I Switched From WordPress to EmDash. Here's Why I'm Not Going Back.
For years, WordPress was just part of the furniture. You needed a website, you stood up WordPress. You needed a blog, WordPress. You needed anything with a CMS, WordPress. It was the default, and defaults are comfortable.
Then I heard an episode of a podcast where someone mentioned EmDash, a brand new open-source CMS that Cloudflare had just shipped, and something clicked. Not because I was actively unhappy with WordPress, but because I recognized a pattern I'd been ignoring for a long time.
The Security Problem I'd Learned to Live With
WordPress itself is fine. The core team does a reasonable job keeping it patched. The problem is the ecosystem around it, specifically plugins.
Over the years I'd accumulated the usual collection: a contact form plugin, an SEO plugin, a caching plugin, a gallery plugin, a backup plugin to protect me from the other plugins. Each one is a little door into your site. Each one is maintained by a different team with different priorities, different update cadences, and different security track records.
I'd gotten lucky. Nothing had ever gone seriously wrong for me. But I'd also read enough security bulletins to know that luck wasn't a strategy. The numbers are hard to ignore: the vast majority of WordPress vulnerabilities come from plugins, not core. And every plugin you install has essentially unrestricted access to your database, your filesystem, and your users' data.
That's not a quirk of WordPress. That's how it was designed. In 2003, it made sense. Today it feels like leaving your front door open because it was easier to build that way.
What Made EmDash Different
When I started digging into EmDash, the thing that grabbed me wasn't the tech stack (though TypeScript end-to-end and Astro-powered theming are genuinely nice). It was the plugin security model.
Every EmDash plugin runs in its own isolated sandbox. It declares upfront exactly what it needs access to, something like "I need to read content" and "I need to send email", and that's all it can do. It physically cannot touch your database directly. It cannot read files it wasn't given access to. There's no way for a compromised plugin to pivot into a full site takeover.
That's not a small thing. That's a fundamentally different architecture.
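To make the declared-permissions idea concrete, here is an added sketch (my illustration, not code from EmDash) of a deny-by-default plugin API. The capability names, `buildApi`, `runPlugin` and the sample data are all hypothetical, and it models only the permission check, not the sandbox that stops a plugin from reaching around the API object.

```typescript
// Hypothetical capability names and host API, for illustration only;
// these are not EmDash's actual identifiers.
type Capability = "content:read" | "email:send";

interface HostServices {
  readContent(slug: string): string;
  sendEmail(to: string, body: string): void;
}
type PluginApi = Partial<HostServices>; // only declared methods are present

interface Plugin {
  capabilities: Capability[]; // declared up front in the manifest
  run(api: PluginApi): string;
}

// Deny by default: a host method is absent unless its capability was declared.
function buildApi(declared: Capability[], host: HostServices): PluginApi {
  const api: PluginApi = {};
  if (declared.includes("content:read")) api.readContent = (s) => host.readContent(s);
  if (declared.includes("email:send")) api.sendEmail = (t, b) => host.sendEmail(t, b);
  return Object.freeze(api);
}

// Constructed sample content and a host that records outbound mail.
const pages: Record<string, string> = { hello: "Hello, world" };
const outbox: string[] = [];
const host: HostServices = {
  readContent: (slug) => pages[slug] ?? "",
  sendEmail: (to, body) => { outbox.push(`${to}: ${body}`); },
};

function runPlugin(p: Plugin): string {
  try {
    return p.run(buildApi(p.capabilities, host));
  } catch (e) {
    return `denied: ${(e as Error).message}`;
  }
}

const reader: Plugin = {
  capabilities: ["content:read"],
  run: (api) => api.readContent!("hello"),
};
// Declares read access only, then tries to send mail anyway.
const overreach: Plugin = {
  capabilities: ["content:read"],
  run: (api) => { api.sendEmail!("admin@example.com", "hi"); return "sent"; },
};
```

Running `runPlugin(overreach)` returns a `denied:` message and leaves `outbox` empty, because the mail method was never handed to a plugin that did not declare it.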
The other thing that caught my attention: Cloudflare built it. That's not a guarantee of quality, but it is a signal worth paying attention to. Cloudflare runs a meaningful chunk of internet infrastructure and has serious engineering chops. They built EmDash using AI coding agents over two months, shipped it as open source under the MIT license, and made it run on standard Node.js, not just their own cloud. That last part mattered to me.
The Setup
I'm not going to pretend the installation was as simple as a five-minute WordPress setup. EmDash is v0.1.0. It's new, and it shows in places. But if you're comfortable with a terminal, it's manageable.
I ran it as a Docker container behind Nginx on a Linux server, with Cloudflare handling TLS termination and proxying. The rough steps:
- Scaffold the project with `npm create emdash@latest`
- Write a Dockerfile that builds the Astro project and serves it via Node
- Configure Nginx as a reverse proxy pointing at the container
- Set up a Cloudflare Origin Certificate for encrypted traffic between Cloudflare and the server
- Run `npm run bootstrap` inside the container to initialize the database and seed sample content
There were a few bumps: missing dependencies, Nginx config in the wrong directory, the usual first-time setup friction. Nothing that couldn't be worked through, but worth knowing going in.
The admin interface lives at /_emdash/admin and uses passkeys for authentication by default. No passwords, no brute force vectors. The dashboard will feel familiar if you've ever used WordPress. Posts, pages, media, menus, it's all there.
Where Things Stand
I just made the switch and so far it's done everything I need. The content editor works well, the site is fast, and I sleep a little better not worrying about a plugin vulnerability blowing up my site at 2am.
Is it ready for everyone? Probably not yet. The plugin ecosystem is nascent, documentation is still catching up, and breaking changes are expected as it matures. If you're running a complex WordPress site with dozens of plugins and a non-technical team managing content, this isn't the moment to migrate.
But if you're a developer running your own site, comfortable with some early-adopter friction, and tired of the WordPress security treadmill? It's worth a serious look.
The furniture is changing. I'm glad I got a new couch.