CMS Detection: a beginner's guide
Identify CMS, plugins, themes, and page builders
Content Management Systems: what powers most of the websites you visit
A content management system (CMS) is the software that lets non-developers create, edit, and publish content on a website without writing HTML by hand. Instead of editing files and uploading them via FTP, you log into a dashboard, type in a what-you-see-is-what-you-get editor, click "publish," and the new content goes live. The first widely-used CMS was Movable Type in 2001, followed by WordPress (2003), Drupal (2001), Joomla (2005), and dozens of others. Today, the CMS landscape includes traditional self-hosted platforms (WordPress, Drupal), hosted blog platforms (Ghost, Substack), site builders (Squarespace, Wix, Webflow), e-commerce platforms (Shopify, BigCommerce), and headless CMSes (Contentful, Sanity, Strapi).
You should care because the CMS choice tells you almost everything about how a website is maintained and operated. A WordPress site has hundreds of thousands of plugins, a giant freelance ecosystem, very low cost, and well-understood security patterns. A Webflow site is more design-led, more constrained, and points at a different kind of team. A custom Next.js site with no CMS at all means engineering is in charge of every content change. A Shopify store means the team is committed to Shopify's pricing and constraints. Knowing the CMS in advance gives you instant context for any conversation about the site.
The five things every CMS detection check looks at:
The `Generator` meta tag. Many CMSes still set `<meta name="generator" content="WordPress 6.x">` or similar. This is the cheapest possible signal.
Response headers. Some CMSes set `X-Powered-By` or other custom headers that reveal the platform.
Distinctive URL paths. `/wp-content/`, `/wp-includes/`, `/sites/all/themes/`, `/_next/`, `/cms/admin/` are all fingerprints.
HTML structure markers. Class names, body IDs, and script ordering often follow platform-specific conventions.
JavaScript variables and tracking objects. Squarespace, Wix, Webflow, and Shopify each set distinctive JS globals.
Three questions a CMS detection check answers:
Which CMS is this website running on, and what version?
For a sales pitch, does the choice fit my product or am I targeting the wrong audience?
For a security audit, is the site running a known-vulnerable version of its CMS?
The cost of guessing the CMS is misreading the team you are talking to. The fix is one detection pass and a list of common CMS fingerprints to match against. WordPress alone powers around 40% of all websites on the public internet, according to the W3Techs surveys — so even a simple "is this WordPress?" check covers a huge fraction of the web.
The CMS Detection endpoint, in plain language
In one sentence: Identify CMS (Content Management System), plugins, themes, and page builders
Performs comprehensive Content Management System (CMS) detection by analyzing HTML (HyperText Markup Language) source, HTTP (HyperText Transfer Protocol) headers, meta tags, and asset paths. Identifies 14+ CMS platforms including WordPress, Drupal, Joomla, Shopify, Squarespace, Wix, Ghost, Webflow, and Magento. For WordPress sites, also detects 20+ popular plugins (Yoast SEO (Search Engine Optimization), WooCommerce, Elementor, etc.), active theme (including default theme detection), and page builders. Includes ecommerce platform detection and security analysis with actionable recommendations.
Don't worry if some of the words above are still unfamiliar — there's a plain-language glossary at the bottom of this page, and most of the terms link to their own beginner guides if you want to learn more.
What is actually happening when you call it
Here's what's actually happening behind the scenes when you call this endpoint:
Multi-signal CMS (Content Management System) detection using meta generator tags, HTTP (HyperText Transfer Protocol) response headers (X-Pingback, X-Drupal-Cache, X-Shopify-Stage), HTML (HyperText Markup Language) the structured form of an HTML page patterns, and asset path signatures (/wp-content/, /sites/default/). Calculates a numeric confidence score (0-1) based on the number and weight of matching signals. For WordPress, scans for plugin references in script/CSS URLs and HTML markup, extracts the active theme from /wp-content/themes/ paths, and detects page builders (Elementor, Divi, WPBakery, Beaver Builder, Gutenberg). Security analysis flags version disclosure, XML-RPC exposure, REST API (Application Programming Interface) enumeration risks, and PHP version leaks.
If you're using an AI assistant through MCP, you don't need to understand any of the technical details — the assistant calls the tool and translates the result for you.
Why this specific tool matters
Let's skip the marketing fluff and answer the only question that actually matters: why should you, a real human with a real to-do list, care about the CMS Detection tool? Here's the plain-English version, written the way you'd hear it from a friend who happens to do this for a living.
CMS (Content Management System) identification enables targeted security assessments (platform-specific vulnerabilities and misconfigurations), competitive intelligence (technology adoption across markets), and sales qualification (targeting users of specific platforms). Plugin and theme detection reveals the full technology profile, while security notes help identify low-hanging-fruit vulnerabilities like exposed CMS versions or enabled XML-RPC.
Picture this in real life. Imagine a penetration tester. Here's the situation they're walking into: Identify CMS (Content Management System), plugins, and their versions to focus testing on platform-specific vulnerabilities and misconfigurations. Security notes flag XML-RPC exposure, version disclosure, and REST API (Application Programming Interface) enumeration risks. Without the right tool, that person would be stuck copy-pasting between five browser tabs, reading documentation written for engineers, and crossing their fingers that the answer they cobble together is correct. With the CMS Detection tool, the same person gets a clear answer in seconds — no spreadsheets, no guessing, no waiting for someone on the infrastructure team to free up.
Three questions this tool answers in plain English. If any of these have ever crossed your mind, the CMS Detection tool is built for you:
What is this website actually built with, layer by layer?
Who hosts it, who runs analytics on it, who delivers the assets?
Is the company on a stack that fits my product, my pitch, or my integration?
You can either click the tool and get the answer yourself, or ask your AI assistant — connected through MCP (Model Context Protocol) — to ask the question for you and translate the answer into something you can paste into Slack.
Who gets the most out of this. Sales teams qualifying leads, marketers researching competitors, partnership managers scoping integrations, and security teams looking for known-vulnerable software in the wild. If you see yourself in that list, this is one of the EdgeDNS tools you should bookmark today.
What happens if you skip this entirely. Skip it and you're guessing at how a website is built — which kills sales calls, integration scoping, and competitive research. That's why running this check — even once a month — is one of the cheapest forms of insurance you can give your domain.
Available on the developer plan. The technical details: `GET /v1/domain/cms`.
When would I actually use this?
If you're still on the fence about whether the CMS Detection tool belongs in your toolbox, this section is for you. Below you'll meet three real people — a penetration tester, a product manager, and a sales team — facing three real situations where this tool turns a stressful afternoon into a five-minute task. Read whichever story sounds closest to your week.
Story 1: Security Assessment
Imagine you're a penetration tester. Identify CMS (Content Management System), plugins, and their versions to focus testing on platform-specific vulnerabilities and misconfigurations. Security notes flag XML-RPC exposure, version disclosure, and REST API (Application Programming Interface) enumeration risks.
Why it matters: Prioritize testing based on known CMS (Content Management System) vulnerability patterns and detected plugin versions.
Story 2: Competitive Intelligence
Imagine you're a product manager. Analyze CMS (Content Management System) adoption, page builder usage, and ecommerce platform choices across competitor sites or target markets.
Why it matters: Make data-driven technology decisions based on real market adoption data.
Story 3: Lead Generation
Imagine you're a sales team. Identify WordPress sites using specific plugins or themes for targeted outreach. Detect WooCommerce stores, Elementor users, or sites using outdated SEO (Search Engine Optimization) plugins.
Why it matters: Target prospects using specific CMS (Content Management System) platforms and plugin combinations.
Common situations across teams. Beyond the three stories above, here are the everyday workplace moments when people across the company reach for the CMS Detection tool — or one of the tools right next to it in this category. If any of these are on your calendar this month, that's your sign:
During sales prospecting, to qualify a lead by what they are running.
During competitive research, to understand what a rival is built with.
When scoping an integration or partnership.
When you suspect a target is using a known-vulnerable version of something.
If you can see yourself in even one of those bullets, the CMS Detection tool will pay for itself the first time you use it.
Still not sure? Here's the easiest test in the world. Open Claude, ChatGPT, Gemini, or any other AI assistant connected to the EdgeDNS MCP server and ask, in your own words: "Is the CMS Detection tool useful for my job?" The assistant will look at the tool, ask you a couple of follow-up questions about what you're trying to accomplish, and give you a straight answer in plain English. No commitment, no signup forms, no jargon.
The easiest way: just ask your AI assistant
If you've connected the EdgeDNS MCP server to Claude, ChatGPT, Gemini, Cursor, or any other AI assistant, you don't need to write any code. Just ask in plain English:
"Use the CMS Detection tool to check example.com and explain anything that looks wrong in plain language."
The AI will figure out which tool to call, fill in the right parameters, run it, and then explain the result back to you. No copy-pasting between tabs. No reading raw JSON. No memorizing endpoint names.
MCP (Model Context Protocol) access is free on every plan, including the free tier. One API key works for both REST and AI — you do not have to choose.
The technical way: call it from code
If you're a developer and want to call the endpoint from a script or your own application, here's the simplest possible example. Replace the placeholder API key with the real one from your dashboard.
# Replace edns_live_YOUR_KEY with your real API key from the dashboard
curl -H "Authorization: Bearer edns_live_YOUR_KEY" \
"https://api.edgedns.dev/v1/domain/cms?domain=example.com"What you need to provide
There's just one piece of information you need to provide. The table below explains exactly what it is and what a real value looks like.
| Field | Type | Required? | What it means | Example |
|---|---|---|---|---|
domain | string | Yes | The domain to detect CMS (Content Management System) for | example.com |
What you get back
When you call this tool, you'll get back a JSON object with the fields below. If you're talking to it through an AI assistant, the assistant reads these for you and explains them in plain language — you don't need to memorize them.
| Field | Type | What you'll see in it |
|---|---|---|
domain | string | The queried domain |
detected | boolean | Whether a CMS (Content Management System) was detected |
cms | object | Detected CMS (Content Management System) with name, slug, version, confidence (0-1), isOpenSource, website, and detectionMethods array |
theme | object | Detected theme with name, slug, version, isDefault flag, and confidence (WordPress sites) |
plugins | array | Detected plugins with name, slug, version, category, and confidence (WordPress sites) |
pageBuilder | object | Detected page builder (Elementor, Divi, WPBakery, Gutenberg, etc.) with name, slug, version, and confidence |
ecommerce | object | Detected ecommerce platform (WooCommerce, Shopify, Magento, BigCommerce, etc.) with name, slug, version, and confidence |
security | object | Security analysis with overall level (good/warning/critical) and notes array with severity, title, and description |
httpMeta | object | Raw detection metadata including generator meta tag and X-Powered-By header values |
timestamp | string | ISO 8601 timestamp of the analysis |
Words you might be wondering about
If any words on this page felt like jargon, here's a plain-language version. Click any linked term to read a full beginner-friendly guide.
API (Application Programming Interface) — A way for one program to ask another program for something — like a waiter taking your order to the kitchen.
HTTP (HyperText Transfer Protocol) — The language web browsers and websites use to talk to each other.
SEO (Search Engine Optimization) — Everything you do to help search engines like Google find, understand, and rank your website.
CMS (Content Management System) — Software that lets non-technical people publish web pages without writing code. WordPress, Webflow, and Ghost are popular examples.
HTML (HyperText Markup Language) — The basic language web pages are written in. The tags you see in the source code (<h1>, <p>, <a>) are HTML.
CSS (Cascading Style Sheets) — The language used to control how a web page looks — colors, fonts, spacing, layout. HTML says what content is on the page; CSS says how it looks.
Need Programmatic Access?
Automate domain intelligence with 100+ API endpoints and a free MCP server for AI integration.