The DXP Scorecard — Independent Platform Evaluation
Scored on implementation experience
Not vendor briefings

Concrete CMS

Traditional CMS · Tier 2

Scored March 16, 2026 · Framework v1.1

Migration tax: 6 — higher switching friction from legacy architecture

Use-Case Fit

Marketing
56.8
Commerce
37.6
Intranet
57.1
Multi-Brand
60.5

Category Breakdown

1. Core Content Management

58
1.1.1
Content type flexibility
58H

Concrete CMS models content through page attributes (text, textarea, boolean, image/file, address, date, number, URL, email, rating, select, topics, etc.) and the Express system for custom relational data objects. ~12–15 built-in attribute types cover most use cases but there is no repeater/matrix field equivalent for page attributes. No schema-as-code option. Custom attribute types require PHP development.

1.1.2
Content relationships
60M

Express supports associations (one-to-many and many-to-many) between Express objects, with traversal available through the PHP API. Page-to-page relationships exist via the Page Selector attribute and page alias system. Relationships are functional but not graph-native; there is no bidirectional query API or reverse-lookup shorthand comparable to Craft or Hygraph.

1.1.3
Structured content support
60M

Block-based page composition is Concrete CMS's core paradigm — content areas hold multiple block types that can be reordered. Express blocks allow embedding structured data objects inside pages. However, there is no matrix/nested-block field for deeply composing structured components within a single entry; nesting is limited to the page-level block stack.

1.1.4
Content validation
62M

Each attribute type includes standard validation rules: required, text min/max length, file type and size restrictions for image/file attributes, date range constraints. Unique constraint support for Express attributes was added in 9.1.0. Custom validation is achievable via PHP event hooks pre-save. No cross-field validation GUI or rule-engine builder.

1.1.5
Content versioning
70H

Page versioning is a core Concrete CMS feature: every edit creates a new version, full version history is viewable, rollback is one click. The 9.1.0 release added HTML diff comparison between arbitrary page versions. Scheduled publishing is natively supported. No content branching or diff UI for non-page content (Express objects, files).

1.2.1
Visual/WYSIWYG editing
82H

In-page visual editing is Concrete CMS's founding differentiator. Editors click any content area on the live page, add blocks, and drag-and-drop to rearrange — no form-based panel required. Non-technical users can reorganize page layouts entirely within the front-end. This is genuine in-page visual editing comparable to best-in-class, making it one of the strongest scorers on this criterion among traditional CMSes.

1.2.2
Rich text capabilities
62H

Concrete CMS 8+ uses CKEditor as the standard rich text editor, providing solid formatting, embedded images/files, and paste handling. Output is an HTML blob stored in the database. No portable AST format; custom node types require CKEditor plugin development. Adequate for web-first publishing but not channel-agnostic.

1.2.3
Media management
52M

Concrete CMS includes a file manager with folder organization, search, metadata fields (custom attributes on files), and basic in-browser image editing. No documented native image transform system with focal point or WebP/AVIF output. CDN integration is available via external configuration (CloudFront, Azure Blob Storage) but not built in. Below average for modern media handling.

1.2.4
Real-time collaboration
40M

No evidence of real-time co-editing in Concrete CMS. The version/approval workflow model is sequential — editors create a draft that routes through approvers. Last-write-wins behavior applies when multiple users edit concurrently without locking. No presence indicators or conflict resolution documented.

1.2.5
Content workflows
68H

Workflow is a native Concrete CMS feature. Editors can attach multi-stage approval workflows to any page or page type via permissions. Role-based stage transitions, notification emails, and audit trail via version history are supported. Scheduled publishing integrates with workflows. More capable than a basic draft/published toggle and does not require a plugin.

1.3.1
API delivery model
58H

A built-in REST API with OAuth2 and OpenID Connect authentication is available since Concrete 9.2+. Documented endpoints cover pages, files, Express objects, and more. No GraphQL API — the 2022 proposal noted GraphQL work had 'not yet been started' and there is no evidence it has shipped as of 2025/2026. REST API is functional for headless use but not built with headless-first filtering/sorting depth.

1.3.2
CDN and edge delivery
38H

Concrete CMS is primarily self-hosted open source with no built-in CDN. CDN integration requires external configuration (CloudFront, Azure CDN) following community tutorials. The official enterprise hosting from the Concrete CMS team includes managed infrastructure but is not a globally distributed CDN with sub-second cache purge. Score reflects the majority self-hosted deployment pattern.

1.3.3
Webhooks and event system
40M

Concrete CMS has an internal PHP application events system (on_page_version_approve, etc.) but no native HTTP webhook delivery layer. Outbound webhooks are not a documented built-in feature; the marketplace may have add-ons. No HMAC payload signing, retry logic, delivery logs, or per-event filtering documented in core.

1.3.4
Multi-channel output
48H

Concrete CMS is a traditional coupled CMS with a REST API added as a secondary capability. Rich text output is raw HTML, not a channel-agnostic AST. There are no official SDKs for JavaScript, Swift, Kotlin, or other non-PHP runtimes. The platform can serve as a headless backend via REST but was designed for web-first Twig templating and does not match the multi-channel output quality of purpose-built headless platforms.

2. Platform Capabilities

39
2.1.1
Audience segmentation
35M

Concrete CMS has a native user group and user attribute system that can drive block-level content visibility rules — basic rule-based segmentation for logged-in users. There is no CDP integration or real-time behavioral segmentation engine. This is functional for gated/role-based content but falls well short of modern marketing segmentation.

2.1.2
Content personalization
38M

Concrete CMS supports showing or hiding page blocks based on user group membership, providing basic rule-driven personalization. No content variant system or in-editor audience preview exists. External decision engines are not natively bridged, placing this firmly in the basic tier.

2.1.3
A/B and multivariate testing
20H

No native A/B testing exists in Concrete CMS core or as an official first-party marketplace add-on. Any experimentation would require fully external tooling (e.g., services that replaced Google Optimize, LaunchDarkly). Score reflects complete absence of built-in experimentation.

2.1.4
Recommendation engine
15H

Concrete CMS has no built-in algorithmic recommendation engine. Content discovery relies entirely on manual editorial curation (related pages blocks, manual linking). No ML-based or collaborative filtering capability found in core or marketplace.

2.2.1
Built-in search
45H

Concrete CMS ships with a full-text search engine backed by MySQL FULLTEXT indexing, covering page name, description, and text content fields. Faceting, typo tolerance, and advanced relevance tuning are absent. Adequate for small-to-mid sites but lacking enterprise search features.

2.2.2
Search extensibility
40M

No official Algolia or Elasticsearch marketplace add-on was found for Concrete CMS. Some community Packagist packages targeting concrete5/Algolia exist but lack official support or documented patterns. Custom webhook-based integration is possible but requires custom development.

2.2.3
AI/semantic search
20H

No native vector search, embedding generation, or LLM-powered search capability exists in Concrete CMS. Semantic search would require fully custom external integration. Score reflects complete absence of AI search features.

2.3.1
Native commerce
52H

The Community Store is a widely adopted, actively maintained free add-on that provides a full e-commerce stack (product catalog, cart, checkout, shipping modules, payment integrations) within Concrete CMS. While technically a marketplace add-on rather than core, it is the de facto standard and receives active development with 2025–2026 updates. Not scoring as high as true core commerce because it is add-on dependent.

2.3.2
Commerce platform integration
45M

Two Shopify integration add-ons exist on the Concrete CMS marketplace (eCommerce with Shopify, Hutman Shopify Integration), providing product embed and checkout bridging. These are marketplace add-ons without deep bidirectional sync or live product federation. No commercetools, BigCommerce, or SFCC connectors found.

2.3.3
Product content management
42M

Community Store provides product-specific field patterns (name, description, attributes, images, SKUs) within Concrete CMS's content model. Editorial product content management is functional but not as sophisticated as purpose-built PIM tools. Generic content types are repurposed with product structure via the add-on.

2.4.1
Built-in analytics
48H

Concrete CMS offers built-in page-view statistics, form results tracking, download statistics, and Matomo integration as highlighted on its features/analytics page. An Extended Google Analytics dashboard add-on surfaces GA data within the CMS UI. This goes beyond operational metrics into content performance but lacks deep engagement analytics.

2.4.2
Analytics integration
55H

Google Analytics tracking code injection is supported natively via Dashboard → System & Settings → Tracking Codes. Matomo is a featured first-party integration. Extended GA add-on provides OAuth2-based dashboard views of GA data. Documented patterns exist for major analytics platforms, though Segment/Amplitude are not explicitly supported.

2.4.3
Content intelligence
28M

Concrete CMS supports basic content tagging and categorization but has no AI-powered content intelligence, SEO scoring, topic clustering, or content gap analysis built in. Some SEO add-ons exist on the marketplace but fall short of content intelligence tooling.

2.5.1
Multi-site management
65H

Concrete CMS has a well-established native multi-site (multi-locale) architecture where a single installation hosts multiple language/locale site trees under one account. Sites can share components and block types. Dashboard-level management is centralized. Governance tools are basic but the multi-site capability itself is robust and is a known platform strength.

2.5.2
Localization framework
62H

Concrete CMS uses document-level localization via separate page trees per locale with built-in copy-locale functionality and locale associations. RTL language support is native. Field-level localization is not available — content changes require page-level duplication. Solid for mid-market multilingual sites but not field-level.

2.5.3
Translation integration
35M

Concrete CMS has a Translations Manager add-on and community translation infrastructure at translate.concretecms.org for interface/UI strings. No official integrations with enterprise TMS platforms (Phrase, Smartling, Lokalise, Crowdin) were found in the marketplace. Translation of page content is primarily manual. Score reflects custom webhook-only path.

2.5.4
Multi-brand governance
30M

Concrete CMS supports user group permissions and multi-site trees that can approximate brand separation, but there are no dedicated cross-brand governance tools, shared component libraries with policy enforcement, or global style/approval workflow controls. Multi-site management is present but governance is basic.

2.6.1
AI content generation
30M

Concrete CMS has community and marketplace add-ons that integrate GPT-4 Turbo for meta title/description generation and draft content assistance. The January 2026 roundup notes new AI marketplace add-ons. However, these are immature add-ons without brand voice controls, field-type awareness, or enterprise-grade AI generation. The platform's own AI blog posts position it as guidance for using external AI tools rather than showcasing native AI features.

2.6.2
AI-assisted workflows
25M

Emerging community AI add-ons are appearing in the Concrete CMS marketplace (2025–2026) for metadata generation and tagging assistance. A community proposal for 'skills files' for LLM assistance was noted in early 2026. This is nascent — no comprehensive auto-tagging, quality checking, or smart scheduling workflows exist yet.

2.6.3
AI governance & trust
18M

No formal AI governance layer exists in Concrete CMS — no audit trails for AI-generated content, no hallucination detection, no brand safety controls, and no prompt governance tooling. The platform's positioning treats AI as an external assistant, with no governance infrastructure built around AI outputs.

3. Technical Architecture

53
3.1.1
API design quality
50H

Concrete CMS ships a built-in REST API since 9.2+ with OAuth2 and OpenID Connect authentication; a community API Proposal package (9.1.1+) adds more endpoints documented via Swagger UI. No GraphQL API exists — the 2022 proposal explicitly stated 'GraphQL work has not yet been started' and no evidence of delivery by 2026 was found. Filtering and sorting depth is limited compared to headless-first platforms.

3.1.2
API performance
44M

Concrete CMS is a self-hosted PHP platform with no built-in CDN or documented API rate limits. CDN integration requires external configuration via CloudFront or Azure CDN tutorials. No published throughput benchmarks or pagination ceiling documentation for the REST API. The official enterprise hosting does not publish CDN-backed API delivery specs.

3.1.3
SDK ecosystem
32H

No official SDKs are published for JavaScript, TypeScript, Python, Ruby, Java, .NET, or mobile. The platform is PHP-native and the PHP application framework is the primary developer surface. Community packages exist on Packagist and the Concrete Marketplace for PHP, but no multi-language official SDK ecosystem has been established.

3.1.4
Integration marketplace
62H

The Concrete CMS Marketplace lists thousands of add-ons and themes spanning SEO, forms, e-commerce, analytics, translation, and authentication. 2025 updates include Macareux SAML Authentication (SSO), email campaign tools, and gallery/layout add-ons. Breadth is solid for a tier-2 traditional CMS, though the marketplace skews PHP-commercial and many integrations are narrow single-purpose add-ons rather than platform-grade integrations.

3.1.5
Extensibility model
68H

Concrete CMS provides a mature PHP extensibility model: custom block types (UI and rendering), custom packages (multi-feature bundles), custom attribute types, custom single pages, custom themes, and a PHP event/hook system throughout the core (on_page_version_approve, etc.). Developers have full server-side access with framework-level hooks. No headless App Framework for cloud-hosted JavaScript extensions exists, but for a self-hosted PHP CMS the extensibility depth is strong.

3.2.1
Authentication
63H

OAuth2 and OpenID Connect are built into the Concrete CMS REST API core for API token management. SAML 2.0 SSO is available via a marketplace add-on (Macareux SAML Authentication added 2025) rather than in core, creating procurement friction. MFA support exists via PHP-based extensions. SSO requiring a third-party add-on rather than being core functionality scores below the 78+ threshold for mid-tier inclusion.

3.2.2
Authorization model
68H

Concrete CMS has a sophisticated RBAC system: group-based user management, granular page/page-type-level permissions, time-based access control (restrict editing to business hours, grant temporary access), permission exclusions for rule exceptions, and custom single-page permissions. This exceeds predefined-roles-only. No field-level permissions are documented, and content-instance access control (see only your own entries) is not a core GUI feature.

3.2.3
Compliance certifications
38M

No public documentation of SOC 2 Type 2, ISO 27001, or HIPAA BAA was found for PortlandLabs or the official Concrete CMS hosting product. As an open-source self-hosted platform, compliance posture depends entirely on the customer's infrastructure provider. GDPR-relevant features (data consent, privacy) are available but no formal DPA or certification by the vendor was found.

3.2.4
Security track record
63H

Concrete CMS operates a responsible disclosure program via HackerOne, with a public CVE tracker and disclosures at concretecms.org/security. Most disclosed CVEs are low-to-medium severity stored XSS vulnerabilities requiring rogue administrator access. January 2025 saw a batch of CVEs upgraded to 'Medium' via CVSS 4.0 recalibration. No evidence of major data breaches, critical RCE, or supply-chain compromise was found. Disclosure quality is good relative to the open-source CMS peer group.

3.3.1
Hosting model
72H

Concrete CMS is available as self-hosted open source (PHP/MySQL on any LAMP/LEMP stack) and via official enterprise hosting from PortlandLabs with GitLab deployment, managed PHP/MySQL, and direct core-team support. The dual model provides flexibility for regulated industries (self-hosted) and managed convenience. No VPC or private cloud option is documented for the managed offering.

3.3.2
SLA and uptime
36H

The Standard Hosting SLA page states that PortlandLabs 'makes no guarantees on uptime availability' under the standard agreement. Custom SLAs are noted for larger packages but no published uptime percentage was found. Self-hosted installations carry no vendor SLA by definition. No public status page was found for the official Concrete CMS hosted offering. This places Concrete CMS firmly in the no-formal-SLA tier.

3.3.3
Scalability architecture
50M

Concrete CMS uses a standard PHP/MySQL architecture with no built-in horizontal scaling, auto-scaling, or CDN delivery. Scalability is entirely dependent on the operator's infrastructure choices (load balancers, Redis caching, CDN). No documented enterprise-scale references or published API throughput benchmarks were found. Adequate for mid-market self-hosted deployments but not enterprise-proven at scale.

3.3.4
Disaster recovery
43M

The official enterprise hosting includes automated backups and managed infrastructure, but no published RTO/RPO documentation, retention policies, or multi-region failover specification was found. For self-hosted deployments, backup and DR responsibility falls entirely to the operator. Content export via database dump is possible but no built-in export tooling comparable to headless platforms was documented.

3.4.1
Local development
70H

Concrete CMS is a PHP application that runs fully on a local LAMP/LEMP/MAMP stack, DDEV, Docker Compose, or any PHP 8.x environment. The Virtuozzo platform documents a one-click Concrete CMS deployment. The GitHub repository is Composer-managed, enabling standard PHP local setup. The `concrete/bin/concrete5` CLI handles cache clearing, migrations, and other tasks. No official DDEV quickstart comparable to Craft's, but local development is well-supported.

3.4.2
CI/CD integration
52M

The official enterprise hosting uses GitLab deployment pipelines. Concrete CMS does not have a schema-as-code system comparable to Craft's Project Config — content model configuration is stored in the database, not version-controlled YAML. Environment management (dev/staging/prod) exists in the hosted offering but no branch-per-PR content environment support was documented. Standard PHP deployment patterns (Deployer, Capistrano) apply for self-hosted.

3.4.3
Documentation quality
62H

Official developer documentation at documentation.concretecms.org covers the 9.x REST API, block/package/attribute development, permissions, and the PHP API namespace reference. User guides cover the full editorial experience. Documentation is functional but reflects a PHP-era development style with fewer framework-specific integration guides or interactive playgrounds compared to modern headless CMS documentation. No video learning platform or dedicated tutorial ecosystem was found.

3.4.4
TypeScript support
28H

Concrete CMS is a PHP-native platform with no official TypeScript SDK, no type generation from the content model, and no published npm packages. The REST API returns JSON that consumers can type manually, but there is no official @concretecms npm package, no codegen tooling, and no IDE type integration documented. PHP is the primary and nearly exclusive development language for the platform.

4. Platform Velocity & Health

52
4.1.1
Release frequency
65H

Concrete CMS ships roughly monthly patch releases: September, October, November, December 2025, and March 2026 are all confirmed. The 9.5.0 RC cycle (RC1 with Twig support, RC2 with PHP 8.5 readiness) is active. Cadence is consistent but incremental rather than high-velocity feature shipping.

4.1.2
Changelog quality
60M

GitHub releases provide per-version notes and the concretecms.org archive lists tagged versions. Monthly blog round-ups supplement the technical changelog. However, breaking change callouts and migration guides are not prominently structured — documentation lags behind the code by the project's own admission.

4.1.3
Roadmap transparency
60M

A public roadmap exists at concretecms.org/roadmap, and the community forum has a dedicated proposals-to-roadmap thread. Monthly town halls communicate near-term direction. The roadmap is public but lacks a voting/prioritization mechanism (no Canny or GitHub Discussions upvotes), making it moderately transparent.

4.1.4
Breaking change handling
55M

The project uses semver-compatible versioning on the 9.x line and has formally dropped security patches for v8, indicating a structured LTS approach. No automated codemods or formal deprecation-window policy was found in documentation. Transition handling is present but not enterprise-grade.

4.2.1
Community size
42M

The main GitHub repository has modest star counts (sub-1K based on search results showing the split repo at 19 stars). LinkedIn shows only 7 active job postings. Wikipedia cites 258+ contributors as of 2023. The platform has an active but small community — larger than a hobby project but well below mainstream open-source CMS platforms.

4.2.2
Community engagement
55M

Monthly town halls, active community forums, and named GitHub contributors (mlocati, hissy, gutig, ahukkanen and others) signal real engagement. The community round-ups highlight individual contributor work publicly. Engagement is genuine but constrained by community size; response times and issue resolution are not enterprise-fast.

4.2.3
Partner ecosystem
48M

Concrete CMS has a formal certified services partner program with a certification test and partner directory. AWS partnership exists. However, the certified partner list is small (regional agencies, no Tier-1 SIs such as Accenture or Deloitte), limiting enterprise delivery capacity. The program is legitimate but thin.

4.2.4
Third-party content
45M

Third-party content exists — agency blog posts, community forum tutorials, and some YouTube content — but no notable Udemy or Pluralsight courses were found, and conference talk presence is minimal. The content ecosystem supports getting started but does not validate broad market adoption.

4.3.1
Talent availability
38H

Only 7 active LinkedIn job postings in the US for Concrete CMS. Upwork lists freelancers, and the platform maintains a jobs forum, but demand is thin. No certification program tied to major learning platforms, and the platform is absent from Stack Overflow Developer Survey recognition. Talent supply is restricted to a small niche pool.

4.3.2
Customer momentum
47M

PortlandLabs won the SourceForge Fall 2025 and Winter 2026 Leader Awards in Web Content Management, indicating an active user base submitting reviews. Monthly releases signal ongoing development. However, no major enterprise logo announcements or notable case study publications were found, and the platform appears stable rather than growing.

4.3.3
Funding and stability
50M

PortlandLabs is a small, privately held company with no disclosed funding rounds. The platform has operated continuously since 2008 and shows no signs of distress (no layoffs found, ongoing releases, active AWS partnership). Stability is credible for a self-sustaining bootstrapped open-source company, but the lack of growth capital caps long-term velocity.

4.3.4
Competitive positioning
45M

Concrete CMS targets SMBs and government/military websites with a focus on inline editing and permissions. The platform has a clear niche but lacks analyst recognition (absent from Gartner MQ and Forrester Wave) and is not well-differentiated against Drupal or WordPress in broader market perception. Government focus is a defensible vertical but limits total addressable market.

4.3.5
Customer sentiment
58H

G2 rating is 4.5/5 stars — strong quality signal — but with only 66 reviews, volume is well below the 200+ threshold for top-tier scoring. Positive themes: editor ease, extensibility, developer flexibility. Negative themes: documentation gaps, occasional UX complexity. The high rating with thin review volume maps to the 45–60 range per formula, trending toward the top given the rating quality.

5. Total Cost of Ownership

67
5.1.1
Pricing transparency
65H

Concrete CMS publishes managed hosting tiers openly: Starter at $4.99/mo and Business at $19/mo (both billed annually). Enterprise/custom SLA pricing is sales-gated. The core software is free and open source (MIT), so the most common deployment path has zero licensing cost. Deducted for annual-billing-only managed plans and sales-gated Enterprise.

5.1.2
Pricing model fit
72H

Self-hosted (the primary deployment path) has zero license cost — completely flat and predictable. Managed hosting uses simple flat-fee tiers with clear page-view and editor-seat limits. No API metering or bandwidth overages in managed tiers. The only friction is the lack of a monthly billing option on managed plans.

5.1.3
Feature gating
68H

All core CMS features are fully available in the free open-source self-hosted version — no functional capability is locked behind a paid tier. Managed hosting tiers gate on operational features (page views, storage, editor seats) rather than CMS functionality. The marketplace has some paid add-ons for extended features, with user reports of arbitrary pricing on a limited add-on selection.

5.1.4
Contract flexibility
60M

Managed hosting is annual-only with no clearly published monthly option. However, the self-hosted path has no contract or lock-in whatsoever. No evidence of startup discounts, nonprofit pricing, or education programs was found on the pricing page. The annual-only managed billing is a mild friction point for teams evaluating commitment.

5.1.5
Free / Hobby Tier
72H

The full CMS software is free forever under the MIT license and can be self-hosted on any PHP host. This is a genuine, permanent, commercially permissive free path rather than a trial. However, users still need to provision and pay for their own PHP hosting, so it is not a zero-cost managed free tier. No managed free tier exists.

5.2.1
Time-to-first-value
68M

Concrete CMS runs on standard PHP and can be installed on shared hosting in minutes using standard tooling. The inline page-editing model means content editors can be productive quickly. User reviews note end-users can be trained 'in minutes instead of hours or days.' Setup is slightly more involved than a pure SaaS product but comparable to Craft CMS or Joomla.

5.2.2
Typical implementation timeline
66M

Community reviews consistently describe fast deployments for typical marketing sites, with one review noting 'development time and cost is nearly cut in half.' The inline visual editing model reduces back-and-forth with content teams. Complex enterprise builds require more custom theme and add-on work, but there is no evidence of consistently longer-than-expected timelines.

5.2.3
Specialist cost premium
62M

Concrete CMS is PHP-based using mainstream web skills, keeping the specialist premium lower than proprietary Java or .NET DXPs. However, its talent pool is significantly smaller than WordPress, meaning hiring a developer with specific Concrete CMS experience commands a moderate premium. PHP generalists can ramp up reasonably quickly.

5.3.1
Hosting costs
67H

Self-hosted deployments run on commodity PHP/MySQL hosting from ~$5–15/month, making it one of the cheapest operational options in this dataset. Official managed hosting starts at $4.99/month (Starter) or $19/month (Business), which is very affordable. Enterprise managed deployments add cost for staging, CDN, and custom infrastructure but still benefit from low base infra overhead.

5.3.2
Ops team requirements
57M

Self-hosted deployments require routine PHP server maintenance, CMS core updates, and plugin patching — typical of any traditional CMS. Official managed hosting handles upgrades automatically, reducing ops burden significantly for that path. Most production deployments will be self-hosted, meaning moderate ops overhead is the realistic norm.

5.3.3
Vendor lock-in and exit cost
72H

As MIT-licensed open source software with a standard MySQL/PostgreSQL database, Concrete CMS has low exit cost. Content and data are stored in standard relational DB tables and file system assets — both exportable with standard tooling. Moving from managed hosting to self-hosted or a different provider is straightforward since the platform is portable. Proprietary add-ons from the marketplace could add minor migration complexity.

6. Build Simplicity

47
6.1.1
Concept complexity
45M

Concrete CMS introduces a substantial proprietary vocabulary: Pages, Areas, Blocks, Stacks, Themes, Express (a bespoke no-code relational data system), Attributes, Single Pages, Asset Groups, and Packages. The Page/Area/Block hierarchy and the Express data model have no equivalents in mainstream PHP or JavaScript frameworks. Complexity is comparable to Drupal in breadth but without Drupal's industry recognition.

6.1.2
Onboarding resources
42M

Official docs exist at documentation.concretecms.org with a developer guide, user guide, and API reference, plus a YouTube series and a certification program at training.concretecms.com. However, there is no interactive sandbox, no structured learning path, no headless quick-start guide, and the REST API docs are thin. The existence of an explicit 'How to Learn Concrete CMS' page signals that the onboarding journey is not self-evident.

6.1.3
Framework familiarity
38M

Concrete CMS uses a custom PHP MVC framework — not Symfony, not Laravel — with server-rendered PHP templates. There are no official npm packages, no React/Vue/Next.js SDK, and no first-class headless frontend integration path. Developers from modern JS ecosystems or mainstream PHP frameworks find almost nothing that transfers directly. The REST API was added in v8.5 but remains nascent.

6.2.1
Boilerplate and starter quality
35H

No official Next.js, Nuxt, Astro, or React starter template exists. No CLI scaffolding tool. The only package boilerplate is a community-maintained third-party repo (MacareuxDigital/v9_package_boilerplate on GitHub). Marketplace themes are paid commercial products, not development starting points. This is a meaningful gap relative to modern headless platforms and even Joomla.

6.2.2
Configuration complexity
50M

Installation via Composer + interactive CLI or zip upload is straightforward for PHP developers, with standard PHP/MySQL requirements. However, there is no config-as-code, no official Docker dev environment, and no environment variable management pattern. The REST API must be explicitly enabled via the Dashboard UI. Production hardening requires a separate 'Configuration Best Practices' doc, which adds manual steps not needed on modern SaaS platforms.

6.2.3
Data modeling constraints
48M

Content modeling uses Attributes (typed metadata) and Express (a proprietary relational object builder). There is no migration tooling for schema evolution, no TypeScript type generation, and no schema-as-code workflow. Express relationships are managed entirely within Concrete's proprietary system and do not map naturally to REST API output without additional wiring. Structural changes (reorganizing Express associations, changing attribute types) carry risk on live content.

6.2.4
Preview and editing integration
62H

In-context WYSIWYG editing is a core Concrete CMS strength — editors click directly on page elements in Edit Mode with full draft/version management and built-in workflow approvals. For the coupled architecture, preview fidelity is excellent. The significant penalty: for headless/decoupled setups there is no draft preview API, no webhook-based preview trigger, and no Next.js draft mode integration, making this capability entirely server-side only.

6.3.1
Required specialization
42M

Building custom Blocks requires learning Concrete's proprietary controller/view/form structure. Extending the REST API requires platform-specific service provider and routing patterns. The certification program exists but is Concrete-specific and not a portable credential. The developer talent pool is small (GitHub ~2.6k stars), making staffing harder than for Drupal, WordPress, or modern headless platforms. Standard React or Laravel knowledge does not transfer.

6.3.2
Team size requirements
52M

A solo PHP developer can build and deploy a traditional Concrete CMS site; a 2-person team (developer + content strategist) is viable for moderate complexity. Self-hosted deployments require ops/sysadmin capability unless using managed hosting. For headless usage the team expands to include a separate frontend developer since the REST API is immature and the skill sets do not overlap. Leaner than DXP platforms, but heavier than SaaS headless CMS for decoupled use cases.

6.3.3
Cross-functional complexity
58M

The in-context editing model allows content editors to work directly on live pages without developer involvement for routine content updates. 30+ built-in block types cover common content needs, and the built-in approval workflow reduces governance overhead. Penalties: adding new content types (custom blocks, Express objects) requires PHP development; configuring permissions and ACLs requires developer involvement; the admin dashboard can overwhelm non-technical users. Ongoing ops friction is lower than Drupal but higher than WordPress or modern SaaS CMS.

7. Operational Ease

47
7.1.1
Upgrade difficulty
42H

Concrete CMS upgrades are self-hosted and require database migrations applied on first page visit after file replacement; no downgrade path exists — only backup restore. The v8→v9 migration is documented as 'a large one' with potential browser timeout issues requiring CLI fallback. Biannual minor releases and monthly patches mean reasonably frequent upgrade events.

7.1.2
Security patching
48H

Concrete maintains an active security program via HackerOne with a 5-day acknowledgment SLA and monthly patch releases. However, patches are only guaranteed in the next release cycle — no immediate out-of-band patches — and the platform had multiple CVEs in early 2026 (XSS, CSRF fixed in 9.4.8). Self-hosted teams must manually apply each release to benefit from fixes.

7.1.3
Vendor-forced migrations
62M

As an open-source platform, Concrete CMS imposes no vendor-controlled forced migrations; teams upgrade on their own schedule. The ESM (Expanded Security Maintenance) model provides at least 3 years of critical security updates on the last minor of each major version, giving reasonable runway. The v8→v9 shift was significant but voluntary.

7.1.4
Dependency management
52H

Concrete CMS runs on a standard LAMP stack (PHP 8.x, MySQL/MariaDB, Apache or Nginx) with no mandatory external services — a relatively contained dependency graph. PHP version tracking is required as the platform advances (PHP 8.4/8.5 compatibility work noted for 9.5). No complex microservices or managed search/CDN dependencies.

7.2.1
Monitoring requirements
35M

Concrete CMS provides no native APM, usage dashboards, or built-in status observability. Self-hosted teams must set up all web server, PHP-FPM, database, and application-layer monitoring independently. The WebOps tutorial references cron jobs and CLI operations but no monitoring tooling.

7.2.2
Content operations burden
42M

Concrete CMS offers a traditional page/block editing model with no documented automated content hygiene tooling — no orphan detection, broken link alerts, or content expiry workflows built in. Content governance relies on manual editorial discipline. The Marketplace has some add-ons but no native automation.

7.2.3
Performance management
42M

Performance is entirely customer-managed for self-hosted deployments: cache configuration, database query tuning, CDN selection, and PHP memory settings all require explicit setup. Slow admin page rendering on older hardware is noted in reviews. The hosted/cloud offering reduces some burden but is not the default mode.

7.3.1
Support tier quality
45M

Formal paid support is available primarily through the managed hosting offering; the open-source community edition relies on forums and community channels. The G2 profile is noted as inactive for over a year and the developer documentation is described as lacking, making it harder to self-serve. Reasonable for a tier-2 open-source CMS but not enterprise-grade support.

7.3.2
Community support quality
52M

Concrete CMS has an active community, described as passionate, with forums and community channels providing reasonable coverage for common issues. It is smaller than the WordPress and Joomla communities, with documentation gaps that frustrate developers on edge cases. Core team participation exists but the community is niche.

7.3.3
Issue resolution velocity
50M

Monthly patch releases with an active HackerOne security program and 5-day acknowledgment SLA demonstrate reasonable velocity for a community-driven platform. Multiple CVEs were identified and patched within the monthly cycle. General bug resolution follows community contribution cadence, which is slower than a fully staffed vendor.

8. Use-Case Fit

54
8.1.1
Landing page tooling
66H

Concrete CMS has a native drag-and-drop block editor (concretecms.com/features/drag-and-drop-website-builder) where marketers can add layout columns and drop content blocks without writing code. Page types for ad landing pages can be excluded from navigation. Scores 66 rather than higher because the block-area model is less WYSIWYG than modern page builders like Elementor and requires some setup for custom layouts.

8.1.2
Campaign management
35M

Concrete CMS has scheduled publishing and integrations with Mailchimp, Constant Contact, and Mautic via add-ons, but no native campaign management, content calendar, or multi-channel campaign coordination. Marketers must rely entirely on external tools for campaign lifecycle. Score reflects the typical range for traditional CMS platforms without dedicated campaign tooling.

8.1.3
SEO tooling
69H

Concrete CMS includes built-in SEO controls: meta title/description/keywords per page, a Bulk SEO Updater for site-wide meta management, custom URL slugs, automatic XML sitemap generation, and redirect management. The official SEO feature page (concretecms.com/features/seo-software) details these capabilities. Missing Schema.org structured data automation keeps it below 75.

8.1.4
Performance marketing
52M

A native form builder (drag-and-drop, no code) is included for lead capture. Integration with external marketing automation (Mailchimp, Mautic) is available, but there is no built-in conversion tracking, UTM parameter management, or CTA analytics. Score reflects solid form handling with minimal native conversion tooling.

8.2.1
Product content depth
46M

The Community Store add-on enables basic product content: images, variants (size/color) with distinct pricing, stock tracking, and product grids. However, it is a community-maintained add-on, not a core feature, and is not purpose-built for rich editorial product content at scale. Some reviews note it as outdated relative to dedicated commerce platforms.

8.2.2
Merchandising tools
24M

Community Store includes basic discount codes and automatic discounts but has no cross-sell/upsell content management, category search merchandising, or promotional content scheduling tools. This is typical for CMS-based community add-ons; Concrete CMS is not a commerce-first platform.

8.2.3
Commerce platform synergy
40M

A Shopify Integration add-on is listed on the Concrete CMS Marketplace (market.concretecms.com), allowing Shopify products and checkout to be embedded in Concrete CMS pages. This represents a basic product picker/embed integration rather than deep API federation or real-time content+product co-authoring. No documented integration with commercetools, SFCC, or BigCommerce.

8.3.1
Access control depth
68H

Concrete CMS has a well-documented granular permissions system: permissions can be set at page, page type, or area level, inherited by child pages, and scoped to user groups, individual users, or custom roles. SSO integration is supported and used in production (BASF enterprise intranet case study). Intranet is an explicit use-case vertical for the platform. Score stops short of 75 because field-level sensitivity is not a native feature.

8.3.2
Knowledge management
52M

Concrete CMS supports version history, approval workflows, and content moderation, which together cover the basic knowledge article lifecycle. There is no native knowledge taxonomy, content expiry/review scheduling, or internal search tuning beyond site search defaults. Functional for moderate intranet needs but lacks dedicated knowledge management tooling.

8.3.3
Employee experience
50M

Concrete CMS actively markets HR portal and internal communications solutions (concretecms.com/applications/human-resources-portal), with configurable news feeds, team pages, and SSO-backed access. This is a step above most generic CMS platforms for intranet use. However, it lacks native employee directory integration, social features (likes/comments), or a mobile app, keeping it in the low-50s range rather than 60+.

8.4.1
Tenant isolation
58M

Concrete CMS supports multi-site architecture from a single installation with separate content trees, separate user bases, and configurable permission isolation per site. The IMCOM case study (hundreds of garrison websites on one install with compliance controls) validates silo-based isolation at scale. This is not a true multi-tenant SaaS architecture with independent environments, but provides meaningful separation.

8.4.2
Shared component library
58M

Multi-site installs in Concrete CMS share a single codebase, theme, and block library, allowing centrally maintained templates and blocks to be reused across all sites while permitting local overrides. Branding consistency is a stated feature of the multi-site product. This is not a federated content API model, but it provides shared component infrastructure through the install architecture.

8.4.3
Governance model
62M

The IMCOM deployment demonstrates centralized compliance and security controls across hundreds of sites, with thousands of individual content managers operating within enforced governance. Concrete CMS provides centralized user management, permission templates, and workflow enforcement across the multi-site network. Cross-brand approval workflows are limited to within-site workflows rather than a true cross-brand governance console.

8.4.4
Scale economics
65M

Concrete CMS is open source (free community edition), so adding sites does not incur per-brand licensing fees — only infrastructure and managed hosting costs scale. The multi-site architecture runs many sites on one install, reducing server overhead versus separate deployments. Commercial support packages exist but are not required per-site. This gives strong scale economics for organizations running many brand or regional sites.

9. Regulatory Readiness & Trust

46
9.1.1
GDPR & EU data protection
28M

The privacy policy references the invalidated EU-US Privacy Shield framework (struck down 2020) with no mention of SCCs or the EU-US Data Privacy Framework. No DPA is listed on the legal pages, no sub-processor list is published, and EU data residency options are not documented. The policy scope explicitly excludes websites built on or hosted by Concrete CMS, directing GDPR questions elsewhere.

9.1.2
HIPAA & healthcare compliance
50M

PortlandLabs hosting undergoes external HIPAA/HITECH audit validation and the compliance page confirms hosting satisfies HIPAA controls. However, no explicit BAA is published or advertised as available, and there is no healthcare-specific documentation in the open-source project. For managed hosting customers, HIPAA alignment exists but BAA availability is not confirmed publicly.

9.1.3
Regional & industry regulations
62M

PortlandLabs hosting meets FedRAMP Moderate (DoD Impact Level 2) with continuous monitoring — a significant differentiator at this tier. HIPAA/HITECH and PCI-DSS are validated through external audits. The privacy policy explicitly states CCPA does not apply to Concrete CMS's own business. UK GDPR, LGPD, PIPEDA, and other regional frameworks are not addressed.

9.2.1
SOC 2 Type II
65M

SOC 2 Type 2 is confirmed for both hosting services and open-source development activities, covering Security and Availability Trust Service Criteria. The report is available upon request. Supply chain SOC 2 reports (AWS, Atlassian, Google Cloud, New Relic) are also reviewed. This is managed hosting scope; the open-source software itself does not carry a SOC 2 attestation.

9.2.2
ISO 27001 / ISO 27018
62M

PortlandLabs holds ISO 27001 certification, described as proving 'a robust security and risk management program.' Certificates are available upon request. ISO 27018 (cloud PII processing) is not mentioned. The certification scope appears to cover the hosting and development operations, not the open-source software package independently.

9.2.3
Additional certifications
68M

Beyond SOC 2 and ISO 27001, PortlandLabs holds FedRAMP Moderate (DoD IL2) and has PCI-DSS and HIPAA/HITECH external audit validation. The platform participates in HackerOne for vulnerability disclosure with monthly security patches and CVE tracking. AWS CIS benchmark alignment and FIPS 140-2 MFA for infrastructure access add depth. This is an unusually strong certification portfolio for a Tier 2 CMS.

9.3.1
Data residency & sovereignty
35M

Hosting infrastructure is AWS US-based. The FedRAMP environment is inherently US-only. No EU or APAC data residency options are documented. No contractual data residency guarantees are mentioned outside the FedRAMP-specific context. Self-hosted deployments can choose any region but without vendor contractual guarantees. This is a significant gap for EU-based customers.

9.3.2
Data lifecycle & deletion
42L

A 'Personal Information Deletion' page is listed in the legal index, indicating some process exists for data deletion requests. For the open-source platform, full database export is inherently available. However, no documented self-service data export portal for hosted customers was found, post-termination retention periods are not published, and the 'Personal Information Deletion' page itself returned 404. The hosting privacy policy page also returned 404.

9.3.3
Audit logging & compliance reporting
45M

Concrete CMS lists 'audit trails' as a platform feature alongside login history and content approval workflows. The framework documentation references 'auditive logging' for operations like page deletion and email sends. However, no SIEM integration, configurable log retention periods, or log export APIs are documented. The feature is basic — present but not enterprise-grade.

9.4.1
Authoring UI accessibility
35L

No formal WCAG 2.1 AA conformance documentation for the Concrete CMS authoring interface was found. The platform makes no documented ATAG 2.0 commitment. There is no accessibility conformance page for the CMS editor. The platform is used by US government agencies, which implies some Section 508 attention, but no formal statement or conformance report is published.

9.4.2
Accessibility documentation
28L

No VPAT or ACR (Accessibility Conformance Report) was found on concretecms.com or in the documentation. No Section 508 formal conformance statement is published. Given the platform's use by the U.S. Army and federal agencies, a VPAT likely exists internally or upon request, but it is not publicly accessible for procurement purposes.