EmDash – A spiritual successor to WordPress that solves plugin security

Original Article ↗ Hacker News Discussion ↗

Overall Reception

  • Mix of interest and skepticism. Many like the idea of a more secure, modern CMS; many others see it as “just another CMS” with heavy marketing.
  • Launch date, name (“EmDash”), and strong AI emphasis make several commenters unsure whether it’s a serious product or an April Fools–style stunt.
  • Some who tried the playground or demo report bugs, janky UX, and mobile issues, reinforcing the “prototype” perception.

WordPress Comparison & Ecosystem

  • Broad agreement that WordPress’s real moat is its ecosystem: plugins, themes, hosting options, and cheap non-expert labor.
  • EmDash does not run existing PHP plugins or themes; it only imports WP exports as data. Many argue that without compatibility it cannot be a true “successor.”
  • Commenters stress that both tiny small-business sites and large publishers rely on that ecosystem; replacing “wp-core” alone doesn’t solve their problems.

Security & Plugin Architecture

  • WordPress plugin security is widely acknowledged as a real problem: arbitrary PHP, no sandboxing or permissions, plugin abandonment.
  • EmDash’s model of plugins as TypeScript modules running in isolated Workers with declared capabilities is seen as a fundamentally better security design by some.
  • Others note that:
    • Trusted plugins in-process are only “documented” by capabilities, not enforced.
    • When not on Cloudflare’s runtime, isolation may vanish.
    • The underlying trust model and plugin-to-plugin interactions remain complex.

Cloudflare Platform & Lock‑In

  • Key differentiator (Dynamic Workers sandboxing) only exists on Cloudflare’s stack; elsewhere EmDash is “just a TS CMS.”
  • Several see this as “open source but architecturally locked in.” Workerd itself is open source, but the orchestration and global platform are not.
  • Some draw parallels to Vercel/Next.js–style coupling and flag vendor lock‑in as a major concern.

AI / Agent‑Coded Development & “Vibeslop”

  • Project is heavily marketed as built by agents; reactions:
    • Supporters: this showcases real, substantial AI-built software; AI coding with strong process can produce good code.
    • Critics: Cloudflare has previously shipped AI demos that were overhyped or insecure; fear of another rushed “slop” release.
  • Long meta‑thread on “vibe coding” vs serious AI‑assisted development:
    • Concerns about maintainability, hidden trade‑offs, and code nobody fully understands.
    • Others argue modern agents + good engineers can outperform traditional processes, but acknowledge trust must be earned over time.

Tech Stack, Hosting & CMS Philosophy

  • Some applaud using TypeScript + Astro + Workers: static‑first with islands, edge‑first, type safety, better plugin isolation.
  • Others argue this misses why WordPress won:
    • PHP + FTP + shared hosting is still the simplest deployment story for non‑experts.
    • Many clients care more about a familiar web UI and self‑editing than about serverless, Astro, or TypeScript.
  • Debate over static vs dynamic:
    • One camp wants “back to static files” simplicity; another notes real‑world sites inevitably need dynamic features and plugins.
    • Astro’s hybrid static/dynamic model is seen as a reasonable compromise by some.

Licensing & Legal / Ethical Questions

  • EmDash is MIT‑licensed; some praise this as more permissive than GPL and friendlier to commercial use.
  • Others argue GPL’s reciprocity is a feature, preserving community leverage and preventing proprietary capture.
  • Questions raised about:
    • Calling it a “reimplementation of WordPress” while claiming no WP code was used.
    • Use of WordPress concepts (roles, menus, Gutenberg parser) and whether agents were trained on WP code.
  • Legal status is viewed as unclear in the thread; several expect potential friction with the WordPress side.

Payments (x402) & Agents

  • Built‑in HTTP 402 / x402 micro‑payment support attracts attention:
    • Vision: agents with “debit cards” paying sites per request to access content or APIs.
    • Some find this fascinating; others see it as naive or ripe for abuse (honeypots, tarpit content).
  • Skepticism that AI companies or scrapers will actually pay per request is common.