Cloudflare Aims for Full Post‑Quantum Security by 2029, Launches New CMS to End Plugin

Cloudflare said its post‑quantum roadmap has been accelerated after Google disclosed a breakthrough quantum algorithm that threatens elliptic‑curve cryptography, prompting the company to set a 2029 deadline for full post‑quantum security, including authentication (Cloudflare blog).

The firm noted that more than 65 % of human traffic to its network already uses post‑quantum‑encrypted connections, a milestone reached after enabling PQ encryption for all websites and APIs in 2022 (Cloudflare blog). Yet it stresses that authentication must also be upgraded before the “Q‑Day” deadline, citing Google’s announcement and a concurrent Oratomic study that estimates RSA‑2048 and P‑256 could be broken with as few as 10,000 neutral‑atom qubits (Cloudflare blog).

In parallel, Cloudflare unveiled EmDash, an open‑source CMS built in TypeScript on the Astro framework, designed to eliminate the plugin‑security flaw that plagues WordPress (Veerhost). EmDash runs on serverless infrastructure, includes built‑in payment support and AI‑native features, and is released under an MIT license (Veerhost).

The company positions EmDash as a “spiritual successor” to WordPress, which still powers over 40 % of websites—about 455 million sites as of 2026—by offering a sandboxed architecture that isolates extensions from core code (Veerhost). According to Veerhost, the CMS was assembled in just two months using AI coding agents, underscoring Cloudflare’s push toward rapid, secure development.

Cloudflare’s dual announcements signal a strategic shift: hardening the Internet’s cryptographic foundations while delivering a next‑generation content platform that sidesteps the entrenched plugin ecosystem (both sources). The moves come as the industry braces for quantum‑computing advances that could render current security standards obsolete.