Matt MullenwegModify

2026-04-03 09:32:27

So, two other Matts at Cloudflare announced EmDash — the spiritual successor to WordPress that solves plugin security.

(Is it nominative determinism or a simulation glitch that everyone trying to terraform the web has some variation of “Matthew” in their name? I was in a call set up by Matthew Prince, talking to Matt Taylor and Matt Kane, with my right hand there, Matías.)

First, I’m going to tell you why this isn’t spiritually tied to WordPress at all, then why they haven’t solved plugin security, and finally offer some suggestions.

The Spirit of WordPress

WordPress exists to democratize publishing. That means we put it everywhere. You can run WordPress on a Raspberry Pi, on your phone, on your desktop, on a random web host in Indonesia charging 99 cents a month, and you can run it scaled up on AWS or across multiple datacenters.

The same code. When you download WordPress Playground you’re running the same code that’s being attacked a thousand times a second at WhiteHouse.gov. That’s what we mean when we say democratization.

It’s all built on open source and web standards. You can run it anywhere; there’s no lock-in.

That’s why we do what we do. It’s really hard. You can come after our users, but please don’t claim to be our spiritual successor without understanding our spirit.

The Spirit of EmDash

I think EmDash was created to sell more Cloudflare services. And that’s okay! It can kinda run on Netlify or Vercel, but good stuff works best on Cloudflare. This is where I’m going to stop and say, I really like Cloudflare! I think they’re one of the top engineering organizations on the planet; they run incredible infrastructure, and their public stock is one of the few I own. And I love that this is open source! That’s more important than anything. I will never belittle a fellow open source CMS; I only hate the proprietary ones.

If you want to adopt a CMS that will work seamlessly with Cloudflare and make it hard for you to ever switch vendors, EmDash is an incredible choice.

Claimed Plugin Security

In another example of them not understanding the spirit of WordPress, the fact that plugins can change every aspect of your WordPress experience is a feature, not a bug! And their sandboxing breaks down as soon as you look at what most WordPress plugins do.

I know we get a bad rep because there are 62k plugins with wildly variable engineering quality, and more every day, and when one installed on 0.01% of our user base has a vulnerability, a bunch of websites write breathless articles that get clicks saying “122,000 WordPress Sites Vulnerable!”

That, by the way, I think we’ll be able to fix in the next 18 months with AI. The plugin security only works on Cloudflare.

Critical Feedback

As I said, we had a call with Cloudflare on March 23rd, where they asked for feedback on this thing they built but didn’t tell us the name, said it would probably launch in their developer week towards the end of April, and some top colleagues and I offered to help. I wish I could say the things I’m saying in this blog post on that call, and if they had just shared the announcement post I could have, but in the spirit of open source here’s what I would have said:

1. If they had said the name I would have asked if they had any other options because I have an amazing colleague named Emdash who is doing some of the most exciting stuff with WordPress and AI. (BTW I think our Em will have more impact on the web than this in five years.)
2. I actually think the product is very solid, there’s some excellent engineering, migration tools, it’s very fast, and the Astro integration is nice.
3. I’d be surprised if this doesn’t get tens of thousands of sites on it.
4. The UI is in the uncanny valley of being sorta-WordPress sorta-not. I know it wasn’t a weekend vibecode project, but it has some of that smell. Stuff breaks at the edges.
5. I think using TinyMCE is a regression, and they should adopt Gutenberg, which we licensed and created to be used by other CMSes.
6. The Skills are amazing, a brilliant strategy, and we need to do the same as soon as possible. I’ve been working on something similar and got some good ideas from their implementation.
7. I’m not going to say which parts, but they copied a lot of things we’re planning to kill. Build from first principles. Make it better. Skate to where the puck is going.

There’s a new CMS every other day. And that’s great! I love building CMSes and I totally get why other people do, too.

In Conclusion

Some day, there may be a spiritual successor to WordPress that is even more open. When that happens, I hope we learn from it and grow together. Until then, please keep the WordPress name out of your mouth.

2026-04-02 08:14:51

I’m really excited to introduce a project I worked on with various AI agents the other night, which I think represents a new way we might build things in the future.

First, the problem: My WordPress site has 5,600+ posts going back decades, and I had some categories that were old and I didn’t really use anymore, and I wasn’t happy with the structure. Every time I made a new post, it irked me a little, and I had this long-standing itch to go back and clean up all my categories, but I knew it was going to be a slog.

Let me present Taxonomist, a new open-source tool you can run with one copy-and-paste command line that solves this problem. Here’s the idea:

1. You run this code in your terminal, and it spins up a Claude Code instance that asks you for your URL.
2. Then it takes that and figures out what type of site you have, which APIs are available, and starts downloading all your posts locally for analysis.
3. Sub-agents analyze every post against your current categories and thinks about suggesting new ones.
4. It previews all the changes.
5. Tries a variety of ways to authenticate against your site and make all the changes.
6. Logs everything locally, so anything is reversible later.

THIS IS VERY ALPHA. PROBABLY BUGGY. BE CAREFUL WITH IT. PATCHES WELCOME. MAYBE MAKE A BACKUP OF YOUR SITE BEFORE YOU CHANGE IT.

It kind of just worked. I ran it live against ma.tt and it cleaned up a ton of stuff pretty much exactly how I wanted. But there’s a lot of weird stuff happening here, so I don’t know quite what this is yet.

1. It’s very non-deterministic! There is some pre-written code, and probably could be more, but a lot of the code is generated on the fly by your agent. This creates interesting bugs where people testing with less powerful models had some odd behavior.
2. I kind of want a directory of these useful AI agents on WordPress.org, but also, there’s something a little strange about trusting a remote shell script to run on your machine.
3. I tested this with Claude, but there’s no reason Codex couldn’t use the repo in the exact same way, and I’d love to improve the quick start script to start by detecting all the agents you have, asking which you’d like to use, and also which directory you’d like to work in. I think we could kill the cd taxonomist-main && claude "start" part of it.
4. Because much of the code and commands are generated on the fly from prompts, it’s very resilient! I’ve seen people try it, and it ran into errors with libraries or whatever, but it just figured out how to work around them.
5. I’d love it if, at the end of every session, there was a moment for self-reflection where the agent would take the repository and suggest upstream issues and PRs based on anything that went wrong. Then this could recursively self-improve very quickly.
6. There are some obvious improvements to this, for example, doing this for tags. Sometimes it creates too many categories when you might only want 3-5 for your theme.
7. One fun thing is a bunch of the work of this just uses public WordPress APIs, so you can run it against any site! I like using distributed.blog as a demo. It’ll still do all the fun downloading and analysis and everything, you just won’t be able to make changes.
8. I now have a local cache of all my WordPress posts I can do other interesting things with, and that’s cool.
9. The logging and reverting probably still has some bugs in it.
10. You can riff with it along the way, so for example, it suggested I get rid of my Audrey category because it didn’t have enough posts, and I asked it to look at all the companies on Audrey.co website and categorize any posts that talk about them as Audrey, which created like 50 more.
11. I want to check the GitHub repo for any updates before it starts, and maybe periodically, because it’s iterating and improving really fast.
12. It’s not the default but the entire thing is way more pleasant if you run it with skip-permissions. So testing I usually run the one-liner, exit, resume with skip.
13. You can see some of my prompt history in the Github but I apologize it’s not comprehensive, I also used Gemini and Codex with this and got lots of value from them.

So, not sure what this is, but please check it out, play with it, submit improvements or ideas, and think about what’s next. Might host a Zoom or something to brainstorm.

The final thing I say is that this was a very different process of writing software for me. Instead of staying at the computer the entire time, I found myself going away for a bit, napping and dreaming about the code, coming back with new ideas and riffing on them. Maybe I’ll return to my Uberman polyphasic sleep days? Nap-driven development?

BTW I have lots of thoughts and feedback for Emdash but I thought this was more interesting, will try to get that out later tonight. One preview: TinyMCE is a regression; they should use Gutenberg! We designed it for other CMSes and would be fun to have some common ground to jam on.

2026-03-30 08:44:41

Since he spoke to Dean Baquet in 2017, JAŸ-Z hasn’t done an interview. Hov’s back! He sat down with GQ, and it’s a lovely listen and read.

We played enough defense, 2026 is all about offense.

Your morality defines who you are, not what you’ve attained.

2026-03-29 06:12:33

First, I want to say how great the jazz scene is in New York. I caught a little Latin at my go-to Guantanamera last night, but the band seemed to be phoning it in a bit, so I walked over to Dizzy’s and heard an amazing big band performance by the Diva all-women Jass Orchestra, they had Clint Holmes leading vocals and I got Frank Sinatra / Count Basie vibes, so great to see such a tight big band.

In WordPress, last week it was fun to see the company some call parasitic WP Engine acquire WPackagist. So a popular way to use WordPress with Composer, previously maintained by an awesome co-op agency in London, was now in the clutches of a company using its capital advantage to try to openwash its alleged bad behavior, probably in a process that wasn’t ideal for the sellers.

Four days later, an awesome independent organization roots.io released WP Composer (renamed to WP Packages, in OpenClaw fashion) with 17x faster cold resolves than WPackagist. Check out their comparison page.

It’s beautiful to see how resilient and nimble the antibodies in the WordPress community are. Major hat tip to Ben Word.

In another type of antibody, Sid Sijbrandi, whom I previously talked about going into founder mode on his cancer, gave an incredible presentation at the Open AI Forum about how he ran a bunch of N-of-1 experiments and therapies to cure his terminal osteosarcoma. He’s also open-sourced 25TB of his data for cancer research. Incredible!

If you want to see the future of health care, give Sid’s presentation a watch.

2026-03-29 04:57:39

Nobody is arguing that Stockfish is conscious, but Stockfish would kick Claude’s ass at chess.

Kevin Lincoln in AI Perfected Chess. Humans Made It Unpredictable Again.

2026-03-26 07:48:04

I’m in NYC for the Stephan Wolfram dev/ai/nyc conversation tomorrow at the Automattic Noho space. While walking back from the Apple Store in Soho where I had picked up a new Studio Display XDR to try out, ran into one of my favorite YouTube accounts to follow right now, Ari at Home! I ran into him around 32 minutes into this Twitch stream. Here’s how he set up his rig.

A video I’ve shared with friends recently is when Harry Mack ran into Ari, which was fun for me because they’re two of my favorite accounts to follow. Sorry I didn’t freestyle! I had to get back to do some work, which is why I got the monitor.

In other cool X/Twitter news, they launched an awesome feature today that lets you restrict replies not just to people you follow, but to people they follow as well. Nikita gave a hat tip to the conversation I had with Peter Levels / @levelsio.