- Convince me this isn’t vibeslop.
If Cloudflare really have radically changed their software development philosophy lately, this would actually be an interesting project, being based on Astro and coming with some APIs for programmatic management.
Them being so happy about the „cost of software development“ and not going very deep into ecosystem, community or project management doesn’t convince me that this is going to be a worthwhile project, even if, unlike their previous vibe coding demos, this one actually works.
- I'm the main engineer on this. I've also been on the Astro core team for two years, so I do think I understand real open source software and community.
As the post implies, I did use a lot of agent time on this, but this isn't a vibe-coded weekend project. I've been working full time on this since mid-January.
- "It's not a vibe-coded weekend project, it's a vibe-coded months long project" doesn't terribly instill confidence.
- There's a big difference between the two. If you still think agent-guided development doesnt work well, you need to update your priors
- [dead]
- Agent coded != vibe coded.
I don't write code manually anymore, but Im still getting the exact code output that I want.
- It's a tough pill for some HNers to swallow, but with a good process, you can vibe-code really good software, and software far more tested, edge-cased, and thoughtful than you would have come up with, especially for software that isn't that one hobby passion project that you love thinking about.
- vibe coding implies a complete lack of process. The definition is basically YOLO....
- My process is just getting claude code to generate a plan file and then rinsing it through codex until it has no more advice left.
I'd consider it vibe-coding if you never read the code/plan.
For example, you could package this up in a bash alias `vibecode "my prompt"` instead of `claude -p "my prompt"` and it surely is still vibe-coding so long as you remain arms length from the plan/code itself.
- I mean to be fair, if you are using agents more than likely you are not thinking about aspects of the code as deeply as you would have before. If you write things yourself you spend far more time thinking about every little decision that you're making.
Even for tests, I always thought the real valuable part of it was that it forced you to think about all the different cases, and that just having bunch of green checkboxes if anything was luring developers into a false sense of security
- There's definitely a trade-off, but it's a lopsided one that favors AI.
Before AI, you were often encumbered with the superficial aspects of a plan or implementation. So much that we often would start implementing first and then kinda feel it out as we go, saving advanced considerations and edge-cases for the future since we're not even sure what the impl will be.
That's useful for getting a visceral read on how a solution might feel in its fetal stage. But it takes a lot of time/energy/commitment to look into the future to think about edge cases, tests, potential requirement churn, alternative options, etc. and planning today around that.
With AI, agents are really good at running preformed ideas to their conclusion and then fortify it with edge-cases, tests, and trade-offs. Now your expertise is better spent deciding among trade-offs and deciding on what the surface area looks like.
Something that also just came to mind is that before AI, you would get married to a solution/abstraction because it would be too expensive to rewrite code/tests. But now, refactoring and updating tests is trivial. You aren't committed to a bad solution anymore. Or, your tests are kinda lame and brittle because they're vibe-coded (as opposed to not existing at all)? Ok, AI will change them for you.
I also think we accidentally put our foot on the scale in these comparisons. The pre-AI developer we'll imagine as a unicorn who always spends time getting into the weeds to suss out the ideal solution of every ticket with infinite time and energy and enthusiasm. The post-AI developer we'll imagine as someone who is incompetent. And we'll pit them against each other to say "See? There's a regression".
- I think I agree. Fast iteration in many cases > long thought out ideas going the wrong direction. The issue is purely a mentality one where AI makes it really easy to push features fast without spending as much time thinking through them.
That said, iteration is much more difficult on established codebases, especially with production workflows where you need to be more than extra careful your migration is backwards compatible, doesn't mess up feature x,y,z,d across 5 different projects relying on some field or logical property.
- Shhhhh stop telling them! We don’t need more competition :)
- its the same thing. no one can keep up with their plan mode/spec driven whatever process. All agent driven projects become vibe coded "this is not working" projects.
Lot of ppl are only in the beginning stages so they think its different because they came up with some fancy looking formal process to generate vibe.
- What are some other candidates in the "most meaningless new term" awards category? "Vibe coding" seems like the best in a generation. Even with a lot of clarifying qualifications, it often still seems fundamentally meaningless / open to interpretation / triggers commenters based on their priors.
- Using the word priors in the way you (and others) do.
- how long should it take to gain your confidence? how did you arrive at your number?
the state of the art of software engineering is to use AI. it's just reality
- how long? 10 years
- I started calling it LLM assisted coding. If you know what you’re doing but use LLMs to do tedious stuff and educate yourself on the unfamiliar bits you can move quite fast. The term vibe coding does not do that process justice imho.
- > The term vibe coding does not do that process justice imho.
Well that's because actual vibe coding is a completely separate thing from "LLM assisted coding, know what you’re doing but use LLMs to do tedious stuff".
I'm not entirely sure what you mean by "started calling it", but vibe coding doesn't need a new name, it needs people to be clear about what they mean.
- [dead]
- This crap thinking has to stop, not everything is "hey agent do this" then sit, wait and publish as is. Also this is a Cloudflare official software, do you REALLY think this is 100% vibe coded without human intervention? Come on...
- While I agree with your first sentence, I haven't been impressed with cloudflare's AI track record. I think my expectations for "cloudflare software on the HN front page that was significantly AI coded" are lower than "random guy's software on the HN front page that was significantly AI coded".
- After https://news.ycombinator.com/item?id=46781516 ? Yes, one can unfortunately put that into the realm of reality.
- Considering Cloudflare shat out slop in the form of a "complete rewrite of NextJS in one weekend" and proudly put out a blog post (https://blog.cloudflare.com/vinext/) despite how absolutely dogshit it is:
yeah.
- [flagged]
- Could you say a few things on your plans to develop the community and ecosystem then as requested?
That's the significant part of Wordpress after all, not the mediocre code.
- > I'm the main engineer on this. I've also been on the Astro core team for two years
That was worth a disclosure in the post. Knowing this now and then going back to Ctrl+F on "Astro" gives a definite feel on the second reading that wasn't obvious the first time around.
- Picking April First to launch is certainly a Decision.
- What does "While EmDash aims to be compatible with WordPress functionality" mean?
Compatible how?
- Why would you gut the credibility of the project for that tagline then: why not skip mentioning agents?
You even open the article by linking the toy project where you used agents to "recreate Next in a week" and released with critical vulnerabilities.
- will all my custom Wordpress themes and plugins run on EmDash?
- For plugins, no.
1- EmDash plugins are written in TypeScript, not PHP
2- EmDash plugins have a specific permissions model, where they need to explicitly request access to certain things.
3- WordPress plugins just invoke things. EmDash plugins have a defined API you use to talk to different capabilitites
4- Those capabilities are totally different, and at a different abstraction, than what WordPress provides.
Beyond the look of the admin interface and publishing flow, I don't see how this is a "Spirtual Successor" to WordPress at all. Its a CMS, designed from scratch, for a serverless world, using CF proprietary capabilities (D1 Databases, R2 for image/media storage, their workers for running things).
- I think one of the reasons people think this is slop is because of the name. How does the name EmDash relate to being a wordpress spiritual successor? It's clear the name was chosen as it relates to the use of em dashes in AI generated text, so why would you want to be associated with that? Why not choose a name like Astro Press given your experience on Astro?
- Not sure why you’re being downvoted. The name is so bad. WordPress is a great name for normies. Something like Cloudflare Press would make more sense. EmDash is at best a temporary meme.
- > It's clear the name was chosen as it relates to the use of em dashes in AI generated text
this is not clear to me, and is not discussed in the article
you can like or dislike the name. but criticizing the quality of work based on your affinity for the name is foolishness
- Well, an em dash is used in text to identify a pause or alternatives in the text.
..so like a fork in the way it's done, a new way of doing things.
But you need to remove the dev/ai hat in order to go back to writing rules and the real use.
- This doesn't really address the concern.
The question isn't whether this took longer than a weekend or whether you personally have open source experience, it's whether Emdash is actually being built as an open ecosystem or as a Cloudflare-bound platform. Bringing up your background reads like using prior credibility to justify the project's quality, instead of demonstrating it.
If it only runs properly on Cloudflare's infrastructure, then invoking "understanding open source and community" feels misleading. Those values usually imply portability and independent ecosystem growth, not tight platform coupling.
Also, "not vibeslop" here isn't about effort, it's about whether there's a clear, defensible reason this exists beyond being an AI-accelerated WordPress-like system tied to one vendor.
- I think Cloudflare has picked up that code velocity is only good if you can recruit users to a new open project, and have solid maintainers to keep the project going long term. Just from passive observance it feel like Cloudflare’s engineering team is chockful of seasoned maintainers. They then have a great social following already. So, code velocity, plus audience, plus maintainers, means you maybe can capture a lot of open projects under your umbrella while people are still trying to figure out how to fiddle with legacy software and AI. Meanwhile, “new is always better” puts pressure on legacy user bases. Finally, you allow these things to hook into your magnanimous global app development platform, and boom you have got it made in the shade.
- If you read the first few sentences...
> But for the past two months our agents have been working on an even more ambitious project: rebuilding the WordPress open source project from the ground up.
They have honed their AI OSS troll marketing chop and every step goes far and far. I'll take it more seriously once they start open sourcing vibe coded projects they actually use in their production.
- It is 100% vibe coded.
- It’s definitely slop of some kind.
Why mixed ”permission:scope” and ”scope:permission”?capabilities: ["read:content", "email:send"], - I'm getting so exhausted of the "slop" accusation on new project launches. There are legit criticisms of EmDash in the parent comment that are overshadowed by the implication it was AI coded and, thus, unusable quality.
The problem is there's no beating the slop allegation. There's no "proof of work" that can be demonstrated in this comment section that satisfies, which you can see if you just keep following the entire chain. I'd rather read slop comments than this.
The main engineer of this project is in the comments and all he's being engaged with on is the definition of vibes.
- I mean the name is a nod to that.
- Coded with AI != slop. AI in the hands of the right person can actually be good. That's gotten _especially_ true in the past few months.
- Maybe what the parent commenter was referring to is that recently CloudFlare have published multiple vibe-code demo blog posts whilst trying to pass it off as production grade, for example https://news.ycombinator.com/item?id=46781516 where they implemented an open standard communication protocol on CloudFlare Workers.
The blog post was chock full of factual errors, claimed to be based off project X but wasn't at all and even had the cheek to include that it was arguably the most secure way to deploy such a server, with their implementation apparently already being used by their team to serve real traffic. Meanwhile the repo was full of TODOs for all the security aspects of the protocol.
Of course after the backlash a lot of this was covered up so look at the archives if you are curious.
They have really done a disservice to themselves because their blog posts used to be excellent, but now I have to question whether it's another blogpost full of fakery like that one (and there was another since iirc). Given this blog post talks about reimplementing a popular project, it starts to give off the signs of being another one of these. Unfortunate if that's not the case
- CloudFlare announcements have caused them to lose credibility in this area.
- I don't think it's the code that makes WordPress valuable. I've been learning WordPress recently and haven't been too impressed with the internals. WordPress is valuable because of the ecosystem and support. I have no doubt that WordPress will still be a thing in ten years. What's the support plan for EmDash? I see commits are mostly from a single developer.
E: Oh, I think it's an April fools joke, I'm embarrassed.
E2: Apparently not a joke.
- Cloudflare doesn't do April fools jokes. In fact, 1.1.1.1 was released on April 1st back in 2018 and now it's one of the most used DNS service in the world.
- [dead]
- It's a legit April Fools'.
On the initial commit:
> Some content is hidden
> Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.
This for "a spiritual successor to WordPress".
- I can assure you this is not an April Fools. Cloudflare does not do that. This is a real project.
- I can assure you this is not an April Fools. Cloudflare does not do that.
It should. I miss the days when tech was interesting and fun.
Even Steve Jobs, for all his later-day revisionist hard-assed reputation, enjoyed the occasional Easter egg, inside joke, or April Fool's joke.
- I appreciate a good April Fools joke, I also appreciate CloudFlare's approach of "we're extra serious today, here's some useful stuff for ya"
- I hated that shit. I'd load Slashdot and there was no real content or it was difficult to find real news amongst all the crap. It's not funny. It's annoying.
- Some of the april fools things can be annoying, but I have a big shrug for there being less real news for a day. Anything important will get through and most days don't have much interesting news anyway.
- I feel bad for you. That's a lot of anger over virtually nothing.
- Hm, you might want to catch up on the Wordpress “open source” drama with WP.com vs .org, WP engine and Matt.
- Oh, come on. It must be a joke. They can't be serious with this sloppy thing.
- There's always https://textpattern.com/ which is also as old as Wordpress (older?) and better coded. (See also thttps://textpattern.org/ ).
- It stores plugins as strings in the database, then pulls those strings back and evals them as PHP on requests.
"Better coded" is very much a subjective assessment.
- There might be pie on your face but they stole my line, https://github.com/HatmanStack/kill-wordpress
- I think you need to account for the base rate. There's a lot of WordPress plugin vulnerability disclosures because there's a lot of WordPress plugins and there are enough deployments of the plugins to make searching for those vulnerabilities is worthwhile.
That site warns that WordPress plugins can be abandoned, but that's clearly not a WordPress specific issue. Sure some site could use SSG, but that's a different design.
I certainly don't want to claim WordPress security is good, but I'm not sure that site is measuring anything meaningful.
- Just measured your visit, zing.
- Its impressive work from CF that lots of people in this thread are unsure whether its a joke or not, like a delicately balanced april fools for the hn crowd
- wordpress is valuable because it allows very bad developers / marketing people to write very bad code and get away with it, driving extremely low cost solutions for clients who are cost concious.
yes you want a global db handle sure ya lets delete all tables woohoo
- > wordpress is valuable because it allows very bad developers / marketing people to write very bad code and get away with it, driving extremely low cost solutions for clients who are cost concious.
You've sort of nailed it, but this isn't a bad thing. An alternative for these customers does not exist.
There's another vertical which is organizations that have armies of writers churning out content. Any kind of publisher or advertiser, basically. There is no better CMS for this. Large organizations like NYT, etc chose to write their own.
- >> wordpress is valuable because it allows very bad developers / marketing people to write very bad code and get away with it, driving extremely low cost solutions for clients who are cost concious.
> You've sort of nailed it, but this isn't a bad thing. An alternative for these customers does not exist.
Yes! I'm locked into WordPress, which I hate, because it's the only platform that will allow a non-developer to maintain it if I get hit by a bus.
- I started building sites for clients in the late '90's, and quickly made "client can edit their phone number on all pages" a key requirement. Wordpress with a WYSIWYG page builder solves that — it's not the only solution, but it works pretty close to right out of the box.
- Which also allows you to not be on call 24/7.
A decade ago I had to learn and run WordPress for a job. I held my nose up the stink was so bad. But quickly I learned how to manage it and have modern sensible practices around it and I've probably gotten more real value out of it than any other CMS or web framework I've touched. That includes Rails.
Thankfully I don't have to do that anymore, but you can sanely and safely run WordPress today and there's zero shame in it.
- There are options that can be run by anyone, but they're often very constrained in what they can do and show.
Wordpress is solidly in that middle ground where you can do a large amount of customization if someone'll pay for it, and then they can do the day-to-day care and feeding of it.
Everything else has either been much worse in all possible ways (Joomla!) or has been a collection of developer wish-lists unusable by anyone (Drupal).
- yep. we like it because with shopify or other platforms, you run into limitations. with Wordpress I can literally just whip it into whatever shape i want.
- As a (unfortunately) wordpress dev this seems to solve my single biggest painpoint with WP. Which isn't plugin security, but the overall plugin architecture.
WP treats plugins as content, literally in the same top level `wp-content` directory as uploaded images. This makes CI/CD among other things, a nightmare. But EmDash plugins are just TS modules, which has got to make things easier even if plugin configuration does end up in the db somewhere.
- A WordPress spiritual successor backed by Cloudflare sounds great in theory, but the headline feature, plugin isolation via Dynamic Workers, only works on Cloudflare's runtime. On any other host it's just a TypeScript CMS without the security model that justifies its existence. Open source but architecturally locked in.
- I missed this. So they didn’t really solve much at all. I guess at least it’s compatible with other runtimes. But yeah, who would’ve guessed that Cloudflare software would (besides being vibeslop) prefer Cloudflare infra. This, of course, makes the software quite hard to adopt.
- > Open source but architecturally locked in.
You hit the nail on the head.
Cloudflare's new business model is to find popular OSS projects, create a vibe coded alternative that only runs on Cloudflare's infrastructure.
- I think pretty much every corporation that can have had this thought, has had it. Really "any popular software" where they can provide similar functionality. And I think this is going to happen more often before it becomes less common.
- Sadly, it looks more and more like it. It’s sad, because they were doing wonderful stuff.
- Agreed. They are destroying their professional reputation.
- > Our name for this new CMS is EmDash. We think of it as the spiritual successor to WordPress. It’s written entirely in TypeScript. It is serverless, but you can run it on your own hardware or any platform you choose. Plugins are securely sandboxed and can run in their own isolate, via Dynamic Workers, solving the fundamental security problem with the WordPress plugin architecture. And under the hood, EmDash is powered by Astro, the fastest web framework for content-driven websites.
To me this sounds of the polar opposite of the direction CMS's need to go, instead simplify and go back to the "websites" roots where a website are static files wherever, it's fast, easy to cache and just so much easier to deal with than server-side rendered websites.
But of course, then they wouldn't be able to sell their own "workers" product, so suddenly I think I might understand why they built it the way they built it, at the very least to dogfood their own stuff.
I'm not sure it actually solves the "fundamental security problem" in actuality though, but I guess that remains to be seen.
- I think this is true, however, when it comes to non-coding clients I've worked with they really do like the ability to make minor edits to a site with a UI rather than having to continually ping a developer.
The problem with WordPress (and it looks like this solution largely just replicated the problem) is that it's way too cumbersome and bloated.
It really is unlike any modern UI for really any SaaS or software in general.
It's filled with meaningless admin notices, the sidebar is 5 miles long and about 98% of what the user sees is meaningless to them.
Creating a very lightweight, minimal UI for the client to edit exactly what they need or like you said, just static files really is the best solution in most cases. The "page builders" always just turn into a nightmare the clients end up handing over for a dev to "fix" anyways.
Not sure why so many people feel the need to continue on the decades of bloat and cruft WordPress has accumulated, even if it's "modernized."
- Sure, but if I want to host my static files on a website where they are easily cached... cloudflare also offers this product?
- I am confused - what are the good “websites” roots? Server-side rendered or not?
- Websites used to be static html files.
You either write them by hand, or use a tool that generates it locally, upload everything and you're done. Perfect security. Great performances.
It's in this sense that static generators go back to the source, the simply produce dumb HTML files that you upload/publish to a web server that doesn't need to run any code. Just serve files.
- The question is then they'd be building some brand new thing not compatible with wordpress. Supposedly the proposition is to steal people away from wordpress. Not just get people building something from scratch looking for a new framework. I'm guessing the recent lawsuits also provide some momentum.
- It's not compatible with WordPress, though. It slurps a WordPress export, which is quite literally static data. They expect you to code up anything dynamic using their agent skill.
- It looks like they rolled it so you can plug in local components of your choice, though? The security model does assume you have MAC containerized environments available at your fingertips though, so having something like DHH's once is probably a soft minimal dependency if you want to do-it-yourself.
- But "back to CMS roots" is absolutely not what the WordPress ecosystem is about. It's about the absolute galaxy of plugins that provide you with an entire digital experience "in a box". You can just install whatever plugins for ecommerce, CRM, forms management, payments, event calendars. They will all plugin to both the template system and the MySQL database. There are a lot of well-known and reputable plugins with huge installed bases (woocommerce, gravity forms, yoast seo) but there's a ton of shady ones that can infect your install. Cloudflare is directly addressing the shortcomings of the existing plugin architecture indicating they intend for EmDash to fill a similar niche as an All-in-One digital experience and not just a simple CMS.
- Reading this paragraph I was genuinely convinced it was an April 1st thing.
- Reminds me of Vercel and NextJS, where a popular framework design is constrained by, or optimally runs, on their infra, but then comes with pains or unusualness if self-hosted (eg. middleware). Vendor lock-in plays are a big red flag
- Serious question: Why is everyone still using JavaScript to AI-code projects? You can vibe-code apps with real languages now.
There's no reason to use an interpreted, bloated, weird language anymore. The only reason interpreted languages were a thing was so you could edit a file and re-run it immediately without a compile step. Compiling is now cheap, and you don't have to build expertise in a new language anymore. Ask AI to write your app in Go, it'll happily comply. Run it and it's faster with less memory use and disk space. The code is simpler and smaller making reviewing easier. Distribution is as easy as "copy the file".
I'll grant you, interpreted languages skip the "portability" compiling/distributing step, and let you avoid the stupid MacOS code signing. But Go is stupid easy to cross-compile, and (afaik?) the user can un-quarantine a self-signed app pretty easily.
- a) llms are good at writing typescript
b) typescript fixed a lot about javascript and is somewhat decent
c) multiple fast and performant runtime engines
d) deployment story is php levels of easy
that's it.
- > While EmDash aims to be compatible with WordPress functionality, no WordPress code was used to create EmDash. That allows us to license the open source project under the more permissive MIT license.
Ha ha, that's really funny timing given the recent launch of Cleanroom As A Service, promising that you can licensewash other peoples' code quickly and easily: https://malus.sh/
I'm not saying they did that, but it's ironic timing.
- Malus is (well crafted) satire.
- It looks like I'm in the minority after reading this comments, but I'm quite happy to see this announcement.
A "good" standard, free CMS with theming and plugin support without the issues of Wordpress is _welcome_. (And the issues are many: Licensing, trust, drama, security, and cost).
I'm guessing that a lot of cynicism here is coming from this crowd not being the target market of Wordpress in the first place? What were you recommending to non-technical friends and family who wanted a good, open source, affordable CMS to back their website? Wordpress has all the right _ideas_, but the wrong implementation.
- I think the cynicism is related to cloudflares recent previous releases that were considered to be slop that significantly overpromised on its capabilities/completeness. Trust can take a long time to rebuild.
- > x402 is an open, neutral standard for Internet-native payments. It lets anyone on the Internet easily charge, and any client pay on-demand, on a pay-per-use basis. A client, such as an agent, sends a HTTP request and receives a HTTP 402 Payment Required status code. In response, the client pays for access on-demand, and the server can let the client through to the requested content.
Fascinating. Cloudflare is envisioning a future where agents are given debit cards by their owners, so they can autonomously send microtransactions to website owners to scrape content or possibly purchase goods on the owner's behalf. I don't know how I feel about that but there's no doubt it's a fascinating concept.
Brb, setting up a honeypot that always responds with HTTP 402 Payment Required demanding 10cents per visit... That's the next "selling 1 million pixels on my website for $1 each", I guess
- If you can find a way to trick agents into always accepting your payment required then you could set up a tarpit generating trash content or an infinite string of redirects or "read this other page for more info", charging extra for each one.
- It's like the exploit from Office Space is finally legal.
- Spiritually hollow; at this point, it reads more like marketing material than anything of genuine substance.
- > But for the past two months our agents have been working on an even more ambitious project: rebuilding the WordPress open source project from the ground up.
> no WordPress code was used to create EmDash
Hm. Do you think those agents were trained on WP code?
- > Solving scale-to-zero for WordPress hosting platforms > WordPress is not serverless
Just not accurate. WordPress doesn't prevent this.. It's up to hosting providers to work on their infra so it can run in a serverless fashion.
For example: https://www.agiler.io
That's serverless wordpress that scales to zero.. no changes to WordPress, plugins or anything else.. just platform infra.
- Last time I checked Wordpress was completely fine living in a couple of PHP files on a webspace. That’s like the pinnacle of „serverless“, is it not?
- mysql/mariadb and the shared filesystem requirements are a bit different than what lambda/etc provides. So not really, but it's all solvable clearly.
- Serious question: Who actually builds stuff on Cloudflare workers? I mean large software projects / services, and not just side projects where the ability to scale-to-zero is perhaps more important than the scale-to-infinity direction. I feel like Cloudflare keeps pushing workers with its full force yet I fail to see the appeal.
- I'm building a commercial SaaS product on Workers. Although I've barely scratched the surface of what Cloudflare offers¹, so far it's been great. The value proposition is effectively the same as serverless in general: You worry about the product, they worry about deployment. Note that Cloudflare Workers is just one (albeit important) star in their constellation of capabilities.
¹https://developers.cloudflare.com/directory/?product-group=D...
- Cloudflare Workers solves their "scaling the price to infinity" problem.
- Me. I used to deploy everything via Docker swarm but recently migrated everything to workers because wrangler is awesome, it makes blue/green very simple, and it's a lot less of a headache for me to maintain in general. It's a great/flexible product. I also use R1/R2 pretty extensively.
- It's always seemed like a solution looking for a problem.
- Its kind of annoying that CF would use an LLM to build something and try to pass it off as something built from "the ground up". Its just copying the library that was already build and passing it off as their own.
- But isn't this a well-curated April Fools?
- the plugin security problem in WordPress was never really a code quality problem - it was a trust model problem. any developer could publish a plugin and any site owner could install it with one click, with no vetting layer in between. TypeScript and serverless doesn't change that dynamic unless the trust model changes too. curious how EmDash handles third-party plugin permissions at the API boundary.
- It runs each sandboxed plugin inside its own dynamic worker, with a separate bridge worker to enforce permissions. The worker only has access to its permitted APIs.
- the bridge worker as permission enforcement is a solid pattern - the plugin can't escalate by calling APIs directly, everything goes through the bridge. the edge case I'd be curious about is plugin-to-plugin interaction. if two plugins share state through a permitted API, does the bridge enforce granular enough boundaries there, or does the trust model flatten at that layer?
- I don't like that they see the main selling point that the license, is not GPL, and that plugins don't have to license it that way either. I understand that not all developers are comfortable with the GPL license, but it allows to the code continue to be open source and that most plugins are open source also
- A big issue with WordPress is the GPL. There hasn't been much clarity about it and the interpretations I've heard from Automattic in regard to which code is and is not covered by the GPL come from Automattic, not from the GPL. https://redsweater.com/blog/825/getting-pretty-lonely
- I dunno, with the constant firehose of debate and disdain for AI this is a joke I'm too burned out about to feel like laughing at.
- It's a shame they don't seem to try to address the divide between CMS's and static sites.
Most WordPress sites could just be static, but WordPress has a nice editor interface, so they're not - unless you use a SSG plugin. Building that into the core workflow (which I believe Astro supports) and giving users a nice hosted editor that produces a static site would be welcome innovation.
- I've been migrating a few Wordpress sites from Wordpress to Astro + Strapi recently, working in 'hybrid mode' so the entire site is static except for post previews in Strapi (only that one route is SSR).
Editing content in Strapi, once customized with CKEditor and such, is Wordpressy enough for the human Editors familiar with WP.
So far I'm loving the stack.
- EmDash with some aggressive caching and SWR is effectively this, and we're getting closer to that every day. When the cost of maintaining the data part of the CMS is effectively free, you're basically working with a static site anyway.
- I haven’t used Wordpress for a few years. But with WP Super Cache (1) we also always did pretty much that: On saving a post/page the static HTML would be written to a cache directory and be the default content served to visitors.
- The issue with static sites is they can't do comments.
- Astro would call that an island: https://docs.astro.build/en/concepts/islands/
I guess this is our answer to the question of why Cloudflare acquired it in the first place.
- So many WordPress sites don't have comments.
- I bet 99.9% of live Wordpress sites no longer have comments enabled.
- They can - it’s just more complex.
You just put the comments into something like firebase/supabase etc or use one of many off the shelf solutions. Free tier is fine.
- Is it still a static site then?
You could just do it with CGI scripts, without the external dependencies, but that isn't really static either.
- Depends what you would call that architecture then I guess!
I run my local theatre website by writing the posts in markdown, and then have some github actions which use Hugo to turn it in to a static site and then uploads the content to an S3 bucket. The site itself has dynamic content like within-website ticket buying from eventbrite and a contact form that sends email using an external service. It also calls in things like google analytics.
Does this still count as static? Personally I think so, Even though there are 'dynamic' elements.
I think a lot of 'static' sites are actually like this - calling in dynamic elements as required, rather than just banning them outright.
- I run static sites for my clients, with embedded forms.
Performance says they’re definitely still static sites!
- "Just" sure is doing a lot of heavy lifting in this sentence.
- Curious about the architectural choice: Why not build it as a pure headless CMS separate from Astro, and then ship an Astro adapter alongside it?
- It's great that they are recreating much of the fundamental software stack using LLMs. But if you're going to 'vibeslop,' at least do it in a language other than JavaScript.
I struggle to understand why anyone would want to generate code in TypeScript - unless what you're building truly can't be done in Go, Rust, or Kotlin; anything but JS.
I’m not sure how much of an improvement it really is to rewrite something from PHP to TypeScript while claiming security benefits.
- The power of WordPress is not the ease of use, but PHP.
Anything built on PHP will be widely used, like Laravel
- That used to be a major selling point because hosts enabled PHP for a directory devs would FTP things into, but those days are thankfully long gone. I don't think it's any more difficult to host a JS, TS, or anything else, app than it is to host a PHP app today. In fact, PHP is probably more difficult than something like Netlify.
- That’s also nice joke! You are all killing it today
- Well, you’re quite fucking wrong there.
- With PHP you can still drop a single file on shared hosting and be up in minutes, with no build step or CDN proxy in the mix.
npm deps adds plenty of attack surface on its own. Netlify is fine until you need custom binaries or persistent storage, then it gets weird fast. PHP has plenty of warts, but the ops path stays flatter than Node for the boring case most sites need.
- All PHP is going to be replaced with single binary Rust apps.
Talented teams will build the atoms for most apps - blogs, CMSes, ticket systems, forums - and it'll be easy for end users to configure.
Rust is easy to code gen and deploy now. No barrier to understanding lifetimes. It's the language everyone should be using Claude Code to emit.
Everyone is now a Rust engineer with 10 years of experience. (I'm not joking, just in case that needs clarification.)
If you haven't tried writing a simple web service in Axum or Actix plus SQLx, you need to give it a try. You'll be amazed at how simple it is, and you'll be even more amazed at how performant and easy it is to work with.
You do not need to know Rust or have any prior Rust experience. You'll pick it up along the way. It's easy and you'll learn it fast.
Rust is a low-defect rate language to serialize to. The syntax begs you to handle errors, nulls, exceptional conditions within the language itself. This is naturally a good fit for most business problems. It doesn't hurt that the language is fast as hell and super portable either.
If the job is now encoding business logic - this is the optimal serialization that I'm aware of. I write Go, Java, Python, TypeScript, PHP, Swift - I can't think of any better language for greenfield projects that don't have existing language/library requirements.
- I'm not sure you appreciate why PHP was successful. You might be completely right about all this, but the LAMP-stack "just upload this file to shared hosting" workflow is what made apps like WordPress win out, and the barrier remains significantly higher to do the equivalent with Rust.
- These april fools jokes keep getting lazier every year.
- It's kind of ironic that the name of this product is also the most obvious marker of LLM generated content
- That's the joke.
- Oh I am slow lol
Is this an April fools?
- Name is a joke, but the project is real
- Functional April Fools, the best kind. A couple years ago Eleiko, a weightlifting equipment company did one, the 'Heavy Mug', a 19 poundish steel coffee cup with a handle in the style of a knurled bar, and actually did a limited run of them.
- "That allows us to license the open source project under the more permissive MIT license."
- Yes definitely compare it multiple times to WordPress and nobody will think of calling their lawyers.
Is this April fools? With real products launching on this date you can't really be too sure.
- Not an April fools joke. [0]
- That makes it look more like an April fools joke. All the commits are from today.
- Cloudflare specifically launches things on April 1st a lot of times. https://x.com/Cloudflare/status/1907055975057506793
They announced 1.1.1.1 on April 1st way back in 2018 too.
- That's not unusual though, large companies releasing something open source very often squash the history at launch.
- The best jokes are serious.
- > Yes definitely compare it multiple times to WordPress and nobody will think of calling their lawyers.
It's not illegal to make product comparisons. That's just competition.
- Tell that to the guy who got upset with WP Engine. EmDash is clearly "inspired" by WordPress including in its UI, so there's definitely something to it.
- >> It's not illegal to make product comparisons. That's just competition.
> Tell that to the guy who got upset with WP Engine.
Why? That situation had nothing to do with comparisons.
- I'd really love to see Matt go after CloudFlare over the trademark. WPE might grind him into the dust, but CF will obliterate every constituent atom.
- The phrase "spiritual successor to WordPress" is not likely to be judged a trademark violation, though. It doesn't create confusion in the marketplace as to whether Emdash is WordPress.
- The problem with WP Engine was that the name is confusing to users who aren't familiar with it. Presumably the WordPress Engine is the core of Wordpress? Or it's the thing powering Wordpress? It's easy to see ways in which an end user could be confused which was which.
Conversely, this product is called something else, and while their blog post references Wordpress repeatedly it's in a way as to make it very clear that this is not that.
- [delayed]
- Matt got upset because they forked his open source project and built a hundred million dollar revenue business on top of it without contributing anything back to WordPress.
He'd have more of a leg to stand on if WordPress wasn't itself a fork of an open source project.
Matt should have built something open core or fair source licensed - free for customers, but stops competitors from stealing your lunch. He has no legal ground to argue his case now.
It's a much bigger deal with hyperscalers poaching and stealing, like AWS and GCP ripping off and stealing most of the revenue from Redis and Elasticsearch. That's dishonest and evil in my mind.
Totally orthogonal to this issue of marketing comparisons.
- Will you look at it. Another Wordpress “killer”. Wordpress has that market share because it can be easily installed in a wide variety of servers and because of its plugin ecosystem of dozens of thousands of plugins and huge flexibility/customizability. Wordpress is one of the most flexible pieces of software out there and none of the competition seem to get why Wordpress is so popular.
- Why would I want to publish my writing online when it can just be copied by an AI?
- “EmDash” sounds like it will also generate the writing.
- Reading the comments below, have we all fallen for a 1st April Fools' joke?
Actually, rebuilding WordPress without the ecosystem is kind of the point. For example, would Divi or the major page builders rebuild their entire products to support this? I doubt it
- Lately Cloudflare is trying to create alternatives to big ones, like first Vercel & now Wordpress.
- This part is interesting:
"Plugin security is the root of this problem. Marketplace businesses provide trust when parties otherwise cannot easily trust each other. In the case of the WordPress marketplace, the plugin security risk is so large and probable that many of your customers can only reasonably trust your plugin via the marketplace. But in order to be part of the marketplace your code must be licensed in a way that forces you to give it away for free everywhere other than that marketplace. You are locked in."
There was much drama with wordpress some time ago and the plugin marketplace.
- If you need a reliable source for WordPress plugins, check out https://github.com/fairpm/fair-plugin?tab=readme-ov-file#fai...
A system for using Federated and Independent Repositories in WordPress
- The UI doesn't seem geared to power users. E.g. Why is the featured image taking up so much space above the content editing area when it's sized appropriately for the sidebar? Imagine you need to update the text of several posts... Well, now you gotta scroll down half the page to the content area of each one.
And all that padding gets you quite the narrow content area. Not to mention it looks like a very basic TinyMCE. Seems like more of a POC than an actual "spiritual successor".
- I think wordpress, woo commerce and elementor are in a Mexican standoff. Wordpress cant fork or change in a major way because the other two are so popular no one would use the new variant. woo commercere and elementor can't just walk away and make their own wordpress-less platform because they rely on each other and the other constellation of plugins that run on wordpress.
- WooCommerce is owned by the same company as Wordpress. Elementor is just one page builder of many in the vast ecosystem you mention, but much of that ecosystem can be ported. As replacing the core CMS goes, Emdash might be able to conquer, but time will tell as to whether it's able to rule.
- I mean it's cool your created a new CMS and all, but beyond the look of the admin interface and publishing flow, I don't see how this is a "Spirtual Successor" to WordPress at all.
Its a CMS, designed from scratch, for a serverless world. It has a stricter, well defined API that plugins are forced to use instead of directly calling/overriding core functionality like in WP. But that benefit comes with a CMS that's built on top of, and seems to prefer, a ton of CF proprietary capabilities (D1 Databases, R2 for image/media storage, their workers for running things).
The web need less consolidation on CF, not more.
- > Its a CMS, designed from scratch…
Maybe not scratch scratch: "And under the hood, EmDash is powered by Astro…"
> It's built on top of, and seems to perfer you use CF proprietary capabilities (D1 Databases, R2 for image/media storage, their workers for running things.
D1 is SQLite, R2 is S3, and there are other ways to securely run plugins. If it was designed to only be possible to deploy on Cloudflare, they didn't do a very good job.
- I don't like where any of this is going
- I'm all for creating new frameworks that are faster and more secure. But I don't see how this one relates to Wordpress (not in PHP, serverless, not "plug and play", dependent on Astro, "AI Native"…).
It looks like a good open source project, but just call it a new CMS. I think calling it a "spiritual successor to WordPress" is just to gain some marketing points.
- This is great, but if the plugin ecosystem isn't compatible will it take off?
Most WordPress users use at least one plugin: it is the appeal of the product.
- I've been wanting a CMS on top of Cloudflare workers for a while, so I hope this pays off!
- Payload can be deployed to Cloudflare Workers: https://github.com/payloadcms/payload/tree/main/templates/wi...
- Pages is a thin layer over Workers, and a standard deployment target for most if not all that I've seen.
- Who wants to vibe code an open source Cloudflare?
- I am not sure if this is an April fool joke anymore in the age of AI.
- Wordpress is PHP, which has developer base insanely larger then typescript. Also, a lot cheaper. Compete with that.
- Your first statement is wildly and verifiably untrue (see: https://survey.stackoverflow.co/2025/technology#most-popular...) and your second statement doesn't make sense. I've got like 8 sites on Pages/Workers with R1 + vectorize databases scattered around and I'm not paying a dime for any of that. What cost are you talking about?
- Coding agents make this much less important.
- Thanks, but I'll stick to WordPress.
- You want a spiritual successor? We have Ghost.
You want anything beyond ghost? Find a way to port the vast market of 100,000+ cheap and free themes and components that are available to enable tech-illiterate, low-budget users to basically build an entire business platform on a $5/mo shared hosting plan.
A vibe coded CMS that's 3 months in the making is not capable of taking that place in the market, no matter how much VC funding you put behind it.
- Plugin security is one thing. Plugin budget is another thing... much larger of a problem in some cases.
- I really hope Cloudflare is ready and willing to stand by this thing for the next 20 years, and drive it as a first class product with a huge open source team. Because short of that you can just add this to the mile-long list of "successors to WordPress" we've been through over the decades. Maybe they're in it for the long haul. We'll see. But it takes time, and mountains of integrations and acceptance into the wider web authoring ecosystem for anything like this to gain real adoption.
- One thing that makes it different this time is that coding agents will probably make it easy to port the most important plugins to the new system.
Also, there are successful alternatives to Wordpress too, so the most likely outcome is that it becomes yet another alternative.
- Good one, at last, April fools joke with some effort.
- I for one am glad that WordPress has some competition. This sounds like a killer rewrite.
- From the people who brought you "we used AI to undercut a project we use rather than pay them fairly for the work we relied on" comes an exciting new lawsuit by Mullenweg for using Wordpress in their product description.
- The problem is that it doesn't solve the network-effect problem.
People aren't on WordPress because of WordPress.
They're on WordPress because of WooCommerce, a million themes, BuddyPress, integrations for every stupid internal business API on the planet (many of which are terrible and were written by an idiot with a crayon).
The APIs will have no testing because they are bad. In many cases the WordPress implementation of the API written in the codeblock, ran on page-load to the pain of the person responsible for SEO, is the API contract.
And yes those plugins are also terrible, but they solve business problems, even if they are tech problems.
You can't just launch a better wp-core and expect it to replace any of that.
EmDash needs to actually run the existing insecure WP plugins to takeover.
- You seem to have missed the point. This is intended to be more secure in a new world where exploits will be cheap to discover. The factors you mention won't keep people onboard if systems are compromised every day in too many ways for fragmented security teams to keep on top of.
- Spiritually bankrupt, that should just be considered marketing material.
- Payload
- Will be there a way to export all the posts to markdown so you never get locked in?
- Damm Anthropic had a chance to say april fools too for the claude code leak!!
- It’s written in typescript, not PHP. How does this improve security if no one uses it because they’ve invested so much in the WP plugin ecosystem?
- After all the AI slop from Cloudflare in recent months and the embarrassment that came with it, they dare to launch this vibe coded project with THAT name on April 1st? I'm really not sure what to think anymore. Reality became too absurd.
- Ha! Nice April Fools joke. Nothing will succeed WordPress. Not even AGI. Specially not something with the name EmDash. Good one Cloudflare.
- Lol, build the same level of community first, then we’ll talk
- "Failed to initialize playground"
- Try again once or twice.
- if this can implode the crooked "web hosting industry" that surrounds the lamp / wordpress ecosystem the better.
- Impressive and created by agents. Another example for skeptics wondering where the AI apps are.
- I think this is too soon to call. No one questions whether AI can build things. We question whether they can build stable things that work as expected and stay online in the long run.
- The stability question is real but I think it's framed wrong. The issue isn't whether an agent can write correct code in a single session -- they can, and pretty reliably now. It's whether there's a human with enough understanding of the codebase to debug it when something breaks at 2am.
I run parallel coding agents on my own projects daily. The code they produce is fine. What worries me is the "just ship it" energy where nobody on the team deeply understands what got built. That's not an AI problem, it's been a problem with outsourced codebases forever. AI just makes it faster to accumulate code nobody fully groks.
Cloudflare probably has the engineering depth to maintain this regardless of how it was built. A lot of other teams don't.
- I too have seen a lot of comments asking where the products are. If you're now moving the goal posts to "stay online in the long run" you're gonna have to wait until there's been a long run to stay online in. Agents aren't that old yet.
- This will largely be based on the maintainers’ priorities. Coding agents can audit and clean up code too, provided that you set the right goals.
- did you test it? How do you know it works?
- EmDash on Apr 1 come on guys
- deployed it on vercel for lolz - it works!
- Is this just literally turning plugins into microservices? Lol
- Held up getting into the details of this ambitious project because of the name! Ridiculous choice considering the associations with AI, slop, and even the general crowded namespace surrounding that. C'mon.
(looks for cameras) Wait a minute, am I being Punk'D? Oh my god! Ashton, you really got me! Ha Ha! Ashton!
- [dead]
- [dead]
- [dead]
- [dead]
- [dead]
- [dead]
324 points by elithrar 3 hours ago | 218 comments