How to identify the CMS behind any website
Most CMSes auto-generate a `<meta name="generator">` tag, load assets from predictable paths, and set cookies with recognisable prefixes. Four checks are usually enough.
Background
Every mainstream CMS leaves fingerprints a casual observer can spot in under a minute. WordPress serves `/wp-content/` and `/wp-includes/` assets. Drupal uses `/sites/default/files/` and `/modules/`. Shopify loads from `cdn.shopify.com` and exposes `window.Shopify`. Magento serves `/pub/static/` paths and sets `X-Magento-Vary` cookies. Ghost has `<meta name="generator" content="Ghost ...">` by default. Webflow tags the html root with `data-wf-page`. The fingerprints survive theming and customization because they're structural to how each CMS renders pages. A four-check sweep — generator meta, asset URL paths, response headers, cookies — is enough for 90% of sites.
Why this matters
CMS identification is the foundation of most frontend audits of content-heavy sites. Knowing it's Shopify tells you the checkout architecture, the theming system, the plugin model, the payment stack. Knowing it's WordPress tells you to look for plugins. Knowing it's Webflow tells you there's no PHP/server-side component to audit at all.
Prerequisites
- Chrome DevTools.
Step-by-step
1. Read the generator meta tag
Press `Ctrl+U` to view the page source and search for `<meta name="generator"`. WordPress sets it to `WordPress X.Y`. Drupal sets it to `Drupal N`. Ghost, Hugo, Jekyll, Sitecore, TYPO3 and many others do too.
2. Look at asset URL paths
`/wp-content/` → WordPress. `/sites/default/files/` → Drupal. `/cdn.shopify.com/` → Shopify. `/assets/themes/` + `/pub/static/` → Magento. `/prod/js/webflow/` + `<html data-wf-page>` → Webflow. `/ghost/assets/` → Ghost.
3. Check response headers
`X-Drupal-Cache: HIT`, `X-Shopify-Stage: production`, `X-Pingback` (WordPress), `X-Powered-By: TYPO3 CMS`, `X-Magento-*`. Server-generated headers are hard to forge.
4. Check cookies
`wp_*` cookies → WordPress. `_shopify_*` → Shopify. `Drupal.*` → Drupal. `frontend=` + `X-Magento-Vary` → Magento. `ghost-members-ssr` → Ghost.
5. Run Sourcemap Explorer for CMS + plugin-level detail
The extension identifies the CMS plus — for WordPress especially — every plugin and theme loading assets on the page. For e-commerce CMSes it detects the payment and checkout stack.
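The four manual checks in steps 1 to 4, combined into one pass over data already captured from a page load. This is an added example, not code from this guide or from Sourcemap Explorer; `SIGNALS`, `fingerprint` and the sample input are hypothetical names and constructed values, and the patterns cover only the signals listed above.

```javascript
// Signals copied from the four checks in this guide, keyed by check, then CMS.
const SIGNALS = {
  generator: { WordPress: /^WordPress\b/i, Drupal: /^Drupal\b/i, Ghost: /^Ghost\b/i },
  asset: {
    WordPress: /\/wp-(content|includes)\//, Drupal: /\/sites\/default\/files\//,
    Shopify: /cdn\.shopify\.com\//, Magento: /\/pub\/static\//,
    Webflow: /<html[^>]*\bdata-wf-page\b/i, Ghost: /\/ghost\/assets\//,
  },
  header: {
    Drupal: /^x-drupal-cache:/i, Shopify: /^x-shopify-stage:/i,
    WordPress: /^x-pingback:/i, Magento: /^x-magento-/i, TYPO3: /^x-powered-by:\s*typo3/i,
  },
  cookie: {
    WordPress: /^wp_/, Shopify: /^_shopify_/, Drupal: /^Drupal\./,
    Magento: /^X-Magento-Vary$/, Ghost: /^ghost-members-ssr/,
  },
};

// Takes the view-source HTML, response headers and cookie names of one page
// load and reports which checks agree on which CMS.
function fingerprint({ html = "", headers = {}, cookies = [] }) {
  // Assumes name= precedes content= in the tag, as written in step 1.
  const m = html.match(/<meta\s+name=["']generator["']\s+content=["']([^"']*)/i);
  const inputs = {
    generator: m ? [m[1]] : [],
    asset: [html],
    header: Object.entries(headers).map(([k, v]) => `${k}: ${v}`),
    cookie: cookies,
  };
  const hits = {};
  for (const [check, table] of Object.entries(SIGNALS))
    for (const [cms, re] of Object.entries(table))
      if (inputs[check].some((s) => re.test(s))) (hits[cms] = hits[cms] || []).push(check);
  // Rank by how many independent checks agree; ties break alphabetically.
  const ranked = Object.entries(hits)
    .map(([cms, checks]) => ({ cms, checks }))
    .sort((a, b) => b.checks.length - a.checks.length || a.cms.localeCompare(b.cms));
  // "none" and "mixed" correspond to the two Troubleshooting cases.
  const verdict = ["none", "single"][ranked.length] || "mixed";
  return { verdict, ranked };
}

// Constructed sample: generator tag stripped, WordPress assets, Shopify embed.
const sample = {
  html: '<html><link href="/wp-content/themes/x/style.css"><script src="https://cdn.shopify.com/s/buy.js"></script></html>',
  headers: { "X-Pingback": "https://example.test/xmlrpc.php" },
  cookies: ["wp_lang"],
};
console.log(JSON.stringify(fingerprint(sample)));
```

Run against your own site, the `checks` list shows which signals still identify the CMS after the generator tag has been stripped.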
Real-world example
Troubleshooting
No generator tag, no obvious CMS asset paths.
Likely a custom-built site without a traditional CMS, or a heavily-customized headless setup. Check for API routes (`/api/`, `/wp-json/`, `/_api/`) that reveal the backend.
Multiple CMS signals on the same page.
Possible multi-CMS stitch-up. Most likely explanation: the marketing site is on one CMS, a subdirectory or subdomain is on another.
Caveats
What to do next
For WordPress sites, the next steps are the plugin and theme enumeration guides. For Shopify, you're probably interested in the active theme and apps. For headless setups, follow the framework-detection guide to identify the frontend.
FAQ
Can a site hide its CMS?
Partially — it can strip the generator meta and obfuscate some cookie names. Structural signals (URL paths, the specific CMS's admin routes) are much harder to hide without breaking the site.
Is this the same as technology detection?
CMS detection is a subset. A fully featured detector identifies framework, libraries, CMS, hosting, analytics, payments and more. CMS is often the most informative single axis for content-heavy sites.