The DXP Scorecard — Independent Platform Evaluation
Scored on implementation experience, not vendor briefings

Craft CMS

Traditional CMS · Tier 2

Scored March 15, 2026 · Framework v1.1

Migration tax: 6 — higher switching friction from legacy architecture

Use-Case Fit

Marketing: 43.6
Commerce: 53.7
Intranet: 40
Multi-Brand: 55

Category Breakdown

1. Core Content Management

72
1.1.1
Content type flexibility
80H

Craft CMS 5.x ships with 23 built-in custom field types and a flexible section/entry-type architecture (channels, singles, structures). Entry types became globally reusable in Craft 5, allowing the same content type to serve multiple sections, Matrix fields, and CKEditor contexts. Custom field types are fully supported via the plugin API. The lack of a native schema-as-code option prevents a higher score.

1.1.2
Content relationships
75H

Craft's Relations field supports many-to-many, polymorphic element references (entries, assets, categories, users), and bidirectional reverse traversal via `relatedTo` and reverse-relation queries. Not graph-native, but reverse lookup is built into the element query API. Score held below 80 because graph traversal is more verbose than GraphQL-native platforms.

1.1.3
Structured content support
82H

Craft's Matrix field enables block-based composition with unlimited nesting; the new Content Block field (Craft 5.x) provides reusable structured components that can be shared across entry types. CKEditor integration adds block nodes within rich text. This is one of Craft's historically strongest differentiators. Falling short of Portable Text equivalence (AST portability) keeps it below 85.

1.1.4
Content validation
73H

All 23 built-in field types include standard validation rules (required, min/max length, regex, file type/size, date ranges). Custom validation is achievable via Craft's event system (pre-save hooks) and module/plugin code. There is no cross-field or rule-engine UI out of the box, which keeps the score below 75.

1.1.5
Content versioning
78H

Craft has a robust Drafts & Revisions system with full version history and one-click rollback. Scheduled publishing (scheduled drafts) is supported natively. The new Content Releases feature (announced Dot All 2025) lets teams group changes across entries and schedule them to go live together. The absence of true content branching or a diff UI between arbitrary revisions keeps it below 80.

1.2.1
Visual/WYSIWYG editing
58H

Craft is a form-based CMS with a well-designed control panel but no native in-page visual editor. Live Preview allows editors to see a rendered preview alongside form fields, but layout changes require developer involvement. The Vizy plugin (third-party, $59/site) provides some visual block editing within a field, but it is not an in-page page-builder experience.

1.2.2
Rich text capabilities
75H

Craft's official CKEditor plugin (requires Craft 5.9+) brings CKEditor 5's full feature set: embedded entries/assets, block nodes, custom toolbar, paste handling. Output is structured HTML/JSON rather than a raw HTML blob, and the Matrix-conversion tooling allows migrating existing HTML content. CKEditor 5 supports collaborative editing as well. Slightly below 80 because output is not a fully portable AST like Portable Text.

1.2.3
Media management
76H

Craft's built-in asset management supports volumes (local, S3, GCS, etc.), folder organization, tagging, metadata fields, and a full image editor with focal point. Image transforms support resize/crop/fit/letterbox modes, WebP and AVIF output. Focal point takes precedence over crop position, and S3 volumes can auto-detect subjects for focal point. Not a DAM replacement but strong for a built-in system.

1.2.4
Real-time collaboration
72M

Craft announced real-time collaborative editing at Dot All 2025, with Datastar-powered live co-editing allowing multiple editors on the same entry simultaneously with instant change propagation (tested with 70+ simultaneous editors). This is a meaningful step toward Google Docs-style collaboration. Scored conservatively at 72 because the feature is newly released and full production maturity/conflict resolution detail is still emerging.

1.2.5
Content workflows
62H

Craft core provides only draft/published states plus revisions and role-based permissions. Multi-stage editorial approval workflows require the Workflow plugin by Verbb (open-source, free), which enables editor-to-publisher submission flows. Content Releases adds cross-entry change grouping and scheduling. Adequate for most use cases but dependent on a third-party plugin for true multi-stage workflows.

1.3.1
API delivery model
78H

Craft ships with a built-in GraphQL API (since v3.3) with a GraphiQL IDE, token-scoped endpoints, filtering, sorting, and pagination. REST delivery is available via Element API plugin and native element controller endpoints. Not GraphQL-native (Craft is traditional-CMS-first) but headless use is well-supported and the GraphQL schema is auto-generated from content models.

1.3.2
CDN and edge delivery
60M

Craft Cloud (the managed hosting product) includes CDN with edge-side includes, custom asset domains, CDN URL rewrites, and regional database clusters for latency reduction. Self-hosted Craft installations have no built-in CDN—operators must configure their own. Since Craft supports both hosting models, the score reflects an average: cloud users get solid CDN, self-hosted users get nothing out of the box.

1.3.3
Webhooks and event system
62M

The official craftcms/webhooks plugin enables GET/POST webhooks on Craft events, suitable for Zapier/Netlify/build hook integrations. Event coverage is reasonable (entry save, publish, delete) but the plugin lacks documented HMAC payload signing, per-event filtering granularity, and retry logic with delivery logs—features present in best-in-class webhook systems.

1.3.4
Multi-channel output
68H

Craft can operate headlessly via GraphQL/REST, but it was designed as a traditional coupled CMS and headless is an add-on paradigm. Rich text output is CKEditor JSON/HTML (not a portable AST), and there are no official multi-platform SDKs for iOS, Android, or non-PHP runtimes. The platform is used headlessly in practice but lacks the SDK ecosystem and format-agnostic output of purpose-built headless platforms.

2. Platform Capabilities

45
2.1.1
Audience segmentation
20H

Craft CMS has no native audience segmentation engine. Personalization requires fully external tools like Croct, which publishes a Craft-specific integration guide but provides no CMS-side segment management. There is no CDP integration built into Craft. Score reflects a platform where segmentation is entirely handled outside the CMS.

2.1.2
Content personalization
30H

Craft has no native content variant system per audience. Personalization requires an external decision engine (Croct, Ninetailed-style tools). Content can be structured for personalization, but serving different content to segments requires the external tool to make decisions and query the Craft API. Score per rubric for CMS platforms requiring fully external personalization.

2.1.3
A/B and multivariate testing
25M

The 'Optimum' plugin on the Craft Plugin Store provides server-side A/B testing within Craft, which is an improvement over client-side-only options. However, it is a third-party plugin with limited reporting and no native statistical significance engine — this is plugin-based, not platform-native. Score slightly above the 20–40 floor given a plugin exists.

2.1.4
Recommendation engine
15H

No algorithmic content recommendation engine exists natively or as a widely adopted Craft plugin. Content recommendations are manual or require custom development. No evidence of ML-based or collaborative filtering support.

2.2.1
Built-in search
45H

Craft ships with full-text search across element types (entries, assets, categories, users). It supports basic field-level search and parameterized filtering via ElementQuery. However, it lacks faceting, relevance tuning, typo tolerance, and autocomplete — and is noted to degrade on high-volume sites. Score reflects basic full-text search without advanced relevance features.

2.2.2
Search extensibility
68H

Multiple well-maintained Algolia plugins exist: Scout (automatic index sync, Craft 5 supported), Dexter (supports Algolia and Meilisearch, $50 intro price as of 2026), and the craftplugins/algolia plugin. The Scout plugin is the de facto standard with documented patterns and automatic index sync on element save. Strong extensibility ecosystem.

2.2.3
AI/semantic search
22H

No native vector search or semantic similarity features in Craft CMS. Semantic search would require custom external integration with an embedding provider and vector database. No official plugin addresses semantic search.

2.3.1
Native commerce
68H

Craft Commerce is a first-party paid plugin from Pixel & Tonic (same team as Craft CMS) providing genuine native ecommerce: product catalog, cart, checkout, orders, inventory, pricing tiers, discounts, shipping, taxes, and multi-storefront support. It integrates deeply with Craft's content model. While it's a paid add-on rather than bundled, it's the official commerce layer. Score at the lower end of 70+ given the additional purchase requirement.

2.3.2
Commerce platform integration
60H

Craft CMS maintains an official Shopify plugin (github.com/craftcms/shopify) that syncs products via Shopify GraphQL Admin API webhooks, bringing product data into Craft as native elements for content enrichment. The integration allows using Craft as a content layer over Shopify. It's a robust product-sync integration but not a bidirectional deep commerce sync.

2.3.3
Product content management
65H

Craft Commerce supports rich product content management with variant-level custom fields, flexible content models, and Craft's custom field system applied to product types. The Craft content model (Matrix blocks, relational fields, custom field types) maps well to rich product editorial needs. With Craft Commerce, product descriptions, images, and variant attributes are first-class.

2.4.1
Built-in analytics
28H

Craft has no native content performance analytics dashboard (no page views, engagement, content health, or author productivity reporting built in). The control panel shows operational data (element counts, recent entries) but nothing qualifying as content intelligence or engagement analytics. Analytics requires external integration.

2.4.2
Analytics integration
57H

The Instant Analytics GA4 plugin (nystudio107) provides server-side GA4 tracking with automatic Craft Commerce Enhanced Ecommerce integration — one of the more mature analytics plugins in the Craft ecosystem. Standard tag manager setups (GTM) work via templates. Segment integration would require custom configuration. Score reflects solid GA4 path but no official Segment/Amplitude marketplace integration.

2.4.3
Content intelligence
25H

Craft has no native content intelligence, SEO gap analysis, or topic clustering. Basic tagging/categorization via Categories and Tags exists. SEO features require plugins like SEOmatic (nystudio107). No AI-powered content analysis is built into the platform.

2.5.1
Multi-site management
78H

Multi-site is a first-class, core Craft CMS capability. A single Craft installation natively manages unlimited sites with independent domains, templates, and settings, while allowing entries and assets to be shared or site-specific. Sites can share content models and components with locale-specific publishing. This is one of Craft's strongest differentiators.

2.5.2
Localization framework
72H

Craft's multi-site architecture enables field-level localization: individual fields on entries can be set as translatable (per-site or per-language). Over 100 locale data sets are shipped. Locale-specific publishing is supported (publish an entry in EN without publishing its FR translation). This is field-level localization, meriting 75+ range, slightly discounted as locale fallback chains are less sophisticated than dedicated i18n systems.

2.5.3
Translation integration
52M

Several translation connectors exist: LILT has an official Craft CMS connector, Acclaro has a Craft translation connector, and the Translations plugin supports professional translation service export/import workflows. DeepL integration is available via plugins. However, there are no official marketplace integrations with Phrase, Lokalise, or Smartling — coverage is patchwork rather than comprehensive.

2.5.4
Multi-brand governance
50M

Craft's multi-site can serve as a multi-brand management layer — separate brand sites under one installation with shared content types and users with site-specific permissions. However, there are no cross-brand approval workflows, global style policy enforcement, or centralized brand asset governance tools native to Craft. Multi-brand is achievable but requires custom configuration.

2.6.1
AI content generation
42H

Multiple AI plugins bring in-editor AI writing assistance to Craft: AI Assistant (solspace, multi-model, rewrite/generate/translate/summarize), Content Buddy (OpenAI/DALL-E, multi-lingual), Promptly, and OpenAI Content Writer. These are plugin-based, not native Craft features, and lack brand voice controls or content-type-aware field-level AI. Score reflects several basic generation plugins without brand governance layer.

2.6.2
AI-assisted workflows
32M

AI workflow automation in Craft is limited. Content Buddy adds AI-powered meta description and SEO field suggestions. Some plugins offer auto-translation suggestions. No auto-tagging, image recognition, quality checking, or smart scheduling features are widely documented. The ecosystem is largely generation-focused with minimal workflow automation.

2.6.3
AI governance & trust
18H

No AI governance framework exists in Craft CMS core or in the plugin ecosystem. AI plugins pass prompts to OpenAI/Anthropic APIs without audit trails, hallucination detection, brand safety filters, or custom model governance. AI output goes directly into content fields with no oversight layer.

3. Technical Architecture

61
3.1.1
API design quality
68H

Craft ships a built-in GraphQL API (since 3.3) with a bundled GraphiQL IDE and token-scoped schemas that are auto-generated from the content model. It supports filtering, sorting, and pagination, plus image transform directives. However, there is no first-class REST API — the Element API plugin provides custom JSON endpoints as a community add-on. GraphQL subscriptions and user mutations are unsupported. Strong for headless GraphQL use, but the REST gap and missing GraphQL features prevent a higher score.

3.1.2
API performance
63H

Craft Cloud includes CDN for static and front-end assets with metered outbound bandwidth (250GB–500GB/month), regional DB clusters (EU/US), and a 60-second request timeout with 6MB max response. However, GraphQL query responses are not edge-cached by default, and self-hosted installations have no built-in CDN or rate limiting. No published throughput benchmarks or documented API call concurrency limits.

3.1.3
SDK ecosystem
38H

Pixel & Tonic publishes no official JavaScript, TypeScript, Python, Ruby, or mobile SDKs. The primary developer surface is the PHP plugin/module API. The community Query API plugin (@query-api/js) and standard graphql-codegen workflows provide JS/TS access but are not officially maintained. This is a significant gap vs. headless-native platforms with 4–6 official SDKs.

3.1.4
Integration marketplace
72H

The Craft Plugin Store hosts approximately 800 plugins spanning all major categories: SEO (SEOmatic), forms (Formie, Freeform), e-commerce (Craft Commerce), workflow, translation, Algolia search (Scout), DAM, analytics integrations, and more. First-party plugins include CKEditor, Webhooks, and Shopify. The breadth is strong for a traditional CMS tier-2 platform but lacks the dedicated cloud marketplace infrastructure of SaaS-native platforms.

3.1.5
Extensibility model
82H

Craft has one of the most mature extensibility models in the traditional CMS space: full-MVC plugins with CP sections, modules for lightweight single-class extensions, custom field types via FieldInterface, custom element types, GraphQL schema extension from plugins, control panel Twig template overrides, custom dashboard widgets, utilities, and a comprehensive event/hook system throughout the framework. Self-hosted deployment lets plugin and module code run arbitrary server-side logic with full framework access.

3.2.1
Authentication
64H

Craft 5 ships native 2FA via TOTP apps (Google Authenticator, Bitwarden, 1Password) and WebAuthn passkeys, both enforceable per user group. API token management is built-in for GraphQL endpoint access. SSO (SAML 2.0, OIDC/OAuth 2.0) is plugin-only — the official oauthclient plugin and third-party saml-sp/saml-idp plugins fill this gap but add cost and deployment complexity. SSO is not in core, which creates friction for enterprise buyers.

3.2.2
Authorization model
65H

Craft Pro offers unlimited user groups with granular section-level and entry-type-level create/publish/delete permissions, plus plugin-registered custom permissions. However, native field-level permissions do not exist — only field layout conditions (show/hide per user group) as a workaround. Content-instance access control (see only your own entries) requires custom module code. GitHub issue #4238 has tracked field-level permissions as a long-standing feature request.

3.2.3
Compliance certifications
42H

Pixel & Tonic offers a GDPR Data Processing Agreement (DPA) on request at no charge and provides GDPR-related plugin tooling. No public documentation of SOC 2 Type 2, ISO 27001, or HIPAA certifications for Craft Cloud was found in official documentation, pricing pages, or trust center materials. Third-party hosting providers may hold infrastructure-level certifications, but these are not attributable to Craft itself. This is a major gap for regulated enterprise buyers.

3.2.4
Security track record
35H

Three critical/high-severity RCE vulnerabilities were disclosed in a six-month window (December 2024 – April 2025): CVE-2024-56145 (RCE via PHP `register_argc_argv`), CVE-2025-23209 (CVSS 8.1, code injection via security keys — added to CISA KEV catalog, actively exploited), and CVE-2025-32432 (CVSS 10.0, unauthenticated RCE via image transforms — ~300 instances compromised). No HackerOne bug bounty program was found; disclosure is via email only. This concentration of critical vulnerabilities, including a CISA KEV entry and a CVSS 10.0, is a significant negative signal.

3.3.1
Hosting model
75H

Craft supports both self-hosted deployment (PHP on any LAMP/LEMP stack, Composer-managed) and managed SaaS hosting via Craft Cloud (official managed hosting from Pixel & Tonic with CDN, backups, and firewall). This dual model provides good flexibility — regulated industries can self-host, while teams wanting managed infrastructure use Craft Cloud. No private cloud or VPC deployment option is documented for Craft Cloud.

3.3.2
SLA and uptime
45M

A public status page exists at status.craftcms.com and reported 100% CDN uptime in recent periods. However, no formal SLA with a documented uptime percentage guarantee was found in Craft Cloud documentation or pricing pages. For self-hosted deployments, there is inherently no vendor SLA. The absence of a contractual SLA is a significant gap for enterprise procurement processes.

3.3.3
Scalability architecture
58M

Craft Cloud added EU and US regional database clusters in 2025 for latency improvements, and CDN handles edge caching of assets. Documented limits are permissive (no caps on entries, users, or content types; metered outbound only). However, multi-site installations multiply database query load proportionally, and no public enterprise-scale references or peak traffic benchmarks are documented. Craft is primarily mid-market positioned without evidence of Fortune 500 scale deployments in official marketing.

3.3.4
Disaster recovery
52H

Craft Cloud performs automated nightly database backups with 30-day retention, and supports unlimited on-demand manual backups. Content export is available via the native DB backup and asset storage access. However, no formal RTO/RPO documentation was found, and no multi-region failover or point-in-time recovery capability is documented. Self-hosted installations rely on community backup plugins (enupal/backup). Adequate for mid-market but below enterprise DR expectations.

3.4.1
Local development
78H

DDEV has official native Craft CMS support (project type since v1.21.2) with one-command setup via `ddev launch`, auto-configured `.env`, and a committed `.ddev/` directory for team reproducibility. The `craft` CLI handles migrations, cache clearing, and scaffolding. Multiple popular GitHub starters (onedarnleyroad/craftcms, kerns/craft-on-ddev) provide batteries-included DDEV+Vite+HMR setups. Docker-based local development is also documented in the Craft knowledge base.

3.4.2
CI/CD integration
73H

Craft's Project Config system captures all schema changes (sections, fields, entry types, sites, plugins) as YAML committed to git, applied via `php craft up --interactive=0` on deployment. Craft Cloud automates this pipeline with pre-migration DB snapshots. GitHub Actions, Buddy, and Deployer integrations are documented. Craft Cloud provides production + staging environments, but branch-per-PR content environments are not available — environment count is limited by plan tier.

3.4.3
Documentation quality
79H

Craft maintains parallel documentation for v3, v4, and v5 at craftcms.com/docs, along with a comprehensive knowledge base for guides and how-tos. Coverage spans all field types, element queries, GraphQL schema, plugin/module development, and framework-specific integration guides. CraftQuest provides a dedicated paid video learning platform. Community resources (nystudio107 blog, putyourlightson.com, MadeByShape) supplement official docs extensively. Minor penalty for the large volume that can overwhelm newcomers.

3.4.4
TypeScript support
42H

No official TypeScript SDK or type generation tooling is published by Pixel & Tonic. The community Query API plugin (@query-api/js) advertises auto TypeScript generation from the Craft content model, and standard graphql-codegen workflows against Craft's introspected GraphQL schema are used by the community. No official @craftcms npm package exists. TypeScript is an ecosystem-driven pattern, not a platform-native offering, which positions Craft well below purpose-built headless platforms on this dimension.

4. Platform Velocity & Health

64
4.1.1
Release frequency
72H

Craft CMS shipped versions 5.6, 5.7, and 5.8 in 2025, with 5.9 imminent and Craft 6 Beta targeting Q3 2026. Craft Commerce tracked alongside with 5.3, 5.4, and 5.5. Release pace is roughly quarterly for minor versions with patch releases in between — solid for a mid-tier open-source CMS but not rapid-fire SaaS cadence.

4.1.2
Changelog quality
72H

Craft maintains a well-structured CHANGELOG.md on GitHub with per-version sections, distinguishes breaking changes, and links to migration notes. The 'What's New' section on craftcms.com and a monthly newsletter supplement the raw changelog with human-readable summaries. Not quite at the level of tools that auto-generate migration codemods, but clearly above average.

4.1.3
Roadmap transparency
68H

Craft publishes a public roadmap at craftcms.com/roadmap and communicates direction through annual Dot All conferences (Melbourne, Lisbon 2025) and detailed blog posts. The Laravel migration to Craft 6 was announced publicly with clear Beta/GA timelines. No community voting portal (e.g., Canny), but direction is transparent and well-documented.

4.1.4
Breaking change handling
70H

The Craft 6 Laravel migration is a significant architectural shift, but Pixel & Tonic explicitly designated Craft 5 as an LTS release with 5 years of support after Craft 6 GA — a clear, generous deprecation window. Breaking changes are documented in the changelog with upgrade notes. Not fully automated (no codemods), but deprecation windows are among the better examples in the tier.

4.2.1
Community size
60H

GitHub repository has 3,500 stars — below the 5K–20K range for a higher score. Discord has 8,206 members, which is respectable for a niche PHP CMS. Stack Exchange CraftCMS site exists with a reasonable question volume. Community is well-established but modest in absolute numbers compared to open-source peers like Drupal.

4.2.2
Community engagement
68H

The Discord is described as extremely active with daily discussions and tips. GitHub Discussions are open and used. Pixel & Tonic team members participate actively in community channels. Dot All annual conference (two editions in 2025 alone) signals a deeply engaged practitioner community. Engagement quality is high for the community size.

4.2.3
Partner ecosystem
60H

Craft Partner Network offers three verification tiers (Craft Verified, Commerce Verified, Enterprise Verified) with a formal directory and lead referrals. Multiple agencies hold verified status globally. However, the network consists of boutique digital agencies — no major SIs (Accenture, Deloitte, Valtech) are present, limiting enterprise procurement confidence.

4.2.4
Third-party content
63M

A healthy but not deep ecosystem of third-party tutorials, agency blog posts, and conference talks exists. Multiple UK and North American agencies publish Craft-specific content. Dot All conference talks are available. The 'Awesome Craft' GitHub curated list is maintained. Content volume is adequate for an experienced developer, but there are no major Udemy courses or Pluralsight paths.

4.3.1
Talent availability
60H

67 jobs on Glassdoor and 35+ on SimplyHired are tagged to Craft CMS developers; freelancers are available on Upwork, Toptal, and Arc. Salary ranges of $65–$99/hr show market demand. Talent pool is real but niche — not easily found in general PHP developer pools without prior Craft exposure. No formal certification program to signal expertise.

4.3.2
Customer momentum
62M

Active partner expansion, two Dot All conference editions in 2025, and the Craft 6 Laravel announcement generating positive community buzz are positive signals. New agency case studies are published regularly. However, Craft does not publicize enterprise logo wins or customer count growth data, making momentum hard to quantify beyond community signals.

4.3.3
Funding and stability
58M

Pixel & Tonic is privately held and bootstrapped — no external funding rounds on Crunchbase. The company is small (estimated <20 employees: CEO Brandon Kelly, COO Leah Stephenson, CTO Brad Bell) but has sustained product development since 2013 without outside capital. No layoff signals; active Craft 6 development demonstrates ongoing investment. Risk is the concentration in a small, unfunded team.

4.3.4
Competitive positioning
60M

Craft occupies a clear niche as a 'developer-first, bespoke experience' PHP CMS, and the Laravel migration sharpens its appeal to the Laravel developer ecosystem. It is not recognized in Gartner Magic Quadrant or Forrester Wave (too small). Competition from headless CMSes and Statamic is real. Positioning is coherent but narrow.

4.3.5
Customer sentiment
61M

G2 shows approximately 48 reviews — below the 100-review threshold for a higher-confidence score. Content authoring capability scores 8.7/10 on G2, suggesting strong user satisfaction. Capterra reviews echo themes of flexibility, security, and clean UI. No significant negative sentiment patterns on forums around pricing or reliability. Low review volume keeps the ceiling down despite positive tone.

5. Total Cost of Ownership

65
5.1.1
Pricing transparency
65H

Craft CMS publicly lists Solo (free), Team, and Pro ($399/installation) on craftcms.com/pricing with clear renewal costs ($99/yr for updates). Enterprise tier is custom and sales-gated. This is the standard lower-tiers-public/enterprise-gated model. Not penalizing beyond the industry norm since the key commercial tiers are visible.

5.1.2
Pricing model fit
78H

Craft uses a perpetual per-installation license model — pay $399 once, then optionally $99/yr for continued updates. No API-call metering, no bandwidth overages, no seat-based scaling surprises. Once purchased, teams can use that version indefinitely without further fees. Highly predictable for budget planning.

5.1.3
Feature gating
68H

Solo (free) includes full content modeling, multi-site support, and GraphQL — core production capabilities available without payment. Pro ($399) unlocks unlimited user accounts and per-user permissions, which are needed for most professional team projects. Gating is reasonable: the paid step-up is for team collaboration features, not basic security or content functionality.

5.1.4
Contract flexibility
62M

Perpetual licensing is buyer-friendly — purchase once and retain use of that version indefinitely without further payments. However, there is no monthly billing option; pricing is one-time plus annual update subscription. No public startup or nonprofit discount programs were identified. The absence of monthly plans and limited flexible purchasing paths constrains the score.

5.1.5
Free / Hobby Tier
68H

Solo edition is free forever — not a trial, not time-limited — and includes the full content modeling engine, GraphQL API, and multi-site. The meaningful limitation is a single admin account, which blocks team use but is genuinely workable for individuals and freelancers evaluating the platform. Commercial use is permitted. A strong free tier but the 1-admin cap is a real limit.

5.2.1
Time-to-first-value
65H

Craft has comprehensive official documentation including a getting-started tutorial for building a simple blog. An experienced PHP developer can have a working local installation and first content query within hours. However, the 'blank slate' approach and Twig-based templating system create genuine onboarding friction — community sources describe the initial experience as 'daunting.' Days-to-working-site is realistic for developers new to Craft.

5.2.2
Typical implementation timeline
65M

For simple marketing sites, experienced Craft developers typically deliver in 2–4 weeks. The blank-slate CMS model means more initial setup than a theme-based CMS, but Craft's flexible field system accelerates content modeling once learned. No consistent community reports of dramatically overrun timelines. G2 reviews are generally positive on implementation. Scores adequately but not strongly on this dimension.

5.2.3
Specialist cost premium
62M

Craft CMS uses PHP and Twig — mainstream server-side skills — but requires platform-specific knowledge of Craft's custom field types, plugin system, and templating conventions. Craft specialists command $100+/hr. Talent pool is smaller than WordPress or general PHP development but meaningfully larger than proprietary DXP platforms. Premium is moderate — estimated 25–40% above a generalist PHP developer.

5.3.1
Hosting costs
52H

Craft CMS is predominantly self-hosted (PHP + MySQL/PostgreSQL), meaning buyers must provision and pay for their own servers, CDN, and database separately from the license. Craft Cloud (managed hosting) exists and reportedly includes Team/Pro licenses for Cloud-hosted projects, but pricing is not prominently published and adoption remains secondary. Most real-world deployments incur $20–200+/month in hosting costs on top of the license fee.

5.3.2
Ops team requirements
55M

Self-hosted Craft deployments require PHP version management, security patching, database backups, and server-level monitoring — meaningful ongoing ops overhead, though less than Java-based DXPs. Managed hosting providers (Arcustech, Craft Cloud) reduce this significantly. For teams on managed hosting, ops burden is moderate-low. Scoring the likely deployment path for most buyers (managed VPS or shared hosting) as moderate overhead.

5.3.3
Vendor lock-in and exit cost
68M

Craft stores data in standard MySQL or PostgreSQL — fully accessible and portable. As a self-hosted platform, buyers own their data outright. However, native first-party content export tooling is not built into core (a long-standing GitHub feature request). Community plugins (Feed Me, Migration Assistant) fill the gap but can be error-prone per user reports. Standard database portability keeps lock-in low, but the lack of clean built-in export tooling prevents a higher score.

6. Build Simplicity

64
6.1.1
Concept complexity
65H

Craft CMS has roughly 5–7 core concepts (Sections, Entry Types, Fields, Project Config, Matrix/Content Blocks, Assets) that map reasonably to standard CMS mental models. Craft 5's 'entrification' of Matrix adds one more abstraction to learn. Twig templating and PHP stack add some re-learning for JS-native developers. Not as clean as a pure API-first headless CMS but far simpler than enterprise DXP multi-subsystem architectures.

6.1.2
Onboarding resources
70H

Craft provides a full getting-started tutorial (craftcms.com/docs/getting-started-tutorial), framework-specific starter guides, a Glossary added in 2025, and an active Discord community. CraftQuest offers a dedicated video learning platform. No in-app interactive onboarding tour, but structured paths and framework-specific guides (Next.js, Astro) launched in 2025 raise this above docs-only.

6.1.3
Framework familiarity
60H

Headless use via GraphQL or REST APIs aligns with mainstream developer knowledge, and official Next.js and Astro starters launched in 2025 reinforce this path. Traditional (coupled) use requires PHP and Twig, which are less familiar to modern JS developers but transferable to other Twig-based CMSs. No proprietary query language for headless consumers. Not quite 'standard React first-class' for the full stack but the headless path is clean.

6.2.1
Boilerplate and starter quality
65H

Official vendor-maintained starters exist for Next.js (craftcms/starter-next) and Astro, both added in 2025. Community starters for Tailwind/DDEV also available. Official starters include content model setup and GraphQL queries but are leaner than some SaaS competitors in terms of example content density and CI/CD configuration. Still a clear improvement over community-only starters.

6.2.2
Configuration complexity
55H

Craft setup requires a PHP environment, MySQL/PostgreSQL database, composer install, multiple .env values (DB credentials, APP_ID, SECURITY_KEY, BASE_URL), and Project Config YAML. DDEV reduces local friction significantly but adds its own dependency. More than a few env vars with non-trivial infrastructure requirements. Moderate config surface — not as heavy as enterprise DXPs but more than headless SaaS platforms.

6.2.3
Data modeling constraints
65H

Craft stores schema definitions (Sections, Fields, Entry Types) in Project Config YAML files — version-controllable and deployable across environments. No hard field count limits like Contentful's 50-field cap. Migration tooling exists via database migrations and the Feed Me plugin for content imports. Field type changes can be tricky, and Craft 5's Matrix-to-entries migration was a significant breaking change for existing sites. MariaDB support was dropped as of recent versions, limiting database choices.

6.2.4
Preview and editing integration
58H

Headless live preview uses a token-based mechanism: configure preview targets in each Section, add a frontend preview API route, and handle the token + draft element lookup. Multiple tutorials exist (nystudio107, dev.to, trevor-davis.com) but implementation requires frontend code changes and attention to {sourceUid} vs {uid} gotchas. Not plug-and-play — moderate effort with good documentation. The starter-next repo includes preview wiring as a reference.

6.3.1
Required specialization
65H

No proprietary certification program. Generalist PHP developers or JS developers using the headless path can be productive without Craft-specific training, though Project Config, Twig, and Craft's content modeling conventions require some platform learning. Craft specialists are less abundant than WordPress developers but the community (Discord, CraftQuest, forum) compensates. Headless consumers need only standard GraphQL/REST knowledge.

6.3.2
Team size requirements
72H

Craft is well-suited to solo developers or 2-person teams shipping production projects. No dedicated DevOps, solution architect, or enterprise implementation partner required for standard deployments. Craft Cloud simplifies hosting further. Scales up to larger teams without requiring a major restructuring of the engagement model. Well below enterprise DXP team size requirements.

6.3.3
Cross-functional complexity
67H

Craft's control panel is widely praised for editor usability — content editors can create entries, manage assets, use live preview, and publish without developer involvement for routine content operations. Content Block fields (added in Craft 5.x) give editors flexible page-building capability. Adding new Entry Types or Fields requires a developer and Project Config deployment, which is standard for the category. Better operational independence than enterprise DXPs.

7. Operational Ease

53
7.1.1
Upgrade difficulty
50H

Craft CMS is self-hosted PHP, so major version upgrades (3→4, 4→5) involve breaking template changes, plugin compatibility checks, and manual database migrations — agencies consistently document multi-step preparation workflows. Minor updates within a major version run cleanly via `composer update` or the CP updater. The announced Craft 6 (Laravel rewrite, Q4 2026) with a Yii-to-Laravel adapter signals another disruptive forced architectural migration on the horizon. Not higher because major-version friction is real and well-documented.

7.1.2
Security patching
48H

Pixel & Tonic released patched versions for CVE-2025-32432 (CVSS 10.0 RCE) just three days after being notified — commendably fast disclosure-to-patch turnaround. However, Craft is self-hosted, so operators must manually apply patches via Composer; roughly 13,000 vulnerable instances remained exposed and ~300 were compromised as of April 2025, underscoring the real-world patching lag. Multiple high-severity CVEs in 2024–2025 (CVE-2025-23209 CVSS 8.1, CVE-2025-32432 CVSS 10.0) indicate an active vulnerability surface on the Yii framework underpinning.

7.1.3
Vendor-forced migrations
58H

Craft has historically provided 12+ month deprecation windows for major versions — Craft 4 general support ended April 2025 with security support extended to April 2026, giving teams a full year runway. The Craft 6 Laravel rewrite (GA Q4 2026) is a larger forced migration but the team is providing a Yii-to-Laravel adapter to ease the transition. Not higher because Craft 6 will require significant rework for plugins and custom code regardless of the adapter.

7.1.4
Dependency management
55H

Craft CMS runs on a standard PHP/Composer stack with MySQL or PostgreSQL — a well-understood dependency set without exotic runtimes. Requires PHP (min 256M memory, max_execution_time 120s), a web server, and database; optional Redis for caching and a CDN layer. Composer manages plugins and framework dependencies, and transitive security issues can surface through the Yii 2 framework layer (as seen with CVE-2024-58136). Not lower because the dependency graph is relatively small compared to Java-based DXPs.
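The operator-side patching lag described under 7.1.2 and the transitive Yii exposure noted under 7.1.4 can both be checked from a site's `composer.lock`. The following is an added example, not part of the scorecard or of Craft's own tooling; the lock excerpt and version floors are constructed placeholders (take real floors from the vendor advisories), and the function names are hypothetical.

```python
import json
import re

# CONSTRUCTED composer.lock excerpt (not taken from a real site).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "craftcms/cms", "version": "5.1.3"},
        {"name": "yiisoft/yii2", "version": "v2.0.60"},
        {"name": "craftcms/commerce", "version": "dev-main"},
    ],
    "packages-dev": [],
})

# CONSTRUCTED floors: placeholders, NOT the real fixed versions for any CVE.
# Replace with the patched version for the release line each site runs.
SAMPLE_FLOORS = {
    "craftcms/cms": "5.2.0",
    "yiisoft/yii2": "2.0.60",
    "craftcms/commerce": "5.0.0",
    "twig/twig": "3.0.0",
}


def parse_version(raw):
    """Parse 'X.Y.Z' or 'vX.Y.Z' into a 4-tuple of ints.

    Returns None for anything that cannot be compared safely, such as
    branch aliases ('dev-main') or pre-release tags ('5.0.0-beta.1').
    """
    m = re.fullmatch(r"v?(\d+(?:\.\d+){0,3})", raw.strip())
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def check_lock(lock_text, floors):
    """Compare locked package versions against minimum patched versions."""
    lock = json.loads(lock_text)
    installed = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            installed[pkg["name"]] = pkg.get("version", "")

    findings = []
    for name, floor in sorted(floors.items()):
        floor_v = parse_version(floor)
        if floor_v is None:
            raise ValueError(f"floor for {name} is not a plain version: {floor!r}")
        locked = installed.get(name)
        if locked is None:
            status = "not-installed"
        else:
            locked_v = parse_version(locked)
            if locked_v is None:
                # Fail closed: an uncomparable version needs a human look.
                status = "unverifiable"
            elif locked_v < floor_v:
                status = "below-floor"
            else:
                status = "ok"
        findings.append({"package": name, "locked": locked,
                         "floor": floor, "status": status})
    return findings


def needs_action(findings):
    """Findings an operator must resolve before the site counts as patched."""
    return [f for f in findings if f["status"] in ("below-floor", "unverifiable")]


if __name__ == "__main__":
    for f in check_lock(SAMPLE_LOCK, SAMPLE_FLOORS):
        print(f"{f['status']:<14} {f['package']:<20} "
              f"locked={f['locked']} floor={f['floor']}")
```

Composer's own `composer audit` command reports known advisories for the locked packages on a single site; a floor check like this one suits cases where lock files from many sites are collected and reviewed centrally.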

7.2.1
Monitoring requirements
38M

Craft's CP dashboard offers basic widgets (Updates, Drafts, Recent Entries, New Users) but provides no built-in APM, infrastructure health monitoring, or webhook delivery dashboards. Production monitoring requires third-party plugins (e.g., Semonto, craft-monitoring.com) or external tooling (Datadog, New Relic). Self-hosted deployments additionally require server-level OS and database monitoring to be configured entirely by the operator. Score reflects the significant custom monitoring burden typical of self-hosted PHP CMSes.

7.2.2
Content operations burden
45M

Craft includes basic content hygiene tools — draft tracking, entry status indicators, and a revision history — but lacks automated orphan asset detection, broken reference alerts, or content-expiry workflow automation out of the box. Content governance relies primarily on editorial discipline or custom plugin solutions. The 'Recent Entries' and 'Drafts' dashboard widgets provide minimal visibility. Not lower because the structured content model reduces ad-hoc hygiene issues compared to WordPress-style platforms.

7.2.3
Performance management
45H

Craft has built-in template caching and eager-loading for element queries, but CDN configuration, query tuning, and server-level caching (Redis/Memcached) are entirely operator-managed. There is no built-in CDN, no automated image optimization pipeline, and no performance dashboard. Servd.host provides a managed Craft hosting option with CDN included, but for standard self-hosted deployments performance requires active ongoing management. Score reflects the self-hosted reality.

7.3.1
Support tier quality
55M

Craft CMS offers official support plans with defined SLAs and email ticketing, and maintains a comprehensive knowledge base. G2 and SoftwareReviews users report responsive email support with 'defined timelines.' However, formal enterprise-grade support (dedicated CSM, phone, guaranteed SLAs) is not prominently documented for mid-tier plans — the community-first ethos means formal support is secondary. Reasonable for a Tier 2 platform, but below Tier 1 enterprise DXP support programs.

7.3.2
Community support quality
72H

Craft CMS has one of the most consistently praised developer communities in the CMS space — Discord with 8,200+ members as of 2025, described as 'extremely active' with daily discussions, Pixel & Tonic team participation, and beginner-friendly channels with no-judgment policies. Multiple sources cite the community as a primary reason teams choose Craft. Timezone spread across a global community introduces minor response delays. Not higher because the community is smaller than Drupal or WordPress ecosystems.

7.3.3
Issue resolution velocity
60H

Pixel & Tonic patched CVE-2025-32432 (CVSS 10.0) within three days of notification — a strong indicator of issue resolution velocity for critical bugs. The Craft GitHub repo is actively maintained and minor bug fixes ship in point releases. Self-hosted deployments add operator lag after patches are published. Community sentiment on GitHub and Discord reflects responsive issue handling for high-priority bugs, though lower-priority issues can linger. Broadly above average for a self-hosted CMS.

8. Use-Case Fit

48
8.1.1
Landing page tooling
50H

Craft CMS does not ship a native drag-and-drop page builder; marketers can edit existing entry content and use Matrix blocks for flexible layouts, but creating a new layout still requires developer involvement. Live Preview and third-party plugins (Vizy, Sprig) extend capabilities, but they are not bundled. Scores mid-range: above 'developer-only' but below true self-serve page builders.

8.1.2
Campaign management
35H

Craft has scheduled publishing and entry status lifecycle, but no native multi-channel campaign coordination, content calendaring, or campaign analytics. The third-party 'Campaign' plugin (putyourlightson/craft-campaign) adds email campaign management, but this is not bundled. Score aligns with the scoring framework's 20–40 band for platforms where scheduled publishing is the only built-in campaign feature.

8.1.3
SEO tooling
55H

Craft core has no built-in SEO field types or sitemap generation; all SEO capabilities require plugins. However, the ecosystem is mature: SEOmatic (nystudio107) provides meta tags, JSON-LD, XML sitemaps, robots.txt, and canonical management; SEO Fields adds redirects and 404 tracking; Retour handles redirects. These are plugin-dependent but widely adopted and deeply integrated. Scored 55 (upper end of plugin/manual tier) due to depth of plugin coverage.

8.1.4
Performance marketing
30H

No native form builder, lead capture, or conversion tracking in Craft core. Third-party plugins (Freeform, Formie) add form handling, but UTM parameter awareness and CTA management require custom development or external integrations. Score reflects the 20–35 range for platforms where all performance marketing requires external tools.

8.2.1
Product content depth
65H

Craft Commerce (first-party, maintained by Pixel & Tonic) provides custom product types with unique fields, variant content, rich media per SKU, product taxonomy, and tight coupling of editorial content to commerce data via standard Craft entries. The 2025 updates (Commerce 5.3–5.5) added customizable product and variant cards. This is well-adapted product content modeling, not a generic CMS workaround.

8.2.2
Merchandising tools
38M

Craft Commerce includes promotions, discounts, and coupon management, but lacks advanced merchandising tooling such as search-result merchandising, automated cross-sell/upsell content rules, or promotional content scheduling. Category management and product spotlights require custom template work. Score falls in the 10–40 range; slightly above the floor because Craft Commerce does include promotions.

8.2.3
Commerce platform synergy
55M

Craft Commerce is a first-party, deeply integrated commerce layer — product references live natively in the Craft control panel alongside editorial content, and GraphQL/REST API support is comprehensive. However, integration with third-party platforms (Shopify, commercetools, SFCC) relies on community plugins and custom webhook/API work rather than native federation. Scored 55: deep for Craft Commerce itself, but not strong for external platform synergy.

8.3.1
Access control depth
50H

Craft Pro supports user groups with granular permissions per section, entry type, and asset volume — this is RBAC on content types. However, audience-based content visibility (restricting individual entries to specific departments or individuals at the content-instance level) requires custom plugin or front-end logic. SSO is supported via plugins (SAML, LDAP) but not built in. Score is 50: above simple public/private, below full audience-based access control.

8.3.2
Knowledge management
42M

Craft provides content versioning (draft/revision history), flexible taxonomy via categories and tags, and entry expiry dates — adequate for basic knowledge organization. However, there is no native knowledge lifecycle tooling: no review-due dates, no structured approval workflows for knowledge updates, no expiry reminders, and internal search requires Craft Search or third-party integrations. Score reflects adequate content modeling without knowledge-specific lifecycle features.

8.3.3
Employee experience
25H

Craft has no native portal features: no news feed, employee directory integration, social reactions, notifications, or personalized dashboards. Building an intranet with Craft requires extensive front-end custom development. This matches the 20–35 scoring band for CMS platforms that are not purpose-built for employee experience. The search found no Craft-specific intranet case studies or purpose-built modules.

8.4.1
Tenant isolation
55H

Craft's native multi-site feature allows multiple sites in a single installation with separate domains, templates, and content translations/overrides per site. This is silo-based isolation rather than true multi-tenant architecture — all sites share the same database, user table, and plugin set. Independent environments require separate Craft installations. Scored 55 as functional but not enterprise multi-tenant.

8.4.2
Shared component library
55H

Craft Global Sets provide centrally managed content (nav, footer, global config) shared across all sites in an installation. Cross-site entry propagation allows content to be shared or translated per site. However, true cross-installation content federation (across separately licensed instances) requires API-level workarounds. Score is 55: solid federation within a single installation, limited across separate ones.

8.4.3
Governance model
47M

Craft supports organization-level user management, site-specific permissions, and group-based access control across a multi-site installation. However, there are no native cross-brand approval workflows, enforced content standards at a global policy level, or centralized governance dashboards. Score is in the 40–60 band: organization-level management is present but cross-brand enforcement is limited.

8.4.4
Scale economics
65H

Craft CMS Pro is a flat annual license (~$299/yr) that includes unlimited sites within a single installation — adding brands/sites does not increase the base license cost. Craft Commerce is priced per-project but can serve multi-store setups. This creates favorable economics compared to per-site licensed platforms. Scored 65 for the flat per-installation model that avoids linear cost scaling for multi-site deployments.

9. Regulatory Readiness & Trust

43
9.1.1
GDPR & EU data protection
52H

Craft CMS offers a free DPA to all customers (not enterprise-only), and the privacy policy documents EU data subject rights (access, correction, deletion, transfer). However, personal data is stored in the United States only with no EU data residency option, the sub-processor list is informally embedded in the privacy policy (Stripe, Front App, Google Analytics) rather than a formal GDPR-specific published list, and no explicit SCCs are documented publicly. DPA available to all is the positive anchor, but residency and sub-processor documentation gaps cap the score in the 50–55 range.

9.1.2
HIPAA & healthcare compliance
20H

Craft CMS explicitly prohibits use for HIPAA-regulated health data. The cloud security documentation states the Services 'are not designed to process or host data that is sensitive in nature or subject to regulatory oversight' and users 'may not use the Services to store or process protected health information under HIPAA.' No BAA is available and there is no healthcare-specific guidance in the documentation.

9.1.3
Regional & industry regulations
30M

The only documented regional compliance framework is GDPR (with DPA availability). No explicit CCPA compliance documentation or California-specific rights are present in the privacy policy. No mention of UK GDPR IDTA, PIPEDA, LGPD, FedRAMP, IRAP, C5, PCI-DSS, or HITRUST was found. Craft CMS is a primarily developer-focused commercial CMS without the compliance breadth of enterprise DXP platforms.

9.2.1
SOC 2 Type II
35M

No platform-level SOC 2 Type 2 attestation for Craft CMS (craftcms.com) was found. The Craft Cloud security page states infrastructure uses 'fully SOC-2 compliant access procedures' from underlying cloud providers, but per scoring rules, inheriting cloud provider certifications does not count. Note: craft.do (a different company) has SOC 2 Type 2, but this is unrelated to craftcms.com. Score reflects no SOC 2 at the platform level.

9.2.2
ISO 27001 / ISO 27018
30M

No ISO 27001 or ISO 27018 certification was found for Craft CMS (Pixel & Tonic). Searches returned no ISO 27001 evidence on craftcms.com. The ISO 27001 reference found in searches relates to craft.io (a separate product management platform by a different company), which is not relevant here. Score is at the floor for platforms without any ISO certification.

9.2.3
Additional certifications
40L

No additional certifications were found: no CSA STAR, PCI-DSS, Cyber Essentials Plus, FedRAMP, IRAP, ENS, or C5 documentation exists on craftcms.com. The absence of even a platform-level SOC 2 means the additional certifications portfolio is empty. Base score applied for a CMS with no documented certification stack beyond good security practices.

9.3.1
Data residency & sovereignty
40H

Craft Cloud stores data in the United States only — the privacy policy explicitly states 'personal information is stored in the United States' with no mention of EU, APAC, or multi-region hosting options for Craft Cloud. Self-hosted deployments allow customers to choose any region independently, which partially offsets this for on-premise use cases, but the SaaS/cloud offering provides no contractual residency guarantee beyond US storage. Scores in the lower end of the 35–55 range for US-only cloud.

9.3.2
Data lifecycle & deletion
48M

Craft Cloud provides daily automated backups retained for 30 days with manual backup triggering. Data deletion is available on request by email for marketing/product data; EU residents can request data transfer. No self-service data export portal or automated right-to-erasure mechanism was found; deletion and export requests go through support. For self-hosted deployments, customers own their database entirely. Mixed picture caps the score at the lower end of the 50–70 range.

9.3.3
Audit logging & compliance reporting
40M

Craft CMS includes application-level logging via Monolog (configurable to files, databases, or web services), and third-party audit plugins (craft-audit on Plugin Store) provide element-level action logs. Craft Cloud monitors for unauthorized access and anomalous activity but does not document native SIEM integration or compliance-grade audit log export. For self-hosted deployments, customers can configure their own log pipelines. No native SIEM push, configurable retention policy, or compliance reporting feature was documented.

9.4.1
Authoring UI accessibility
63H

Craft CMS has formally committed to WCAG 2.2 AA and ATAG 2.0 Level AA for the authoring interface and published a formal Accessibility Conformance Report (ACR) using the ITI VPAT template. The ACR covers content-authoring screens specifically and includes screen reader testing across NVDA/Firefox, JAWS/Chrome, and VoiceOver/Safari. However, the ACR honestly documents significant gaps: many criteria as 'partially supports,' and 8 criteria 'does not support' (including media captions, drag alternatives, and some keyboard accessibility). Formal ACR with honest gap documentation warrants the mid-60s.

9.4.2
Accessibility documentation
70H

Craft CMS publishes both a current Accessibility Conformance Report (ACR) at craftcms.com/accessibility/reports/acr and a separate ATAG Report at craftcms.com/accessibility/reports/atag, both using the ITI VPAT template — the leading global procurement format. The ACR is version-specific (v5.0.0) covering WCAG 2.0/2.1/2.2 A and AA. This level of formal, versioned accessibility documentation is strong for a mid-market CMS and meets the 70+ threshold for a current VPAT/ACR available for procurement.