If you’ve been building content sites long enough, WordPress probably feels like an old friend — reliable, ubiquitous, but increasingly showing its age. The PHP architecture that once made it king now feels like technical debt, and the endless plugin security vulnerabilities (according to Patchstack, 96% of WordPress security issues come from plugins) are a real pain point no one wants to deal with anymore. Enter EmDash — a full-stack TypeScript CMS built on Astro and Cloudflare, and it’s rapidly becoming the WordPress successor that developers have been waiting for.

EmDash is a TypeScript-first content management system that runs on Cloudflare Workers (or any Node.js server), using a sandboxed plugin architecture that fundamentally solves the security problem that has plagued WordPress for decades. Created in April 2026, it already has over 10,600 GitHub stars and an active community discussing its future — including a live debate about a decentralized plugin registry modeled after the AT Protocol (Issue #694). That kind of active technical discussion is exactly what makes a project worth watching.

The case for EmDash isn’t just “it’s built with modern tools.” It’s that the project is rethinking the CMS paradigm from first principles — starting with the observation that WordPress’s security model is fundamentally broken by design.

In WordPress, any plugin you install gets full access to your database, filesystem, and user data. One vulnerable plugin can compromise your entire site. EmDash’s answer is elegant: plugins run in isolated Worker sandboxes via Dynamic Worker Loaders, each with a declared capability manifest. A plugin that only needs to read content and send emails can do exactly that — and nothing else. This is a genuine architectural leap, not just a version bump.

Beyond security, there’s the content model. WordPress stores rich text as HTML with metadata embedded in DOM comments, which ties your content to its presentation layer. EmDash uses Portable Text, a structured JSON format that decouples content from rendering. Your content can display as a web page, a mobile app, an email newsletter, or an API response — without any HTML parsing or re-processing. For teams building multichannel content strategies, this is a significant advantage.

Then there’s the AI angle. EmDash ships with built-in agent skills for plugin and theme development, a CLI for programmatic site management, and crucially, a built-in MCP server (Model Context Protocol). This means AI coding assistants like Claude can directly interact with your site content, schema, and configuration — not just as a chatbot, but as a first-class citizen with defined tools. The project is actively debating how plugins can define their own MCP tools (Issue #988), which suggests the AI integration is only going to deepen.

The project ships with three production-ready starter templates: a classic blog (with full-text search, RSS, and dark/light mode), a conversion-focused marketing site (with pricing cards, FAQ, and contact forms), and a visual portfolio (with tag filtering and case study pages). All three come with full admin panel integration, media library, navigation menus, and taxonomies.

EmDash integrates into Astro via a simple Astro plugin that pulls in the complete CMS layer — admin panel, REST API, authentication, media library, and plugin system — as an opt-in. There’s no separate admin domain or iframe embedding: the CMS IS part of your Astro build.

Content types are defined in the database, not in code. Non-developers create and modify collections through the visual admin UI, and each collection automatically gets a properly typed SQL table. Developers can then generate TypeScript types directly from the live schema with npx emdash types. It’s a workflow that blurs the line between developer tooling and end-user interface in a genuinely useful way.

1. Developer blogs and documentation sites. If you want a blog that’s genuinely fast, integrates with your existing Astro project, and has a real admin UI without a separate CMS hosting tier, EmDash is purpose-built for this. No PHP, no separate WordPress installation — just deploy your Astro site with wrangler deploy.

2. Multi-tenant SaaS content platforms. The sandboxed plugin architecture makes EmDash well-suited for platforms where you want to allow customer-defined plugins without risking cross-tenant security. The capability manifest model means you can offer a plugin marketplace with fine-grained permission control.

3. AI-augmented content operations. Teams building AI-powered content pipelines will appreciate the built-in MCP server. Instead of building custom integrations for each AI tool, you expose your content operations as MCP tools that any compatible AI assistant can use directly. The ongoing work on plugin-defined MCP tools (Issue #988) suggests this use case is actively being expanded.

Here’s how to get a working EmDash site running locally — no Cloudflare account needed for the demo:

# Step 1: Create a new EmDash project
npm create emdash@latest my-site
cd my-site

# Step 2: Install dependencies (pnpm monorepo)
pnpm install
pnpm build

# Step 3: Seed the demo database (SQLite, no external services)
pnpm --filter emdash-demo seed

# Step 4: Start the dev server
pnpm --filter emdash-demo dev

# Step 5: Open the admin panel
# Visit http://localhost:4321/_emdash/admin
# Default demo credentials are shown in the terminal

To deploy to Cloudflare (full production setup with sandboxed plugins):

# Authenticate with Cloudflare
wrangler login

# Configure your bindings in wrangler.jsonc
# (D1 database, R2 bucket, KV namespace)
# Note: Dynamic Workers require a paid Cloudflare plan (5 USD per month)

# Deploy to Cloudflare Workers
wrangler deploy

Pro tip from the community: if you hit plugin-related errors in local dev, check the worker_loaders block in your wrangler.jsonc — sandboxed plugins require paid Cloudflare accounts, but you can safely disable them by commenting out that section for local development.

🤝 Sandboxed plugin security. WordPress plugins have unrestricted access to the entire system, which is why plugin vulnerabilities account for the vast majority of WordPress breaches. EmDash plugins declare a capability manifest at install time, and the Worker sandbox enforces those boundaries at runtime. A plugin that only needs read:content cannot touch your filesystem or user database — this isn’t just convention, it’s enforced isolation.

📈 Portable Text content model. Instead of storing content as HTML strings with embedded metadata, EmDash uses structured JSON (Portable Text). This means your content layer is presentation-agnostic: the same content renders as a web page, a native mobile view, an email, or an API response. It’s the difference between storing a document as a PDF and storing it as a structured document with separate layers for content, layout, and styling.

🤖 Built-in MCP server for AI integration. Rather than building custom API integrations for each AI assistant, EmDash exposes its content operations as Model Context Protocol tools. Any MCP-compatible AI can interact with your site content, manage posts, query collections, and execute plugin operations — with a well-defined interface that doesn’t require custom code. The project is actively discussing how plugins can define their own MCP tools (Issue #988), which would let third-party plugins integrate seamlessly with AI workflows.

⭐ 10,664 | 📅 Current stars (May 27, 2026) | 🔄 Created April 2026

Keystatic is another Astro-based CMS worth mentioning, but it takes a different approach: Keystatic is a local-first content layer that lives in your git repository, while EmDash is a full-stack system with a visual admin panel, user authentication, and a plugin ecosystem. If you want a headless CMS for a JAMstack site, Keystatic is excellent. If you want a WordPress replacement — complete with admin UI, auth, and extensible plugins — EmDash is the better fit.

Decap CMS (formerly Netlify CMS) is Git-based and simpler, but like Keystatic it lacks the full admin panel, multi-user auth, and plugin sandboxing that EmDash provides. Decap is great for documentation sites; EmDash is designed for production content platforms.

Issue #694 — RFC: Decentralized Plugin Registry (23 comments)

The community is actively debating how plugins should be distributed. Lead maintainer @ascorbic proposed using the AT Protocol (the same decentralized social protocol behind Bluesky) to build a federated plugin registry, so the plugin ecosystem isn’t dependent on a single central server. Community member @BenjaminPrice raised a key concern: the RFC currently presents sandboxed and native (unsandboxed) plugins side-by-side in the same registry, which could undermine the security value proposition if native plugins are easier to install. @schiste pointed out the irony of building a decentralized registry while potentially replicating WordPress.org’s centralization problems. The discussion shows the team is genuinely thinking through the long-term social architecture, not just the technical one. This is a healthy debate for a project at this stage.

Issue #988 — Add plugin-defined MCP tools (10 comments)

Contributor @masonjames proposed letting EmDash plugins define their own MCP tools, so third-party plugins can expose AI-accessible operations alongside the built-in CMS tools. Maintainer @ascorbic’s AI review flagged that there’s no validation of MCP tool name shapes or route existence in sandboxed plugins. Mason responded by adding manifest-side inputSchema support using JSON Schema for serializable input validation, while trusted plugins can still pass Zod schemas directly. The discussion shows EmDash’s AI integration is being designed carefully, not bolted on — input schemas are being thought through before plugins start shipping MCP tools en masse.

Issue #719 — Fix: render file field with media picker (25 comments)

This was a significant usability PR: instead of entering file URLs as plain text, the admin UI now shows a visual media picker with drag-and-drop uploads via signed URLs. The PR touched 19 files and 3,453 lines, which shows how seriously the team takes admin UX. Multiple maintainers reviewed it, and the automated checks (scope guard, overlap detection, Cloudflare deployment verification) all ran as expected — a sign of a well-maintained project with good CI/CD hygiene.

1. Dynamic Workers require a paid Cloudflare account. The sandboxed plugin system is EmDash’s killer feature, but it depends on Cloudflare’s Dynamic Workers, which are only available on paid plans (starting at 5 USD per month). If you’re evaluating EmDash for local development, you can disable plugins by commenting out the worker_loaders block in wrangler.jsonc, but you’ll lose the sandboxing feature until you deploy to a paid Cloudflare account.

2. WordPress import has known rough edges. The WordPress import wizard (Issue #607) is actively being worked on, but some edge cases aren’t fully handled yet: WordPress menus, custom block images, and certain plugin-specific content may not migrate cleanly. If you’re migrating a large WordPress site, plan for manual cleanup of media and custom post types. The team is aware and actively patching these.

3. EmDash is in beta preview. While the project is actively developed and has production-quality templates, the maintainers explicitly note it’s still in beta. Breaking changes are possible, and the plugin ecosystem is young. If you need stability guarantees, you may want to wait for 1.0 — but if you want to shape the direction of the next-generation CMS, now is the perfect time to contribute.

EmDash is a genuinely exciting project precisely because it’s attacking the CMS problem from first principles, not just transplanting old ideas into a new framework. The sandboxed plugin security model, Portable Text content layer, and built-in MCP server for AI integration are three genuinely differentiated features — not marketing buzzwords. At 10,600+ stars with an active community debating plugin architecture and AI integration, it’s attracting the right kind of technical attention. The paid Cloudflare requirement for sandboxed plugins is a real constraint, but the demo works locally without any external services, so evaluation is frictionless.

If you’ve been frustrated by WordPress security vulnerabilities, or you’re building a content platform and want first-class AI integration from day one, EmDash deserves a close look. The project is young and moving fast — the kind of early momentum that usually means the best is yet to come.

View EmDash on GitHub

📁 More GitHub Popular Open Source Projects: Developer Tools