest WordPress plugin endorses the replacement, that tells you something about where the industry is heading.

What EmDash gets wrong: Almost everything that matters for a business that needs a working website today.

• ✓
  Zero plugin ecosystem. WordPress has 60,000 plugins. EmDash has effectively none.
• ✓
  CLI setup required. You need to use a command line terminal to get started. WordPress has a famous 5-minute install.
• ✓
  Cloudflare lock-in. The plugin sandboxing only works on Cloudflare Workers. Move to another host and you lose the key security feature.
• ✓
  No community. No forums, no tutorials, no agencies, no freelancers who specialize in EmDash. WordPress has millions of developers.
• ✓
  Beta only. This is not production-ready software. Cloudflare says so themselves.

Search Engine Journal listed six reasons EmDash cannot compete with WordPress today. CMSWire called it "the right architecture with an empty ecosystem." Both assessments are fair. EmDash is a technically impressive proof of concept. It is not a platform you should bet your business on in 2026.

Why This Matters Even If You Never Use EmDash

EmDash might never become a mainstream platform. That is beside the point. What matters is what Cloudflare's announcement signals about the direction of the entire industry.

WordPress market share dropped from 43.6% to 42.6% in the past year. That is the first decline in over 20 years.One percentage point might sound small, but at WordPress's scale, that represents millions of websites moving to other platforms.

The reasons are piling up. Google's March 2026 core update penalized slow sites harder than any previous update. 47% of slow sites lost rankings. Only 44% of WordPress sites pass Core Web Vitals on mobile. The math is simple: if Google rewards speed and your platform is slow, your platform is costing you money.

Industry data shows that 61% of companies now use multiple content management systems, and roughly half of those are actively trying to escape legacy platforms. WordPress is the legacy platform they are leaving.

Cloudflare building a WordPress replacement is not an isolated event. It is part of a pattern. Vercel, Netlify, Deno, and now Cloudflare. The biggest infrastructure companies in the world are all building tools that make WordPress unnecessary. They are not doing this for fun. They are doing it because they see the market shifting.

For business owners, the question is not whether WordPress will decline. It already is. The question is how long you wait before the decline affects your revenue.

Mullenweg (WordPress CEO) Fired Back. And He Has a Point.

EmDash is not perfect either. Mullenweg responded immediately with a detailed critique.

His points: EmDash's plugin security only works on Cloudflare's runtime. Host it anywhere else and you lose the main selling point. The plugin sandboxing restricts what plugins can do, which breaks compatibility with 60,000 existing WordPress plugins. And the whole thing ties you to Cloudflare's ecosystem, which is the opposite of WordPress's open web mission.

He is not wrong.

EmDash solves the security problem by creating a new dependency. You are trading WordPress lock-in for Cloudflare lock-in.

There Is a Third Option Nobody in This Debate Is Talking About

No plugins at all. No sandboxing needed because there is nothing to sandbox. A standard open source stack that deploys anywhere. You own the code, the data, and the infrastructure. Move it to any host, hire any developer, change anything without permission from a platform.

That is what we build. Not a WordPress successor. Not a Cloudflare product. Just clean architecture with zero dependencies you do not control.

Think about what both sides of this debate are admitting. Mullenweg is defending a platform where 96% of security issues come from plugins. Cloudflare is selling a fix that only works if you pay them forever. Neither side is asking the obvious question: what if you just did not need plugins at all?

A custom-coded site has forms, SEO, analytics, and performance built in from day one. No plugin marketplace. No sandboxing runtime. No vendor collecting monthly fees. Your WordPress site replaced with a modern framework that scores 99 on PageSpeed, loads in under 1 second, and costs $0 per month to host.

• ✓
  99 PageSpeed score from day one. Not 60 with optimization plugins.
• ✓
  Under 1 second load time on mobile. Your visitors see your content instantly.
• ✓
  $0 per month hosting. No server costs, no managed hosting fees, no scaling charges.
• ✓
  You own every line of code. No lock-in to Cloudflare, WordPress, or anyone else.
• ✓
  Zero plugins means zero vulnerabilities. Nothing to sandbox because there is nothing to exploit.
• ✓
  Deploy anywhere. Move hosts, hire any developer, change anything. No permission needed.

WordPress locks you into 23 years of technical debt. EmDash locks you into Cloudflare's ecosystem. A custom-coded site locks you into nothing. That is what real ownership looks like.

What a Post-WordPress Website Actually Looks Like

Numbers tell the story better than promises. Here is a direct comparison between a typical WordPress site and what we build for our clients.

These are not theoretical numbers. Every site we build at PandaCodeGen hits these benchmarks. Our detailed guide on achieving 100 PageSpeed explains the exact process we use and why template-based platforms cannot match it.

This is not just a WordPress problem either. Businesses on Webflow, Squarespace, Wix, and GoHighLevel are hitting the same ceiling. Different platforms, same problem: you are renting someone else's infrastructure and paying the price in speed, security, and flexibility. The gap between template platforms and modern custom code is not closing. It is widening with every Google update.

If you are on WordPress today, you have three options. Wait for EmDash to mature (two to three years, minimum). Stay on WordPress and hope the next Google update does not hit you harder. Or move to a custom-coded site that is already built for where the industry is going.

Our WordPress migration service takes 4 to 6 weeks from start to launch. We handle the entire process: design, build, content transfer, redirects, DNS, and post-launch monitoring. Your existing SEO equity is preserved with proper 301 redirects. And every site we deliver scores 95 to 100 on Google PageSpeed, guaranteed.

Cloudflare just confirmed what we have been building toward for years. The WordPress era is ending. The only question is whether you move now, while your rankings still have value, or wait until the next update forces the decision for you.