"Marketplace businesses provide trust when parties otherwise cannot easily trust each other. In the case of the WordPress marketplace, the plugin security risk is so large and probable that many of your customers can only reasonably trust your plugin via the marketplace. But in order to be part of the marketplace your code must be licensed in a way that forces you to give it away for free everywhere other than that marketplace. You are locked in."

"If EmDash gains traction, developers face a choice: maintain WordPress plugins under GPL, or build once for EmDash and license commercially. The installed base of WordPress is enormous—over 40% of websites—but if EmDash captures even 5% of new CMS deployments over the next 24 months, the economic incentive shifts."

"The 40% figure includes dormant sites, abandoned blogs, and legacy installations. Active, well-maintained WordPress deployments are a smaller subset. Headless CMS platforms (Contentful, Sanity), static site generators (Next.js, Astro), and proprietary platforms (Shopify, Wix) have already captured significant market share in specific segments."

"Cloudflare's timing suggests it believes WordPress's architectural debt has reached a tipping point. The 2025 spike in high-severity vulnerabilities—described as exceeding the previous two years combined—is the trigger."

"Cloudflare states it rebuilt Next.js in one week and WordPress in eight weeks using AI coding agents. This is not equivalent to building WordPress from scratch with human engineers. AI agents excel at generating boilerplate, scaffolding, and porting existing patterns to new languages. What they do not do well is architectural innovation or security auditing. Cloudflare has likely used AI to accelerate routine development while maintaining human oversight on security and core design decision."

"On 1 April 2026, Cloudflare announced EmDash, a TypeScript-based content management system positioned as a direct successor to WordPress. The company claims to have rebuilt the world's most widely deployed CMS—which powers over 40% of the internet—in eight weeks using AI coding agents, addressing what it identifies as an unsolvable architectural flaw: WordPress's plugin security model."

"The cost of building software has drastically decreased. We recently rebuilt Next.js in one week using AI coding agents. But for the past two months our agents have been working on an even more ambitious project: rebuilding the WordPress open source project from the ground up."

"WordPress powers over 40% of the Internet. It is a massive success that has enabled anyone to be a publisher, and created a global community of WordPress developers. But the WordPress open source project will be 24 years old this year. Hosting a website has changed dramatically during that time."

"EmDash isolates each plugin in its own sandbox—a 「Dynamic Worker」—with explicit capability declarations. Cloudflare's example shows a plugin that sends email notifications with only two declared capabilities: 「read:content」 and 「email:send」. The plugin cannot access the database, filesystem, or external networks beyond what it explicitly requests."

"96% of security issues for WordPress sites originate in plugins. In 2025, more high severity vulnerabilities were found in the WordPress ecosystem than the previous two years combined."

"WordPress's plugin architecture has no isolation layer. A plugin has direct access to the database, filesystem, and core WordPress functions. This is not a design flaw—it is a design choice made in 2003 when WordPress was a blogging platform, not a global CMS."

"WordPress.com manually reviews plugins in a queue exceeding 800 items with a two-week review cycle. The backlog exists because the security risk is so high that marketplace reputation is the primary trust mechanism."

"By using MIT rather than GPL, Cloudflare removes the constraint that forced WordPress plugin developers to open-source their code. This could unlock commercial plugin development outside the WordPress.com marketplace, breaking what Cloudflare calls 「marketplace lock-in」."

"EmDash directly threatens the moat that Automattic has built around WordPress.com's managed hosting. If plugin developers can license their work commercially and run it in a sandboxed environment, they no longer need the WordPress.com marketplace. Automattic's plugin review queue—currently over 800 items—becomes a liability, not a feature."