I've given the security, or lack of, WP a lot of thought recently. In WP malicious plugin has access to the database, enfironment variables, rendering text on screen (think XSS). Luckily, a thoughtfully designed plugin system can mitigate all of those issues.
I've been working on a headless CMS in my spare time that is eirily similar to EmDash in a few ways. It's in very early development, but I will share regardless. It's called HotsauceCMS - https://github.com/hotsauce-team/hotsauce
- I went with optional NodeJS or Deno Worker plugins, this means that first-party plugins can benefit from the speed of in-process, and other plugins can be run in Workers. For fine grained permission control, you can use Deno Workers.
- I went with absolute minimal dependencies, I am so fed up with Dependabot alerts and npm supply chain hacks. My CMS has only 4 dependencies, 0 transistive dependencies.
- It's Drizzle schema first, and headless. So you have full controll of the database structure, use cms hints in your schema for features like file upload.
- It's database-agnostic, so it works with any Drizzle-supported database (Postgres, MySQL, SQLite)
- Being headless, you can use any frontend, my preference is JSX w/o react, but anything goes.
Feedback is absolutely welcomed on HotsauceCMS, did I miss a trick, am I on the right track?
Anyway, congratulations on EmDash. I'll be following closely, excited to see how the next few months unfold.
To me this sounds of the polar opposite of the direction CMS's need to go, instead simplify and go back to the "websites" roots where a website are static files wherever, it's fast, easy to cache and just so much easier to deal with than server-side rendered websites.
But of course, then they wouldn't be able to sell their own "workers" product, so suddenly I think I might understand why they built it the way they built it, at the very least to dogfood their own stuff.
I'm not sure it actually solves the "fundamental security problem" in actuality though, but I guess that remains to be seen.
"I need a website for my bakery". "What's supposed to be on it?" "Our address, opening times, a few pictures". I build them a static website.
"Now I need a contact form". Ok, that doesn't really fit into a static website, but I can hack something together. "Now I need to show inventory, and allow customers to pre-order". A static website won't cut it anymore.
When you develop for clients, especially those that you don't know very well, it's a bad idea to back yourself into a corner that's not very extensible. So from that perspective, I really get why they give plugins such a central spot.
I got my start in webdev slinging WordPress sites like a lot of self taught devs and I definitely see the pain points now that I’ve moved on to more “engineering” focused development paradigms but the value proposition of WP has always been clear and present.
Given how WP leadership is all over the place at the moment, I can see how Cloudflare sees this as an opportunity to come in and peel away some market share when they can convince these current WP devs to adopt a little AI help and write applications for their platform instead.
Let’s see if it pays off!
The problem with WordPress (and it looks like this solution largely just replicated the problem) is that it's way too cumbersome and bloated.
It really is unlike any modern UI for really any SaaS or software in general.
It's filled with meaningless admin notices, the sidebar is 5 miles long and about 98% of what the user sees is meaningless to them.
Creating a very lightweight, minimal UI for the client to edit exactly what they need or like you said, just static files really is the best solution in most cases. The "page builders" always just turn into a nightmare the clients end up handing over for a dev to "fix" anyways.
Not sure why so many people feel the need to continue on the decades of bloat and cruft WordPress has accumulated, even if it's "modernized."
You either write them by hand, or use a tool that generates it locally, upload everything and you're done. Perfect security. Great performances.
It's in this sense that static generators go back to the source, the simply produce dumb HTML files that you upload/publish to a web server that doesn't need to run any code. Just serve files.
WP treats plugins as content, literally in the same top level `wp-content` directory as uploaded images. This makes CI/CD among other things, a nightmare. But EmDash plugins are just TS modules, which has got to make things easier even if plugin configuration does end up in the db somewhere.
A while ago I ran claude code in a custom loop (calling it autoclaude; this was last summer) to create a CMS with Gutenberg’s editor but a lean Python backend (github.com/hessammehr/nuCMS). This was in the Sonnet 3.7 days and even that model got quite far.
There's no reason to use an interpreted, bloated, weird language anymore. The only reason interpreted languages were a thing was so you could edit a file and re-run it immediately without a compile step. Compiling is now cheap, and you don't have to build expertise in a new language anymore. Ask AI to write your app in Go, it'll happily comply. Run it and it's faster with less memory use and disk space. The code is simpler and smaller making reviewing easier. Distribution is as easy as "copy the file".
I'll grant you, interpreted languages skip the "portability" compiling/distributing step, and let you avoid the stupid MacOS code signing. But Go is stupid easy to cross-compile, and (afaik?) the user can un-quarantine a self-signed app pretty easily.
b) typescript fixed a lot about javascript and is somewhat decent
c) multiple fast and performant runtime engines
d) deployment story is php levels of easy
that's it.
Perhaps I'm speaking out of depth because I haven't done a lot of Golang, but I've always thought of it as a systems language first, which means by necessity you have you to handle lower level problems yourself. I'm sure there's plenty of libraries that paper over this - but the philosophy of the languages themselves is different. Javascript was designed to solve CRUD like interfaces/problems quite well.
Maybe this is just an outdated argument though that isn't really relevant with modern golang/rust though.
E: Oh, I think it's an April fools joke, I'm embarrassed.
E2: Apparently not a joke.
On the initial commit:
> Some content is hidden
> Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.
This for "a spiritual successor to WordPress".
The real test for any WordPress replacement: can a non-technical business owner hire someone on Fiverr to customize it in an afternoon? WordPress passes that test. Nothing else does. That's not a technology problem, it's a labor market problem.
It should. I miss the days when tech was interesting and fun.
Even Steve Jobs, for all his later-day revisionist hard-assed reputation, enjoyed the occasional Easter egg, inside joke, or April Fool's joke.
But you're right, I was an extremely angry person back then. Many years of therapy and deliberate ongoing work and I'm a radically different man. Thank goodness I got to the other side.
"Better coded" is very much a subjective assessment.
That site warns that WordPress plugins can be abandoned, but that's clearly not a WordPress specific issue. Sure some site could use SSG, but that's a different design.
I certainly don't want to claim WordPress security is good, but I'm not sure that site is measuring anything meaningful.
yes you want a global db handle sure ya lets delete all tables woohoo
You've sort of nailed it, but this isn't a bad thing. An alternative for these customers does not exist.
There's another vertical which is organizations that have armies of writers churning out content. Any kind of publisher or advertiser, basically. There is no better CMS for this. Large organizations like NYT, etc chose to write their own.
> You've sort of nailed it, but this isn't a bad thing. An alternative for these customers does not exist.
Yes! I'm locked into WordPress, which I hate, because it's the only platform that will allow a non-developer to maintain it if I get hit by a bus.
A decade ago I had to learn and run WordPress for a job. I held my nose up the stink was so bad. But quickly I learned how to manage it and have modern sensible practices around it and I've probably gotten more real value out of it than any other CMS or web framework I've touched. That includes Rails.
Thankfully I don't have to do that anymore, but you can sanely and safely run WordPress today and there's zero shame in it.
Wordpress is solidly in that middle ground where you can do a large amount of customization if someone'll pay for it, and then they can do the day-to-day care and feeding of it.
Everything else has either been much worse in all possible ways (Joomla!) or has been a collection of developer wish-lists unusable by anyone (Drupal).
You hit the nail on the head.
Cloudflare's new business model is to find popular OSS projects, create a vibe coded alternative that only runs on Cloudflare's infrastructure.
Fascinating. Cloudflare is envisioning a future where agents are given debit cards by their owners, so they can autonomously send microtransactions to website owners to scrape content or possibly purchase goods on the owner's behalf. I don't know how I feel about that but there's no doubt it's a fascinating concept.
Brb, setting up a honeypot that always responds with HTTP 402 Payment Required demanding 10cents per visit... That's the next "selling 1 million pixels on my website for $1 each", I guess
Ha ha, that's really funny timing given the recent launch of Cleanroom As A Service, promising that you can licensewash other peoples' code quickly and easily: https://malus.sh/
I'm not saying they did that, but it's ironic timing.
A "good" standard, free CMS with theming and plugin support without the issues of Wordpress is _welcome_. (And the issues are many: Licensing, trust, drama, security, and cost).
I'm guessing that a lot of cynicism here is coming from this crowd not being the target market of Wordpress in the first place? What were you recommending to non-technical friends and family who wanted a good, open source, affordable CMS to back their website? Wordpress has all the right _ideas_, but the wrong implementation.
The hard part is displacing Wordpress market share; building a community of bloggers, marketeers, agencies, web designers, and so on; creating a huge ecosystem of paid and free plugins, allowing plugin devs to commit to your marketplace and lock customers in.
Wordpress is awful. The only thing it's got going is its moat, but that's not an engineering problem, but a people problem instead.
Other than that, it seems it might be a half decent headless CMS, if the bit of WordPress you want is its interface, and not the number of plugins and devs and not being tied to Cloudflare's infrastructure.
Just not accurate. WordPress doesn't prevent this.. It's up to hosting providers to work on their infra so it can run in a serverless fashion.
For example: https://www.agiler.io
That's serverless wordpress that scales to zero.. no changes to WordPress, plugins or anything else.. just platform infra.
¹https://developers.cloudflare.com/directory/?product-group=D...
> no WordPress code was used to create EmDash
Hm. Do you think those agents were trained on WP code?
Most WordPress sites could just be static, but WordPress has a nice editor interface, so they're not - unless you use a SSG plugin. Building that into the core workflow (which I believe Astro supports) and giving users a nice hosted editor that produces a static site would be welcome innovation.
Editing content in Strapi, once customized with CKEditor and such, is Wordpressy enough for the human Editors familiar with WP.
So far I'm loving the stack.
I guess this is our answer to the question of why Cloudflare acquired it in the first place.
You just put the comments into something like firebase/supabase etc or use one of many off the shelf solutions. Free tier is fine.
You could just do it with CGI scripts, without the external dependencies, but that isn't really static either.
I run my local theatre website by writing the posts in markdown, and then have some github actions which use Hugo to turn it in to a static site and then uploads the content to an S3 bucket. The site itself has dynamic content like within-website ticket buying from eventbrite and a contact form that sends email using an external service. It also calls in things like google analytics.
Does this still count as static? Personally I think so, Even though there are 'dynamic' elements.
IMO static refers more about how the content is served rather than saying that the content can’t be ‘dynamic’ as lots of Wordpress sites have static/non interactive content but still regenerate the html on each page load.
Performance says they’re definitely still static sites!
Anything built on PHP will be widely used, like Laravel
npm deps adds plenty of attack surface on its own. Netlify is fine until you need custom binaries or persistent storage, then it gets weird fast. PHP has plenty of warts, but the ops path stays flatter than Node for the boring case most sites need.
Talented teams will build the atoms for most apps - blogs, CMSes, ticket systems, forums - and it'll be easy for end users to configure.
Rust is easy to code gen and deploy now. No barrier to understanding lifetimes. It's the language everyone should be using Claude Code to emit.
Everyone is now a Rust engineer with 10 years of experience. (I'm not joking, just in case that needs clarification.)
If you haven't tried writing a simple web service in Axum or Actix plus SQLx, you need to give it a try. You'll be amazed at how simple it is, and you'll be even more amazed at how performant and easy it is to work with.
You do not need to know Rust or have any prior Rust experience. You'll pick it up along the way. It's easy and you'll learn it fast.
Rust is a low-defect rate language to serialize to. The syntax begs you to handle errors, nulls, exceptional conditions within the language itself. This is naturally a good fit for most business problems. It doesn't hurt that the language is fast as hell and super portable either.
If the job is now encoding business logic - this is the optimal serialization that I'm aware of. I write Go, Java, Python, TypeScript, PHP, Swift - I can't think of any better language for greenfield projects that don't have existing language/library requirements.
Draging a bunch of PHP files onto an FTP client is harder than modern dev practices.
If you've got a modern frontend of any kind, you're already beyond this.
Is the second coming of Wordpress what we really need?
Is this an April fools?
I struggle to understand why anyone would want to generate code in TypeScript - unless what you're building truly can't be done in Go, Rust, or Kotlin; anything but JS.
I’m not sure how much of an improvement it really is to rewrite something from PHP to TypeScript while claiming security benefits.
Is this April fools? With real products launching on this date you can't really be too sure.
They announced 1.1.1.1 on April 1st way back in 2018 too.
It's not illegal to make product comparisons. That's just competition.
> Tell that to the guy who got upset with WP Engine.
Why? That situation had nothing to do with comparisons.
Conversely, this product is called something else, and while their blog post references Wordpress repeatedly it's in a way as to make it very clear that this is not that.
He'd have more of a leg to stand on if WordPress wasn't itself a fork of an open source project.
Matt should have built something open core or fair source licensed - free for customers, but stops competitors from stealing your lunch. He has no legal ground to argue his case now.
It's a much bigger deal with hyperscalers poaching and stealing, like AWS and GCP ripping off and stealing most of the revenue from Redis and Elasticsearch. That's dishonest and evil in my mind.
Totally orthogonal to this issue of marketing comparisons.
Actually, rebuilding WordPress without the ecosystem is kind of the point. For example, would Divi or the major page builders rebuild their entire products to support this? I doubt it
"Plugin security is the root of this problem. Marketplace businesses provide trust when parties otherwise cannot easily trust each other. In the case of the WordPress marketplace, the plugin security risk is so large and probable that many of your customers can only reasonably trust your plugin via the marketplace. But in order to be part of the marketplace your code must be licensed in a way that forces you to give it away for free everywhere other than that marketplace. You are locked in."
There was much drama with wordpress some time ago and the plugin marketplace.
And all that padding gets you quite the narrow content area. Not to mention it looks like a very basic TinyMCE. Seems like more of a POC than an actual "spiritual successor".
A system for using Federated and Independent Repositories in WordPress
It looks like a good open source project, but just call it a new CMS. I think calling it a "spiritual successor to WordPress" is just to gain some marketing points.
Its a CMS, designed from scratch, for a serverless world. It has a stricter, well defined API that plugins are forced to use instead of directly calling/overriding core functionality like in WP. But that benefit comes with a CMS that's built on top of, and seems to prefer, a ton of CF proprietary capabilities (D1 Databases, R2 for image/media storage, their workers for running things).
The web need less consolidation on CF, not more.
Maybe not scratch scratch: "And under the hood, EmDash is powered by Astro…"
> It's built on top of, and seems to perfer you use CF proprietary capabilities (D1 Databases, R2 for image/media storage, their workers for running things.
D1 is SQLite, R2 is S3, and there are other ways to securely run plugins. If it was designed to only be possible to deploy on Cloudflare, they didn't do a very good job.
Most WordPress users use at least one plugin: it is the appeal of the product.
Also, there are successful alternatives to Wordpress too, so the most likely outcome is that it becomes yet another alternative.
If Cloudflare really have radically changed their software development philosophy lately, this would actually be an interesting project, being based on Astro and coming with some APIs for programmatic management.
Them being so happy about the „cost of software development“ and not going very deep into ecosystem, community or project management doesn’t convince me that this is going to be a worthwhile project, even if, unlike their previous vibe coding demos, this one actually works.
As the post implies, I did use a lot of agent time on this, but this isn't a vibe-coded weekend project. I've been working full time on this since mid-January.
That's the significant part of Wordpress after all, not the mediocre code.
- good caching - GUI in spanish - a cli like wp-cli
good cache control is essential for news sites with 100k + posts
this is not clear to me, and is not discussed in the article
you can like or dislike the name. but criticizing the quality of work based on your affinity for the name is foolishness
..so like a fork in the way it's done, a new way of doing things.
But you need to remove the dev/ai hat in order to go back to writing rules and the real use.
Compatible how?
You even open the article by linking the toy project where you used agents to "recreate Next in a week" and released with critical vulnerabilities.
1- EmDash plugins are written in TypeScript, not PHP
2- EmDash plugins have a specific permissions model, where they need to explicitly request access to certain things.
3- WordPress plugins just invoke things. EmDash plugins have a defined API you use to talk to different capabilitites
4- Those capabilities are totally different, and at a different abstraction, than what WordPress provides.
Beyond the look of the admin interface and publishing flow, I don't see how this is a "Spirtual Successor" to WordPress at all. Its a CMS, designed from scratch, for a serverless world, using CF proprietary capabilities (D1 Databases, R2 for image/media storage, their workers for running things).
The question isn't whether this took longer than a weekend or whether you personally have open source experience, it's whether Emdash is actually being built as an open ecosystem or as a Cloudflare-bound platform. Bringing up your background reads like using prior credibility to justify the project's quality, instead of demonstrating it.
If it only runs properly on Cloudflare's infrastructure, then invoking "understanding open source and community" feels misleading. Those values usually imply portability and independent ecosystem growth, not tight platform coupling.
Also, "not vibeslop" here isn't about effort, it's about whether there's a clear, defensible reason this exists beyond being an AI-accelerated WordPress-like system tied to one vendor.
"Please respond to the strongest plausible interpretation of what someone says, not a weaker one that's easier to criticize. Assume good faith."
Reliable agent-coded development only seems to work for small codebases. (And it’s amazing in Ruby for some reasons.)
I don't write code manually anymore, but Im still getting the exact code output that I want.
I'd consider it vibe-coding if you never read the code/plan.
For example, you could package this up in a bash alias `vibecode "my prompt"` instead of `claude -p "my prompt"` and it surely is still vibe-coding so long as you remain arms length from the plan/code itself.
Even for tests, I always thought the real valuable part of it was that it forced you to think about all the different cases, and that just having bunch of green checkboxes if anything was luring developers into a false sense of security
Before AI, you were often encumbered with the superficial aspects of a plan or implementation. So much that we often would start implementing first and then kinda feel it out as we go, saving advanced considerations and edge-cases for the future since we're not even sure what the impl will be.
That's useful for getting a visceral read on how a solution might feel in its fetal stage. But it takes a lot of time/energy/commitment to look into the future to think about edge cases, tests, potential requirement churn, alternative options, etc. and planning today around that.
With AI, agents are really good at running preformed ideas to their conclusion and then fortify it with edge-cases, tests, and trade-offs. Now your expertise is better spent deciding among trade-offs and deciding on what the surface area looks like.
Something that also just came to mind is that before AI, you would get married to a solution/abstraction because it would be too expensive to rewrite code/tests. But now, refactoring and updating tests is trivial. You aren't committed to a bad solution anymore. Or, your tests are kinda lame and brittle because they're vibe-coded (as opposed to not existing at all)? Ok, AI will change them for you.
I also think we accidentally put our foot on the scale in these comparisons. The pre-AI developer we'll imagine as a unicorn who always spends time getting into the weeds to suss out the ideal solution of every ticket with infinite time and energy and enthusiasm. The post-AI developer we'll imagine as someone who is incompetent. And we'll pit them against each other to say "See? There's a regression".
That said, iteration is much more difficult on established codebases, especially with production workflows where you need to be more than extra careful your migration is backwards compatible, doesn't mess up feature x,y,z,d across 5 different projects relying on some field or logical property.
We've all just seen the Claude Code source code. 4k class files. Weird try/catches. Weird trade-offs. Basic bugs people have been begging to fix left untouched.
Yes, there's a revolution happening. Yes, it makes you more productive.
But stop huffing the kool-aid and be realistic. If you think you're still deciding about the trade-offs, I can tell you with sincerity that you should go try and refactor some of the code you're producing and see what trade-offs the AI is ACTUALLY making.
Until you actually work with the code again, it's ridiculously easy to miss the trade-offs the AI is making while it's churning out it's code.
I know this because we've got some AI heavy users on our team who often just throwing the AI code straight into the repo with properly checking it. And worse, on a code review, it looks right, but then when something goes wrong, you go "why did they make that decision?". And then you notice there's a very AI looking comment next to the code. And it clicks.
They didn't make that decision, they didn't choose between the trade-offs, the AI did.
I've seen weird timezone decisions, sorting, insane error catching theatre, changing parts of the code it shouldn't have even looked at, let alone changed. In the FE sphere it's got no clue how to use UseEffect or UseMemoization, it litters every div with tons of unnecessary CSS, it can't split up code for shit, in the backend world it's insanely bad at following prior art on things like what's the primary key field, what's the usual sorting priority, how it's supposed to use existing user contexts, etc.
And the amount of times it uses archaic code, from versions of the language 5-10 years ago is really frustrating. At least with Typescript + C#. With C# if you see anything that doesn't use the simpler namespacing or doesn't use primary constructors it's a dead give-away that it was written with AI.
We've now build a machine capable of something that can't even be called "technical debt" anymore - perhaps "technical usury" or something, and we're all supposed to love it.
Most coders know that support and maintenance of code will far outlast and out weigh the effort required to build it.
To some agents are tools. To others they are employees.
All I hear are empty promises of better software, and in the same breath the declaration that quality is overrated and time-to-ship is why vibecoding will eventually win. It's either one, or the other.
Lot of ppl are only in the beginning stages so they think its different because they came up with some fancy looking formal process to generate vibe.
the state of the art of software engineering is to use AI. it's just reality
But no matter how much code, including tests that AI can generate there was only one human thinking about those prompts, for a few months.
Any defects in that single human's thought process for overall architecture, security architecture, test architecture and coverage were not reviewed by any other human who might think differently and catch things that were missed. Ideally they were all at least reviewed by AI, but how differently operate from itself? It isn't particularly good at detecting its own errors without a human telling it to, which means the human needs to detect it in the first place.
Perhaps my most important point here is simply everyone here on HN is aware of all of these things, and as excited as some of us are about AI coded endeavors, the top response here will likely be the top response for many years - how do I know it isn't garbage? AI might be able to generate code fast, but informed users will definitely develop trust in it on a more human time scale.
I think the core idea of addressing a core architecture security defect in Wordpress has a legs. I'd make the case that the security architecture demonstrated here is table stakes for new software projects in 2026 when it clearly wasn't really conceivable in 2003. Though I'd also argue that many of the top Wordpress plugins should be shipped as "batteries included" in any successor, spiritual or otherwise - it would remain important to be extensible beyond those, securely.
A spiritual successor to Wordpress designed to run modern cloud infrastructure is a neat thing no doubt.
But after handling a bunch of horrible Wordpress and PHP stuff in my life lately, I'm tacking a bit of begging onto my hopefully useful response. Someone, anyone, AI coded or not, please work on a COMPLETE successor to Wordpress. And PHP really - though I do think taking care of Wordpress would entirely deal with the PHP problem.
What do I mean? All the modern table stakes stuff: * API first * fast bits in Rust (or Zig whatever IDK) * WASM * modern security architecture * batteries included - it is extremely dumb to have to add a plugin for calendars/dates/events and have about 100+ options for those. * designed to be deployed into modern clouds.. but also self-hostable on a single server, or colocated by small (cheap!) providers - ie: addressing ALL of the user base of Wordpress * one-click migration from Wordpress. Wordpress does this "with itself" to allow admins to move from one provider to another. Without this feature, might as well not bother
There is a business opportunity here I believe, though I'm not proposing a business model per se. A lot of people, myself included pay for Wordpress hosting while also hating it and being ready to leap at an alternative - even if it cost more.
Well that's because actual vibe coding is a completely separate thing from "LLM assisted coding, know what you’re doing but use LLMs to do tedious stuff".
I'm not entirely sure what you mean by "started calling it", but vibe coding doesn't need a new name, it needs people to be clear about what they mean.
yeah.
> But for the past two months our agents have been working on an even more ambitious project: rebuilding the WordPress open source project from the ground up.
They have honed their AI OSS troll marketing chop and every step goes far and far. I'll take it more seriously once they start open sourcing vibe coded projects they actually use in their production.
capabilities: ["read:content", "email:send"],
The problem is there's no beating the slop allegation. There's no "proof of work" that can be demonstrated in this comment section that satisfies, which you can see if you just keep following the entire chain. I'd rather read slop comments than this.
The main engineer of this project is in the comments and all he's being engaged with on is the definition of vibes.
Is AI merely being used as a tool to aid the engineer? Because that's what I do. I use it as essentially a super-autocomplete. It typically only writes a couple lines at a time for me. On rare occasions, I can write a function signature and let it fill out the body. That's coding with AI.
Anything more than that though? You're stepping into coding by AI, which utterly fails at anything beyond an MVP. Once you go over 2,000 lines of code or so, it falls apart. It can't reason about anything with even a small amount of complexity, and every "bug fix" either fails to fix the bug or it introduces two more.
The blog post was chock full of factual errors, claimed to be based off project X but wasn't at all and even had the cheek to include that it was arguably the most secure way to deploy such a server, with their implementation apparently already being used by their team to serve real traffic. Meanwhile the repo was full of TODOs for all the security aspects of the protocol.
Of course after the backlash a lot of this was covered up so look at the archives if you are curious.
They have really done a disservice to themselves because their blog posts used to be excellent, but now I have to question whether it's another blogpost full of fakery like that one (and there was another since iirc). Given this blog post talks about reimplementing a popular project, it starts to give off the signs of being another one of these. Unfortunate if that's not the case
(To be clear, I'm no fan of WordPress either, and its security hassles are a real issue. But some sloppified MegaCorp vibecoded fever dream will never be a suitable replacement, of that I guarantee.)
You want anything beyond ghost? Find a way to port the vast market of 100,000+ cheap and free themes and components that are available to enable tech-illiterate, low-budget users to basically build an entire business platform on a $5/mo shared hosting plan.
A vibe coded CMS that's 3 months in the making is not capable of taking that place in the market, no matter how much VC funding you put behind it.
People aren't on WordPress because of WordPress.
They're on WordPress because of WooCommerce, a million themes, BuddyPress, integrations for every stupid internal business API on the planet (many of which are terrible and were written by an idiot with a crayon).
The APIs will have no testing because they are bad. In many cases the WordPress implementation of the API written in the codeblock, ran on page-load to the pain of the person responsible for SEO, is the API contract.
And yes those plugins are also terrible, but they solve business problems, even if they are tech problems.
You can't just launch a better wp-core and expect it to replace any of that.
EmDash needs to actually run the existing insecure WP plugins to takeover.
Half the websites on wordpress moved to shopify, squarespace, etc. a very long time ago. The remaining half were blogs, personal pages, wikis, etc. that moved to community/social platforms created in the past decade(s). In a few cases out of all this someone finally learned how to write/host a webpage themselves (imagine that)! It's even easier with AI now.
I'm totally serious when I ask "why". Who actually uses a CMS or anything like that anymore? It's madness!
I run parallel coding agents on my own projects daily. The code they produce is fine. What worries me is the "just ship it" energy where nobody on the team deeply understands what got built. That's not an AI problem, it's been a problem with outsourced codebases forever. AI just makes it faster to accumulate code nobody fully groks.
Cloudflare probably has the engineering depth to maintain this regardless of how it was built. A lot of other teams don't.
(looks for cameras) Wait a minute, am I being Punk'D? Oh my god! Ashton, you really got me! Ha Ha! Ashton!