Craft CMS

Craft CMS 5.x ships with 23 built-in custom field types and a flexible section/entry-type architecture (channels, singles, structures). Entry types became globally reusable in Craft 5, allowing the same content type to serve multiple sections, Matrix fields, and CKEditor contexts. Custom field types are fully supported via the plugin API. No native schema-as-code option prevents a higher score.

Craft's Relations field supports many-to-many, polymorphic element references (entries, assets, categories, users), and bidirectional reverse traversal via `relatedTo` and reverse-relation queries. Not graph-native, but reverse lookup is built into the element query API. Score held below 80 because graph traversal is more verbose than GraphQL-native platforms.

Craft's Matrix field enables block-based composition with unlimited nesting; the new Content Block field (Craft 5.x) provides reusable structured components that can be shared across entry types. CKEditor integration adds block nodes within rich text. This is one of Craft's historically strongest differentiators. Not quite Portable Text equivalence (AST portability) keeps it below 85.

All 23 built-in field types include standard validation rules (required, min/max length, regex, file type/size, date ranges). Custom validation is achievable via Craft's event system (pre-save hooks) and module/plugin code. No cross-field or rule-engine UI out of the box, which keeps the score below 75.

Craft has a robust Drafts & Revisions system with full version history and one-click rollback. Scheduled publishing (scheduled drafts) is supported natively. The new Content Releases feature (announced Dot All 2025) lets teams group changes across entries and schedule them to go live together. No true content branching or diff UI between arbitrary revisions keeps it below 80.

Craft is a form-based CMS with a well-designed control panel but no native in-page visual editor. Live Preview allows editors to see a rendered preview alongside form fields, but layout changes require developer involvement. The Vizy plugin (third-party, $59/site) provides some visual block editing within a field, but it is not an in-page page-builder experience.

Craft's official CKEditor plugin (requires Craft 5.9+) brings CKEditor 5's full feature set: embedded entries/assets, block nodes, custom toolbar, paste handling. Output is structured HTML/JSON rather than a raw HTML blob, and the Matrix-conversion tooling allows migrating existing HTML content. CKEditor 5 supports collaborative editing as well. Slightly below 80 because output is not a fully portable AST like Portable Text.

Craft's built-in asset management supports volumes (local, S3, GCS, etc.), folder organization, tagging, metadata fields, and a full image editor with focal point. Image transforms support resize/crop/fit/letterbox modes, WebP and AVIF output. Focal point takes precedence over crop position, and S3 volumes can auto-detect subjects for focal point. Not a DAM replacement but strong for a built-in system.

Craft announced real-time collaborative editing at Dot All 2025, with Datastar-powered live co-editing allowing multiple editors on the same entry simultaneously with instant change propagation (tested with 70+ simultaneous editors). This is a meaningful step toward Google Docs-style collaboration. Scored conservatively at 72 because the feature is newly released and full production maturity/conflict resolution detail is still emerging.

Craft core provides only draft/published states plus revisions and role-based permissions. Multi-stage editorial approval workflows require the Workflow plugin by Verbb (open-source, free), which enables editor-to-publisher submission flows. Content Releases adds cross-entry change grouping and scheduling. Adequate for most use cases but dependent on a third-party plugin for true multi-stage workflows.

Craft ships with a built-in GraphQL API (since v3.3) with a GraphiQL IDE, token-scoped endpoints, filtering, sorting, and pagination. REST delivery is available via Element API plugin and native element controller endpoints. Not GraphQL-native (Craft is traditional-CMS-first) but headless use is well-supported and the GraphQL schema is auto-generated from content models.

Craft Cloud (the managed hosting product) includes CDN with edge-side includes, custom asset domains, CDN URL rewrites, and regional database clusters for latency reduction. Self-hosted Craft installations have no built-in CDN—operators must configure their own. Since Craft supports both hosting models, the score reflects an average: cloud users get solid CDN, self-hosted users get nothing out of the box.

The official craftcms/webhooks plugin enables GET/POST webhooks on Craft events, suitable for Zapier/Netlify/build hook integrations. Event coverage is reasonable (entry save, publish, delete) but the plugin lacks documented HMAC payload signing, per-event filtering granularity, and retry logic with delivery logs—features present in best-in-class webhook systems.

Craft can operate headlessly via GraphQL/REST, but it was designed as a traditional coupled CMS and headless is an add-on paradigm. Rich text output is CKEditor JSON/HTML (not a portable AST), and there are no official multi-platform SDKs for iOS, Android, or non-PHP runtimes. The platform is used headlessly in practice but lacks the SDK ecosystem and format-agnostic output of purpose-built headless platforms.

Craft CMS has no native audience segmentation engine. Personalization requires fully external tools like Croct, which publishes a Craft-specific integration guide but provides no CMS-side segment management. There is no CDP integration built into Craft. Score reflects a platform where segmentation is entirely handled outside the CMS.

Craft has no native content variant system per audience. Personalization requires an external decision engine (Croct, Ninetailed-style tools). Content can be structured for personalization, but serving different content to segments requires the external tool to make decisions and query the Craft API. Score per rubric for CMS platforms requiring fully external personalization.

The 'Optimum' plugin on the Craft Plugin Store provides server-side A/B testing within Craft, which is an improvement over client-side-only options. However, it is a third-party plugin with limited reporting and no native statistical significance engine — this is plugin-based, not platform-native. Score slightly above the 20–40 floor given a plugin exists.

No algorithmic content recommendation engine exists natively or as a widely adopted Craft plugin. Content recommendations are manual or require custom development. No evidence of ML-based or collaborative filtering support.

Craft ships with full-text search across element types (entries, assets, categories, users). It supports basic field-level search and parameterized filtering via ElementQuery. However, it lacks faceting, relevance tuning, typo tolerance, and autocomplete — and is noted to degrade on high-volume sites. Score reflects basic full-text search without advanced relevance features.

Multiple well-maintained Algolia plugins exist: Scout (automatic index sync, Craft 5 supported), Dexter (supports Algolia and Meilisearch, $50 intro price as of 2026), and the craftplugins/algolia plugin. The Scout plugin is the de facto standard with documented patterns and automatic index sync on element save. Strong extensibility ecosystem.

Craft Commerce is a first-party paid plugin from Pixel & Tonic (same team as Craft CMS) providing genuine native ecommerce: product catalog, cart, checkout, orders, inventory, pricing tiers, discounts, shipping, taxes, and multi-storefront support. It integrates deeply with Craft's content model. While it's a paid add-on rather than bundled, it's the official commerce layer. Score at the lower end of 70+ given the additional purchase requirement.

Craft CMS maintains an official Shopify plugin (github.com/craftcms/shopify) that syncs products via Shopify GraphQL Admin API webhooks, bringing product data into Craft as native elements for content enrichment. The integration allows using Craft as a content layer over Shopify. It's a robust product-sync integration but not a bidirectional deep commerce sync.

Craft Commerce supports rich product content management with variant-level custom fields, flexible content models, and Craft's custom field system applied to product types. The Craft content model (Matrix blocks, relational fields, custom field types) maps well to rich product editorial needs. With Craft Commerce, product descriptions, images, and variant attributes are first-class.

Craft has no native content performance analytics dashboard (no page views, engagement, content health, or author productivity reporting built in). The control panel shows operational data (element counts, recent entries) but nothing qualifying as content intelligence or engagement analytics. Analytics requires external integration.

The Instant Analytics GA4 plugin (nystudio107) provides server-side GA4 tracking with automatic Craft Commerce Enhanced Ecommerce integration — one of the more mature analytics plugins in the Craft ecosystem. Standard tag manager setups (GTM) work via templates. Segment integration would require custom configuration. Score reflects solid GA4 path but no official Segment/Amplitude marketplace integration.

Multi-site is a first-class, core Craft CMS capability. A single Craft installation natively manages unlimited sites with independent domains, templates, and settings, while allowing entries and assets to be shared or site-specific. Sites can share content models and components with locale-specific publishing. This is one of Craft's strongest differentiators.

Craft's multi-site architecture enables field-level localization: individual fields on entries can be set as translatable (per-site or per-language). Over 100 locale data sets are shipped. Locale-specific publishing is supported (publish an entry in EN without publishing its FR translation). This is field-level localization, meriting 75+ range, slightly discounted as locale fallback chains are less sophisticated than dedicated i18n systems.

Several translation connectors exist: LILT has an official Craft CMS connector, Acclaro has a Craft translation connector, and the Translations plugin supports professional translation service export/import workflows. DeepL integration is available via plugins. However, there are no official marketplace integrations with Phrase, Lokalise, or Smartling — coverage is patchwork rather than comprehensive.

Craft's multi-site can serve as a multi-brand management layer — separate brand sites under one installation with shared content types and users with site-specific permissions. However, there are no cross-brand approval workflows, global style policy enforcement, or centralized brand asset governance tools native to Craft. Multi-brand is achievable but requires custom configuration.

Craft assets support custom field layouts per volume (arbitrary metadata fields), a native focal point picker, image editor (crop/rotate/flip), and folder organization within volumes. However, there is no asset versioning, no usage tracking across content, and no rights/license management. This is a capable asset library with solid metadata extensibility but not a purpose-built DAM.

Craft ships native image transforms with WebP and AVIF output (requiring ImageMagick), four crop modes, quality settings, and focal point-aware cropping. CDN delivery is not built in — it requires the Imager X plugin (Cloudflare, Imgix, Bunny, ImageKit support) or a custom CDN URL configured on an S3 volume. Score reflects good native transforms with plugin-dependent CDN offload.

Craft has no native video hosting, transcoding, or adaptive streaming. The Transcoder plugin handles video thumbnail generation and transcoding via FFmpeg as a self-hosted solution. The Embedded Assets plugin imports YouTube/Vimeo metadata as JSON elements. Neither constitutes native video management. Score reflects full dependency on external or self-hosted tooling.

Craft has no native drag-and-drop page builder. Content authoring is form-based using Matrix/Content Blocks (structured nested field layouts introduced in Craft 5.8). A native split-screen Live Preview renders the front end against draft content in real time, and multiple named preview targets per section are supported. The Vizy plugin adds a hybrid WYSIWYG + block editor. Score per rubric for structured block editors with preview but no visual layout composition.

Craft 5 has robust native drafts (provisional per-user auto-save, named saved drafts, immutable revisions on publish) but no multi-step approval workflow natively. Multi-step approvals require the Verbb Workflow plugin, which adds an editor → reviewer(s) → publisher chain with email notifications and submission locking. Custom workflow states require custom module development. Native approvals are planned for Craft 6 (Q4 2026 alpha, announced at Dot All 2025).

Craft natively supports scheduled publishing via the Post Date field (future date = auto-publish) and an Expiry Date field for auto-unpublish/embargo — solid core scheduling without a plugin. There is no built-in calendar view; a content calendar requires the Solspace Calendar plugin. Release bundles (atomic multi-entry publishing) are not in Craft 5 and are planned as 'Content Releases' in Craft 6.

Craft 5 has no real-time collaboration: no simultaneous editing, no presence indicators, no inline commenting, and no @mentions. Per-user provisional drafts mean two editors working on the same entry each get their own draft with no merge UI or conflict notification. Inline commenting and element-level activity logs are announced for Craft 6 (Q4 2026 alpha) but unavailable today.

Craft has no native form builder, but Formie — officially acquired and maintained by Pixel & Tonic as craftcms/formie — provides a full-featured drag-and-drop form builder with multi-page forms, conditional logic (show/hide fields, conditional notifications/recipients), spam protection (reCAPTCHA, Turnstile, hCaptcha, keyword blocking), submission storage in the CP, and 20+ email marketing/CRM integrations. Its official stewardship elevates this above typical third-party plugins, though no progressive profiling is available.

No native email campaign capability exists in Craft. ESP integration is available via Formie (Mailchimp, Klaviyo, ActiveCampaign, Campaign Monitor, Constant Contact, Drip, and 10+ more — triggered on form submission) and a dedicated Klaviyo Connect plugin for Commerce checkout events. Integration depth is form-submission-driven subscriber sync, not CMS publish event triggered sends or in-CMS email preview.

No native marketing automation or behavioral trigger engine exists in Craft. The first-party Webhooks plugin can fire any element event to Zapier/Make for external automation, and Formie has Zapier/Make/n8n integrations. Formie also has CRM integrations (HubSpot, Salesforce, ActiveCampaign, Zoho, MS Dynamics 365) but these are form-to-CRM push integrations, not drip campaign orchestration or lead scoring.

No dedicated CDP connector plugins exist in the Craft Plugin Store. There is no Segment, mParticle, or Tealium integration available. CDP integration is entirely custom — developers route Webhooks plugin events to a CDP's HTTP API manually. No unified customer profile is surfaced in the Craft control panel.

The Craft Plugin Store has approximately 800 plugins across 16 categories as of early 2026, with a strong ecosystem of quality vendors (Verbb, Solspace, nystudio107) producing mature, well-maintained plugins. First-party official plugins include Craft Commerce, Formie, CKEditor, Feed Me, craftcms/webhooks, and craftcms/aws-s3. The marketplace is substantially more curated than WordPress but smaller than enterprise platforms, with fewer enterprise-tier integrations (no Salesforce Marketing Cloud, SAP, etc.).

Craft's first-party craftcms/webhooks plugin covers all element events via a sender class + event name model, with filtering (ignored/required/blocking modes), configurable retry (maxAttempts, retryDelay), debouncing via Twig key format, custom headers and templated payloads, and a 7-day request log viewable in the CP. No HMAC signed payload capability is documented, and no Kafka/EventBridge streaming alternative is available.

Craft has solid headless preview: a token-based system appends a preview token to configurable front-end URLs, enabling real-time draft previews on any headless front end (Next.js, Nuxt, etc.). Editors can share tokenized preview links (default 1-day expiry, configurable). Multiple named preview targets per section allow multi-channel preview. An official craftcms/starter-next reference implementation is provided. No native staging environment management; environments are infrastructure-level.

Craft Pro provides unlimited user groups with granular additive permissions: per-section (view/create/save/delete entries), per-volume (upload/replace/delete assets), per-utility, and per-site (multi-site access). Craft 5.9 added field-level editability conditions via field layout UI. Native TOTP-based MFA is included. SSO requires the third-party flipboxfactory/saml-sp plugin (SAML 2.0). No SCIM support exists natively or via plugin.

Craft ships a built-in GraphQL API (since 3.3) with a bundled GraphiQL IDE, token-scoped schemas, auto-generated from the content model, supporting filtering, sorting, and pagination with image transform directives. However, there is no first-class REST API — the Element API plugin provides custom JSON endpoints as a community add-on. GraphQL subscriptions and user mutations are unsupported. Strong for headless GraphQL use, but the REST gap and missing GraphQL features prevent a higher score.

Craft Cloud includes CDN for static and front-end assets with metered outbound bandwidth (250GB–500GB/month), regional DB clusters (EU/US), and a 60-second request timeout with 6MB max response. However, GraphQL query responses are not edge-cached by default, and self-hosted installations have no built-in CDN or rate limiting. No published throughput benchmarks or documented API call concurrency limits.

Pixel & Tonic publishes no official JavaScript, TypeScript, Python, Ruby, or mobile SDKs. The primary developer surface is the PHP plugin/module API. The community Query API plugin (@query-api/js) and standard graphql-codegen workflows provide JS/TS access but are not officially maintained. This is a significant gap vs. headless-native platforms with 4–6 official SDKs.

The Craft Plugin Store hosts approximately 800 plugins spanning all major categories: SEO (SEOmatic), forms (Formie, Freeform), e-commerce (Craft Commerce), workflow, translation, Algolia search (Scout), DAM, analytics integrations, and more. First-party plugins include CKEditor, Webhooks, and Shopify. The breadth is strong for a traditional CMS tier-2 platform but lacks the dedicated cloud marketplace infrastructure of SaaS-native platforms.

Craft has one of the most mature extensibility models in the traditional CMS space: full-MVC plugins with CP sections, modules for lightweight single-class extensions, custom field types via FieldInterface, custom element types, GraphQL schema extension from plugins, control panel Twig template overrides, custom dashboard widgets, utilities, and a comprehensive event/hook system throughout the framework. Self-hosted deployment enables server-side arbitrary code execution with full framework access.

Craft 5 ships native 2FA via TOTP apps (Google Authenticator, Bitwarden, 1Password) and WebAuthn passkeys, both enforceable per user group. API token management is built-in for GraphQL endpoint access. SSO (SAML 2.0, OIDC/OAuth 2.0) is plugin-only — the official oauthclient plugin and third-party saml-sp/saml-idp plugins fill this gap but add cost and deployment complexity. SSO is not in core, which creates friction for enterprise buyers.

Craft Pro offers unlimited user groups with granular section-level and entry-type-level create/publish/delete permissions, plus plugin-registered custom permissions. However, native field-level permissions do not exist — only field layout conditions (show/hide per user group) as a workaround. Content-instance access control (see only your own entries) requires custom module code. GitHub issue #4238 has tracked field-level permissions as a long-standing feature request.

Pixel & Tonic offers a GDPR Data Processing Agreement (DPA) on request at no charge and provides GDPR-related plugin tooling. No public documentation of SOC 2 Type 2, ISO 27001, or HIPAA certifications for Craft Cloud was found in official documentation, pricing pages, or trust center materials. Third-party hosting providers may hold infrastructure-level certifications, but these are not attributable to Craft itself. This is a major gap for regulated enterprise buyers.

Three critical/high-severity RCE vulnerabilities were disclosed in a six-month window (December 2024 – April 2025): CVE-2024-56145 (RCE via PHP register_argc_argv), CVE-2025-23209 (CVSS 8.1, code injection via security keys — added to CISA KEV catalog, actively exploited), and CVE-2025-32432 (CVSS 10.0, unauthenticated RCE via image transforms — ~300 instances compromised). No HackerOne bug bounty program was found; disclosure is via email only. This concentration of critical vulnerabilities, including a CISA KEV entry and a CVSS 10.0, is a significant negative signal.

Craft supports both self-hosted deployment (PHP on any LAMP/LEMP stack, Composer-managed) and managed SaaS hosting via Craft Cloud (official managed hosting from Pixel & Tonic with CDN, backups, and firewall). This dual model provides good flexibility — regulated industries can self-host, while teams wanting managed infrastructure use Craft Cloud. No private cloud or VPC deployment option is documented for Craft Cloud.

A public status page exists at status.craftcms.com and reported 100% CDN uptime in recent periods. However, no formal SLA with a documented uptime percentage guarantee was found in Craft Cloud documentation or pricing pages. For self-hosted deployments, there is inherently no vendor SLA. The absence of a contractual SLA is a significant gap for enterprise procurement processes.

Craft Cloud added EU and US regional database clusters in 2025 for latency improvements, and CDN handles edge caching of assets. Documented limits are permissive (no caps on entries, users, or content types; metered outbound only). However, multi-site installations multiply database query load proportionally, and no public enterprise-scale references or peak traffic benchmarks are documented. Craft is primarily mid-market positioned without evidence of Fortune 500 scale deployments in official marketing.

Craft Cloud performs automated nightly database backups with 30-day retention, and supports unlimited on-demand manual backups. Content export is available via the native DB backup and asset storage access. However, no formal RTO/RPO documentation was found, and no multi-region failover or point-in-time recovery capability is documented. Self-hosted installations rely on community backup plugins (enupal/backup). Adequate for mid-market but below enterprise DR expectations.

DDEV has official native Craft CMS support (project type since v1.21.2) with one-command setup via `ddev launch`, auto-configured `.env`, and a committed `.ddev/` directory for team reproducibility. The `craft` CLI handles migrations, cache clearing, and scaffolding. Multiple popular GitHub starters (onedarnleyroad/craftcms, kerns/craft-on-ddev) provide batteries-included DDEV+Vite+HMR setups. Docker-based local development is also documented in the Craft knowledge base.

Craft's Project Config system captures all schema changes (sections, fields, entry types, sites, plugins) as YAML committed to git, applied via `php craft up --interactive=0` on deployment. Craft Cloud automates this pipeline with pre-migration DB snapshots. GitHub Actions, Buddy, and Deployer integrations are documented. Craft Cloud provides production + staging environments, but branch-per-PR content environments are not available — environment count is limited by plan tier.

Craft maintains parallel documentation for v3, v4, and v5 at craftcms.com/docs, along with a comprehensive knowledge base for guides and how-tos. Coverage spans all field types, element queries, GraphQL schema, plugin/module development, and framework-specific integration guides. CraftQuest provides a dedicated paid video learning platform. Community resources (nystudio107 blog, putyourlightson.com, MadeByShape) supplement official docs extensively. Minor penalty for the large volume that can overwhelm newcomers.

No official TypeScript SDK or type generation tooling is published by Pixel & Tonic. The community Query API plugin (@query-api/js) advertises auto TypeScript generation from the Craft content model, and standard graphql-codegen workflows against Craft's introspected GraphQL schema are used by the community. No official @craftcms npm package exists. TypeScript is an ecosystem-driven pattern, not a platform-native offering, which positions Craft well below purpose-built headless platforms on this dimension.

Craft CMS shipped versions 5.6, 5.7, and 5.8 in 2025, with 5.9 imminent and Craft 6 Beta targeting Q3 2026. Craft Commerce tracked alongside with 5.3, 5.4, and 5.5. Release pace is roughly quarterly for minor versions with patch releases in between — solid for a mid-tier open-source CMS but not rapid-fire SaaS cadence.

Craft maintains a well-structured CHANGELOG.md on GitHub with per-version sections, distinguishes breaking changes, and links to migration notes. The 'What's New' section on craftcms.com and a monthly newsletter supplement the raw changelog with human-readable summaries. Not quite at the level of tools that auto-generate migration codemods, but clearly above average.

Craft publishes a public roadmap at craftcms.com/roadmap and communicates direction through annual Dot All conferences (Melbourne, Lisbon 2025) and detailed blog posts. The Laravel migration to Craft 6 was announced publicly with clear Beta/GA timelines. No community voting portal (e.g., Canny), but direction is transparent and well-documented.

The Craft 6 Laravel migration is a significant architectural shift, but Pixel & Tonic explicitly designated Craft 5 as an LTS release with 5 years of support after Craft 6 GA — a clear, generous deprecation window. Breaking changes are documented in the changelog with upgrade notes. Not fully automated (no codemods), but deprecation windows are among the better examples in the tier.

GitHub repository has 3,500 stars — below the 5K–20K range for a higher score. Discord has 8,206 members, which is respectable for a niche PHP CMS. Stack Exchange CraftCMS site exists with a reasonable question volume. Community is well-established but modest in absolute numbers compared to open-source peers like Drupal.

The Discord is described as extremely active with daily discussions and tips. GitHub Discussions are open and used. Pixel & Tonic team members participate actively in community channels. Dot All annual conference (two editions in 2025 alone) signals a deeply engaged practitioner community. Engagement quality is high for the community size.

Craft Partner Network offers three verification tiers (Craft Verified, Commerce Verified, Enterprise Verified) with a formal directory and lead referrals. Multiple agencies hold verified status globally. However, the network consists of boutique digital agencies — no major SIs (Accenture, Deloitte, Valtech) are present, limiting enterprise procurement confidence.

A healthy but not deep ecosystem of third-party tutorials, agency blog posts, and conference talks exists. Multiple UK and North American agencies publish Craft-specific content. Dot All conference talks are available. The 'Awesome Craft' GitHub curated list is maintained. Content volume is adequate for an experienced developer but no major Udemy courses or Pluralsight paths.

67 jobs on Glassdoor and 35+ on SimplyHired are tagged to Craft CMS developers; freelancers available on Upwork, Toptal, and Arc. Salary ranges of $65–$99/hr show market demand. Talent pool is real but niche — not easily found in general PHP developer pools without prior Craft exposure. No formal certification program to signal expertise.

Active partner expansion, two Dot All conference editions in 2025, and the Craft 6 Laravel announcement generating positive community buzz are positive signals. New agency case studies are published regularly. However, Craft does not publicize enterprise logo wins or customer count growth data, making momentum hard to quantify beyond community signals.

Pixel & Tonic is privately held and bootstrapped — no external funding rounds on Crunchbase. The company is small (estimated <20 employees: CEO Brandon Kelly, COO Leah Stephenson, CTO Brad Bell) but has sustained product development since 2013 without outside capital. No layoff signals; active Craft 6 development demonstrates ongoing investment. Risk is the concentration in a small, unfunded team.

Craft occupies a clear niche as a 'developer-first, bespoke experience' PHP CMS, and the Laravel migration sharpens its appeal to the Laravel developer ecosystem. It is not recognized in Gartner Magic Quadrant or Forrester Wave (too small). Competition from headless CMSes and Statamic is real. Positioning is coherent but narrow.

G2 shows approximately 48 reviews — below the 100-review threshold for a higher-confidence score. Content authoring capability scores 8.7/10 on G2, suggesting strong user satisfaction. Capterra reviews echo themes of flexibility, security, and clean UI. No significant negative sentiment patterns on forums around pricing or reliability. Low review volume keeps the ceiling down despite positive tone.

Craft CMS publicly lists Solo (free), Team, and Pro ($399/installation) on craftcms.com/pricing with clear renewal costs ($99/yr for updates). Enterprise tier is custom and sales-gated. This is the standard lower-tiers-public/enterprise-gated model. Not penalizing beyond the industry norm since the key commercial tiers are visible.

Craft uses a perpetual per-installation license model — pay $399 once, then optionally $99/yr for continued updates. No API-call metering, no bandwidth overages, no seat-based scaling surprises. Once purchased, teams can use that version indefinitely without further fees. Highly predictable for budget planning.

Solo (free) includes full content modeling, multi-site support, and GraphQL — core production capabilities available without payment. Pro ($399) unlocks unlimited user accounts and per-user permissions, which are needed for most professional team projects. Gating is reasonable: the paid step-up is for team collaboration features, not basic security or content functionality.

Perpetual licensing is buyer-friendly — purchase once and retain use of that version indefinitely without further payments. However, there is no monthly billing option; pricing is one-time plus annual update subscription. No public startup or nonprofit discount programs were identified. The absence of monthly plans and limited flexible purchasing paths constrains the score.

Solo edition is free forever — not a trial, not time-limited — and includes the full content modeling engine, GraphQL API, and multi-site. The meaningful limitation is a single admin account, which blocks team use but is genuinely workable for individuals and freelancers evaluating the platform. Commercial use is permitted. A strong free tier but the 1-admin cap is a real limit.

Craft has comprehensive official documentation including a getting-started tutorial for building a simple blog. An experienced PHP developer can have a working local installation and first content query within hours. However, the 'blank slate' approach and Twig-based templating system create genuine onboarding friction — community sources describe the initial experience as 'daunting.' Days-to-working-site is realistic for developers new to Craft.

For simple marketing sites, experienced Craft developers typically deliver in 2–4 weeks. The blank-slate CMS model means more initial setup than a theme-based CMS, but Craft's flexible field system accelerates content modeling once learned. No consistent community reports of dramatically overrun timelines. G2 reviews are generally positive on implementation. Scores adequately but not strongly on this dimension.

Craft CMS uses PHP and Twig — mainstream server-side skills — but requires platform-specific knowledge of Craft's custom field types, plugin system, and templating conventions. Craft specialists command $100+/hr. Talent pool is smaller than WordPress or general PHP development but meaningfully larger than proprietary DXP platforms. Premium is moderate — estimated 25–40% above a generalist PHP developer.

Craft CMS is predominantly self-hosted (PHP + MySQL/PostgreSQL), meaning buyers must provision and pay for their own servers, CDN, and database separately from the license. Craft Cloud (managed hosting) exists and reportedly includes Team/Pro licenses for Cloud-hosted projects, but pricing is not prominently published and adoption remains secondary. Most real-world deployments incur $20–200+/month in hosting costs on top of the license fee.

Self-hosted Craft deployments require PHP version management, security patching, database backups, and server-level monitoring — meaningful ongoing ops overhead, though less than Java-based DXPs. Managed hosting providers (Arcustech, Craft Cloud) reduce this significantly. For teams on managed hosting, ops burden is moderate-low. Scoring the likely deployment path for most buyers (managed VPS or shared hosting) as moderate overhead.

Craft stores data in standard MySQL or PostgreSQL — fully accessible and portable. As a self-hosted platform, buyers own their data outright. However, native first-party content export tooling is not built into core (a long-standing GitHub feature request). Community plugins (Feed Me, Migration Assistant) fill the gap but can be error-prone per user reports. Standard database portability keeps lock-in low, but the lack of clean built-in export tooling prevents a higher score.

Craft CMS has roughly 5–7 core concepts (Sections, Entry Types, Fields, Project Config, Matrix/Content Blocks, Assets) that map reasonably to standard CMS mental models. Craft 5's 'entrification' of Matrix adds one more abstraction to learn. Twig templating and PHP stack add some re-learning for JS-native developers. Not as clean as a pure API-first headless CMS but far simpler than enterprise DXP multi-subsystem architectures.

Craft provides a full getting-started tutorial (craftcms.com/docs/getting-started-tutorial), framework-specific starter guides, a Glossary added in 2025, and an active Discord community. CraftQuest offers a dedicated video learning platform. No in-app interactive onboarding tour, but structured paths and framework-specific guides (Next.js, Astro) launched in 2025 raise this above docs-only.

Headless use via GraphQL or REST APIs aligns with mainstream developer knowledge, and official Next.js and Astro starters launched in 2025 reinforce this path. Traditional (coupled) use requires PHP and Twig, which are less familiar to modern JS developers but transferable to other Twig-based CMSs. No proprietary query language for headless consumers. Not quite 'standard React first-class' for the full stack but the headless path is clean.

Official vendor-maintained starters exist for Next.js (craftcms/starter-next) and Astro, both added in 2025. Community starters for Tailwind/DDEV also available. Official starters include content model setup and GraphQL queries but are leaner than some SaaS competitors in terms of example content density and CI/CD configuration. Still a clear improvement over community-only starters.

Craft setup requires a PHP environment, MySQL/PostgreSQL database, composer install, multiple .env values (DB credentials, APP_ID, SECURITY_KEY, BASE_URL), and Project Config YAML. DDEV reduces local friction significantly but adds its own dependency. More than a few env vars with non-trivial infrastructure requirements. Moderate config surface — not as heavy as enterprise DXPs but more than headless SaaS platforms.

Craft stores schema definitions (Sections, Fields, Entry Types) in Project Config YAML files — version-controllable and deployable across environments. No hard field count limits like Contentful's 50-field cap. Migration tooling exists via database migrations and the Feed Me plugin for content imports. Field type changes can be tricky, and Craft 5's Matrix-to-entries migration was a significant breaking change for existing sites. MariaDB support was dropped as of recent versions, limiting database choices.

Headless live preview uses a token-based mechanism: configure preview targets in each Section, add a frontend preview API route, and handle the token + draft element lookup. Multiple tutorials exist (nystudio107, dev.to, trevor-davis.com) but implementation requires frontend code changes and attention to {sourceUid} vs {uid} gotchas. Not plug-and-play — moderate effort with good documentation. The starter-next repo includes preview wiring as a reference.

No proprietary certification program. Generalist PHP developers or JS developers using the headless path can be productive without Craft-specific training, though Project Config, Twig, and Craft's content modeling conventions require some platform learning. Craft specialists are less abundant than WordPress developers but the community (Discord, CraftQuest, forum) compensates. Headless consumers need only standard GraphQL/REST knowledge.

Craft is well-suited to solo developers or 2-person teams shipping production projects. No dedicated DevOps, solution architect, or enterprise implementation partner required for standard deployments. Craft Cloud simplifies hosting further. Scales up to larger teams without requiring a major restructuring of the engagement model. Well below enterprise DXP team size requirements.

Craft's control panel is widely praised for editor usability — content editors can create entries, manage assets, use live preview, and publish without developer involvement for routine content operations. Content Block fields (added in Craft 5.x) give editors flexible page-building capability. Adding new Entry Types or Fields requires a developer and Project Config deployment, which is standard for the category. Better operational independence than enterprise DXPs.

Craft CMS is self-hosted PHP, so major version upgrades (3→4, 4→5) involve breaking template changes, plugin compatibility checks, and manual database migrations — agencies consistently document multi-step preparation workflows. Minor updates within a major version run cleanly via `composer update` or the CP updater. The announced Craft 6 (Laravel rewrite, Q4 2026) with a Yii-to-Laravel adapter signals another disruptive forced architectural migration on the horizon. Not higher because major-version friction is real and well-documented.

Pixel & Tonic released patched versions for CVE-2025-32432 (CVSS 10.0 RCE) just three days after being notified — commendably fast disclosure-to-patch turnaround. However, Craft is self-hosted, so operators must manually apply patches via Composer; roughly 13,000 vulnerable instances remained exposed and ~300 were compromised as of April 2025, underscoring the real-world patching lag. Multiple high-severity CVEs in 2024–2025 (CVE-2025-23209 CVSS 8.1, CVE-2025-32432 CVSS 10.0) indicate an active vulnerability surface on the Yii framework underpinning.

Craft has historically provided 12+ month deprecation windows for major versions — Craft 4 general support ended April 2025 with security support extended to April 2026, giving teams a full year runway. The Craft 6 Laravel rewrite (GA Q4 2026) is a larger forced migration but the team is providing a Yii-to-Laravel adapter to ease the transition. Not higher because Craft 6 will require significant rework for plugins and custom code regardless of the adapter.

Craft CMS runs on a standard PHP/Composer stack with MySQL or PostgreSQL — a well-understood dependency set without exotic runtimes. Requires PHP (min 256M memory, max_execution_time 120s), a web server, and database; optional Redis for caching and a CDN layer. Composer manages plugins and framework dependencies, and transitive security issues can surface through the Yii 2 framework layer (as seen with CVE-2024-58136). Not lower because the dependency graph is relatively small compared to Java-based DXPs.

Craft's CP dashboard offers basic widgets (Updates, Drafts, Recent Entries, New Users) but provides no built-in APM, infrastructure health monitoring, or webhook delivery dashboards. Production monitoring requires third-party plugins (e.g., Semonto, craft-monitoring.com) or external tooling (Datadog, New Relic). Self-hosted deployments additionally require server-level OS and database monitoring to be configured entirely by the operator. Score reflects the significant custom monitoring burden typical of self-hosted PHP CMSes.

Craft includes basic content hygiene tools — draft tracking, entry status indicators, and a revision history — but lacks automated orphan asset detection, broken reference alerts, or content-expiry workflow automation out of the box. Content governance relies primarily on editorial discipline or custom plugin solutions. The 'Recent Entries' and 'Drafts' dashboard widgets provide minimal visibility. Not lower because the structured content model reduces ad-hoc hygiene issues compared to WordPress-style platforms.

Craft has built-in template caching and eager-loading for element queries, but CDN configuration, query tuning, and server-level caching (Redis/Memcached) are entirely operator-managed. There is no built-in CDN, no automated image optimization pipeline, and no performance dashboard. Servd.host provides a managed Craft hosting option with CDN included, but for standard self-hosted deployments performance requires active ongoing management. Score reflects the self-hosted reality.

Craft CMS offers official support plans with defined SLAs and email ticketing, and maintains a comprehensive knowledge base. G2 and SoftwareReviews users report responsive email support with 'defined timelines.' However, formal enterprise-grade support (dedicated CSM, phone, guaranteed SLAs) is not prominently documented for mid-tier plans — the community-first ethos means formal support is secondary. Reasonable for a Tier 2 platform, but below Tier 1 enterprise DXP support programs.

Craft CMS has one of the most consistently praised developer communities in the CMS space — Discord with 8,200+ members as of 2025, described as 'extremely active' with daily discussions, Pixel & Tonic team participation, and beginner-friendly channels with no-judgment policies. Multiple sources cite the community as a primary reason teams choose Craft. Timezone spread across a global community introduces minor response delays. Not higher because the community is smaller than Drupal or WordPress ecosystems.

Pixel & Tonic patched CVE-2025-32432 (CVSS 10.0) within three days of notification — a strong indicator of issue resolution velocity for critical bugs. The Craft GitHub repo is actively maintained and minor bug fixes ship in point releases. Self-hosted deployments add operator lag after patches are published. Community sentiment on GitHub and Discord reflects responsive issue handling for high-priority bugs, though lower-priority issues can linger. Broadly above average for a self-hosted CMS.

Craft CMS 5.6–5.8 added Content Block fields (replacing Matrix blocks) as a first-class authoring primitive, improving marketer flexibility within existing layouts. However, there is still no native drag-and-drop page builder — creating a new layout requires developer involvement. Live Preview supports pre-publish review, and third-party plugins (Vizy, Sprig) add page-builder capabilities but are not bundled. Scores at the floor of the 50–65 band: marketers can edit content within developer-built templates but cannot create new layouts independently.

Craft provides scheduled publishing, entry status lifecycle, and page expiry dates — enough to manage campaign on/off windows but no multi-channel campaign coordination, content calendaring, or native campaign analytics. The third-party Campaign plugin adds email campaign management but is not bundled. Score aligns with the 20–40 band for platforms where scheduled publishing is the primary campaign feature.

Craft core ships no native SEO field types or sitemap generation; all SEO capability is plugin-driven. The ecosystem is mature and deeply integrated: SEOmatic covers meta tags, JSON-LD structured data, XML sitemaps, robots.txt, canonical management, and social previews; Retour handles 301/302 redirect management; SEO Fields adds 404 tracking. No native SEO tooling emerged in 2025 updates. Scored 55 at the upper end of the plugin/manual tier given breadth and quality of ecosystem coverage.

No native form builder, lead capture, or conversion tracking in Craft core. Freeform and Formie (third-party) are capable form builders covering multi-step forms and conditional logic, but both require plugin installation. UTM parameter awareness and CTA management require custom development or external integrations (HubSpot, Marketo). No changes in 2025 updates address this gap. Score reflects the 20–35 band for platforms where all performance marketing requires external tooling.

No native personalization or audience segmentation in Craft CMS. ABTestCraft is a community plugin offering server-side A/B testing with chi-squared significance testing but is not officially supported. Croct provides an external personalization engine with documented Craft integration. Building personalized experiences requires a separate CDP or personalization engine plus substantial custom development. Matches the 15–35 band for CMS platforms with no native personalization capabilities.

No native A/B testing or experimentation. ABTestCraft plugin provides server-side A/B testing with statistical significance via chi-squared tests for Craft 5, but it is a third-party community plugin without official support. Tight integration via external platforms (Optimizely, VWO) requires custom JavaScript and developer setup. Score 25 in the 15–35 band: experimentation is possible but requires external tooling or unsupported community plugins, with no platform-native capability.

Craft 5's Content Block fields enable marketers to reorder and add pre-defined content blocks within existing templates without developer help. Element copy/paste (Craft 5.6+), cross-site field copying, inline search in relation fields, and Live Preview all reduce round-trip time within established templates. New page types still require developer involvement. Score 55 in the 40–60 band: adequate speed for content updates and block management within established templates, but new layout creation has developer dependency.

Craft 5 ships a built-in GraphQL API available even on the Solo tier, enabling headless delivery to web, mobile apps, and custom frontend channels. Pixel & Tonic published Nuxt.js, Next.js, and Astro starter templates in 2025 demonstrating multi-channel headless deployment patterns. There is no native email, social, push, or SMS channel delivery — these require external integrations and custom API integration. Score 48 in the 40–60 band: web-first with API-based delivery possible to other channels but no orchestrated multi-channel workflow.

No native analytics dashboards within Craft CMS. The Instant Analytics plugin provides GA4 server-side event tracking. Google Tag Manager can be integrated via developer template modification. All metrics — traffic, engagement, content performance — live in external tools (GA4, Adobe Analytics). Score 35 in the 35–55 band: standard tag integration is achievable but content performance data remains entirely in external analytics platforms.

Brand consistency in Craft is enforced at the developer level through template architecture, not native platform tooling. Entry types (now section-independent in Craft 5) enable shared content structures, and custom field validation can restrict author inputs. There are no locked style tokens, approved component palettes, or visual brand guardrails within the CMS. Consistency depends on developer discipline and template design choices, not enforced platform controls. Score 38 in the 35–55 band: component-based consistency without platform-level enforcement.

SEOmatic (the dominant SEO plugin) handles Open Graph and Twitter Card meta tag management for social share previews. Social sharing widgets and embeds are handled via template-level integration. There is no native social media scheduling, push-to-social workflows, or UGC embed system. Score 42 in the 30–50 band: OG/Twitter card management is excellent via plugin but social publishing workflow requires external tools.

Craft's native Assets system supports volumes, image transforms (eager/lazy), on-demand resizing via Craft Cloud CDN, focal point management, custom asset fields, and folder-based organization. Not a full enterprise DAM: no rights management, no usage tracking, limited metadata tagging at scale, and no native search-by-tag across large asset libraries. Adequate for mid-market marketing volumes with good transform capabilities. Score 48 in the 35–55 band: basic media library with solid transforms, without enterprise DAM features.

Craft CMS has robust native multi-site and multi-language support: per-site locales, locale-specific content, per-site publish scheduling and expiry, and URL structures. The Multi Translator plugin adds AI-assisted translation (DeepL, Google Translate, OpenAI) between sites. Regional GDPR/cookie consent and legal disclaimers require third-party plugins. No transcreation workflow tooling or market-specific campaign variant management beyond standard multi-site capability. Score 52 in the 35–55 band: generic localization applied to marketing content is well-supported; marketing-specific locale governance is absent.

A HubSpot Connector plugin exists in the Plugin Store for pulling HubSpot form and CRM data into Craft templates. Generic API/webhook integrations are possible via developer work for Marketo, Salesforce CRM, CDP, and ad platforms. No native Marketo, Pardot, Salesforce CRM, or CDP connectors exist as first-party or widely-deployed plugins. No event-trigger framework for MarTech orchestration is built in. Score 32: one CRM integration exists plus generic API capability, but the MarTech ecosystem is thin compared to purpose-built marketing platforms.

Craft Commerce (first-party, Pixel & Tonic) provides custom product types with unique fields, variant content, rich media per SKU, product taxonomy, and native integration of editorial content alongside commerce data. The 2025 updates (Commerce 5.3–5.5) added customizable product and variant cards; multi-store support (up to 5 stores per installation) enables independent storefronts with separate catalogs. This is well-adapted product content modeling with strong editorial-commerce coupling, not a generic CMS workaround.

Craft Commerce includes promotions, discounts, coupon management, and inventory tracking across up to five locations — a step above bare-bones CMS commerce. However, it lacks search-result merchandising, automated cross-sell/upsell content rules, promotional content scheduling, and category-level product spotlights without custom template work. Score is at the upper edge of the 10–40 band given the promotions engine but remains well short of native merchandising tooling.

Craft Commerce is a first-party, deeply integrated commerce layer with native GraphQL/REST API support and product references living in the Craft control panel alongside editorial content. A first-party official craftcms/shopify plugin synchronizes Shopify products into Craft as native elements for use in Twig templates — this is deeper than webhook-only custom integration. Integration with commercetools, BigCommerce, and SFCC requires community plugins and custom API work rather than native data federation. Scored 58: bumped from prior assessment to reflect the first-party Shopify sync plugin, but limited external platform synergy beyond Shopify and Craft Commerce.

Craft's relation fields allow editorial entries (buying guides, lookbooks, editorial articles) to natively reference Commerce products. Templates can render product data inline with editorial content, enabling shop-the-look and editorial-product blended experiences within developer-built templates. This is not a first-class visual authoring pattern for marketers — building shoppable content requires developer template work — but the content model supports it more naturally than platforms where commerce is a bolt-on. Score 50 in the 35–55 band: product embeds possible but not a first-class no-code authoring pattern.

Craft Commerce provides full template control over checkout step design — trust badges, shipping callouts, upsell banners in cart, and post-add modals can all be added via Twig templates and Commerce events. This is CMS-managed checkout content for Craft Commerce's own checkout flow. For third-party commerce platforms (Shopify, commercetools), injecting CMS-managed content into the native checkout requires custom headless integration. Score 48 in the 30–50 band: solid checkout content control for Craft Commerce, limited for third-party platform checkouts.

Order confirmation email templates in Craft Commerce are Twig-based and fully editable within the control panel. Product onboarding and review solicitation content can be structured as entries linked to order events, but triggering post-purchase content sequences tied to order status changes requires custom plugin development. No native event-triggered post-purchase content management or loyalty program content tooling. Score 38 in the 30–50 band: order confirmation templates are CMS-managed; post-purchase sequencing requires custom development.

Foster Commerce documents B2B capabilities in Craft Commerce: customer-specific catalog and pricing, complex pricing rules, approval workflows for purchase orders, and B2B + B2C from one installation. User group-based access control can gate product catalogs and spec sheets to authenticated customers. Gated product documentation and quote-request flows require custom form/entry development. Score 48 in the 30–50 band: native B2B pricing and access control exist, but B2B-specific content management (spec sheets, gated docs, account-based catalogs) requires developer customization.

Craft CMS has a native search index for content but it is not faceted search, not commerce-specific, and not equipped for search merchandising. Third-party plugins (Craft Search, Algolia integration, Elasticsearch) provide faceted search and blended content-product results, but these are not bundled. No native synonym management, search landing pages, or content-product relevance tuning. Score 35 in the 35–55 band (lower bound): basic search with some content enrichment possible via plugins, but limited out-of-the-box.

Craft Commerce provides discount/coupon rules, promotions engine, and time-limited pricing. On the content side, entry scheduling and expiry support time-based activation of promotional banners and messaging. Countdown timer widgets require custom template development. Channel-specific promotional content requires per-channel template logic. Score 42 in the 30–50 band: scheduled promotional content works well within Craft templates, and the Commerce promotions engine adds native activation logic, but advanced countdown timers and channel targeting require developer effort.

Craft Commerce supports up to 5 stores per installation, each attachable to one or more Craft sites. Product content, pricing, and currency can be configured per-store; editorial content is site-scoped with cross-site entry propagation available for shared assets. This is functional multi-storefront content management for small-to-mid-size brand portfolios within a single installation. Beyond 5 storefronts requires separate installations. Score 52 in the 35–55 band: native multi-storefront with shared product content and storefront-specific editorial within a 5-store limit.

Craft's native Assets support image transforms (eager, lazy, on-demand), focal point management, and Craft Cloud CDN delivery. Video embeds are handled through custom fields and URL-based third-party embeds (YouTube, Vimeo). No native 360-degree product viewer, AR/3D model references, image hotspots, or zoom capability — these require third-party JavaScript libraries and developer template integration. Score 38 in the 30–50 band: solid image gallery and basic video embed support, but advanced visual commerce media features require external tools.

No marketplace content management features in Craft CMS or Craft Commerce. Multi-author content creation is possible via user permissions, but there is no seller profile system, seller-contributed product description moderation, review aggregation, or content quality controls at marketplace scale. Building a marketplace on Craft would require extensive custom development. Score 22 in the 25–45 range (lower bound): basic multi-author content is the only applicable feature; marketplace-specific tooling is absent.

Per-site product content localization is natively supported: each Craft site can have its own locale and language, with store-scoped currency and pricing. Locale-specific product descriptions, regional pricing, and per-site promotional calendars are possible within the multi-site/multi-store architecture. Regulatory content (EU product labels, CA Prop 65) requires custom fields. The Multi Translator plugin assists with AI-driven translation of product descriptions across sites. Score 52 in the 35–55 band: solid generic localization for product content within the 5-store architecture.

No native content-to-commerce revenue attribution within Craft CMS or Craft Commerce. The Instant Analytics plugin tracks GA4 events server-side, and Google Tag Manager can capture commerce events, but connecting content engagement to commerce outcomes (revenue attribution, assisted conversions, product content performance) requires external analytics configuration and lives entirely in GA4 or a third-party analytics platform. Score 28 in the 10–25 to 30–50 range: basic analytics integration is achievable via plugin, but content-revenue attribution is entirely outside the CMS.

Craft Pro supports user groups with granular permissions per section, entry type, and asset volume — RBAC on content types. The Enterprise edition now includes first-party SAML SSO as a native feature, and third-party plugins (miniOrange, Flipbox Factory SAML) provide SSO for lower tiers. Audience-based content visibility (restricting individual entries to specific departments or users at the content-instance level) requires custom plugin or front-end logic. Score is 50: above simple public/private with solid RBAC plus native SSO in Enterprise, but below full audience-based content visibility.

Craft provides draft/revision history, flexible taxonomy via categories and tags, and entry expiry dates — adequate for basic knowledge organization. There is no native knowledge lifecycle tooling: no review-due dates, no structured approval workflows for knowledge updates, no expiry reminders, and internal search requires Craft Search or third-party integrations. No intranet-specific features added in 2025 updates. Score reflects adequate content modeling without knowledge-specific lifecycle management.

Craft has no native portal features: no news feed, employee directory integration, social reactions, notifications, or personalized dashboards. Building an intranet with Craft requires extensive custom front-end development for every employee experience touchpoint. Research confirms no Craft-specific intranet solutions exist in the market and Craft does not appear on any intranet platform comparisons. Matches the 20–35 band for CMS platforms not purpose-built for employee experience.

Craft CMS can publish news articles and announcements via standard entry sections, but there are no native internal communications features: no targeted delivery to specific departments or user groups, no read receipts, no acknowledgment tracking, no mandatory-read workflows, and no internal push notifications. Internal comms features would require extensive custom development. Score 18 in the 10–25 band: basic news publishing is possible, but no targeted internal comms capability exists natively.

No native people directory, org chart, or team page features in Craft CMS. A basic employee directory could be built using Craft's Users element type with custom fields (title, department, bio, photo), but org chart visualization, HR system integration (Workday, BambooHR), and manager hierarchy display all require custom development. Score 18 in the 10–20 band: directory content is technically possible via user content types but entirely custom development is required.

Craft provides entry revision history (configurable retention), draft/live states, and entry expiry dates — basic document publishing with version control is achievable. However, there is no policy-specific versioning with audit trail, mandatory acknowledgment tracking, automated review-due reminders, or approval workflows for policy updates. The Workflow plugin in the Plugin Store adds approval chains but is not policy-lifecycle-specific. Score 28 approaching the 30–50 band: basic document publishing with revision control only.

No onboarding-specific features in Craft CMS. Role-specific content paths, progressive content disclosure over 30/60/90 days, task checklists, and HR-triggered new-hire portals would all require custom development. Content modeling for onboarding journeys is possible via Craft's flexible entry types, but there is no native framework for structured onboarding delivery. Score 18 in the 10–20 band: onboarding content could be structured via custom development, but no native onboarding tooling exists.

Craft CMS has a built-in content search index that supports keyword search and basic attribute filtering for internal content. There is no federated search across connected systems (SharePoint, Confluence, Google Drive), no AI-powered relevance tuning, and limited faceted filtering capability. Third-party plugins (Algolia, Elasticsearch) improve search quality significantly but are site-specific, not enterprise-federated. Score 22 in the 15–30 band: basic internal content search with plugin-extensibility, not enterprise federated search quality.

Craft CMS's headless GraphQL API enables content delivery to custom-built native mobile applications. The control panel itself is responsive and mobile-accessible for content editors. However, there is no native mobile app for content consumers, no offline content support, no push notification system, and no low-bandwidth optimization or kiosk mode for frontline workers. Custom mobile apps built on top of Craft's headless API require significant development investment. Score 25 below the 30–50 band: responsive web access without native consumer app.

No LMS integration in Craft CMS. Learning content (articles, videos, guides) can be hosted as standard entries, but there is no connection to LMS platforms (Cornerstone, Workday Learning), no course assignment framework, no completion tracking or certification management, and no micro-learning content sequencing. Building a training hub on Craft would require full custom development with external LMS integration via API. Score 12 in the 10–20 band: no learning features beyond content hosting.

No native social or collaboration layer in Craft CMS. Comments, reactions, discussion forums, peer recognition, polls/surveys, and community spaces all require custom development or third-party JavaScript libraries integrated into Craft templates. Some comment plugins exist in the Plugin Store but are for website visitor comments (blog-style), not employee engagement features. Score 18 in the 10–25 band: no employee social features exist natively.

No first-party integration with Microsoft 365, Microsoft Teams, Google Workspace, or Slack. Research found no Teams connector or Google Workspace integration plugin in the Craft Plugin Store. Content can be shared to Teams/Slack via custom webhook integrations or Zapier, but this is generic third-party orchestration rather than embedded content cards, bot-driven notifications, or single-pane workplace experiences. Score 15 in the 15–30 band: no native workplace tool integration.

Craft supports entry expiry dates (disable or change status at a scheduled time), draft/live states, and configurable revision history. These provide basic content expiry and manual review capability. There are no automated review-due date reminders, stale content flagging, ownership assignment for content accountability, or archival workflows with audit trail. Score 30 at the lower bound of the 30–50 band: basic content expiry and manual review via scheduling, but no automated lifecycle management.

No native internal content analytics in Craft CMS. Page views and engagement data require external GA4 or similar integration via template tags. No department-level view breakdown, failed search term reporting, engagement heatmaps, or adoption dashboards for intranet ROI measurement are available natively or as Craft plugins. Score 18 in the 10–20 band: no internal analytics beyond what external tools provide.

Craft's native multi-site feature supports multiple sites in a single installation with separate domains, templates, localized content, and site-specific permissions. This is silo-based isolation: all sites share the same database, user table, and plugin set. True independent environments require separate Craft installations. The Multie plugin automates multi-site configuration but does not change the underlying shared-infrastructure architecture. Scored 55 as functional silo isolation, not enterprise multi-tenant architecture.

Craft Global Sets provide centrally managed content (navigation, footer, global config) shared across all sites in an installation. Cross-site entry propagation allows content to be shared or translated per site. In Craft 5, entry types are now section-independent and reusable across multiple sections — enabling shared content modeling patterns. True cross-installation content federation requires API-level workarounds. Score is 55: solid shared content management within a single installation, limited across separate deployments.

Craft supports organization-level user management, site-specific permissions, and group-based access control across a multi-site installation. There are no native cross-brand approval workflows, enforced content standards at a global policy level, or centralized governance dashboards. Craft Console infrastructure improvements (VCS integration, environment cloning) are planned for 2026 but not yet delivered. Score in the 40–60 band: organization-level management is present but cross-brand enforcement tooling is absent.

Craft CMS Pro is a flat annual license (~$299/yr) covering unlimited sites within a single installation — adding brands or sites does not increase the base CMS license cost. Craft Commerce is per-project but supports multi-store (up to 5) within one license. This is favorable compared to per-site licensed platforms and creates near-linear economics only when separate installations are required. Scored 65 for the flat per-installation model that avoids linear cost scaling for multi-site deployments within a single instance.

Craft supports per-site template sets in the file system — each site in a multi-site installation gets its own Twig template folder, enabling distinct visual identity per brand. CSS, typography, color palettes, and logo treatment are managed at the template/CSS layer. There is no native design token system, no visual theme management interface, and no token propagation across brands within the CMS. Brand theming is fully developer-controlled via config/template files. Score 40 in the 35–55 band: basic file-system/CSS theming per brand without platform-level visual token management.

Per-brand, per-locale content is managed through the multi-site architecture, with each site scoped to a locale. Translation workflows are assisted by the Multi Translator plugin (DeepL/Google/OpenAI). However, brand-specific translation approval chains — where Brand A's French content goes through a different approval process than Brand B's French content — are not supported natively. Legal content governance per brand requires custom development. Score 35 in the 30–50 band: basic per-brand localization with shared translation workflows.

No portfolio-level analytics dashboard in Craft CMS. Each brand/site can be tracked individually in GA4 or similar external tools, but aggregating performance across the brand portfolio into a single reporting view requires manual configuration in the analytics platform — nothing is provided within the CMS. No content velocity benchmarking, publishing cadence comparison, or cross-brand engagement analytics exist natively or via available plugins. Score 18 in the 10–20 band: no cross-brand analytics capability.

The third-party Workflow plugin in the Craft Plugin Store adds approval chains with configurable review stages. Per-site user groups and section permissions enable some differentiation of who approves what per brand. However, there is no first-party multi-brand workflow management with central audit trails, independently configurable approval chains per brand, or cross-brand publishing SLA monitoring. Score 32 in the 30–50 band: some workflow variation per brand is achievable via plugin, but no native brand-workflow management exists.

Craft 5.6 added cross-site field copying, enabling content created at the corporate/parent site level to be propagated to child brand sites with per-site override capability. Entry propagation across sites in a multi-site installation supports basic content syndication patterns: press releases, legal disclaimers, and product announcements can be shared from a parent site with site-specific customization. This is not a formal syndication hub with push-update workflows, but it is functional content sharing within one installation. Score 42 in the 35–55 band: basic content copying with per-site override, approaching formal syndication.

No native compliance guardrails in Craft CMS for per-brand/region publishing. GDPR cookie consent and accessibility controls require third-party plugins or external tools (CookieYes, OneTrust). Per-site locale settings and custom field validation can constrain some content inputs, but there are no native data residency controls, regional publishing guardrails, or compliance-blocking publishing workflows. Craft Cloud offers EU/US database cluster selection as a deployment option. Score 25 at the lower bound of the 25–45 band: basic per-site settings available, but no native compliance enforcement framework.

No native design system management in Craft CMS. Shared Twig components (macros, includes) and shared entry type definitions in Craft 5 represent the closest equivalent, but there is no centrally versioned component library, no brand-level extension mechanism, and no update propagation across tenant instances. Template files are managed in the file system without CMS-level design system versioning. Score 22 in the 10–25 band: reusable Twig templates provide some sharing but no design system management platform features.

Craft Pro and Enterprise editions support unlimited users and groups with granular per-site permissions, enabling a central admin to manage all brands within a single installation while granting brand teams autonomous access to their own sections. Enterprise SAML SSO provides single sign-on across all sites in one installation. Cross-installation user federation (for separately deployed brand instances) requires custom SSO integration. Score 48 in the 35–55 band: central admin with per-brand autonomy and native SSO (Enterprise), limited to single-installation scope.

Craft 5 made entry types section-independent — a content type (e.g., Product Page) can be defined once and reused across multiple sections serving different brands. Per-section field customization allows brand-specific fields to extend a shared base entry type without fully forking the model. This is closer to shared-model-with-customization than pure forking. However, there is no formal inheritance hierarchy, type versioning, or model governance across brands. Score 45 in the 30–50 band: reusable entry types with per-section customization, below formal inheritance/extension systems.

No executive portfolio reporting in Craft CMS. Content freshness by brand, publishing SLA adherence, per-brand cost allocation, and capacity planning dashboards are entirely absent. Per-brand basic analytics must be assembled manually from external tools. No native reporting layer, no publishing audit across brands, no content velocity benchmarking across the portfolio. Score 18 in the 10–20 band: no portfolio reporting capability.

Craft CMS offers a free DPA to all customers (not enterprise-only), and the privacy policy documents EU data subject rights (access, correction, deletion, transfer). However, personal data is stored in the United States only with no EU data residency option, the sub-processor list is informally embedded in the privacy policy (Stripe, Front App, Google Analytics) rather than a formal GDPR-specific published list, and no explicit SCCs are documented publicly. DPA available to all is the positive anchor, but residency and sub-processor documentation gaps cap the score in the 50–55 range.

Craft CMS explicitly prohibits use for HIPAA-regulated health data. The cloud security documentation states the Services 'are not designed to process or host data that is sensitive in nature or subject to regulatory oversight' and users 'may not use the Services to store or process protected health information under HIPAA.' No BAA is available and there is no healthcare-specific guidance in the documentation.

The only documented regional compliance framework is GDPR (with DPA availability). No explicit CCPA compliance documentation or California-specific rights are present in the privacy policy. No mention of UK GDPR IDTA, PIPEDA, LGPD, FedRAMP, IRAP, C5, PCI-DSS, or HITRUST was found. Craft CMS is a primarily developer-focused commercial CMS without the compliance breadth of enterprise DXP platforms.

No platform-level SOC 2 Type 2 attestation for Craft CMS (craftcms.com) was found. The Craft Cloud security page states infrastructure uses 'fully SOC-2 compliant access procedures' from underlying cloud providers, but per scoring rules, inheriting cloud provider certifications does not count. Note: craft.do (a different company) has SOC 2 Type 2, but this is unrelated to craftcms.com. Score reflects no SOC 2 at the platform level.

No ISO 27001 or ISO 27018 certification was found for Craft CMS (Pixel & Tonic). Searches returned no ISO 27001 evidence on craftcms.com. The ISO 27001 reference found in searches relates to craft.io (a separate product management platform by a different company), which is not relevant here. Score is at the floor for platforms without any ISO certification.

No additional certifications were found: no CSA STAR, PCI-DSS, Cyber Essentials Plus, FedRAMP, IRAP, ENS, or C5 documentation exists on craftcms.com. The absence of even a platform-level SOC 2 means the additional certifications portfolio is empty. Base score applied for a CMS with no documented certification stack beyond good security practices.

Craft Cloud stores data in the United States only — the privacy policy explicitly states 'personal information is stored in the United States' with no mention of EU, APAC, or multi-region hosting options for Craft Cloud. Self-hosted deployments allow customers to choose any region independently, which partially offsets this for on-premise use cases, but the SaaS/cloud offering provides no contractual residency guarantee beyond US storage. Scores in the lower end of the 35–55 range for US-only cloud.

Craft Cloud provides daily automated backups retained for 30 days with manual backup triggering. Data deletion is available via contact ([email protected]) for marketing/product data; EU residents can request data transfer. No self-service data export portal or automated right-to-erasure mechanism was found — deletion and export requests go through support. For self-hosted deployments, customers own their database entirely. Mixed picture caps the score at the lower end of the 50–70 range.

Craft CMS includes application-level logging via Monolog (configurable to files, databases, or web services), and third-party audit plugins (craft-audit on Plugin Store) provide element-level action logs. Craft Cloud monitors for unauthorized access and anomalous activity but does not document native SIEM integration or compliance-grade audit log export. For self-hosted deployments, customers can configure their own log pipelines. No native SIEM push, configurable retention policy, or compliance reporting feature was documented.

Craft CMS has formally committed to WCAG 2.2 AA and ATAG 2.0 Level AA for the authoring interface and published a formal Accessibility Conformance Report (ACR) using the ITI VPAT template. The ACR covers content-authoring screens specifically and includes screen reader testing across NVDA/Firefox, JAWS/Chrome, and VoiceOver/Safari. However, the ACR honestly documents significant gaps: many criteria as 'partially supports,' and 8 criteria 'does not support' (including media captions, drag alternatives, and some keyboard accessibility). Formal ACR with honest gap documentation warrants the mid-60s.

Craft CMS publishes both a current Accessibility Conformance Report (ACR) at craftcms.com/accessibility/reports/acr and a separate ATAG Report at craftcms.com/accessibility/reports/atag, both using the ITI VPAT template — the leading global procurement format. The ACR is version-specific (v5.0.0) covering WCAG 2.0/2.1/2.2 A and AA. This level of formal, versioned accessibility documentation is strong for a mid-market CMS and meets the 70+ threshold for a current VPAT/ACR available for procurement.

Craft CMS has no native AI text generation; all capability is plugin-only. However, the plugin ecosystem is notably mature: Sidekick (168 installs, GA, $49), Content Buddy (GPT-4o/o3-mini, GA, $69), GPT Content Generator (105 installs, GA, $39), OpenAI Content Writer (GA, $40), and AI Assistant (multi-provider: OpenAI/Gemini/Anthropic/xAI/Replicate, GA, $49). Scores at the top of the plugin-only band (20–35 guidance) given five concurrent GA plugins with meaningful install counts and multi-model support; no platform-level brand guardrails prevents scoring higher.

Image generation is plugin-only. Content Buddy supports DALL-E 2 and Stable Diffusion with generated images saved directly to Craft Assets; AI Assistant (Solspace) also provides image creation to Assets. Alt-text automation has four dedicated plugins (Alt Text Generator via alttext.ai at 85 installs, AI Alt Text by Solspace, AI Alt Text Generator via AltTextLab, and altpilot). No native image gen or DAM AI in core Craft. Scores above the 20–35 plugin floor given combined alt-text + image gen coverage.

Translation is the strongest AI story in the Craft plugin ecosystem. LILT (v4.6.3, 927 installs — the most-installed AI plugin in the store) provides enterprise AI translation with custom language models, brand voice preservation, two workflows (Verified and Instant), and 100+ languages; note it currently supports only Craft 3/4, not Craft 5. Weglot (110+ languages, custom AI language model) and Multi Translator (DeepL + Google Cloud + OpenAI) provide Craft 5-compatible MT. Content Buddy and GPT Content Generator add whole-site ChatGPT translation. Mature ecosystem reaching the lower end of the 40–60 range.

Alt-text generation is well-served by four dedicated GA plugins (Alt Text Generator at 85 installs being the most mature). SEO meta-description generation is partially addressed by AI Summary (click-to-generate summaries useful for meta descriptions, Jan 2026, GA, $39) and Sidekick's AI Summary field type. However, there is no integrated title tag, OG tag, or full on-page SEO AI automation at the platform level. Traditional SEO plugins (SEOmatic, SEOMate) provide field mapping but no AI generation. Scores mid-plugin-only range given decent alt-text coverage but incomplete SEO automation.

This is the weakest area of the Craft AI ecosystem. No dedicated plugin exists for AI auto-tagging, smart content routing, intelligent scheduling, or bulk enrichment. Sidekick can create and update entries via natural language commands but is admin/developer-oriented rather than editorial workflow automation. Content Buddy has 'Scheduled Content Generation' on its roadmap but unshipped as of March 2026. Scores near floor of 15–20.

Agentic capability is early but clearly directional. The Agents plugin (Marcus Scheller, v0.29.0, Mar 2026, $59, 7 installs) provides scoped machine accounts, bounded write access via Target Sets, approval routing with field-aware diffs, webhook management, and OpenAPI endpoints explicitly designed for AI orchestrators — the closest thing to production agentic infrastructure in the ecosystem. The Craft CMS MCP server also enables AI agents to perform read/write/publish operations across 50 tools. Both are very new with low install counts. Scores in the 20–25 early/emerging band.

No productized content intelligence exists in the Craft ecosystem. There is no plugin for topic clustering, portfolio-level content gap analysis, editorial priority recommendations, or content health dashboards. Community blog posts describe manually assembling content analysis workflows using MCP + external LLMs, but nothing is packaged. Chatagent provides per-chatbot conversation analytics but not content portfolio intelligence. Scores near floor.

No AI content auditing plugin exists in the Craft ecosystem. No quality scoring, brand voice compliance checking across the content library, accessibility AI scanning, or thin-content detection at scale. LILT enforces brand voice within translation workflows only. General web content describes bespoke integrations using external AI tooling, but nothing is productized as a Craft plugin. Scores near floor.

Semantic search is emerging via the plugin ecosystem but remains early-stage. Chatagent (Eventiva, v1.0.0, Mar 2026, 2 installs) provides vector embeddings per entry using OpenAI embedding models (text-embedding-3-small/large, ada-002) with auto-training on save and RAG-style Q&A. An unofficial 'Craft AI' GitHub project by markhuot adds vector embedding to search. Meilisearch integration (documented by Viget, 2025) enables hybrid keyword+semantic search. LLMify (44 installs) generates llms.txt/llms-full.txt making content RAG-ready. All require external infrastructure and setup; no native vector indexing in Craft core.

No ML-driven personalization engine exists natively or as a plugin in the Craft ecosystem. Craft CMS is explicitly documented by third-party analysts as lacking native personalization (no CDP, no real-time user profiling, no predictive segment assignment). The documented approach is external integration with platforms like Croct via the headless delivery layer. No dedicated Craft personalization plugin leveraging AI or ML exists as of March 2026. Scores near floor.

The Craft CMS MCP server (Stimmt Digital B.V., v1.2.2, free/MIT, Mar 2026) is the standout AI capability in the ecosystem. It provides 50 tools covering entries, assets, categories, users, global sets, schema, config, logs, cache, routes, database, GraphQL, and Commerce — plus 12 read-only URI resources and 9 guided analysis prompts. It is extensible via EVENT_REGISTER_TOOLS so other plugins can expose their own MCP tools. Compatible with Claude Code, Cursor, and Claude Desktop. 299 installs make it the highest-installed AI plugin in the store. While third-party (not from Pixel & Tonic), it is production-grade, actively maintained, and free. Scores in the upper community/well-supported range.

BYOK is universal across the Craft AI plugin ecosystem by design — the platform has no hosted AI service, so every plugin requires user-supplied API keys. AI Assistant (Solspace) is the broadest with support for OpenAI, Google Gemini, Anthropic/Claude, xAI Grok, and Replicate. Content Buddy, GPT Content Generator, and Chatagent are OpenAI-only. Meilisearch requires separate infrastructure. The limitation is the absence of a unified platform-level BYOK control plane — each plugin stores and manages keys independently, with no central model configuration or data residency controls. Scores mid-range at 50.

Developer AI extensibility is a genuine strength, driven primarily by three complementary plugins. The Craft CMS MCP server provides 50 tools with EVENT_REGISTER_TOOLS for third-party extension plus arbitrary PHP execution via Tinker. LLMify (44 installs) generates llms.txt/llms-full.txt and enables Accept: text/markdown header support for AI-friendly content delivery. The Agents plugin exposes OpenAPI endpoints for machine-readable contracts. Craft's native GraphQL API and Element API provide the RAG-ready content delivery foundation. No official LangChain integration guide or dedicated AI SDK, but the combined tooling is genuinely useful for agent developers.

AI governance is minimal and fragmented. The Agents plugin (v0.29.0) provides the closest thing to governance infrastructure: approval routing with field-aware diffs before changes apply, rate limiting, IP allowlists, expiry policies, and token-based scoped access control. Craft's core revision history captures all content changes but is not AI-specific. The MCP server is read-heavy by design with database queries restricted to read-only; PHP Tinker execution represents an ungoverned risk vector. No native AI audit logging, brand safety controls, hallucination detection, or IP indemnification exist at platform level.

AI observability is per-plugin only with no cross-platform visibility. OpenAI Content Writer includes an optional dashboard widget for token/request usage monitoring. Chatagent provides conversation statistics, activity metrics, training data summaries, and suggestion analytics for its chatbot sessions. The Agents plugin offers status and observability dashboards for runtime diagnostics and dead-letter webhook visibility. No platform-wide AI usage dashboard, cost aggregation across plugins, or AI-specific billing/quota management exists in Craft core or as a standalone plugin.