
This is very interesting. I've worked with WordPress on and off for 10 years, and I'm convinced that this project has got 2 things absolutely spot on. TypeScript and Worker plugins.

I've given the security, or lack of it, of WP a lot of thought recently. In WP a malicious plugin has access to the database, environment variables, rendering text on screen (think XSS). Luckily, a thoughtfully designed plugin system can mitigate all of those issues.

I've been working on a headless CMS in my spare time that is eerily similar to EmDash in a few ways. It's in very early development, but I will share regardless. It's called HotsauceCMS - https://github.com/hotsauce-team/hotsauce

- I went with optional NodeJS or Deno Worker plugins. This means that first-party plugins can benefit from the speed of in-process, and other plugins can be run in Workers. For fine-grained permission control, you can use Deno Workers.

- I went with absolute minimal dependencies, I am so fed up with Dependabot alerts and npm supply chain hacks. My CMS has only 4 dependencies, 0 transitive dependencies.

- It's Drizzle schema first, and headless. So you have full control of the database structure, use cms hints in your schema for features like file upload.

- It's database-agnostic, so it works with any Drizzle-supported database (Postgres, MySQL, SQLite)

- Being headless, you can use any frontend, my preference is JSX w/o react, but anything goes.

Feedback is absolutely welcomed on HotsauceCMS, did I miss a trick, am I on the right track?

Anyway, congratulations on EmDash. I'll be following closely, excited to see how the next few months unfold.
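The comment above names three things a WordPress plugin can reach directly: the database, environment variables and rendered output. The following is an added example, not part of the comment and not code from HotsauceCMS or EmDash; it sketches the host side of a message-based plugin boundary, assuming the plugin runs in a worker with no ambient access (for instance a Deno Worker with permissions removed) and can reach the host only through these messages. The manifest shape, message types and `brokerRequest` are hypothetical.

```javascript
// Added illustration: hypothetical manifest and message shapes, not the API of
// HotsauceCMS, EmDash or WordPress. The plugin is assumed to run in a worker and
// to reach the host only through messages that pass through brokerRequest().
const escapeHtml = (s) =>
  String(s).replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));

// Constructed host state that an in-process plugin could read directly.
const hostEnv = { DATABASE_URL: "postgres://cms:secret@db/cms", SITE_NAME: "Demo" };
const hostDb = {
  posts: [{ id: 1, title: "Hello" }],
  users: [{ id: 1, email: "admin@example.test" }],
};

// Capabilities the site owner granted to this plugin (constructed sample).
const manifest = {
  name: "related-posts",
  permissions: { env: ["SITE_NAME"], dbRead: ["posts"], render: true },
};

// Decide one plugin request. Anything not granted is denied by default.
function brokerRequest(manifest, msg) {
  const p = manifest.permissions || {};
  const deny = (reason) => ({ ok: false, error: reason });
  switch (msg && msg.type) {
    case "env.get":
      if (!(p.env || []).includes(msg.key)) return deny("env:" + msg.key);
      return { ok: true, value: hostEnv[msg.key] };
    case "db.read":
      if (!(p.dbRead || []).includes(msg.table)) return deny("db:" + msg.table);
      // Return copies so the plugin never holds a reference to host rows.
      return { ok: true, value: hostDb[msg.table].map((row) => ({ ...row })) };
    case "render":
      if (!p.render) return deny("render");
      // Plugin output is treated as text, so markup it sends cannot execute.
      return { ok: true, value: escapeHtml(msg.text) };
    default:
      return deny("unknown request");
  }
}

// Constructed requests, as a misbehaving plugin might send them from its worker.
const demo = [
  { type: "env.get", key: "SITE_NAME" },
  { type: "env.get", key: "DATABASE_URL" },
  { type: "db.read", table: "users" },
  { type: "render", text: "<script>alert(1)</script>" },
].map((msg) => brokerRequest(manifest, msg));
console.log(demo);
```

The broker only helps if the worker has no other route to the same resources; a worker that shares the host's filesystem, network or environment can bypass it.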



Personally, I am in the other camp and think they got the language change absolutely wrong. I already have PHP installed on my server, why do I need to install TypeScript? The easiest website to run is in PHP. All other languages add a barrier.


I agree with your sentiment. Meet the customer where they are at, right?

Years ago, I would have said small businesses are on cPanel, FTP-ing files to the server. Asking them to run NodeJS is crazy. But here we are, the hosting landscape is vastly different, is it still so crazy to ask a small business owner to put their code on GH, connect GH to a hosting platform and push?

---

Anyway, I doubt you will see people dropping off WP and migrating sites to EmDash. What's more likely will be that it is considered as an alternative for new projects.


> I'm convinced that this project has got 2 things absolutely spot on. TypeScript and Worker plugins.

Can you explain why TS is spot on?


The main thing is unified types.

- I've done a GraphQL server with a build step to share types between languages.

- I've used untyped JS client side code.

Both are prone to bugs, and not much fun.

TS for front and back end: sharing types means you'll have editor type hints, catch type errors at lint (or build), and you might even share validation logic between client and browser.


I used to work with WordPress a lot, but last time was a couple years ago.

The appeal for the company I was working with was ease of installation on legacy servers (FTP). You would just upload the files, and it worked. No CLI tools, no dependency management, no build tools.

But yeah, security was a big issue. Constant hacks.


The constant hacks are a side effect of WordPress popularity. Every discovered security flaw is exploited by bots almost immediately. Unless you keep up with the updates you are very vulnerable. It is not because WordPress is built on "legacy" stack. Other CMSes on that stack (and many are very popular) don't have this problem.


The popularity helps, but it’s also because WordPress’s security model is distilled insanity. PHP makes this insanity far easier than most languages, and WordPress embraces that, whereas the likes of Drupal rebuff it.


I think the security issue is that people trust random plugins without reviewing them.

I’ve been running WP with small and large companies and no big security issues. You either build your own plugins or go with the trusted few you need to augment your operation.


Same. I've been working with and managing thousands of WP sites for over a decade and the only issues I've had have been with sites acquired from 3rd parties with random themes and plugins (and old WP versions) that break if you update something. Those have gotten hacked and have caused many headaches.

Basically no issues with sites built in-house. As you say, only reputable 3rd party plugins (like for SEO, caching, multilang) most others made in-house.


This is the way. WordPress is so popular because you can get it to do or be anything. I have done some terrible terrible things to WordPress. Need a simple blog? No problem! Want a LMS? Sure why not! e-commerce? Go for it! CRM? Absolutely! Etc etc.

But there are many many "WordPress" developers out there that only know how to glue plugins together, so you often end up with plugin soup.

In the hands of someone who actually knows how to code you don't have any issues.



> I am now scared to talk to anyone. Eventually the conversation turns to AI and they want to talk or show their vibecoded app.

> I am just tired boss. I am not going to look at your app.

Hey, I feel bad for you. I would say try and avoid HN if you don't want to see AI.

But, in this case, I want to respectfully disagree with you. I read the frontpage of HN almost daily, I never really jump into conversations, for this post about EmDash I am absolutely qualified to contribute.

There are precisely 2 open source projects in existence (prove me wrong) where the "Worker Plugin" architecture has been taken. Mine and EmDash. Looking at some of the code examples from EmDash was like looking at my own docs.

If you don't want to look at my app, then fine. But please don't gatekeep, I'm qualified to talk here.



