Best of Cloudflare, April 2026

  1. Video
    Fireship · 5w

    A rich hacker just penetrated 31 WordPress plugins...

    A supply chain attack compromised 31 WordPress plugins after an attacker purchased them via Flippa, inserted a dormant backdoor, and later activated malicious payloads that modified core WordPress files including wp-config.php. The command-and-control domain was resolved through an Ethereum smart contract, making it resilient to takedowns. The attack bypassed normal security suspicion by arriving as a routine plugin update. The post also covers Cloudflare's new Mdash project, a WordPress-compatible alternative built on Astro that sandboxes plugins using dynamic workers and capability-based bindings to prevent the kind of full-privilege access that makes WordPress plugins dangerous.

  2. Video
    Awesome · 3w

    Forget AI doom... Quantum computing will break the internet first

    Quantum computing poses a more immediate and concrete threat to internet security than AI doomsday scenarios. Shor's algorithm, published in 1994, can theoretically break RSA and elliptic curve cryptography — the foundation of modern TLS, SSH, and code signing. Recent breakthroughs from Google and Oratomic have dramatically reduced the estimated qubit count needed to break P256 elliptic curve encryption from millions to roughly 10,000, pushing 'Q-day' much closer than the previously assumed 2035–2040 window. Cloudflare has accelerated its post-quantum roadmap, targeting full post-quantum security by 2029. The most dangerous threat isn't just 'harvest now, decrypt later' attacks on encrypted traffic — it's the ability to forge authentication signatures on long-lived root certificates and code signing keys, enabling impersonation and persistent access. Migrating to post-quantum signatures also requires actively disabling legacy algorithms to prevent downgrade attacks and rotating all previously exposed credentials.

  3. Article
    CMS · 6w

    Em Dash: a programmable CMS experiment, not a WordPress replacement (yet)

    Em Dash is an early-stage, developer-oriented CMS that takes an API-first, tool-driven approach to content management, integrating with AI agents via MCP-like interfaces and using Astro on the frontend. Unlike traditional CMS platforms, it treats content as something operated on programmatically rather than edited through a UI. It features an isolated worker-based security model (requiring paid Cloudflare Workers for full benefit) and includes a WordPress content importer. In practice, local MCP integration had issues but API-based usage with Claude worked. The verdict: no plugin ecosystem, no non-dev editor experience, and significant infra requirements make it a developer experiment rather than a WordPress replacement — but it hints at where programmable, AI-driven content systems may be heading.

  4. Article
    Cloudflare · 4w

    Making Rust Workers reliable: panic and abort recovery in wasm-bindgen

    Cloudflare details how Rust Workers now handle panic and abort recovery in WebAssembly via upstream contributions to wasm-bindgen. Historically, panics were fatal and could poison an entire Worker instance, causing cascading failures. The team implemented panic=unwind support using the WebAssembly Exception Handling proposal, allowing panics to surface as JavaScript PanicError exceptions while keeping the Wasm instance valid. For aborts (e.g., OOM), they added abort classification using Exception.Tag to distinguish recoverable from non-recoverable errors, plus a set_on_abort hook and reentrancy guards. A --reset-state-function mechanism enables automatic reinitialization for Wasm library use cases. The team also backported modern WebAssembly Exception Handling to Node.js 24 and 22 to unblock ecosystem adoption. These changes are available in workers-rs 0.8.0 via the --panic-unwind flag, with plans to make it the default.

  5. Article
    Cloudflare · 5w

    Register domains wherever you build: Cloudflare Registrar API now in beta

    Cloudflare has launched a beta Registrar API that lets developers and AI agents programmatically search for domains, check real-time availability, and register them at cost — all without leaving their editor, terminal, or agentic workflow. The API exposes three core endpoints: search (cached results), check (authoritative registry query), and register (completes synchronously in seconds or returns a 202 for polling). WHOIS privacy is enabled by default at no extra charge, and the API integrates with the Cloudflare MCP, making it immediately accessible from tools like Cursor and Claude Code. At-cost pricing applies regardless of whether registration happens via dashboard, API, or agent. Future plans include lifecycle management features such as transfers, renewals, and contact updates, plus a broader registrar-as-a-service offering.

  6. Article
    Cloudflare · 4w

    Introducing Flagship: feature flags built for the age of AI

    Cloudflare is launching Flagship, a native feature flag service built on its global network using Workers, Durable Objects, and KV. It eliminates the latency of third-party flag providers by evaluating flags at the edge — sub-millisecond, with no outbound HTTP requests. Flagship is built on OpenFeature, the CNCF open standard, so evaluation code is portable across providers. It supports boolean, string, number, and JSON flag types, multi-rule targeting with AND/OR logic, percentage-based rollouts with consistent hashing, a full audit trail, and a dashboard for non-engineers. The service is framed around AI-generated code entering production autonomously, where feature flags serve as the safety mechanism for agentic deployments. Flagship is currently in private beta.

  7. Article
    Cloudflare · 4w

    The AI engineering stack we built internally — on the platform we ship

    Cloudflare shares how they built their internal AI engineering stack using their own products over 11 months. The stack includes Cloudflare Access for zero-trust auth, AI Gateway for centralized LLM routing (20M+ requests/month, 241B tokens), Workers AI for on-platform inference, MCP Server Portals aggregating 13 servers with 182+ tools, an AI Code Reviewer integrated into CI/CD, and an Engineering Codex for standards enforcement. A proxy Worker pattern centralizes all LLM traffic, enabling per-user attribution, anonymous tracking, and zero API keys on developer machines. AGENTS.md files generated across 3,900 repos give coding agents structured repo context. The result: 93% R&D adoption, merge request volume nearly doubling quarter-over-quarter, and a security agent processing 7B tokens/day on Workers AI at 77% lower cost than proprietary models.