The CDN Builds a CMS
In January 2026, Cloudflare acquired the Astro framework team. In April 2026, Cloudflare shipped EmDash — an open-source CMS built on Astro 6, running on Cloudflare Workers with D1 for the database and R2 for file storage. EmDash is a v0.1.0 preview, but its architecture reveals where the web platform industry is heading: the CDN that delivers your site now also builds the framework that generates it and the CMS that manages it.
EmDash is not a WordPress competitor in the traditional sense. It does not have 60,000 plugins. It does not have millions of themes. What it has is a single architectural decision that WordPress cannot retroactively adopt: every plugin runs inside an isolated Dynamic Worker sandbox. Plugins cannot access the filesystem. They cannot access the database directly. They cannot execute arbitrary code on the server. The entire class of vulnerabilities that accounts for 97% of WordPress CVEs — plugin-level remote code execution, SQL injection, file upload exploits — cannot exist in EmDash's model.
Why WordPress Cannot Copy This
WordPress's plugin architecture gives every plugin full access to the PHP runtime, the MySQL database, and the server filesystem. This is not a bug — it is the design. Plugins need database access to create custom post types. They need filesystem access to handle uploads. They need PHP execution to extend WordPress's templating system. The entire WordPress ecosystem of 60,000+ plugins depends on this unrestricted access model.
Sandboxing WordPress plugins would break every existing plugin. Retroactively isolating PHP execution while maintaining backwards compatibility with 60,000 plugins is an unsolvable engineering problem. WordPress 7.0 is migrating its admin interface to React 19, but the underlying PHP execution model — the source of 18,005 CVEs — remains unchanged. EmDash starts from the opposite premise: plugins are untrusted by default and must prove they need access to specific resources.
The Economics of Zero
EmDash scales to zero when no requests arrive. A WordPress site requires a running PHP process, a MySQL database, and a web server — even when nobody is visiting. The minimum cost of running WordPress is the cost of keeping three services alive 24/7. EmDash's minimum cost is zero: Workers bill only for active CPU time, D1 bills only for queries, R2 bills only for storage.
For a small business website that receives 1,000 visits per day, the infrastructure cost difference is significant. WordPress on shared hosting costs $5–15/month minimum. WordPress on managed hosting costs $25–100/month. EmDash on Cloudflare's free tier costs nothing — Workers' free tier includes 100,000 requests per day, D1 includes 5 million reads per day, and R2 includes 10 GB of storage. The economics are not comparable.
The Maturity Gap
EmDash is a v0.1.0 preview. Its plugin marketplace is minimal. Its theme ecosystem does not exist. Its community is a fraction of WordPress's. No enterprise has migrated a production CMS to EmDash. These are real limitations that will take years to resolve, if they ever do. WordPress's network effects — the themes, the plugins, the developers, the hosting providers — represent two decades of accumulated ecosystem value.
But the architectural bet matters independent of adoption. EmDash demonstrates that a CMS can function with sandboxed plugins, structured content, and serverless deployment. It proves that the WordPress model — unrestricted PHP execution for every plugin — is a design choice, not a technical necessity. Whether EmDash succeeds or not, the question it raises will shape every CMS architecture decision going forward: should plugins have full server access by default?


