Josselin HANEL.
FR EN DE
Eco Mode
Eco Mode on — An alternative version of the site, optimised for slow connections and on-the-go browsing.
← Back to blog

EmDash: Cloudflare validates my technical choices, but doesn't go far enough

eco-conception, securite, performance

WordPress powers 43% of the web. Blogs, shops, business sites: it's been the default choice for 20 years. On April 1, 2026, Cloudflare launched EmDash, a competing CMS built on Astro and their own infrastructure. The date caused confusion among developers. It was real.

What interests me about this announcement is what it says about technical choices — and their limits.

The problem WordPress created

WordPress runs on plugins: third-party extensions that add features. Contact forms, shops, analytics — there are tens of thousands of them. The problem: every plugin has full access to the site. A single compromised plugin is enough to expose everything. 96% of WordPress breaches come from plugins.

What EmDash offers

EmDash solves this problem halfway. Each plugin is isolated: it must declare upfront exactly what it needs access to, and can do nothing else. It's more secure than WordPress. It's also more efficient: the site consumes nothing when no one is visiting.

The combination — Astro on Cloudflare — is exactly what I use for showcase sites and e-commerce. For more complex applications with real-time requirements, I lean towards other technologies, but for this type of need it's the right choice.

Where I disagree

EmDash is still a plugin-based system. It secures extensions better, but still depends on them to function. That's a response to a structural problem I chose not to have.

Most of what a plugin does can be built directly, better, and without the risks that come with it. A contact form, a gallery, a booking system: these aren't complicated problems. They're problems that thousands of plugins solve generically, with all the bloat and vulnerabilities that entails.

The result: no attack surface from extensions, no dependency on third-party updates, no unnecessary features shipped by default.

What this confirms

EmDash shows that relying on Astro and Cloudflare is a solid direction for building fast, secure, and more resource-efficient websites. It’s encouraging to see this kind of approach becoming more widespread.

EmDash is still quite new for serious production use, and its plugin-based model inevitably comes with some compromises.

For projects where performance, security, and environmental impact matter, I focus on custom-built solutions. The goal is simple: create interfaces tailored to real needs, without unnecessary menus or complexity. This keeps things clear, controlled, and free from dependence on external platforms.

Sources: Cloudflare BlogInfoQHacker News

Related articles

BrowserGate: LinkedIn secretly scans your browser extensions

LinkedIn injects a 2.7MB script that detects 6,000 extensions installed in your browser and collects your hardware data. Without telling you.

React2Shell: 77,000 exposed servers, massive exploitation within hours

On December 3rd, Meta disclosed CVE-2025-55182: a critical 10/10 vulnerability in React Server Components. 77,000 vulnerable servers, 30 organizations compromised. What this reveals about modern web complexity.

Have a project in mind?

Feel free to contact me for a free quote with no obligation.

Let's talk

+33 7 81 33 97 68

josshanel@gmail.com