WordPress powers over 40% of the Internet, but 96% of its security vulnerabilities come from plugins. Cloudflare’s answer: rebuild the CMS from scratch with plugins that can’t escape their sandbox — and give every instance a built-in MCP server so AI agents can manage content alongside human editors.

EmDash v0.1.0 launched on April 1, 2026 as an MIT-licensed, open-source CMS written entirely in TypeScript. It runs on Cloudflare Workers or any Node.js server, uses Astro for themes, and treats AI agents as first-class users. Our analysis draws on Cloudflare’s official blog post, The Register’s coverage, SiliconANGLE’s reporting, and the EmDash GitHub repository — we research and analyze rather than testing implementations hands-on.

Why Cloudflare Built a CMS

Cloudflare already runs one of the largest edge networks in the world. They already serve and cache a significant percentage of WordPress traffic. But WordPress’s plugin architecture has become a liability: the plugin review queue is over 800 plugins long with at least two-week wait times, and plugins have direct access to the database, filesystem, and network — any one of them can compromise an entire site.

EmDash doesn’t try to fix WordPress. It reimagines the CMS for a world where serverless infrastructure, AI agents, and content-addressed security are the baseline expectations. Two Cloudflare engineers — product manager Matt Taylor and software engineer Matt Kane — built EmDash in two months using AI coding agents.

Architecture: Serverless, Sandboxed, AI-Native

EmDash’s architecture is built around three design principles: isolation by default, AI agents as first-class users, and portable abstractions that prevent vendor lock-in.

Plugin Sandbox via Dynamic Workers

This is EmDash’s most significant architectural decision. Every plugin runs in its own isolated Dynamic Worker — Cloudflare’s v8 isolate runtime via workerd. These are 100 times faster than traditional containers with millisecond startup times.

A plugin’s capabilities are strictly defined in its manifest:

  • No direct database access — plugins interact through provided bindings only
  • No filesystem access — capabilities are mediated through the runtime
  • Declared network access — plugins must specify exact hostnames they need to reach
  • Scoped permissions — similar to an OAuth flow, each plugin declares exactly what it can do (e.g., read:content, email:send)

This is the fundamental difference from WordPress, where a gallery plugin has the same access to your database as your e-commerce checkout. In EmDash, a misbehaving plugin can’t escalate beyond its declared permissions.

Content Model: Portable Text, Not HTML

EmDash stores content as structured JSON rather than HTML strings. This is a deliberate choice for AI compatibility — an agent can read, modify, and generate content without parsing markup. Custom content types get their own database tables with typed fields, so agents can reason about the schema programmatically.

Custom collections are separate from traditional posts and pages. Schema is definable directly in the admin panel, and WordPress custom post types convert to distinct EmDash collections during migration.

Database and Storage Portability

EmDash uses portable abstractions at every layer:

  • SQL: Kysely — works with SQLite, D1, Turso, or PostgreSQL
  • Storage: S3 API — works with R2, AWS S3, or local files
  • Deployment: Cloudflare Workers or any Node.js server

It runs best on Cloudflare but isn’t locked to it. The scale-to-zero serverless model means you only pay for CPU time during actual work.

The Built-In MCP Server

Every EmDash instance exposes a remote MCP server at a dedicated endpoint. This isn’t an add-on or plugin — it ships with every installation and provides the same capabilities as the admin UI.

What the MCP Server Exposes

Connect Claude Desktop, Cursor, Kiro, or any MCP-compatible client to your EmDash instance and you get tools for:

  • Content CRUD — create, read, update, and delete posts, pages, and custom collection entries
  • Schema management — define and modify content types and their fields
  • Media handling — upload, organize, and manage media library assets
  • Plugin administration — install, configure, and manage plugins
  • User management — manage roles and permissions (administrator, editor, author, contributor)

All operations are scoped by API token permissions — an agent managing blog posts doesn’t automatically get access to user administration.

Agent Skills: Documentation for AI

Beyond the MCP server, EmDash ships with Agent Skills files — structured documentation specifically designed for AI coding agents. When you give an agent access to an EmDash codebase, the Skills files describe:

  • The full hooks reference
  • Theme structure and components
  • Content schemas and collection types
  • Plugin capabilities and how to build them
  • WordPress migration instructions

This means an agent can build a plugin or port a WordPress theme autonomously, without step-by-step human instruction. The Skills files are available in the GitHub repository.

CLI for Programmatic Access

EmDash also provides a CLI that outputs JSON, enabling scripted workflows:

  • media upload [file] — upload media assets
  • search — search content
  • schema create [collection] — create and manage content schemas

The CLI works with both local and remote instances, giving agents and scripts an alternative to the MCP server for automation workflows.

Security Model

EmDash’s security goes beyond plugin sandboxing:

Passkey Authentication by Default

There are no passwords to leak and no brute-force vectors to defend against. EmDash uses passkeys (WebAuthn) as the default authentication method.

Role-Based Access Control

Four roles — administrator, editor, author, contributor — with scoped permissions. The same roles apply to both human users and AI agent access tokens.

Pluggable SSO

EmDash works with your existing SSO provider, so enterprise teams don’t need to manage a separate identity system.

x402: Native Payments Without Engineering

EmDash includes built-in support for x402, an open standard for Internet-native payments. The HTTP 402 status code (“Payment Required”) has existed since HTTP/1.1 but was never widely implemented. x402 makes it practical:

  1. Configure which content requires payment
  2. Set the price
  3. Provide a wallet address

That’s it. A client hitting paywalled content receives an HTTP 402 response, pays on-demand, and gets access — no subscriptions, no payment processing integration, no engineering work. This is pay-per-use at the protocol level.

WordPress Migration

EmDash provides two migration paths:

  1. WXR export — export from WordPress admin, import into EmDash
  2. EmDash Exporter plugin — install on your WordPress site to create a secure endpoint protected by a WordPress Application Password

Both paths import posts, pages, media library assets, and taxonomies. Custom post types convert to EmDash collections. Advanced Custom Fields workflows are replaced with EmDash’s native schema definition. Cloudflare says migration takes just a few minutes.

Competitive Context

EmDash enters a CMS market that looks very different from when WordPress launched in 2003:

Platform Architecture Plugin Security AI Integration Payments License
EmDash Serverless TypeScript (Astro) Sandboxed Dynamic Workers Built-in MCP server + Agent Skills Native x402 MIT
WordPress Monolithic PHP Full system access Via plugins only Via plugins only GPL
Ghost Node.js No plugin system Limited Built-in Stripe MIT
Strapi Node.js headless Plugin system Via plugins Via plugins MIT (v5)
Payload TypeScript headless Plugin system Via plugins Via plugins MIT

EmDash’s unique combination is the sandboxed plugin architecture with first-class MCP support. No other CMS ships a built-in MCP server with every instance.

WordPress co-founder Matt Mullenweg responded critically, suggesting EmDash was created primarily to sell more Cloudflare services. CMSWire’s assessment was “right architecture, empty ecosystem” — acknowledging the technical design while noting the lack of plugins, themes, and community that WordPress has built over two decades.

What This Means for the MCP Ecosystem

EmDash is notable not just as a CMS but as a signal for how MCP is evolving. When we reviewed Cloudflare’s infrastructure MCP servers — which expose 2,500+ API endpoints through a novel Code Mode approach — we noted how ambitious Cloudflare’s MCP strategy was. EmDash extends that strategy from infrastructure management into content management.

The implications:

  • MCP as a default interface — EmDash doesn’t add MCP support; it ships with MCP as a core feature. This normalizes MCP as something every web application should expose.
  • AI agents as CMS users — the role-based access control applies equally to humans and agents, with the same permission model. Content management becomes a conversation rather than a dashboard interaction.
  • Agent Skills as documentation standard — the idea that software should ship with structured documentation specifically for AI consumption could become a pattern across the industry.
  • Content creation at scale — with MCP access to structured JSON content, agents can create, edit, and manage content programmatically without screen-scraping admin panels or maintaining fragile API integrations.

The Honest Assessment

EmDash v0.1.0 is a preview release. The plugin ecosystem is empty. The theme library doesn’t exist yet. WordPress’s 60,000+ plugins and 12,000+ themes took 20 years to build.

What EmDash does have is architectural clarity. The plugin sandbox solves a real security problem that WordPress cannot fix without breaking backward compatibility. The MCP server gives AI agents a structured interface to content management. Passkey authentication eliminates the most common attack vector. And the MIT license with portable abstractions means sites aren’t locked to Cloudflare.

Whether EmDash gains adoption depends less on its technology and more on whether developers build the plugins and themes that make a CMS useful. But as a demonstration of what a CMS designed for the AI era looks like — with MCP as a first-class interface — it’s the most significant entry we’ve seen.

This article is part of ChatForest’s ongoing coverage of the MCP ecosystem. We research publicly available documentation, announcements, and community discussions — we do not test or operate the tools we write about. Have a correction or update? Let us know.