Joomla remains a genuinely free, self-hosted GPL CMS with unmatched cost transparency (TCO 69.5), one of the strongest native ACL systems in open source, and complete multilingual support built into core.
WordPress VIP offers an enterprise-managed platform with FedRAMP-grade hosting, a vastly larger talent pool, and a healthier ecosystem, while Joomla's advantages are its zero cost and stronger native ACL and multilingual support in core. For any organization with budget, VIP's compliance posture, managed operations, and market momentum outweigh Joomla's free licensing; Joomla wins only when the software budget is effectively zero.
Full Comparison →Both are free, self-hosted open-source CMS, but Drupal decisively outclasses Joomla in content modeling (custom entities and field-level localization vs fixed content types), API maturity, multi-site capability, and enterprise ecosystem — Acquia and Pantheon provide compliance-grade managed hosting Joomla lacks. Joomla counters with a gentler learning curve and simpler solo-developer builds; pick Joomla only for simpler sites where Drupal's power is overhead.
Full Comparison →Umbraco pairs a similarly free open-source license with a healthier trajectory: growing adoption, a commercial company backing cloud hosting and support, better developer experience on modern .NET, and a friendlier editor UX. Joomla retains stronger out-of-box multilingual support and its granular ACL, but Umbraco's momentum, support options, and build simplicity make it the safer open-source pick for most new projects.
Full Comparison →Both are PHP open-source CMS in similar market positions, but Concrete ships best-in-class in-context visual editing in core — precisely the authoring gap that forces Joomla users onto risky third-party page builders (whose 2026 CVSS-10 RCEs proved costly). Joomla offers deeper multilingual support, broader versioning, and a larger extension directory; Concrete wins on editor experience and its government-sector accessibility focus.
Full Comparison →Joomla is free GPL software with no tiers, no seat pricing, no API metering, and no feature gating — every core capability including the 6.1 visual workflow editor and PoW CAPTCHA ships free. Hobby and evaluation paths are effectively free (launch.joomla.org, $1-5/mo shared hosting), and there are no vendor contracts or exit clauses of any kind. This is the platform's single most defensible advantage.
Joomla's ACL is among the best in open-source CMS: unlimited hierarchical user groups with inheritance, per-component/per-category/per-item permission overrides, and configurable viewing access levels, backed by native MFA and WebAuthn/passkeys in core. The 6.1.1/6.1.2 releases patched access-check bugs but the underlying model remains a genuine differentiator for membership and intranet-style content gating.
As self-hosted software on a standard LAMP stack with an official Docker image, Joomla gives operators full control over data location — no SaaS data flows, and 6.1's ALTCHA proof-of-work CAPTCHA even removes the reCAPTCHA external-service dependency. For organizations with strict residency requirements and the ops capacity to self-manage, this is a real advantage over cloud-only competitors.
Joomla ships an exceptionally complete document-level localization system without any extension: language associations for content, categories, and menus, per-language menu structures and templates, content-language filtering, and (new in 6.1) multilingual module associations. It is document-level rather than field-level, but it is more complete out of the box than most traditional CMS peers.
The 6.x line delivers a published, dated roadmap with named release managers, a steady six-month minor cadence (6.2 GA scheduled Oct 13, 2026), semver discipline that defers breaking changes to majors, and coordinated same-day security backports across the 5.x and 6.x branches. Eight core releases shipped in eight months, each preceded by RC stages — remarkable rigor for a volunteer-run project.
Versioning now covers articles, custom fields, tags, categories, and (since 6.1) modules, with diff comparison and one-click restore. The 6.1 Vue.js visual workflow editor lets administrators design multi-stage publication pipelines with role-based transitions as an interactive diagram — capabilities several commercial competitors charge for.
2026 brought CVE-2026-48898 (CVSS 9.8 unauthenticated privilege escalation in core, actively exploited and added to CISA KEV) plus recurring access-control and XSS CVEs in every point release. Worse, three of the most-installed extensions (JCE, SP Page Builder, Page Builder CK) shipped actively exploited CVSS-10.0 unauthenticated RCEs, forcing operators to patch out of band. The JSST responds promptly, but the attack surface — especially the extension ecosystem — is a live liability.
AI Enablement scores 22.4 — no native text generation, translation, personalization, agentic workflows, governance, or observability; everything depends on third-party JED extensions of varying quality. The GSoC AI Framework and official MCP server remain unmerged proofs-of-concept explicitly excluded from 6.2, leaving Joomla years behind competitors shipping AI in core today.
Joomla has no audience segmentation, no behavioral personalization, no A/B testing, and no recommendation engine — access levels provide visibility control, not targeting. The extension ecosystem for these capabilities is thin and largely unmaintained for Joomla 6, making the platform a non-starter for data-driven marketing programs.
As a volunteer-run open-source project, Joomla holds no SOC 2, ISO 27001, HIPAA BAA, FedRAMP, or PCI attestation, and — unlike Drupal with Acquia or WordPress with VIP — has no enterprise managed-hosting ecosystem to supply platform-specific compliance coverage. Every certification burden falls entirely on the implementer's infrastructure.
Joomla is the only major CMS still losing share — down to 1.7% of the CMS market (from 9.3% in 2014), with migration outflow to WordPress outnumbering inflow roughly 5:1. Open Source Matters' last published budget projected a ~$38K deficit, it is absent from all analyst evaluations, and no notable enterprise wins surfaced in 2025-2026. The talent pool and extension ecosystem shrink accordingly.
The JSON:API enables headless delivery in theory, but content is stored as HTML blobs, there are no official SDKs in any language, zero TypeScript support, no CI/CD or migration tooling, and no headless preview surface for decoupled frontends. Teams building modern JavaScript frontends will fight the platform at every step.
Joomla remains a genuinely free, self-hosted GPL CMS with unmatched cost transparency (TCO 69.5), one of the strongest native ACL systems in open source, and complete multilingual support built into core. The 6.x line shows disciplined engineering — TUF-secured auto-updates, a visual workflow editor, and an on-schedule six-month release cadence — but the platform is structurally behind on everything modern buyers weigh: personalization, AI enablement (22.4), compliance certifications, multi-site governance, and headless developer experience. A rough 2026 security year (critical core privilege-escalation CVEs plus actively exploited CVSS-10 RCEs in its most popular extensions) and a market share that keeps shrinking (1.7% of the CMS market, the only major CMS still declining) make Joomla best suited to budget-driven, self-managed sites that play to its ACL and multilingual strengths rather than to enterprise digital experience programs.
Joomla 6.1 offers ~23 custom field types including the audio, video, and document media fields added in 6.1.0, but core content types remain fixed (Articles, Categories, Contacts, Banners, Newsfeeds) — true custom content types still require extensions. No schema-as-code, no polymorphic unions, no JSON field type. 6.1.1 and 6.1.2 were security/bugfix only, so field capabilities are unchanged.
Joomla 6.x relies on categories, tags, and Related Articles for content relationships. No native reference fields between content types, no bidirectional linking, no reverse traversal. Custom fields lack a 'reference to another content item' type in core. No relationship changes in 6.1.1 or 6.1.2.
Joomla 6.1's responsive subform grid layout improved rendering but added no structural capability. Still no reusable content blocks/components in core, no portable structured rich text, no block-based editing. The subform field remains the only composition mechanism. No changes in 6.1.1 or 6.1.2.
Custom fields support basic validation — required, min/max for numeric types, list constraints. No regex validation in UI, no cross-field validation, no custom validator hooks for content editors. 6.1.1 and 6.1.2 contained no validation changes.
Joomla 6.1 extended versioning to modules with com_contenthistory tracking, green/red diff comparison, and one-click restore, on top of 6.0's custom fields and tags versioning, giving broad entity coverage. Still no content branching and no programmatic API access to version history. Unchanged in 6.1.1 and 6.1.2.
Joomla 6.x ships TinyMCE 8 with WCAG 2.2 AA accessibility improvements from 6.1, but there is still no true in-context visual page builder in core — editing remains form-based in the admin backend with separate preview. Extensions like SP Page Builder are third-party. 6.1.2 only updated TinyMCE with bug fixes and language improvements.
TinyMCE 8 in Joomla 6.x provides standard formatting, media embeds, tables, and improved accessibility. Output remains HTML — no structured AST, no portable rich text format, no custom marks/annotations, no embedded entry references within rich text. 6.1.2 shipped only editor bugfixes.
Joomla 6.1 added native audio, video, and document media custom fields plus a root-level 'files' folder in the Media Manager, expanding handling beyond images; 6.1.2 fixed save/display bugs in those media fields. Still no focal point cropping, no URL-based image transforms, no WebP/AVIF auto-conversion, no CDN pipeline, and limited metadata/tagging.
Joomla 6.x continues to use article checkout/locking — only one user can edit at a time. No real-time co-editing, no presence indicators, no automatic conflict resolution, no inline commenting; TinyMCE's own RTC plugin is not integrated. Action logs provide audit capability but not collaboration. Nothing in 6.1.x addresses this gap.
Joomla 6.1's Visual Workflow Editor (Vue.js) provides an interactive graphical view to drag, connect, and edit workflow stages and transitions, a major usability leap for the multi-stage workflow engine with role-based transitions. The underlying engine still lacks conditional routing and advanced notification rules. 6.1.2 only hardened workflow access-control security.
Joomla 6.x Web Services API follows the JSON:API v1.0 spec with filtering, sorting, pagination, and sparse fieldsets for core content types, REST only. No native GraphQL support documented for 6.1, and extension content still requires custom API endpoints. No API changes in 6.1.1 or 6.1.2.
Self-hosted with no built-in CDN. Joomla 6.1's Lazy Load Plugin helps page performance but is not CDN integration. Page caching via core cache plugin; CDN integration is entirely user-managed. No granular cache invalidation tied to publishing, no edge computing. Expected for self-hosted open source.
Joomla 6.x retains the webhook system and mature internal plugin event system. External webhook configurability remains basic — limited event filtering, basic retry logic, minimal debugging tools, no HMAC signing documented in core. No webhook changes in 6.1.x.
Joomla's JSON:API enables headless delivery, but the content architecture remains coupled to web rendering — articles are HTML blobs, not structured content, limiting multi-channel repurposing. No official SDKs for other platforms, no structured rich text output. Headless use is technically possible but Joomla 6.x was not designed for it.
Joomla 6.1 has no built-in audience segmentation. User groups exist for access control purposes but not for content targeting or behavioral segmentation. No CDP integration, no segment builder, no behavioral targeting. Any segmentation requires third-party extensions or custom development.
No native content personalization in Joomla 6.1. Access-level-based content visibility exists (registered/special/public) but this is access control, not personalization. No component-level personalization, no rule engine, no A/B content variants. Extensions exist but the ecosystem for personalization is thin.
No built-in experimentation or A/B testing capability. Third-party extensions like DM A/B Test and VWO integration exist but are not native. Testing would require external tools with manual integration.
No recommendation engine in Joomla core. Related articles are manually curated or based on simple category/tag matching. No algorithmic recommendations, no ML-powered suggestions. Would require entirely custom or third-party solutions.
Joomla has Smart Search (com_finder), a full-text search with basic indexing, auto-complete suggestions, and taxonomy filters. Functional but not competitive — no typo tolerance, limited relevance tuning, no faceting beyond taxonomy, and no search analytics. Performance degrades with large content volumes. Adequate for small to medium sites; no search improvements in 6.1.x.
Integrating external search (Algolia, Elasticsearch) requires custom development or rare third-party extensions. No first-class integration points for external search. The Smart Search plugin architecture allows custom content indexing but not external search replacement without significant work.
Joomla has no built-in commerce capabilities. No PIM, no cart, no checkout, no order management. Commerce relies entirely on extensions like VirtueMart, HikaShop, or J2Store. These are third-party, not native to the platform.
No pre-built connectors for modern commerce platforms (Shopify, commercetools, BigCommerce). Integration requires custom middleware. Extensions like VirtueMart are self-contained commerce solutions within Joomla rather than integrations with external platforms.
Through extensions like VirtueMart, product content management is possible with variants, pricing, and media. However, these are extension-dependent, not purpose-built into the CMS content model. Product content modeling via core Joomla articles and custom fields requires significant workarounds for variants and attributes.
No built-in content analytics in Joomla 6.1. No performance dashboards, no content lifecycle tracking, no author productivity metrics. Action logs provide audit trail capability but not analytics. Third-party extensions exist for basic statistics but nothing competitive with modern platforms.
Analytics integration is possible via template modifications, custom HTML modules, or extensions that inject GA/GTM scripts. Extensions exist for Google Analytics integration. However, there are no platform-specific event helpers, no CDP connectors, and no analytics middleware. Essentially manual script injection with some extension assistance.
Joomla does not have native multi-site management in version 6.1. Each site is a separate installation with no shared content across sites and no centralized governance. Compared to WordPress Multisite or Drupal's multi-site capabilities, Joomla is behind.
Joomla's native multilingual is document-level (separate articles/modules per language linked via associations) rather than field-level, which places it in the rubric's document-level band — but it is an exceptionally complete implementation: language associations for content, categories, and menus, content-language filtering, per-language menu structures and templates, and (new in 6.1) multilingual module associations. Scored at the top of the document-level band with a small completeness premium; not higher because it is not field-level localization.
No native TMS integrations. Translation is a manual process — create content in one language, then create the translated version and associate them. Some extensions exist for XLIFF export/import workflows, but there's no in-platform translation UX, no machine translation integration, and no translation memory.
No multi-brand concept in Joomla 6.1. User groups and access levels provide some separation, but there are no brand-level permissions, no shared component library with brand overrides, and no centralized design system support. Multi-brand requires separate instances or heavy customization.
Joomla's Media Manager provides folder-based organization with per-asset metadata (title, alt text, description, author, copyright), file filtering, drag-and-drop uploads, and basic image cropping/resizing. No asset versioning, no usage tracking across content, no rights/expiry management, and no bulk operations beyond move/copy. Joomla 6.1's expanded media custom fields (audio, video, documents) improve content-to-asset linking but don't change the DAM itself.
No built-in CDN integration in Joomla 6.1. Image resizing on upload is possible via the Media Action plugin but limited and not automatic. No native WebP/AVIF conversion, no focal point, no responsive image delivery pipeline. CDN requires third-party Cloudflare or Cloudinary setup external to Joomla.
Joomla 6.1 adds audio, video, and document media custom fields, allowing these media types to be attached to content via custom fields. However, there is still no native video hosting, transcoding, adaptive streaming, or thumbnail generation. Videos uploaded to the Media Manager have no playback pipeline. The custom field improvement makes it easier to reference rich media but doesn't add processing capabilities.
Joomla core provides form-based article editing with TinyMCE. There is no native drag-and-drop page builder or live in-context layout editing. Third-party extensions (SP Page Builder, YOOtheme Pro, Quix, JPageBuilder, Gridbox) are popular and capable but are commercial add-ons, not core. Out-of-box authoring experience is form-only.
Joomla 6.1's Visual Workflow Editor (Vue.js/VueFlow interactive diagram) lets administrators create, edit, and delete workflow stages and transitions directly on the diagram, centralizing workflow management. Custom workflow states, configurable transitions, condition checks, and role-based routing remain from com_workflow. Still no SLA/due-date enforcement and no parallel approval paths, which caps the score.
Joomla articles support Start Publishing and Finish Publishing date/time fields, enabling scheduled publishing and auto-expiry. Per-article featured scheduling is also supported. No visual content calendar, no bulk scheduling, no release bundles. Timezone is set at the site level. Functional but purely item-level with no editorial planning view.
No real-time collaboration in Joomla 6.1. No simultaneous multi-author editing, no presence indicators, no inline commenting, and no @mentions. Article and module versioning (modules added in 6.1) tracks changes with author attribution. Checkout/check-in locking prevents concurrent editing but is pessimistic locking, not collaboration.
Core Joomla has com_contact providing a basic contact form with email notification and CAPTCHA support. Joomla 6.1's privacy-friendly Proof-of-Work CAPTCHA operates silently without external accounts or APIs, improving spam protection. Still no conditional logic, no multi-step forms, no submission storage in core. Third-party extensions (Convert Forms, RSForm!Pro) deliver advanced capabilities but are not bundled.
No native email marketing in Joomla. JED lists ESP integration extensions: Mailjet Email Marketing (official Mailjet plugin), Brevo integration with real-time contact sync and automation workflows, and Mailchimp extensions. These provide subscriber sync and triggered sends but require extension installation and third-party accounts. No in-platform email preview or list management.
No native marketing automation in Joomla. Brevo's Joomla integration provides some automation (welcome series, drip campaigns) but depends on a third-party platform and extension. No behavioral CMS event triggers, no native lead scoring, no multi-channel campaign management.
No native CDP or deep CDP integration in Joomla 6.1. User groups track registered users but there is no behavioral profiling, no unified customer profile, no identity resolution, and no audience sync with Segment, mParticle, or similar. Custom middleware would be required for any CDP integration.
The Joomla Extensions Directory (JED) lists over 6,000 extensions across all major categories. The breadth is genuine — commerce, forms, SEO, security, workflow, analytics, page builders, and more are represented. However, many extensions are outdated (targeting Joomla 3/4 only), curation and quality standards are inconsistent, and first-party official integrations are rare. Volume is high; freshness and quality are uneven.
No native webhook infrastructure in Joomla 6.1 core. A community extension 'Content Sharing - Webhooks' (JED) provides basic content event notifications. Convert Forms sends form-submission webhooks conditionally. No signed payload support, no retry logic, no webhook logs, and no event streaming alternative. Coverage is sparse and extension-dependent.
Joomla offers a frontend preview of unpublished articles for logged-in editors via the Preview button in the article editor. No shareable draft preview links, no branch/staging environments, no headless decoupled preview integration, and no multi-channel preview. The Joomla API enables headless delivery but has no built-in preview surface for external frontends.
Joomla's ACL is one of its strongest features: unlimited hierarchical user groups, per-component/per-category/per-article permission overrides, and configurable viewing access levels. Supports create, edit, edit own, edit state, and delete actions per group/context. Joomla 6.1.1 patched ACL bypass and privilege escalation CVEs, hardening the model. No field-level permissions, no native SSO (SAML/OAuth via extensions only), and no SCIM provisioning.
Joomla 6's Web Services API follows the JSON:API v1.0 specification with consistent response formatting, bearer-token HMAC auth, error handling, and pagination, and manual.joomla.org publishes versioned docs (6.1 current, 6.2 upcoming). The JoomlaLABS webservices-documentation component now auto-generates an OpenAPI 3.1.0 spec plus interactive Swagger UI/Redoc from installed components for J6.0+, closing the interactive-playground gap — but it is a community add-on, not core, there is no GraphQL in core (only a POC), and extension endpoint coverage is inconsistent. Small bump for OpenAPI 3.1.0 generation and interactive docs; the core API remains bolted-on rather than API-first.
Joomla 6.1 introduced plugin lazy loading — plugins load only when an event calls them — measurably reducing server response times and peak memory, which benefits API request handling. Still no published rate limits, no API benchmarks, no batch operations, and no CDN-backed delivery layer; performance remains entirely dependent on self-managed hosting. Small bump retained for the lazy-loading improvement only.
No official client SDKs for the Joomla API in any language as of Joomla 6.1 — developers use raw HTTP against the JSON:API endpoints. Generic JSON:API client libraries work but nothing Joomla-specific or type-safe exists, and no code generation tooling. Unchanged through the 6.x branch.
The Joomla Extensions Directory now displays Joomla 6 compatibility badges and the 2026 JED Checker rewrite enforces J6 coding structure and mandatory update servers — a governance improvement for patch delivery. But 2026 exposed acute quality risk: critical unauthenticated RCEs in three of the most-installed extensions (JCE CVE-2026-48907, SP Page Builder CVE-2026-48908 CVSS 10.0, Page Builder CK CVE-2026-56290 CVSS 10.0) were actively exploited, several added to CISA KEV. Thousands of extensions exist across all major categories, but the long tail keeps shrinking and the security quality floor is low; the marketplace is stabilizing around J6 yet remains contracted and uneven.
Joomla 6 retains the mature five-type extension architecture (components, modules, plugins, templates, languages) with namespaced code, dependency injection, service providers (services/provider.php), and PSR-12 standards; 6.1's event-driven lazy loading modernizes the plugin lifecycle. Custom field types (including new audio/video/document media fields in 6.1), server-side hooks, and custom admin UI are all possible. Powerful but requires deep PHP and Joomla MVC knowledge — no low-friction app framework.
Joomla 6 ships native MFA and WebAuthn/passkeys in core, LDAP via plugin, and token-based API authentication; 6.1 added an invisible proof-of-work CAPTCHA in core and 6.1.2 hardened MFA settings against unauthorized changes. SSO via SAML or OIDC still requires third-party extensions — not native. The 2026 mixed-content flaw in password reset links (CVE-2026-48902) is minor but shows rough edges in auth-adjacent code.
Joomla 6's ACL supports granular permissions at global, component, category, and item levels with custom inheriting user groups — still one of the platform's strongest features, and 6.1's visual workflow editor adds graphical stage/transition design on top of it. No field-level permissions, and the permissions matrix UX remains notoriously confusing. The 2026 com_users privilege-escalation CVEs (48898/48904) were access-check bugs in enforcement, not model flaws, and were patched in 6.1.1.
As self-hosted open-source software, Joomla 6 carries no platform-level certifications — no SOC 2, no ISO 27001. GDPR tooling (privacy consent, data export/deletion requests) remains in core, a notable positive. Enterprise compliance posture is entirely the implementer's infrastructure responsibility, structural to all self-hosted OSS.
2026 was a rough security year for Joomla 6: CVE-2026-48898 (com_users batch task, CVSS 9.8 critical unauthenticated privilege escalation, affecting 6.0.0–6.1.0) and CVE-2026-48904 (com_users webservice privesc) were patched in 6.1.1, CISA added actively-exploited Joomla flaws to its KEV catalog, and 6.1.2 (2026-07) shipped yet another round of access-check hardening across media, privacy, custom fields, vCard, and MFA. The Security Strike Team discloses responsibly and patches promptly, but confirmed in-the-wild exploitation of a critical core unauthenticated privesc, plus a wave of actively-exploited CVSS-10 RCEs across the top extensions, drags the track record well below a clean baseline.
Joomla 6 is self-hosted only with no official SaaS offering; it runs on standard LAMP/LEMP (PHP 8.3+, MySQL 8.0.13+/MariaDB 10.4+), has an official Docker image (php:8.3-apache and 8.4 variants), and works with virtually any managed PHP host. Automatic core updates (since 6.0) reduce maintenance burden. Per the rubric, self-hosted-only flexibility lands at 65–75; modest requirements keep it solidly in that band but the absence of any vendor-managed option caps it at the low end.
No platform SLA exists — uptime is entirely determined by the implementer's hosting infrastructure, and there is no status page for Joomla as a service. Incident communication is limited to software security announcements. Expected for self-hosted platforms, but a significant gap versus SaaS competitors.
Joomla 6.1's plugin lazy loading delivers genuinely lower peak memory and faster responses, and the 6.x caching layer is improved — but the platform remains a PHP monolith with no auto-scaling, no application-layer multi-region support, and no documented scale limits or enterprise-scale references. Scaling is achievable with infrastructure investment (load balancers, replicas, caching) but the architecture is not designed for horizontal scale. Small bump retained for the measurable 6.1 performance work.
Backup is self-managed, but Akeeba Backup is a mature de facto standard covering full site and database snapshots, and content in standard MySQL/MariaDB ensures portability. No documented RTO/RPO from the project and no built-in automated backup in core. Automatic core updates help patch currency but don't address DR.
Joomla 6 runs locally via the official Docker image with live folder mounts, docker-compose recipes documented in the guide.joomla.org user manual, the Lando plugin, or classic XAMPP/MAMP; core development uses Composer and NPM. The Joomla CLI handles basic operations but offers no scaffolding, hot reload, or environment-parity tooling. Local dev works because it's standard PHP, not because of dedicated tooling.
No built-in environment management, no schema/content migration CLI, no deploy previews, and no branch-based environments in Joomla 6. An open joomla-cms discussion (#35582) on updating Joomla via CI/CD pipelines confirms the gap — the community explicitly requests a repeatable CLI migration system that core does not provide. Deployments remain manual or built on generic tooling (Git, rsync, Docker).
Documentation has consolidated meaningfully for 6.x: manual.joomla.org publishes versioned developer docs (6.1 current, 6.2 upcoming) maintained on GitHub, guide.joomla.org provides a structured user manual including migration and local-setup guides, and api.joomla.org covers the CMS 6.0.x API reference. Coverage is still incomplete in places, code examples are uneven, and there is no core interactive playground or framework-specific getting-started guides. Bump retained for the versioned, restructured doc portals.
Joomla 6 is a PHP platform with zero TypeScript support: no official SDKs in any language, no type generation from content schemas, and an admin interface being migrated to plain VueJS (not TypeScript). Consuming the JSON:API from a TypeScript frontend requires hand-writing every type. Unchanged in the 6.x branch.
Cadence remains strong and predictable: 6.1.2 + 5.4.7 security/bugfix releases shipped July 7-8, 2026 (six weeks after 6.1.1), and 6.2.0 Alpha 2 landed June 23 on the steady six-month minor cycle with GA scheduled Oct 13, 2026. Dual-track 5.x/6.x maintenance continues. Still below SaaS-level feature-shipping frequency, which caps the score.
Release announcements clearly describe features and security content — the 6.1.2 notes categorize the twelve fixes (six XSS, six access-control) and even document a known regression (#48058) with a hotfix and target fix in 6.1.3. Migration/backward-compat docs are maintained. However, changelogs still lack structured per-item breaking vs. non-breaking categorization in a machine-readable format.
The public roadmap shows the full 6.2 schedule (Alpha 3 Jul 21 → Beta 1/feature-freeze Aug 18 → RC1 Sep 29 → GA Oct 13, 2026) with named release managers (Charvi Mehra & Martin Kopp), and Alpha 1/2 shipped on schedule — extending a multi-release track record of on-time delivery on a predictable six-month cadence. Still no formal community voting portal like Canny, which keeps it below the 70+ band.
6.x minors (6.1, upcoming 6.2) defer breaking changes to the next major, and 6.1.1/6.1.2 were pure security/bugfix releases — consistent semver discipline. The Backward Compatibility 6 plugin continues to enable J5 extensions on J6, and migration docs are published. No automated codemods, which keeps the score in the mid range.
GitHub shows ~5.1K stars and ~3.9K forks on joomla/joomla-cms — stable to slightly up. However, W3Techs (July 2026) now measures Joomla at just 1.2% of all websites / 1.7% of the known-CMS market, down from ~1.9% in Dec 2025, confirming a shrinking installed base beneath the still-substantial forum and extension counts. Raw size remains meaningful for open source but the trend is down.
Engagement signals are holding: Joomla is participating in GSoC 2026 with multiple funded projects (Ajaxified Backend, Automated Workflow, Smart Search) coordinated via Mattermost, the 6.2 milestone reached 98% of 63 issues closed via ongoing volunteer PRs, and in-person events (JoomlaDay USA Apr 2026, Joomla World Conference Potsdam Oct 2026) are running. However, the core maintainer team remains thin and Stack Overflow activity keeps declining.
Joomla has a Service Providers Directory at community.joomla.org and an official Partners page. DesignRush lists 1,600+ Joomla development companies. However, there is no formal certification or training program, and no major SIs (Accenture, Deloitte) list Joomla as a practice area. The ecosystem exists but lacks the structure of commercial CMS partner programs.
The 6.1.x releases continue to generate third-party coverage (mySites.guru, Joomill, db8 walkthroughs and migration/security guides), and the Joomla Community Magazine publishes regularly. However, mainstream tech education platforms (Udemy, Pluralsight) have minimal current Joomla content, and sustained output remains far below WordPress, Drupal, or headless platforms.
ZipRecruiter shows ~38 Joomla developer jobs ($87K-$148K), SimplyHired lists ~123 positions, and freelance platforms (Upwork, Toptal, Fiverr) maintain active Joomla developer pools. Talent exists but is concentrated in freelance/contract work rather than full-time enterprise roles, with no certification program or training pipeline.
W3Techs (July 2026) shows Joomla at 1.2% of all sites / 1.7% of the CMS market, down from ~1.9% in Dec 2025 — still the only major CMS trending downward while peers hold or grow. No notable new enterprise logo wins found in 2025-2026; 6.x feature work targets retention of existing users rather than new adoption at scale.
Open Source Matters' most recent published budget (FY2024/2025) shows $65K projected income vs $103K estimated expenditures — a ~$38K gap — and OSM is actively courting sponsors for 2026 events (Joomla World Conference Potsdam, JoomlaDays); no newer budget has been published. The project cannot be acquired (community-owned, volunteer-run, unfunded) but faces real sustainability pressure from chronic underfunding.
Joomla remains absent from Gartner MQ and Forrester Wave evaluations for CMS/DXP. It continues to lose ground to WordPress and Drupal in open source and to headless platforms in modern architecture, and is the only top-five CMS still shedding share in 2026 (now 1.7% of the CMS market). The steady 6.x release train has not changed analyst or market perception.
G2 holds at 4.0/5 across ~387 reviews (updated Feb 2026), with review-volume growth having slowed — reflecting a contracting user base. Per scoring guidance, G2 4.0 maps to the 45-60 band; persistent complaints (outdated/'messy' admin, steep learning curve vs WordPress) keep it at the bottom of that band despite praise for flexibility and customizability.
Joomla 6.x is free and open source under GPL v2+. Zero licensing cost, no tiers, no hidden fees — the pricing model is maximally transparent at $0 for the software. All costs are hosting, development, and maintenance, fully within the buyer's control.
Free software scales perfectly in licensing terms — no per-seat, per-API-call, or usage-based charges. Unlimited users, content, and API calls. Only hosting infrastructure and development labor scale with usage, making this the most predictable pricing model available.
All core features ship in the free open-source distribution — no premium tiers, no enterprise-only features, no upsell gating. Joomla 6.1 added Proof-of-Work CAPTCHA, Visual Workflow Editor, and Media Custom Fields, all free in core; the 6.1.2 maintenance release (July 2026) is likewise free. Some third-party extensions are commercial, but the core platform has zero feature restrictions.
No vendor contracts — download and use freely under GPL. No annual commitments, no exit clauses, no lock-in periods. Hosting contracts are independent and switchable at any time. Maximum flexibility inherent to the open-source model.
Joomla is fully free GPL software with no usage limits or commercial restrictions. launch.joomla.org provides free hosted sites for instant evaluation, and CloudAccess.net offers a free Joomla hosting tier. Self-hosting on shared hosting runs $1-5/month. The hobby path delivers full platform capabilities at near-zero cost.
launch.joomla.org and CloudAccess deliver a working site in seconds, and one-click installers on shared hosting take minutes — first published content is achievable within an hour. However, customization to production quality takes days to weeks: template selection, extension configuration, and content modeling add significant time before a real project delivers value.
Simple Joomla sites can be built in 2-4 weeks; medium complexity with custom templates and extensions takes 1-3 months; complex sites with custom components run 3-6 months. Comparable to other traditional CMS platforms but longer than modern headless projects. 2026 project budgets range from ~$1,000-5,000 for basic sites to $80,000+ for large custom portals.
Joomla specialists command a moderate-to-high premium driven by talent scarcity rather than platform complexity. Market share continues to fall (down ~20% since 2024; ~1.9% in 2025 vs 9.3% in 2014), and migration outflow to WordPress outnumbers inflow roughly 5:1, shrinking the experienced 6.x developer pool. General PHP developers can learn Joomla and base rates are only moderate (~$48/hr US avg), but the scarcity-driven premium and shrinking pool partially offset the zero licensing cost.
Joomla 6.x runs on cheap shared hosting — basic sites cost $1-5/month on a standard PHP + MySQL/MariaDB stack. CloudAccess.net offers managed Joomla hosting from $10/mo (free tier available, Developer Plan $50/mo), and managed VPS options like ScalaHosting start near $15/mo. For higher-traffic sites, standard VPS/cloud hosting works at $20-100/month. Hosting costs are among the lowest of any CMS; the trade-off is self-managed infrastructure unless using a managed provider.
Self-hosted means full ops responsibility — updates, security patches, backups, monitoring, server maintenance. Joomla 6.x's automatic minor-version updates reduce patch burden, but parallel maintenance tracks persist (5.4.7 alongside 6.1.2, with 6.2 in alpha). The managed-hosting ecosystem (CloudAccess) remains limited compared to Drupal's Acquia/Pantheon, so larger deployments still need dedicated ops attention.
Content is stored in MySQL, accessible and exportable, and the Web Services API provides programmatic content access. Migration tooling is mature: FG Joomla to WordPress is actively maintained and tested through Joomla 6.x, and LitExtension/CMS Minds offer professional migration services. However, content uses Joomla-specific table structures requiring transformation, and third-party extensions create proprietary data structures — lock-in is moderate.
Joomla 6.1 retains the same conceptual model: articles, categories, menus, modules, components, plugins, templates, and ACL levels are all distinct concepts a developer must learn, and the visual workflow editor added earlier in 6.1 is one more concept to grasp. The menu-content relationship remains confusing for newcomers. More complex than WordPress, simpler than Drupal — 6.1.2 (July 2026) was a security & bugfix release with no conceptual changes.
The developer manual at manual.joomla.org covers getting-started guides, local environment setup, a module development tutorial as the recommended entry point, and a growing 5.4→6.0 migration guide. There is still no certification program, no interactive tutorials, no sandbox environment, and no structured learning paths beyond docs. Joomla 6.1.2 introduced no onboarding resources, keeping this in docs-only territory per the rubric.
Joomla 6.x uses modernized PHP with namespaces and dependency injection as standard, but remains Joomla-specific MVC rather than Symfony or Laravel, and template development requires Joomla-specific knowledge. The built-in Web Services REST API enables headless use with React/Next.js, but integration is community-documented (e.g. Joomla Community Magazine March 2026 headless guide) rather than first-class. 6.1.2 made no framework changes; skills transfer partially from modern PHP but Joomla-specific patterns persist.
Joomla provides the Cassiopeia default template and sample data for quick starts, plus extension scaffolding guidance in the developer manual. No official framework-specific starters exist (no Next.js, Nuxt, or Astro starters), no TypeScript boilerplates, and no first-party CLI scaffolding in core; headless starters remain community efforts. 6.1.2 introduced no starter templates, keeping this at community-only per the rubric.
Joomla 6.1's Global Configuration covers many settings with reasonable defaults, and the built-in Proof-of-Work CAPTCHA eliminates external service configuration for spam protection (no account or API key needed). Per-component configuration adds surface area, the system remains GUI-based with no config-as-code in core, and environment management requires manual configuration.php edits. Manageable but limits automation; 6.1.2 changed nothing here.
Joomla 6.1's media custom fields support audio, video, and document types beyond images, on top of 6.0's Date/Datetime fields, and adding custom fields to content remains safe and low-risk. However, schema evolution for custom components still requires manual database migration management with no built-in migration tooling, and the core article-category-menu data model remains rigid compared to headless CMS platforms. 6.1.2 only fixed save/display bugs in the audio/video/document fields — no modeling changes.
Joomla 6.1's module versioning brings version history consistency across content types, and the visual drag-and-drop workflow editor makes publication pipelines easier to design than the prior form-field configuration. Combined with 6.0's view transitions and TinyMCE 8, the coupled editing experience is solid. However, there is still no headless preview setup, no deploy previews, and no preview API for decoupled frontends, which caps the score for teams building decoupled.
PHP developers can learn Joomla basics relatively quickly, and the modernized 6.x framework (namespaces, DI) makes patterns more recognizable to modern PHP developers. However, advanced extension development still requires understanding Joomla-specific MVC, the event system, and ACL — platform-specific knowledge that takes weeks to months to master. No certification is required but Joomla experience remains essential for efficient development; nothing in 6.1.2 reduces this.
A solo developer can build and deploy a complete Joomla 6 site — the coupled architecture means one person handles frontend and backend, and standard LAMP stack knowledge suffices for the self-hosted ops burden. For production sites 2-3 people is typical, and 6.1's PoW CAPTCHA removes one external service dependency. Per the rubric, solo-viable platforms with some self-hosting ops needs sit at the low end of the 60-70 band; ongoing CVE patching (6.1.2 shipped multiple security fixes) keeps ops attention nonzero.
Content authors can create and publish articles, manage media (including audio/video/document custom fields), and self-serve for basic operations without developer involvement. The 6.1 visual workflow editor lets content teams design and manage publication pipelines without developer help, and multilingual module associations reduce developer intervention on multilingual sites. However, new page layouts, template modifications, and complex ACL configuration still require a developer; 6.1.2 made no cross-functional changes.
TUF-secured automatic minor updates are proven across the full 6.0.x–6.1.x cycle, and 6.1.2 (Jul 8, 2026) added an update-installation fix plus improved CSS compatibility to stop third-party extensions breaking layouts after core updates. Community guidance still recommends keeping auto-updates off until extensions are confirmed compatible, and major upgrades (5→6) remain manual with extension compatibility as the main friction. Not higher because cross-major extension breakage persists and there are no codemods.
Joomla 6.1.2 (Jul 8, 2026) delivered another coordinated batch of core CVE fixes — incorrect-access-control in com_workflow (CVE-2026-48955), com_modules (48956), com_privacy (48957), com_media (48947) and com_fields (48958), plus multiple XSS vectors — with a 5.4.7 backport the same day and auto-updates cutting application lag on minor releases. Not higher because access-control/XSS CVEs keep recurring in core every release, and the third-party attack surface is actively exploited: JCE, SP Page Builder and Page Builder CK RCEs (CVSS 10.0) were added to CISA's KEV catalog on Jul 7, 2026, forcing urgent out-of-band extension patching.
The parallel release strategy continues — 5.4.7 shipped alongside 6.1.2 on Jul 8, 2026 — and the Behaviour - Backward Compatibility 6 plugin keeps Joomla 5 extensions working through the entire 6.x cycle before being dropped in 7.0. As open-source self-hosted software, no vendor can force an upgrade on its own timeline. Not higher because unsupported branches become security liabilities (Joomla 4 is EOL) and the recurring access-control CVEs show older versions carry real exposure.
Joomla 6 requires PHP 8.3+ (recommended 8.4), MySQL 8.0.13+ and manages core packages via Composer with actively maintained PHP compatibility across point releases — a conventional, well-understood LAMP stack. Lowered because the third-party extension dependency graph is a live security liability: critical RCEs in widely deployed extensions (JCE, SP Page Builder, Page Builder CK, all CVSS 10.0) were being actively exploited and added to CISA's KEV catalog in July 2026, meaning operators must independently track and patch extension dependencies out of band. Not lower because the core runtime/dependency stack itself is mature and stable.
Joomla 6.1.x still ships no built-in monitoring, health-check endpoints, or observability features — the 6.1.2 release notes add none. Production monitoring requires standard LAMP tooling (Nagios, Datadog, New Relic) configured entirely by the operations team, and the admin panel exposes only basic system information unsuitable for automated alerting. Everything remains fully DIY.
Joomla 6.1's visual workflow editor lets administrators manage the publication process as an interactive diagram, and module versioning plus multilingual module associations reduce day-to-day operational overhead. Still no automated orphan detection, broken-link scanning, or content-expiry workflows in core — content hygiene remains manual editorial discipline. Not higher because automated hygiene tooling is absent.
Performance still requires standard PHP application optimization — opcode caching, query optimization, CDN configuration and Joomla cache-plugin tuning. Joomla 6.1 improved article-list performance for large sites, and the 6.2 alphas (Alpha 2 Jun 23, Alpha 3 Jul 21) preview concrete gains — a smart-preload method for access rules and MySQL index enforcement cutting 50k+-article list queries from seconds to milliseconds — but these are not GA until Oct 13, 2026. Not higher because there is no auto-optimization or built-in performance monitoring and caching requires manual tuning and invalidation.
No commercial support from the Joomla project — unchanged. Support is entirely community-based (forums, Stack Exchange) or via third-party consultants and agencies, with no SLA, no guaranteed response times, and no escalation paths; enterprise support must be procured independently. Not higher because there is simply no formal support channel to evaluate.
The community remains active — 800K+ forum members, active moderation, Joomla Stack Exchange, and 130+ volunteers contributing across development, testing, translation and documentation on recent releases. However, it is smaller than its historical peak and much circulating content still references older versions, with 6.x-specific knowledge still building (e.g. threads troubleshooting auto-update activation). Not lower because the core community stays dedicated and well-organized.
Release cadence stays strong and disciplined: 6.0.1–6.0.4 (Nov 2025–Mar 2026), 6.1.0 (Apr), 6.1.1 (May) and 6.1.2 (Jul 8, 2026) — eight core releases in eight months, each preceded by multiple RC stages, with 5.x security backports shipped in lockstep and 6.2 alphas landing on a published dated schedule. The rapid coordinated response to July's access-control CVE wave underscores solid velocity. Not higher because volunteer-driven, non-security bug-fix timing still varies and some fixes wait for the next scheduled point release.
No visual page builder in Joomla core. Landing page creation requires template customization and module arrangement. SP Page Builder (actively maintained for Joomla 6 — v6.6.2 released June/July 2026, a critical zero-day emergency fix on top of the 6.6.0 dynamic-content feature line), Quix, and JA Page Builder add drag-and-drop page building, but these are third-party extension dependencies. Without extensions, creating marketing landing pages requires developer involvement. Marketer self-service is not possible in core Joomla. Joomla 6.1.2 (July 2026) is a security/bugfix release with no landing page additions.
No campaign management features in Joomla 6.1.x. No content calendaring, no multi-channel scheduling, no campaign analytics. Scheduled publishing exists at the article level (publish up/down dates), but there is no campaign concept. jInbound (third-party) provides landing pages and lead nurturing but is not a native capability. Marketing teams would need external tools for campaign coordination. Joomla 6.1.2 adds no campaign features (security/bugfix only).
Joomla has solid built-in SEO capabilities. Meta title and description are configurable per article and menu item. SEF URLs are built in. Redirect management exists as a core component (com_redirect). Canonical URL handling exists. Notably, Joomla ships a native frontend Schema.org structured data system — the System — Schema.org plugin plus content-type sub-plugins (Article, BlogPosting, Event, Organization, Person, JobPosting, Recipe, etc.) inject JSON-LD into frontend pages without a third-party extension (introduced in Joomla 5, carried into and actively maintained in 6.x; issue #47444 tracks a 6.2 Schemaorg image-handling improvement). This closes a gap flagged in prior scoring. Remaining gaps: sitemap generation still requires an extension, and OG/Twitter card meta tags require SEO extensions (4SEO, EFSEO). The SEO foundation is now genuinely competitive but still short of a fully built-in suite. No SEO changes in 6.1.2.
No built-in form handling beyond basic contact form. Joomla 6.1 added a native Proof-of-Work CAPTCHA (PR #46514) — privacy-friendly spam protection that requires no external account or API — improving native form security for the basic contact form and extension forms using the CAPTCHA API (SP Page Builder adopted it across all its forms). However, forms still require extensions (RSForm, BreezingForms) for anything beyond basic contact. No CTA management, no conversion tracking, no lead capture integration. Landing page optimization requires external tools. No performance-marketing changes in 6.1.2.
No native personalization engine in Joomla. Access-level-based content visibility (registered/special/public) provides role-based content restriction but this is access control, not behavioral personalization. No geo-targeting, no ML-driven segmentation, no rule-based targeting beyond manual user group assignment. No personalization features in Joomla 6.1.x.
No native A/B testing in Joomla. DM A/B Test extension exists in JED but shows no evidence of active maintenance or Joomla 6 compatibility. VWO can be integrated via JS tag but is fully external. No statistical significance tracking, no auto-winner selection, no experimentation framework in core or via maintained extension. No changes in Joomla 6.1.x.
Once templates are set by a developer, content editors can create and publish articles relatively quickly through the admin UI. Article duplication (save as copy), category-based organization, and scheduled publishing reduce some cycle time. However, new page layouts require developer involvement, there is no true inline frontend editing, and bulk operations are limited. The article editor (TinyMCE 8.0.1 in Joomla 6) is competent but not optimized for marketing velocity workflows. No content velocity improvements in 6.1.x.
Joomla has a JSON:API (REST) for headless content delivery, technically enabling distribution to external channels. However, the content model stores HTML blobs rather than structured channel-agnostic content, limiting utility. No native email publishing, no push-to-social, no SMS or push notification integration. Channel-specific content variants are not supported. Multi-channel delivery requires significant custom development around the API.
No native analytics dashboards within Joomla. Standard tag-based integration with GA4 and similar tools is possible via extensions or manual script injection in templates. No pre-built connectors to GA4, Adobe Analytics, or Mixpanel with content performance metrics surfaced in the CMS. Content decay and engagement data remain fully in external tools. No analytics changes in Joomla 6.1.x.
Joomla templates provide some consistency enforced at the theme level. Joomla 6 introduced Cassiopeia child templates with extended color and font customization via template parameters. However, there are no locked style tokens, no approved component palettes, and no platform-level enforcement preventing off-brand content. Marketers can override styling via HTML modules or article content. No brand guardrail tooling in 6.1.x.
Open Graph and Twitter Card meta tags are not built into Joomla core — they require SEO extensions (4SEO, EFSEO, Advanced SEO). Joomla's native System — Schema.org plugin outputs JSON-LD structured data but is distinct from social preview cards (OG/Twitter), so it does not close the social-sharing gap. Social sharing buttons are available via multiple extensions (JA Social Share, Fast Social Share, AMPZ supporting 50+ networks). No push-to-social scheduling or social workflow capability exists. No changes in 6.1.2.
Joomla's Media Manager provides folder-based file organization with per-asset metadata (title, alt text, description, author, copyright). Basic image cropping and resizing via the Media Action plugin in core. Joomla 6.1 added Media Custom Fields for audio, video, and documents (PR #45013), expanding the content model to natively reference non-image media types in custom fields; Joomla 6.1.2 fixed bugs in these audio/video/document fields so they now save and display correctly. However, still missing: no asset versioning, no usage tracking across content, no rights/expiry management, no focal point cropping, no CDN integration, no WebP auto-conversion.
Joomla has robust built-in multilingual support with separate content per language and language-specific menu items. Joomla 6.1 added multilingual module associations (PR #46671/46772), enabling modules to be linked across language versions the same way articles are associated — improving consistency of localized marketing content including sidebars, banners, and promotional modules across languages. However, no transcreation workflows, no locale-specific campaign variants, no market-level scheduling, and no regional compliance tooling natively.
Some MarTech integrations exist via extensions: Agile CRM, Mailchimp, ActiveCampaign, HubSpot, Constant Contact. However, these are third-party extensions of varying maintenance quality — not pre-built native connectors. No event-based triggers for orchestration. No CDP integration. No ad platform connectors. Marketing automation requires jInbound or external tools. The MarTech ecosystem for Joomla is thinner than most competing platforms. No changes in 6.1.x.
No native PIM or product content modeling. There is no variant/SKU support, no attribute management, no product relationships in core. VirtueMart, HikaShop (v6.4.1 updated May 2026 with Joomla 6 compatibility), J2Commerce, and EShop provide product content through their own models separate from the CMS content layer. The 6.1 media custom fields (audio, video, documents) could enrich product descriptions but don't address the fundamental lack of product content modeling.
No merchandising tools in core Joomla. Commerce extensions provide basic category management and some promotional content support, but sophisticated merchandising (search merchandising, cross-sell/upsell content management, content-driven discovery) is not available. This is not a use case Joomla was designed for. No changes in Joomla 6.1.x.
No pre-built integrations with modern commerce platforms (Shopify, commercetools, BigCommerce). The commerce story remains VirtueMart, HikaShop, or J2Commerce — self-contained e-commerce solutions within Joomla, not integrations with external commerce platforms. Connecting Joomla to headless commerce would require entirely custom development. No changes in 6.1.x.
No native shoppable content or editorial commerce capability. Commerce extensions (VirtueMart, HikaShop) operate in their own content layer separate from Joomla articles. No inline product references within editorial content, no lookbook templates, no buying guide patterns. Creating shoppable content requires custom template development to bridge the CMS and commerce extension layers.
No CMS-managed content in transactional flows. Commerce extension templates (VirtueMart, HikaShop) control cart and checkout pages independently from the Joomla article/module system. There is no mechanism to inject CMS-managed trust badges, upsell banners, or promotional content into checkout without modifying the commerce extension templates directly.
Post-purchase content (order confirmations, delivery tracking, review solicitation) is handled entirely within the commerce extension layer, not the CMS. VirtueMart and HikaShop manage their own transactional email templates. No CMS-managed post-purchase sequences or order-event-triggered content delivery.
Joomla's ACL system can be used to gate catalog sections by user group, providing rudimentary B2B access control. HikaShop has customer group pricing tiers. Sellacious offered multi-vendor B2B capability but shows no evidence of active maintenance or Joomla 6 compatibility. No native contract management, no quote-request flows, no spec sheet management. B2B use is possible via ACL+commerce extension but requires significant customization.
Smart Search (com_finder) provides full-text search with indexed content but no faceted search filtering for product discovery. No blended content-product search results — commerce extensions maintain separate search from the CMS search index (HikaShop ships its own search plugins, updated for Joomla 6 class loading changes). No search merchandising, no synonym management, no search landing pages. The gap between CMS content search and product content search is unbridged.
Joomla supports publish up/down dates for articles and modules, enabling time-activated promotional banners and content scheduling. The core Banners component provides basic ad placement with scheduling. However, there are no countdown timers, no tiered pricing tables, no promo code messaging managed from the CMS, and no channel-specific promotional targeting. Scheduled publishing exists but as a content management feature, not a purpose-built promotions tool.
No native multi-storefront architecture. Serving multiple storefronts would require separate Joomla installations per brand/region with separate commerce extension instances. JMS Multi Sites remains only partially compatible with Joomla 5 and has no confirmed Joomla 6 support. MightySites is positioned as a Joomla 6 multi-site alternative but shares content across instances via shared hosting, not true multi-storefront content management. A core multisite RFC (GitHub discussion #47369) and the in-development SiteHive component signal future direction but nothing stable ships today.
VirtueMart and HikaShop support multiple product images and basic galleries. Video embeds are possible via HTML in product descriptions. Joomla 6.1's media custom fields (audio, video, documents) make it easier to attach video and other media types to content via structured fields rather than HTML embeds — a modest improvement for product media richness, with the fields' save/display bugs fixed in 6.1.2. Still no 360-degree views, no AR/3D model support, no image hotspots, no zoom feature in core Joomla or its major commerce extensions.
HikaShop has multi-vendor capabilities. Quick2Cart and jMarket also offer marketplace-style functionality. However, these are not purpose-built marketplace content platforms — they provide basic seller product submission and category management without sophisticated content quality moderation, seller profile management, or review aggregation systems. Sellacious, which had more B2B/marketplace features, appears to be unmaintained.
Joomla's native multilingual system provides generic localization that can be applied to product content in commerce extensions. Joomla 6.1's multilingual module associations improve cross-language consistency for modules used alongside commerce content. However, currency-aware content blocks and regional regulatory content (EU labels, CA Prop 65) are not natively supported. Commerce extensions handle their own currency display separately from CMS localization.
No connection between CMS content and commerce outcomes. Revenue attribution to content pages, content-assisted conversion tracking, and product content performance measurement are not available natively. GA4 e-commerce tracking can be set up via third-party extensions but requires custom configuration and produces data entirely in Google Analytics — not surfaced within the CMS.
Joomla's ACL provides hierarchical user groups with inheritance, per-article and per-category permissions via the assets table, and configurable viewing access levels that restrict content to specific user groups. Built-in MFA and passwordless login strengthen authentication for intranet use. SSO possible via extensions. The system goes beyond simple RBAC — it is genuinely audience-based content visibility — but no field-level security exists. Joomla 6.1.2 continued hardening the model with additional security fixes (restricted access to media management, privacy features, vCard downloads, and MFA settings), following 6.1.1's MFA-bypass and privilege-escalation CVE patches — hardening without changing capabilities.
Categories, tags, and Smart Search provide basic taxonomy and discovery. Joomla's workflow system enables custom content stages and approval transitions for knowledge updates. Joomla 6.1 added a Vue.js-based graphical workflow editor with drag-and-drop stages, keyboard shortcuts, undo/redo, and mini-map navigation, making knowledge lifecycle configuration more accessible. Module versioning (6.1) extends version tracking beyond articles to modules. Extended versioning tracks custom fields, tags, and categories. However, no automated review reminders, no archival workflows beyond manual unpublishing, and no knowledge base templates exist.
Joomla can serve as a basic portal but lacks employee experience features. No notification system for content updates without extensions. No social features (likes, comments require extensions). No employee directory integration in core. No personalized dashboard. JA Intranet template exists as a third-party offering but relies on multiple third-party components (EasySocial, EasyBlog, DocMan). It is a website CMS being repurposed as an intranet, not built for the purpose. No employee experience changes in 6.1.x.
Joomla's ACL-based access levels enable department-specific news publishing by restricting article visibility to relevant user groups, providing basic targeted internal communications. The workflow system supports approval-gated publishing. However, there are no read receipts, no acknowledgment tracking, no mandatory-read workflows, and no audience segmentation beyond manual user group assignment. It is a basic news publishing model, not a purpose-built internal comms platform.
No native employee directory or org chart in Joomla core. The user management system tracks login accounts but not employee profiles, skills, or team hierarchies. miniOrange LDAP/Active Directory integration plugin enables AD-synced user lists but does not provide directory browsing or org chart visualization. EasySocial (third-party, separate product) provides social profiles. Building a functional employee directory requires custom content types or third-party extensions.
Joomla's article versioning and workflow system provide rudimentary content version control and approval stages. Joomla 6.1 extended versioning to modules (PR #46772) and added document-type media custom fields (PR #45013, with save/display bugs fixed in 6.1.2), making it easier to manage document attachments via structured fields rather than file upload links. DocMan (third-party extension) adds document management with folder structure and access control. However, there is no mandatory acknowledgment tracking, no automated review/expiry reminders for policies, and no audit trail specifically for compliance.
No structured onboarding journey features in Joomla. Articles and categories can be organized into an onboarding section with ACL-restricted access, and scheduled publishing could approximate staged content delivery. However, there is no progressive disclosure framework, no task checklists, no HR-system integration for new-hire triggers, and no completion tracking. Building a functional onboarding experience requires extensive custom development.
Smart Search (com_finder) provides indexed full-text search with a map of indexed terms. It supports boosting and filtering by category, author, and date but lacks advanced faceted filtering for intranet knowledge volumes. No federated search across external systems (SharePoint, Confluence, Drive). No AI-powered relevance ranking. Search analytics (failed queries) are not surfaced in the admin panel. Adequate for small sites but not enterprise intranet scale. No search changes in 6.1.x.
No official Joomla mobile app for content access. Joomla sites use responsive templates (Cassiopeia is mobile-responsive by default) providing adequate web-based mobile access. No offline support, no push notifications, no native app distribution, no kiosk/shared-device modes. Frontline workers would access via a mobile browser on a responsive site — functional but not purpose-built for deskless access.
No built-in LMS capability or dedicated learning content management in Joomla. Learning content can be hosted as articles with ACL-restricted access, but there is no course assignment, no completion tracking, no certification management. Third-party LMS extensions exist in JED but are not well-maintained for Joomla 6. Integration with enterprise LMS platforms (Cornerstone, Workday Learning) would require entirely custom development.
No native social or collaboration features in Joomla core — comments, likes, reactions, polls, and community spaces all require third-party extensions. The forum story has improved: Kunena 7.0 stable (current 7.0.6) now runs natively on Joomla 6.0/6.1 without a compatibility plugin, giving Joomla 6 intranets a maintained discussion forum option. EasySocial provides a fuller social layer but is a separate commercial product with its own stack. The capability remains entirely extension-dependent, which caps the score.
Some workplace tool integrations exist via extensions: Microsoft Teams Call extension (OAuth 2.0 via Azure), Slack live chat integration, Microsoft 365 Mail Connect (OAuth 2.0). These are thin integrations — call launching and email connection — not deep embedded content cards, bot-driven notifications, or single-pane employee experiences. No Microsoft 365 document embedding, no Teams channel posting from CMS, no Slack content alerts.
Joomla supports publish up/down dates for automatic content expiry and unpublishing. The graphical workflow editor in Joomla 6.1 (PR #46021) makes it easier to configure content lifecycle stages including review and archive states with a visual drag-and-drop interface. Module versioning in 6.1 extends lifecycle tracking to modules. However, there are no automated review date reminders, no stale content flagging based on age, and no ownership assignment for freshness accountability. Content expiry is possible but requires manual configuration per article — there is no global freshness policy enforcement.
No native internal analytics in Joomla admin. Basic page view tracking available via GA4 integration through extensions, but this provides aggregate site data rather than department-level engagement analysis. No failed search term reporting in admin, no content engagement heatmaps, no intranet adoption dashboards. Analytics for internal content performance require full external analytics setup. No analytics changes in 6.1.x.
No multi-tenant architecture in core. JMS Multi Sites is only partially compatible with Joomla 5 and has no confirmed Joomla 6 support. MightySites provides shared-hosting multi-site management for Joomla 6.x, not true application-level tenant isolation. A core multisite RFC (GitHub discussion #47369, March 2026) and the in-development SiteHive component (single-table site_id architecture for Joomla 6) signal community momentum, but neither has shipped stable — each brand/tenant realistically still requires a separate Joomla installation.
No mechanism for sharing content components across separate Joomla installations. Within a single installation, modules and articles can be shared across pages, but there is no cross-instance sharing, no global templates with brand overrides, no design system support. Multi-brand content reuse requires manual duplication across separate instances.
No cross-brand governance capabilities. Each Joomla instance is independently managed. No central admin across instances, no approval hierarchies spanning brands, no global policy enforcement. Multi-brand governance would require custom tooling or manual processes. The graphical workflow editor in 6.1 improves per-instance workflow management but does not address cross-instance governance.
Zero licensing cost means each additional brand costs only hosting and development — no per-brand licensing increment. Shared hosting can run multiple Joomla instances cheaply. However, there are no shared infrastructure efficiencies within the application — each instance is fully separate. Operational overhead per brand is significant since each requires independent maintenance, updates, and monitoring.
Joomla 6 introduced Cassiopeia child templates with extended color and font customization via template parameters, reducing the need for CSS overrides for basic per-brand theming. 900+ third-party templates are available. Per-brand theming is achievable through template assignment per-instance. However, this is basic CSS/config-level theming — there are no design tokens, no centrally maintained component library with brand extensions, and no version-controlled brand theming across instances.
No brand-locale governance model. Each Joomla instance manages its own multilingual content independently. There is no per-brand translation approval workflow, no shared vs. isolated translation workflow configuration, and no regional legal content governance spanning brands. Multi-brand localization governance requires entirely manual coordination across separate instances.
No cross-brand analytics capability. Each Joomla instance would have its own GA4 property or analytics setup. Portfolio-level content performance reporting requires manual aggregation from multiple analytics accounts. No platform-level reporting across the brand portfolio, no content velocity comparisons, no publishing cadence benchmarking across instances.
Each separate Joomla instance has its own workflow configuration, meaning brands with separate installations can independently configure their publishing workflows using the graphical workflow editor in Joomla 6.1. However, there is no central audit across brands, no cross-brand visibility into publishing activity, and no workflow templates enforced from a central parent configuration. Workflow independence exists only as a byproduct of separate instances.
No content syndication mechanism between Joomla instances. Corporate-to-brand content distribution requires manual copy/paste or custom scripted migration. No syndication feeds between instances, no controlled override points, no push update capability from a parent brand to child brands. Content sharing across the brand portfolio requires entirely custom tooling.
No per-brand/region compliance rule enforcement. Cookie consent is handled via the core Privacy Tool Suite plus extensions. Each instance manages its own compliance settings. No guardrails preventing non-compliant publishing, no centralized data residency controls, no per-brand accessibility enforcement. Generic compliance tooling available per instance but not multi-brand aware.
No federated design system in Joomla. Each instance manages its own template independently. There is no centrally maintained component library with brand-level extensions, no design token versioning, and no update propagation across instances. Maintaining design consistency across multiple Joomla brand instances requires manual template synchronization or a custom build process.
Fully isolated user management per Joomla instance. No central admin console managing users across multiple brand installations. No cross-brand contributor roles, no SSO across Joomla tenants natively (SSO within a single instance is possible via extensions). Each brand team manages its own user accounts and permissions independently.
Fully separate content models per Joomla instance. No shared base content type that brands extend with per-brand fields. Custom fields must be recreated independently per installation. There is no parent content model framework that child brands inherit or extend without forking. Multi-brand content consistency requires manual schema duplication.
No portfolio-level reporting capability. Each Joomla instance is a fully independent CMS with no awareness of sibling brand installations. Content freshness by brand, publishing SLA adherence, cost allocation per tenant, and capacity planning would all require custom-built external tooling aggregating data from multiple independent systems.
Joomla 6.x ships the Privacy Tool Suite in core (com_privacy, verified on the 6.1 branch): consent management, data access/deletion request handling, and a privacy dashboard, and 6.1's built-in ALTCHA PoW CAPTCHA is privacy-first with no external service or data flows. However, no DPA is available to deployers — the Joomla Project is not a data processor, so GDPR obligations fall entirely on the site operator, which caps this in the basic-compliance band. The 6.1.2 security release (2026-07-08) fixing an access-control flaw in com_privacy webservice endpoints shows the suite is actively maintained but does not add new GDPR capability.
No HIPAA BAA is available from the Joomla Project or any affiliated entity, and there are no HIPAA-specific features in Joomla 6 core. Joomla is a volunteer-run OSS project with no healthcare compliance positioning; it is technically deployable on HIPAA-compliant hosting but carries zero platform-level support or documentation.
No FedRAMP, CCPA tooling, LGPD, PIPEDA, or sector-specific compliance features ship in Joomla 6.x. The core GDPR Privacy Suite is the only regulatory feature; broader regional coverage relies entirely on third-party extensions. Score reflects near-absence of regional regulatory tooling beyond basic EU privacy.
As an open-source volunteer project, SOC 2 does not apply — Open Source Matters is not a service organization and holds no SOC 2 attestation. Unlike Drupal or WordPress, Joomla has no enterprise managed-hosting ecosystem providing Joomla-specific SOC 2 coverage; all SOC 2 responsibility falls to the hosting provider chosen by the operator.
ISO 27001 is an organizational certification and Open Source Matters is neither ISO 27001 nor 27018 certified. The Joomla Security Strike Team (JSST) actively manages vulnerability disclosure for the 6.x branch (e.g., the 6.1.2 security release, 2026-07-08) but operates without a formal ISMS certification framework.
No PCI DSS, FedRAMP, CSA STAR, Cyber Essentials, or any other formal compliance certifications exist at the project or software level for Joomla 6.x. Joomla is not positioned for enterprise compliance contexts requiring these certifications, and there is no commercial entity to hold them.
As self-hosted software, Joomla 6 gives operators complete control over data residency — all data-location decisions are determined by the chosen hosting environment. Joomla 6.1's ALTCHA PoW CAPTCHA reinforces this by eliminating the external-service dependency that reCAPTCHA-style solutions introduce, so there are no CDN or SaaS data-flow concerns at the platform level.
Joomla 6's core Privacy component enables data access and deletion requests with manual admin fulfillment, and the Privacy Consent plugin supports configurable consent expiration. Joomla 6.0 added advanced content and custom-field versioning, but that is authoring history, not lifecycle governance. No automated retention policies, data classification, systematic erasure workflows, or API-based erasure exist.
The Action Logs component (com_actionlogs, verified in 6.1 core) logs admin actions — content changes, user management, and configuration changes — providing a basic who-did-what audit trail with CSV export. However, there is no SIEM integration, no external log shipping, no tamper-evident logging, and no compliance-grade reporting.
Joomla's accessibility statement claims WCAG 2.1 and ATAG 2.0 conformance for the backend, and the Joomla 6.x roadmap now prioritizes a 'WCAG 2.2 AA compliance' feature item targeting both backend and frontend. Joomla 6.1 shipped concrete increments — the ALTCHA PoW CAPTCHA (documented WCAG 2.2 AA) and editor abbreviation support (a WCAG AAA step). Still no formal third-party conformance audit, which holds the score in the stated-target band rather than the documented-conformance band.
No VPAT or ACR has been published for Joomla 6. The accessibility statement and developer accessibility documentation (manual.joomla.org) exist but are not formal conformance reports suitable for procurement, and there is no Section 508 conformance statement. Slightly above minimal due to the public statement, the active Accessibility Team, and the documented 6.x WCAG 2.2 roadmap item.
Joomla 6.x core ships no native AI text generation — the latest 6.1.2 (2026-07-07) is a security/bugfix release and 6.2 Alpha 1/2 add no AI. Third-party JED extensions remain the only delivery path: AI Content Assistant by Technodrome (GPT/Gemini/Claude/DeepSeek with tone/length controls, WebSources, bulk generation), 4AI (Gemini/OpenAI editor integration), JoomAI by miniOrange (articles/summaries with scheduled publishing), AI Content Generator, and AI Content Rewriter. The GSoC 2025 AI Framework (provider-agnostic abstraction) remains unmerged into 6.x core; score stays in the third-party-plugin-only band.
No native AI image generation or AI media processing in Joomla 6.x core — 6.1's media custom fields (audio/video/document) and 6.1.2's fixes to them are structural, not AI. Third-party coverage exists: 4AI supports DALL-E image generation, JoomAI by miniOrange generates images, SP Page Builder Pro includes an AI image generator, and AutoAlt.ai provides AI alt-text for the Media Manager. No native smart focal-point crop or AI DAM processing, holding the score in the 20–35 plugin-only band.
No native AI/MT translation in Joomla 6.x — the multilingual core handles language associations structurally (6.1 adds multilingual module associations, but no MT). AI translation is available only via third-party extensions (JoomAI by miniOrange advertises AI translations) or external orchestration (a December 2025 Joomla Community Magazine case study built a multilingual AI content factory with n8n). No native MT engine, AI-TMS integration, or bulk AI translation with quality scoring, so the score reflects the no-native-AI-translation band.
Plugin-only but growing coverage on Joomla 6: JT AI SEO Assistant explicitly targets Joomla 6 site owners for OpenAI-generated meta descriptions inside the admin workflow; System - AI Meta generates meta descriptions/keywords via Ollama or OpenAI-compatible APIs; JSitemap Pro ships an AI Engines Indexing System with LLMS.txt, Markdown conversion, and AI indexing schema markup; Route 66 and 4SEO add SEO automation. Nothing is built into 6.x core (confirmed absent through 6.1.2 and 6.2 Alpha 2), capping the score at the top of the third-party band.
No native AI content operations in Joomla 6.x: no auto-tagging, smart scheduling, AI routing, or duplicate detection. Joomla 6.1's headline Visual Workflow Editor is a drag-and-drop UI for designing manual publication workflow stages — a workflow usability improvement, not AI automation — and 6.2 Alpha 2 adds no AI ops. AI-driven content ops are only demonstrated via external orchestration (n8n case study), so the score stays in the no-AI-workflow band.
No named agentic product, agent marketplace, or autonomous multi-step workflow capability exists for Joomla 6.x. The official MCP work (PoC, January 2026 sprint) is protocol plumbing that may eventually enable external agents, not a platform agent product, and it is confirmed absent from 6.2. Relevance AI lists Joomla only as an external agent-template target via API. Score reflects no native agentic support.
No built-in AI content intelligence in Joomla 6.x: no content gap analysis, topic clustering, performance scoring, stale content detection, or editorial priority recommendations. Analytics relies entirely on external tools, and the JED ecosystem has not produced a dedicated AI content intelligence product. Neither 6.1.2 nor the 6.2 alphas add such features.
No AI-powered content auditing, brand voice compliance checking, or AI quality scoring in Joomla 6.x core or as established JED products. Existing audit tooling (Route 66, 4SEO accessibility/SEO checks) is rule-based, not AI-driven, and there is no at-scale AI compliance review. Score reflects the no-AI-auditing band.
Joomla 6.x Smart Search remains keyword/boolean-based with no vector search, embedding generation, or RAG-ready indexing in core. Semantic search requires fully external integration (e.g., Expertrec paid service); community forum threads confirm it is DIY territory. JSitemap Pro's LLMS.txt support aids AI-engine discoverability but is not semantic search. Score stays in the external-integration-required band.
No ML personalization engine exists for Joomla 6.x. Native targeting is limited to user groups and access levels — structural rules only, with no predictive segment assignment, next-best-content recommendations, or personalization analytics. Neither 6.1.2 nor the 6.2 alphas introduce any personalization capability, and no JED extension provides a genuine ML engine.
An official Joomla MCP server exists as a working proof-of-concept from the January 2026 core discovery sprint (backend UI for client connections and token management, a functional Streamable HTTP endpoint, abilities implemented as plugins), but it still needs cleanup, install scripts, and tests, has no open PR in joomla-cms, and is explicitly NOT expected in 6.2 (GA ~2026-10-13). Community servers work today: nasoma/joomla-mcp-server (article CRUD via Web Services API), genr8r/plg_mcp (installable system plugin), and nikosdion MCP4Joomla. Score holds at the upper announced/PoC band; not higher because nothing official is GA.
The GSoC 2025 Joomla AI Framework is explicitly provider-agnostic — OpenAI, Anthropic, and Ollama (local models) behind one interface with user-supplied keys — but it remains in the joomla-projects repo and is not merged into 6.x core (absent through 6.1.2 and 6.2 Alpha 2). BYOK is real today only via third-party extensions: AI Content Assistant (GPT/Gemini/Claude/DeepSeek keys), JoomAI (multi-provider), 4AI (Gemini/OpenAI), System - AI Meta (Ollama/OpenAI-compatible endpoints). Not higher because no shipped, governed core BYOK exists.
Joomla 6.x exposes a REST Web Services API that AI agents can consume, proven by three community MCP implementations built on it, and the official MCP PoC plans a generic plugin wrapping web services to expose CRUD for all entities to AI agents. The unmerged GSoC AI Framework provides provider-agnostic developer interfaces for extension authors. No dedicated AI SDK, official LangChain/LlamaIndex guides, or RAG-ready delivery endpoints ship in core, keeping the score in the standard-API band.
No AI-specific governance exists in Joomla 6.x: no AI audit trails, prompt template governance, hallucination detection, brand safety controls, IP indemnification, or AI privacy controls. The 6.x Action Log tracks general admin activity but has no AI coverage; the MCP PoC's token management is access control, not output governance. Third-party AI extensions provide no governance layer. Score reflects near-zero governance.
No AI observability exists in Joomla 6.x core or the extension ecosystem: no token consumption tracking, AI cost/credit dashboards, per-user AI usage metrics, or model performance analytics. AI usage through third-party plugins is completely opaque to site administrators, and neither the MCP PoC nor the AI Framework includes usage metrics. Score reflects the lowest band.
How composite scores (0–100) have changed over time. Click legend items to show/hide metrics.
Joomla's momentum is essentially stable, with every composite dimension flat except a slight uptick in Platform Velocity (+0.3) driven by clearer roadmap communication around the 6.2 release schedule and genuine performance work in 6.1, notably plugin lazy loading that improved API performance and scalability. The headline caution for practitioners is security: a rough 2026 for Joomla 6, including the critical unauthenticated CVE-2026-48898 in com_users, dropped the security track record five points even though the composite Compliance & Trust score held steady. Net-net, Joomla is quietly improving its engineering fundamentals while its security record and overall capability position remain the key concerns for evaluators.
Score Changes
2026 was a rough security year for Joomla 6: CVE-2026-48898 (com_users batch task, CVSS 9.8 critical unauthenticated privilege escalation, affecting 6.0.0–6.1.0) and CVE-2026-48904 (com_users webservice privesc) were patched in 6.1.1, CISA added actively-exploited Joomla flaws to its KEV catalog, and 6.1.2 (2026-07) shipped yet another round of access-check hardening across media, privacy, custom fields, vCard, and MFA. The Security Strike Team discloses responsibly and patches promptly, but confirmed in-the-wild exploitation of a critical core unauthenticated privesc, plus a wave of actively-exploited CVSS-10 RCEs across the top extensions, drags the track record well below a clean baseline.
The public roadmap shows the full 6.2 schedule (Alpha 3 Jul 21 → Beta 1/feature-freeze Aug 18 → RC1 Sep 29 → GA Oct 13, 2026) with named release managers (Charvi Mehra & Martin Kopp), and Alpha 1/2 shipped on schedule — extending a multi-release track record of on-time delivery on a predictable six-month cadence. Still no formal community voting portal like Canny, which keeps it below the 70+ band.
No native social or collaboration features in Joomla core — comments, likes, reactions, polls, and community spaces all require third-party extensions. The forum story has improved: Kunena 7.0 stable (current 7.0.6) now runs natively on Joomla 6.0/6.1 without a compatibility plugin, giving Joomla 6 intranets a maintained discussion forum option. EasySocial provides a fuller social layer but is a separate commercial product with its own stack. The capability remains entirely extension-dependent, which caps the score.
Joomla 6.1 introduced plugin lazy loading — plugins load only when an event calls them — measurably reducing server response times and peak memory, which benefits API request handling. Still no published rate limits, no API benchmarks, no batch operations, and no CDN-backed delivery layer; performance remains entirely dependent on self-managed hosting. Small bump retained for the lazy-loading improvement only.
Joomla 6.1's plugin lazy loading delivers genuinely lower peak memory and faster responses, and the 6.x caching layer is improved — but the platform remains a PHP monolith with no auto-scaling, no application-layer multi-region support, and no documented scale limits or enterprise-scale references. Scaling is achievable with infrastructure investment (load balancers, replicas, caching) but the architecture is not designed for horizontal scale. Small bump retained for the measurable 6.1 performance work.
Documentation has consolidated meaningfully for 6.x: manual.joomla.org publishes versioned developer docs (6.1 current, 6.2 upcoming) maintained on GitHub, guide.joomla.org provides a structured user manual including migration and local-setup guides, and api.joomla.org covers the CMS 6.0.x API reference. Coverage is still incomplete in places, code examples are uneven, and there is no core interactive playground or framework-specific getting-started guides. Bump retained for the versioned, restructured doc portals.
Joomla specialists command a moderate-to-high premium driven by talent scarcity rather than platform complexity. Market share continues to fall (down ~20% since 2024; ~1.9% in 2025 vs 9.3% in 2014), and migration outflow to WordPress outnumbers inflow roughly 5:1, shrinking the experienced 6.x developer pool. General PHP developers can learn Joomla and base rates are only moderate (~$48/hr US avg), but the scarcity-driven premium and shrinking pool partially offset the zero licensing cost.
Cadence remains strong and predictable: 6.1.2 + 5.4.7 security/bugfix releases shipped July 7-8, 2026 (six weeks after 6.1.1), and 6.2.0 Alpha 2 landed June 23 on the steady six-month minor cycle with GA scheduled Oct 13, 2026. Dual-track 5.x/6.x maintenance continues. Still below SaaS-level feature-shipping frequency, which caps the score.
Joomla shows broad-based improvement across all six composite dimensions, with Operational Ease (+0.9), Build Simplicity (+0.6), and Platform Velocity (+0.6) leading the movement on the strength of Joomla 6.1's Visual Workflow Editor and the January 2026 core discovery sprint that produced an official MCP server proof-of-concept. The standout for practitioners is the workflow tooling shift — content workflows jumped 7 points and editorial approvals gained 5 — signaling that Joomla is closing a long-standing gap in graphical editorial process design. AI and rich-media handling remain weak spots despite small gains, so teams with heavy media or generative-AI requirements should still treat this as an evolving rather than competitive area.
Score Changes
An official Joomla MCP server exists as a working proof-of-concept from the January 2026 core discovery sprint: backend UI for client connections and token management, a functional Streamable HTTP MCP endpoint, and abilities implemented as plugins — but it needs cleanup, install scripts, and tests before it is PR-ready, and it shipped in neither 6.1 nor the 6.2 alpha. Community servers are functional today: nasoma/joomla-mcp-server (article CRUD via Web Services API), genr8r/plg_mcp (installable system plugin), and nikosdion MCP4Joomla. Score holds at the upper announced/PoC band; not higher because nothing official is GA.
Joomla 6.1's Visual Workflow Editor (Vue.js/VueFlow) provides an interactive graphical view to drag, connect, and edit workflow stages and transitions, a major usability leap for the multi-stage workflow engine with role-based transitions. The underlying engine still lacks conditional routing and advanced notification rules. Unchanged in 6.1.1.
Joomla 6.1's Visual Workflow Editor (Vue.js/VueFlow interactive diagram) lets administrators create, edit, and delete workflow stages and transitions directly on the diagram, centralizing workflow management. Custom workflow states, configurable transitions, condition checks, and role-based routing remain from com_workflow. Still no SLA/due-date enforcement and no parallel approval paths, which caps the score.
No native AI image generation or AI media processing in Joomla 6.x core — 6.1's expanded media custom fields (audio/video/document) are structural, not AI. Third-party coverage exists: 4AI supports DALL-E image generation, SP Page Builder Pro includes an AI image generator, and AutoAlt.ai provides AI alt-text generation for the Media Manager. No native smart focal-point crop or AI DAM processing. Score remains in the 20–35 band for plugin-only media AI.
Joomla 6.1 adds audio, video, and document media custom fields, allowing these media types to be attached to content via custom fields. However, there is still no native video hosting, transcoding, adaptive streaming, or thumbnail generation. Videos uploaded to the Media Manager have no playback pipeline. The custom field improvement makes it easier to reference rich media but doesn't add processing capabilities.
The 6.1 cycle drew 130+ pull requests from global volunteers, and the 6.2 cycle launched on time with named release managers and active alpha testing calls — the community continues to mobilize for releases. However, the core maintainer team remains thin, PR activity for 6.2 suggests incremental improvements rather than headline features, and Stack Overflow activity keeps declining.
Content is stored in MySQL, accessible and exportable, and the Web Services API provides programmatic content access. Migration tooling is mature: FG Joomla to WordPress is actively maintained and tested through Joomla 6.x, and LitExtension/CMS Minds offer professional migration services. However, content uses Joomla-specific table structures requiring transformation, and third-party extensions create proprietary data structures — lock-in is moderate.
Joomla's accessibility statement claims WCAG 2.1 and ATAG 2.0 conformance for the backend, and the official Joomla 6.x roadmap now includes a 'WCAG 2.2 AA compliance' feature item targeting both backend and frontend. Joomla 6.1 shipped concrete increments: the ALTCHA PoW CAPTCHA (documented WCAG 2.2 AA) and abbreviation support in the editor (a WCAG AAA step). Still no formal third-party conformance audit, which caps the score in the stated-target band.
Joomla 6.1 offers ~23 custom field types including the audio, video, and document media fields added in 6.1.0. Core content types remain fixed (Articles, Categories, Contacts, Banners, Newsfeeds) — true custom content types still require extensions. No schema-as-code, no polymorphic unions, no JSON field type. 6.1.1 was security/bugfix only, so nothing changed.
Joomla 6.1 extended versioning to modules with history tracking and rollback, on top of 6.0's custom fields and tags versioning, giving broad entity coverage. Still no visual diff, no content branching, no programmatic API access to version history. Unchanged in 6.1.1.
Joomla 6.1 added native audio, video, and document media custom fields plus a root-level 'files' folder in the Media Manager, expanding handling beyond images. Still no focal point cropping, no URL-based image transforms, no WebP/AVIF auto-conversion, no CDN pipeline, and limited metadata/tagging. 6.1.1 only fixed a file-renaming error.
One of Joomla's genuine strengths, further improved in 6.1. Built-in multilingual support with language associations, content language filtering, and per-language menu structures. Joomla 6.1 adds multilingual module associations, allowing module instances to be linked across languages similar to articles. Document-level localization via associations rather than field-level, but comprehensive and fully native.
Core Joomla has com_contact providing a basic contact form with email notification and CAPTCHA support. Joomla 6.1's privacy-friendly Proof-of-Work CAPTCHA operates silently without external accounts or APIs, improving spam protection. Still no conditional logic, no multi-step forms, no submission storage in core. Third-party extensions (Convert Forms, RSForm!Pro) deliver advanced capabilities but are not bundled.
Cadence remains strong and predictable: 6.1.0 GA (Apr 14, 2026) was followed six weeks later by the 6.1.1 + 5.4.6 security/bugfix releases (May 26) and 6.2.0 Alpha 1 the same day, with 6.2 GA scheduled Oct 13, 2026 on a steady six-month minor cycle. Dual-track 5.x/6.x maintenance continues. Still below SaaS-level feature shipping frequency, which caps the score.
The public roadmap now shows the full 6.2 schedule (Alpha 1 May 26, 2026 → GA Oct 13, 2026) with named release managers (Charvi Mehra & Martin Kopp), and Alpha 1 shipped exactly on date — extending a multi-release track record of on-time delivery on a predictable six-month cadence. Still no formal community voting/feedback portal like Canny, which keeps it below the 70+ band.
Self-hosted means full ops responsibility — updates, security patches, backups, monitoring, server maintenance. Joomla 6.x's automatic minor-version updates reduce patch burden (6.1.1 shipped May 2026 as a routine maintenance release), but parallel maintenance tracks persist (5.4.6 alongside 6.1.1, with 6.2 in alpha). The managed-hosting ecosystem (CloudAccess) remains limited compared to Drupal's Acquia/Pantheon, so larger deployments still need dedicated ops attention.
Joomla 6.1's media custom fields support audio, video, and document types beyond images, on top of 6.0's Date/Datetime fields, and adding custom fields to content remains safe and low-risk. However, schema evolution for custom components still requires manual database migration management with no built-in migration tooling, and the core article-category-menu data model remains rigid compared to headless CMS platforms. No data modeling changes in 6.1.1.
Joomla 6.1's module versioning brings version history consistency across content types, and the visual drag-and-drop workflow editor makes publication pipelines easier to design than the prior form-field configuration. Combined with 6.0's view transitions and TinyMCE 8, the coupled editing experience is solid. However, there is still no headless preview setup, no deploy previews, and no preview API for decoupled frontends, which caps the score for teams building decoupled.
Content authors can create and publish articles, manage media (now including audio/video/document custom fields), and self-serve for basic operations without developer involvement. The 6.1 visual workflow editor lets content teams design and manage publication pipelines without developer help, and multilingual module associations reduce developer intervention on multilingual sites. However, new page layouts, template modifications, and complex ACL configuration still require a developer.
TUF-based automatic minor updates are now proven through the 6.0.x–6.1.x cycle, and 6.1.1 fixed auto-updater cleanup (leftover update archives now deleted after core updates). Community guidance still recommends keeping auto-updates off until extensions are confirmed compatible, and major upgrades (5→6) remain manual with extension compatibility as the main friction. Not higher because extension breakage across majors persists and there are no codemods.
Joomla 6.1.1 (May 26, 2026) patched 10 CVEs in one coordinated release including a High-severity MFA bypass (CVE-2026-48896, CVSS 8.2, affecting 4.0.0–6.1.0), privilege escalation via com_users webservice (CVE-2026-48904), SQL injection, and multiple XSS vectors. Patch cadence remains regular with clear advisories on the security centre, and auto-updates reduce application lag for minor versions. Not higher because High-severity authentication and privilege-escalation CVEs keep recurring — 16 CVEs patched across March–May 2026.
Joomla 6.1's visual workflow editor lets administrators manage the publication process as an interactive diagram, and module versioning plus multilingual module associations reduce operational overhead. Still no automated orphan detection, broken-link scanning, or content-expiry workflows in core — content hygiene remains manual editorial discipline. Not higher because automated hygiene tooling is absent.
Release cadence remains strong: 6.0.1 through 6.0.4 (Nov 2025–Mar 2026), 6.1.0 (Apr 2026), and 6.1.1 (May 26, 2026) fixing 10 CVEs plus bug fixes — seven releases in seven months, with 6.2 Alpha 1 shipping the same day and a published dated roadmap through October 2026 GA. RC stages before each release show disciplined process. Not higher because volunteer-driven, non-security bug-fix timing still varies and some fixes wait for the next scheduled point release.
No built-in form handling beyond basic contact form. Joomla 6.1 added a native Proof-of-Work CAPTCHA (PR #46514) — privacy-friendly spam protection that requires no external account or API — improving native form security for the basic contact form and extension forms using the CAPTCHA API (SP Page Builder 6.5.0 adopted it for its forms). However, forms still require extensions (RSForm, BreezingForms) for anything beyond basic contact. No CTA management, no conversion tracking, no lead capture integration. Landing page optimization requires external tools.
Joomla's Media Manager provides folder-based file organization with per-asset metadata (title, alt text, description, author, copyright). Basic image cropping and resizing via the Media Action plugin in core. Joomla 6.1 added Media Custom Fields for audio, video, and documents (PR #45013), expanding the content model to natively reference non-image media types in custom fields. However, still missing: no asset versioning, no usage tracking across content, no rights/expiry management, no focal point cropping, no CDN integration, no WebP auto-conversion. No media changes in 6.1.1.
Joomla has robust built-in multilingual support with separate content per language and language-specific menu items. Joomla 6.1 added multilingual module associations (PR #46671/46772), enabling modules to be linked across language versions the same way articles are associated — improving consistency of localized marketing content including sidebars, banners, and promotional modules across languages. However, no transcreation workflows, no locale-specific campaign variants, no market-level scheduling, and no regional compliance tooling natively.
VirtueMart and HikaShop support multiple product images and basic galleries. Video embeds are possible via HTML in product descriptions. Joomla 6.1's media custom fields (audio, video, documents) make it easier to attach video and other media types to content via structured fields rather than HTML embeds — a modest improvement for product media richness. Still no 360-degree views, no AR/3D model support, no image hotspots, no zoom feature in core Joomla or its major commerce extensions.
Joomla's article versioning and workflow system provide rudimentary content version control and approval stages. Joomla 6.1 extended versioning to modules (PR #46772) and added document-type media custom fields (PR #45013), making it easier to manage document attachments via structured fields rather than file upload links. DocMan (third-party extension) adds document management with folder structure and access control. However, there is no mandatory acknowledgment tracking, no automated review/expiry reminders for policies, and no audit trail specifically for compliance.
Joomla supports publish up/down dates for automatic content expiry and unpublishing. The graphical workflow editor in Joomla 6.1 (PR #46021) makes it easier to configure content lifecycle stages including review and archive states with a visual drag-and-drop interface. Module versioning in 6.1 extends lifecycle tracking to modules. However, there are no automated review date reminders, no stale content flagging based on age, and no ownership assignment for freshness accountability. Content expiry is possible but requires manual configuration per article — there is no global freshness policy enforcement.
Plugin-only but growing coverage on Joomla 6: JT AI SEO Assistant explicitly targets Joomla 6 site owners for OpenAI-generated meta descriptions inside the admin workflow; System - AI Meta generates meta descriptions/keywords via Ollama or OpenAI-compatible APIs; JSitemap Pro ships an AI Engines Indexing System with LLMS.txt, Markdown conversion, and AI indexing schema markup; Route 66 and 4SEO add SEO automation. Nothing is built into 6.x core, capping the score at the top of the third-party band.
The 6.1/6.1.1 releases continue to generate third-party coverage (mySites.guru, Joomill walkthroughs, migration guides), and the Joomla Community Magazine publishes regularly. However, mainstream tech education platforms (Udemy, Pluralsight) have minimal current Joomla content, and sustained output remains far below WordPress, Drupal, or headless platforms.
Categories, tags, and Smart Search provide basic taxonomy and discovery. Joomla's workflow system enables custom content stages and approval transitions for knowledge updates. Joomla 6.1 added a Vue.js-based graphical workflow editor with drag-and-drop stages, keyboard shortcuts, undo/redo, and mini-map navigation, making knowledge lifecycle configuration more accessible. Module versioning (6.1) extends version tracking beyond articles to modules. Extended versioning tracks custom fields, tags, and categories. However, no automated review reminders, no archival workflows beyond manual unpublishing, and no knowledge base templates exist.
Joomla remains fully stable across all composite dimensions, with no movement in Capability (38.5), Platform Velocity (40), Cost Efficiency (69.2), Build Simplicity (52.4), Operational Ease (49.7), or Compliance & Trust (30.9) since the last review. The platform continues to hold its strongest position in Cost Efficiency while Compliance & Trust and Capability remain its weakest areas, reflecting Joomla's ongoing challenge to modernize its security posture and feature depth relative to newer headless and hybrid CMS competitors. Without meaningful item-level shifts, Joomla's trajectory is flat, suggesting the project has not yet translated recent development activity into measurable scoring gains.
Joomla remains largely stable this cycle with no movement across Capability, Platform Velocity, Cost Efficiency, Build Simplicity, or Operational Ease. The only composite shift is a slight decline in Compliance & Trust, dropping 0.9 points to 30.9, driven by a modest downgrade in GDPR and data protection scoring as the platform's built-in privacy tooling shows its age relative to evolving regulatory expectations. On the positive side, accessibility-related items within the platform saw incremental gains, reflecting Joomla 4's WCAG 2.1 commitments, though the absence of formal conformance documentation like a VPAT keeps those scores from climbing higher — a gap practitioners in regulated industries should weigh carefully.
Score Changes
Joomla's official accessibility statement claims WCAG 2.1 and ATAG 2.0 conformance starting with Joomla 4. The Cassiopeia/Atum templates include keyboard support, focus management, and ARIA markup. Joomla has a dedicated Accessibility Team. However, no formal third-party conformance audit has been published, and the statement itself notes current properties may not fully meet the standard. Score reflects stated commitment with ATAG 2.0 target — stronger than most OSS peers but unverified.
No VPAT or ACR published for Joomla. The accessibility statement exists but is not a formal conformance report suitable for procurement. No Section 508 formal conformance statement. The Joomla Accessibility Team maintains documentation but not procurement-grade artifacts. Slightly above minimal due to the public accessibility statement and team existence.
Joomla 3.9+ Privacy Tool Suite provides consent management, data access/deletion request handling, and privacy controls. The Joomla Project (Open Source Matters) has a DPO and publishes a privacy policy with GDPR rights. However, no DPA is available for deployers of the software — the project is not a data processor. No EU residency guarantees or sub-processor list (self-hosted, so N/A). Score reflects genuine but basic GDPR tooling without a DPA.
Joomla 5.2 delivers incremental improvements but the community faces a leadership and contributor crisis as core team members drift away. W3Techs data shows continued market share decline below 2%. Extension ecosystem stagnation means fewer modern integrations are available compared to competing platforms.
Platform News
Continued refinements to admin UI and API; HTTP/2 push support removed per deprecation
W3Techs data shows continued erosion; WordPress holds ~63%, Joomla falls behind Shopify and Squarespace
Joomla 5.1 adds schema.org integration and improved editor capabilities but community engagement metrics continue to soften. GitHub contribution activity and extension directory growth are both trending down. The platform occupies an increasingly narrow niche between WordPress dominance and modern headless CMS options.
Platform News
Schema.org structured data support, improved TinyMCE integration, accessibility fixes
Joomla 5.0 arrives alongside the final Joomla 4.4, requiring PHP 8.1+ and dropping all legacy compatibility layers. The release features improved media manager, dark mode, and guided tours. Community momentum briefly spikes but overall market trajectory continues downward as the CMS landscape favors either WordPress scale or modern headless architectures.
Platform News
PHP 8.1+ required, legacy code removed, dark mode, guided tours, improved media manager
4.4 serves as bridge release; extensions compatible with 4.4 should work on 5.0
Clean break from legacy allows modernization but fragments community further
Joomla 4.2 introduces built-in multi-factor authentication and WebAuthn support, significantly boosting security posture. The extension ecosystem is slowly adapting to Joomla 4 but adoption remains sluggish as many site owners stay on 3.x. Release cadence is steady with incremental improvements to the admin UI and API.
Platform News
Core MFA and WebAuthn support added; task scheduler introduced for background jobs
WCAG 2.1 AA compliance improvements to admin interface
Joomla 4.0 launches as a ground-up rewrite with Bootstrap 5, a modern admin UI, and a native Web Services API for headless delivery. Developer excitement peaks as the platform finally addresses years of technical debt. However, extension ecosystem fragmentation creates migration pain — many popular Joomla 3 extensions are not yet compatible.
Platform News
Major rewrite: Bootstrap 5, new admin template Atum, Web Services API, improved accessibility, child templates
Native REST API enables headless content delivery for the first time in Joomla core
3.10 released as bridge version to ease migration to 4.x
Joomla 3.9.x is in its final stretch with the community focused on the upcoming 4.0 rewrite. The platform retains solid traditional CMS capabilities but its aging MVC architecture and jQuery-heavy frontend limit developer appeal. Market share continues its slow erosion to WordPress and newer headless platforms.
Platform News
Continued security maintenance for 3.x branch while 4.0 development progresses
First release candidate signals 4.0 is nearing completion after years of development