That framing drew a sharp rebuttal from WordPress co-founder and Automattic chief executive Matt Mullenweg, who argued that EmDash is not truly in WordPress’s tradition because WordPress can run almost anywhere, while EmDash, in his view, works best inside Cloudflare’s own infrastructure. Mullenweg also rejected the idea that Cloudflare had solved WordPress’s plugin problem, saying the openness and deep reach of plugins are central to WordPress rather than a flaw to be engineered away.
Beneath that exchange lies a deeper industry argument about security, openness and control. Cloudflare says EmDash tackles a structural weakness in the WordPress model by isolating plugins in separate runtime environments, reducing the damage a compromised extension can do. That message is likely to resonate because WordPress’s plugin ecosystem has long been both its biggest strength and its biggest vulnerability. Patchstack’s 2025 security report said 7,966 new vulnerabilities were identified across the WordPress ecosystem in 2024, with 96 per cent found in plugins and only a tiny share in core software.
Yet WordPress remains dominant on a scale that makes any challenger look small at the outset. W3Techs data updated on 5 April 2026 shows WordPress is used by 59.8 per cent of websites with a known content management system, representing 42.5 per cent of all websites. That reach gives WordPress a community, plugin library and installed base that no new entrant can match quickly, even one backed by Cloudflare’s engineering reputation and distribution power. The size of that footprint is also why disputes inside the WordPress world now spill well beyond a niche developer audience and into broader business and publishing concerns.
Those concerns have been building since the confrontation between Automattic and hosting company WP Engine erupted into open litigation in late 2024. WP Engine accused Automattic and Mullenweg of defamation and business interference after access to WordPress.org resources was blocked. In December 2024, a federal judge ordered Automattic to restore WP Engine’s access to WordPress.org, a significant early setback for Automattic. The case did not end there. In September 2025, the court allowed several of WP Engine’s major claims, including defamation, trade libel and interference claims, to proceed, while dismissing antitrust, attempted extortion and some other claims, partly with leave to amend.
Automattic then escalated matters with counterclaims filed in October 2025, arguing that WP Engine had abused the WordPress trademark, misled customers and failed to give enough back to the open-source community. This year, the dispute intensified again after WP Engine filed an amended complaint containing new allegations uncovered during discovery, including claims that Automattic had contemplated pursuing royalty demands against multiple competitors. Automattic has dismissed those claims as recycled narrative, but the filings show that the conflict is not cooling.
For users, developers and publishers, the combined effect of the lawsuit and the EmDash debate is to expose a tension that has existed for years. WordPress built its influence on openness, portability and a huge community of contributors. Critics say that very openness has also produced governance ambiguity, uneven plugin quality and a security burden that falls heavily on site owners and hosting providers. Cloudflare is trying to turn those frustrations into an opening, offering a system that promises stricter guardrails without abandoning open-source licensing. Mullenweg, for his part, is defending a model that prizes freedom to run code anywhere and warns against exchanging one problem for another in the form of platform dependency.