{web reveal}
8 min read Web Reveal Team

How to Detect What CMS a Website Is Using (2026 Guide)

Whether you're a developer scoping a competitor's stack, a designer researching a platform before pitching, or a marketer wanting to understand a partner's infrastructure, knowing how to detect what CMS powers a website is a genuinely useful skill. This guide covers the fastest and most reliable methods in 2026.

What Is a CMS and Why Does It Matter?

A Content Management System (CMS) is the software platform used to build and manage a website's content. Popular CMS platforms include WordPress, Shopify, Drupal, Joomla, Wix, Squarespace, and Webflow. Each leaves a distinct set of technical fingerprints in the HTML, HTTP headers, URL structure, and loaded assets of a site.

Knowing which CMS a site runs is valuable for a number of reasons:

  • Competitive research: Understand what platforms your competitors or industry peers are running.
  • Sales and outreach: Target prospects who use specific platforms (e.g., offering Shopify app development to e-commerce stores).
  • Development scoping: Estimate migration complexity before taking on a rebuild project.
  • Security research: Identify outdated or known-vulnerable CMS versions.
  • Agency pitching: Tailor your pitch based on the platform a prospective client uses.

Fastest Method: Use a Technology Scanner

The quickest and most reliable way to detect any website's CMS is to use a dedicated technology scanner. These tools automate the detection process, checking dozens of signals simultaneously—HTML patterns, HTTP headers, loaded scripts, DNS records, and more.

Web Reveal is a free web-based scanner that identifies the CMS (and the full technology stack) of any website in seconds. Simply enter a URL, run the scan, and you'll see the platform, frameworks, analytics tools, CDN, and hosting provider in one view.

You can also use the Web Reveal Chrome extension to detect CMS platforms passively as you browse—useful if you want to check sites during normal research without switching tabs.

Tip: For checking multiple sites at once, use Web Reveal's bulk scanner to analyse several URLs in a single session without needing a subscription.

Manual Signals to Look For

If you prefer to check manually—or want to understand why a tool returns a particular result—here are the main signals to inspect:

1. Page source (View Source)

Right-click on any page and choose "View Page Source" (or press Ctrl+U / Cmd+U). Look for:

  • Generator meta tags: <meta name="generator" content="WordPress 6.x">
  • CMS-specific asset paths (e.g., /wp-content/, /sites/default/files/)
  • Script or stylesheet URLs that reference a platform's files
  • HTML comments left by the CMS template or plugins

2. URL structure

Many CMS platforms create distinctive URL patterns:

  • WordPress: /wp-login.php, /?p=123, /wp-json/
  • Drupal: /node/, /user/login
  • Joomla: /index.php?option=com_, /administrator/

3. HTTP response headers

Open your browser's developer tools (F12), go to the Network tab, reload the page, and inspect the response headers of the main document. Look for:

  • X-Powered-By headers (sometimes discloses the server or CMS)
  • Set-Cookie headers with platform-specific names (e.g., wordpress_logged_in)
  • Custom headers added by the CMS or hosting layer

4. Loaded external scripts

Many CMS platforms load scripts from predictable domains or paths. For example, Shopify stores typically load scripts from cdn.shopify.com, while Wix sites load from static.wixstatic.com.

Detecting WordPress

WordPress powers a large share of the web and is one of the easiest CMS platforms to detect. Common signals include:

  • /wp-content/ paths in stylesheets, scripts, or images
  • /wp-includes/ in script tags
  • The /wp-login.php admin login URL being accessible
  • A <meta name="generator" content="WordPress"> tag in the page source (some themes remove this)
  • The /wp-json/ REST API endpoint returning a JSON response
  • Cookie names containing wordpress_ or wp-settings-

Even when a site tries to hide its WordPress installation by renaming or obscuring paths, live scanners like Web Reveal can often identify it through additional fingerprinting techniques including DNS records and response pattern analysis.

Detecting Shopify

Shopify is among the most distinctive platforms to identify because it uses predictable infrastructure:

  • Scripts and assets loaded from cdn.shopify.com
  • The Shopify.shop JavaScript variable present on the page
  • A myshopify.com subdomain in the canonical URL or redirects (unless a custom domain is used)
  • /_api/checkouts/ or similar Shopify-specific API paths in source or network requests
  • The Set-Cookie: _shopify_y analytics cookie

Because Shopify is a hosted platform with a fixed infrastructure, these signals are almost always present and make detection highly reliable.

Detecting Drupal, Wix, Webflow, and Others

Drupal

  • /sites/default/files/ and /sites/all/ asset paths
  • The X-Generator: Drupal HTTP header (when not removed)
  • /node/ URL patterns and /user/login
  • Drupal-specific JavaScript objects such as Drupal.settings

Wix

  • Assets served from static.wixstatic.com or wixsite.com
  • The X-Wix-Meta-Site-Id HTTP header
  • Wix-specific meta tags and script tags

Webflow

  • Assets from assets.website-files.com or uploads-ssl.webflow.com
  • The generator meta tag: content="Webflow"
  • Webflow-specific CSS classes and data attributes

Squarespace

  • Static assets from static.squarespace.com
  • The X-ServedBy header referencing Squarespace infrastructure
  • JSON-LD blocks with Squarespace-specific data

What If the CMS Is Hidden?

Some website owners and security-conscious developers intentionally obscure their CMS to reduce the attack surface or protect competitive information. Common techniques include:

  • Removing the generator meta tag
  • Renaming or proxying default CMS paths (e.g., changing /wp-admin/)
  • Stripping CMS-specific headers via a reverse proxy or WAF
  • Serving assets through a CDN that removes identifying headers

Even with these measures in place, many platforms still leave subtle traces. Tools like Web Reveal use multiple detection layers—including DNS fingerprinting, HTTP response timing analysis, and deep asset inspection—to identify platforms that have attempted to hide their identity. That said, a sufficiently hardened site may return no conclusive result, and that too is a useful piece of information.

Bottom line: For the fastest and most complete CMS detection, use Web Reveal's free scanner. For manual verification or learning the underlying signals, the source inspection techniques above will serve you well.

Frequently Asked Questions

How can I tell if a website uses WordPress?

Look for /wp-content/ and /wp-includes/ in the page source, a /wp-login.php login URL, or a WordPress generator meta tag. Alternatively, run a scan with Web Reveal to get instant results without manual inspection.

Can I detect a CMS without installing any software?

Yes. Web Reveal's free web scanner requires no installation. Enter a URL and it will identify the CMS and full technology stack in seconds, right in your browser.

Is it possible to detect a CMS if the site tries to hide it?

Often, yes. Even sites that remove standard CMS identifiers typically leave subtler traces in DNS records, response headers, asset CDN URLs, or JavaScript variables. Web Reveal's multi-layer analysis catches many of these hidden signals, though highly obfuscated sites may return partial results.

What is the most accurate free CMS detector?

Web Reveal performs live, real-time detection and checks multiple signal layers including page source, HTTP headers, DNS records, and asset paths. This makes it one of the most accurate free CMS detection tools available in 2026.

Try Web Reveal for Free

Detect the CMS and full technology stack of any website in seconds. No sign-up required.

Open Web Scanner Get Chrome Extension
Back to Blog