Analysis Free · no signup

CMS Version Detector

Detect the CMS and its version: WordPress, Joomla, Drupal, Shopify, Wix, Squarespace, and more.

Enter a URL and the detector fingerprints the site against a library of known CMS signatures: the generator meta tag, HTML and CSS patterns, server headers, cookie names, and telltale file paths like /wp-content/ or /sites/default/. It reports the detected CMS (WordPress, Joomla, Drupal, Shopify, Magento, Ghost, and more), a version estimate where the site exposes one, and a confidence score so you know how strong the evidence is. It's the fastest way to see what a site runs — and whether it's dangerously out of date.

Updated Krawly Editorial TeamIn-house engineers, writers & reviewers

Explore More Free Tools

Discover 150+ free tools for web scraping, SEO analysis, OSINT, and more. 30 free uses every day — no signup required.

150+ Free Tools No Signup Required JSON / CSV / Excel 30 Uses / Day
Quick answer

Enter a URL and the detector fingerprints the site against a library of known CMS signatures: the generator meta tag, HTML and CSS patterns, server headers, cookie names, and telltale file paths like /wp-content/ or /sites/default/. It reports the detected CMS (WordPress, Joomla, Drupal, Shopify, Magento, Ghost, and more), a version estimate where the site exposes one, and a confidence score so you know how strong the evidence is. It's the fastest way to see what a site runs — and whether it's dangerously out of date.

What is CMS Version Detector?

The CMS Version Detector identifies which Content Management System powers a website and, where possible, its exact version. It fetches the page and weighs several signals — the generator meta tag, distinctive HTML and asset-path patterns, HTTP headers and cookies, and the presence of known CMS files at predictable paths — to name the platform and estimate a confidence level. Because an outdated CMS version is one of the most common ways sites get compromised, it's a go-to tool for security assessment, technology audits, and competitive research.

How to use CMS Version Detector

  1. 1

    Enter the website URL

    Paste the homepage or any content page. The homepage usually carries the clearest CMS signals, but if it's heavily cached or customized, an inner page like a blog post or product page can expose more identifying paths and headers.

  2. 2

    Let it fingerprint the platform

    The tool fetches the page and matches multiple signals at once — the generator meta tag, asset paths, cookie and header names, and known file locations — rather than relying on any single clue that could be spoofed or stripped.

  3. 3

    Read the CMS and confidence

    You get the detected platform plus a confidence indicator. High confidence means several independent signals agreed; lower confidence means the detection rests on a single weaker heuristic and deserves a manual double-check.

  4. 4

    Check the version — then patch

    If a version is exposed, compare it against the CMS's current release. An old version is the single most actionable security finding here, since automated bots scan the web specifically for outdated CMS installs with known exploits.

Try it when you need to…

  • Try it when you suspect a site is running a years-old CMS install and want to confirm the platform and version before a security review
  • Try it when auditing a site you're about to inherit or acquire and need to know exactly what technology you're taking on
  • Try it when checking your own properties to make sure none are publicly advertising an outdated, exploitable version string

Use cases

  • Security assessment — flag a site running an old, unpatched CMS version with known public vulnerabilities
  • Technology audit — document the exact platform behind a site you're inheriting, buying, or migrating
  • Competitive research — learn whether a rival runs WordPress, Shopify, Webflow, or a custom stack
  • Patch monitoring — check whether your own sites are advertising an outdated version that invites automated attacks
  • Vendor due diligence — verify a supplier's public site is on a currently-supported CMS before trusting their security posture

Key features

Detects 15+ CMS platforms including WordPress, Joomla, Drupal, Shopify, Wix, Squarespace, Ghost, Magento, and Webflow
Version detection where the CMS leaks it in meta tags, asset paths, feeds, or readme files
Confidence scoring so a strong generator-tag match outranks a weak heuristic guess
Multi-signal analysis combining meta tags, HTML patterns, headers, and known file paths
Runs entirely server-side — no extension or install required

Tips & best practices

The generator meta tag (e.g. <meta name="generator" content="WordPress 6.2">) is the most direct version signal, which is exactly why hardened sites remove it. A blank version field often means the admin deliberately stripped the tag — a sign of good hygiene, not a detection failure.

Version numbers also leak through asset cache-busting strings (?ver=6.2.1), RSS/Atom feed generators, readme.txt or CHANGELOG files at root, and default admin login pages. Security-conscious sites block or scrub all of these, so a confidently-detected CMS with no version usually indicates the site is intentionally obscuring it.

Headless and decoupled setups break naive detection: a site built with WordPress or Drupal as a backend but served through a Next.js or Gatsby front end shows the front-end framework's fingerprints, not the CMS's, so the true content platform can be completely hidden from an external scan.

A detected version is a starting point for security work, never proof of vulnerability. Many hosts apply backported security patches without bumping the visible version string, so a site showing an 'old' version may actually be fully patched — and conversely a stripped version tells you nothing reassuring. Confirm before acting.

Frequently asked questions

It recognizes 15+ platforms including WordPress, Joomla, Drupal, Shopify, Wix, Squarespace, Ghost, Magento, and Webflow, among others. Coverage focuses on the most widely deployed content and e-commerce systems, since those are the ones most relevant to security and competitive research.

It looks for version data the CMS exposes publicly: the generator meta tag, cache-busting ?ver= strings on assets, RSS/Atom feed generator fields, readme or changelog files at known paths, and default page markers. When a site strips or blocks all of these, the platform can still be identified but the version field comes back empty.

It reflects how much independent evidence supports the detection. A high score means several signals — say, a generator tag plus matching asset paths plus a known cookie — all pointed to the same CMS. A low score means the guess rests on one weaker heuristic, so you should verify it manually before relying on it.

Because version disclosure is a security risk, well-managed sites deliberately remove the generator tag, strip ?ver= query strings, and block access to readme files. That's the recommended hardening practice, so an identified CMS with a missing version is often a sign the site is well-maintained rather than a shortcoming of the tool.

Not necessarily. Many hosting providers and managed platforms backport security fixes without changing the public version string, so a site showing an older number may already be patched. Treat the version as a lead worth investigating, not a confirmed vulnerability — verify against the actual behavior before drawing conclusions.

Sometimes, but it's harder. A decoupled setup that uses a CMS purely as a backend and serves pages through a separate front-end framework (Next.js, Gatsby, Nuxt) exposes the front-end's fingerprints rather than the CMS's, so the underlying content platform may be invisible externally. Detection works best on traditional, monolithic CMS deployments.