How can I tell what CMS a website uses?

You can check the page source for a tag, try visiting /wp-admin or /wp-login.php (WordPress), inspect HTTP headers like X-Powered-By, or look at cookies. For a faster and more reliable approach, use a technology detection API like DetectZeStack, which checks DNS records, TLS certificates, HTTP headers, and page content in a single call.

Can you detect headless CMS?

Headless CMS platforms like Contentful, Sanity, and Strapi are harder to detect because they serve content through a separate frontend (often Next.js or Gatsby) and don't leave obvious HTML signatures. DetectZeStack uses DNS CNAME analysis and TLS certificate inspection to identify hosting and infrastructure patterns associated with headless setups, catching what manual HTML inspection would miss.

Is DetectZeStack free?

Yes. DetectZeStack offers a free tier with 100 API requests per month — no credit card required. Sign up on RapidAPI to get your API key instantly. Paid plans start at $9/month for higher volume.

What's the difference between DetectZeStack and browser extensions?

Browser extensions like WhatRuns and Wappalyzer only analyze what's visible in the rendered page — JavaScript, HTML, and HTTP headers. DetectZeStack also inspects DNS CNAME records, TLS certificates, and server-side signals. This means DetectZeStack detects CDN providers, hosting platforms, certificate authorities, and headless CMS setups that browser extensions miss entirely. DetectZeStack also provides a programmable API, so you can automate detection at scale.

How to Detect What CMS a Website Uses (WordPress, Shopify, Squarespace)

March 18, 2026 · 8 min read

You find a website with a design you like, a checkout flow that converts, or a blog layout that loads fast. The first question: what CMS is this built on? Is it WordPress? Shopify? Squarespace? Something custom?

Sometimes you can tell at a glance. More often, you can't. Modern websites strip out generator tags, use custom themes that hide CMS signatures, or run headless CMS setups where the frontend is completely decoupled from the content backend. Manual detective work gets you partway there; automated detection gets you the rest.

This guide covers both approaches: manual methods you can try right now, and API-based detection that catches what manual checks miss.

Manual Detection Methods

These are the classic techniques. Each works in specific situations and fails in others.

1. Check the `<meta name="generator">` tag

View the page source (right-click → View Page Source) and search for generator. Many CMS platforms inject a meta tag identifying themselves:

<meta name="generator" content="WordPress 6.4.3">
<meta name="generator" content="Drupal 10">
<meta name="generator" content="Ghost 5.0">

Limitation: Many site owners remove this tag for security reasons. WordPress security plugins like Wordfence strip it by default. Shopify, Squarespace, and Wix don't use generator tags at all. If the tag is there, it's definitive. If it's missing, you know nothing.

2. Try common admin URLs

Each CMS has characteristic admin paths:

WordPress — /wp-admin or /wp-login.php
Drupal — /user/login or /admin
Joomla — /administrator
Magento — /admin (though often renamed)
Ghost — /ghost

Limitation: Hosted platforms like Shopify and Squarespace don't expose admin URLs on the site's domain. Custom admin paths defeat this method entirely. And getting a 404 doesn't prove anything—the site might use WordPress with a renamed login page.

3. Inspect HTTP headers

Open your browser's Developer Tools (F12 → Network tab), reload the page, and check the response headers on the main document:

X-Powered-By: PHP/8.2 — suggests WordPress, Drupal, or another PHP-based CMS
X-Powered-By: Express — Node.js backend, possibly Ghost
Server: Shopify — dead giveaway
X-Wix-Request-Id — Wix site

Limitation: Many servers strip X-Powered-By for security. Reverse proxies and CDNs (Cloudflare, CloudFront) often overwrite the Server header. You might see Server: cloudflare and learn nothing about the underlying CMS.

4. Check cookies

CMS platforms set characteristic cookies:

wp-settings-* or wordpress_* — WordPress
_shopify_s or _shopify_y — Shopify
crumb — Squarespace

Limitation: Cookies may only appear after login or interaction. Some platforms set cookies on subdomains only. And cookie names can change between versions.

5. Look at page source patterns

Experienced developers can spot CMS signatures in the HTML:

WordPress: /wp-content/ and /wp-includes/ in asset URLs
Shopify: cdn.shopify.com in asset URLs
Squarespace: static1.squarespace.com in asset URLs
Wix: static.parastorage.com or static.wixstatic.com
Webflow: assets.website-files.com in asset URLs

Limitation: This is the most reliable manual method for hosted platforms, but it requires knowing what to look for. It completely fails for headless CMS setups where content is fetched via API and no CMS-specific assets appear on the page.

Bottom line on manual methods: Each technique detects some CMS platforms some of the time. No single manual check covers all cases. Headless CMS setups defeat almost all of them.

API-Based Detection with DetectZeStack

Instead of running five manual checks and hoping one works, you can query the DetectZeStack API and get a definitive answer in one call. DetectZeStack combines four detection layers:

DNS CNAME records — identifies hosting platforms (Shopify, Squarespace, Webflow, Wix) by their DNS signatures
TLS certificate inspection — reveals certificate authorities and platform-specific certificate patterns
HTTP headers — parses Server, X-Powered-By, cookies, and other response headers
Page content analysis — scans HTML for generator tags, asset URLs, JavaScript globals, and DOM patterns

Here's how to detect the CMS on stripe.com:

curl -s "https://detectzestack.p.rapidapi.com/analyze?url=stripe.com" \
  -H "X-RapidAPI-Key: YOUR_KEY" \
  -H "X-RapidAPI-Host: detectzestack.p.rapidapi.com" | jq '.'

Response:

{
  "url": "https://stripe.com",
  "domain": "stripe.com",
  "technologies": [
    {
      "name": "Amazon S3",
      "categories": ["CDN"],
      "confidence": 100
    },
    {
      "name": "Amazon Web Services",
      "categories": ["PaaS"],
      "confidence": 100
    },
    {
      "name": "DigiCert",
      "categories": ["SSL/TLS certificate authority"],
      "confidence": 70
    },
    {
      "name": "HSTS",
      "categories": ["Security"],
      "confidence": 100
    },
    {
      "name": "Nginx",
      "categories": ["Web servers", "Reverse proxies"],
      "confidence": 100,
      "cpe": "cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*"
    }
  ]
}

In this case, stripe.com doesn't use a traditional CMS—it's a custom build on AWS infrastructure with Nginx. That's a useful answer too: knowing a site is not on a CMS tells you it's a custom-built frontend, which changes how you'd approach replicating its design or selling to the company.

For a site running Shopify, you'd see "name": "Shopify" in the technologies array with "categories": ["Ecommerce"]. For WordPress, you'd see "name": "WordPress" with "categories": ["CMS"]. The response tells you exactly what's running.

CMS Platforms DetectZeStack Detects

DetectZeStack identifies CMS platforms through multiple detection layers—not just HTML patterns. Here are the major platforms it covers:

CMS	Detection Method	Notes
WordPress	HTML patterns, headers, cookies	Detects even when generator tag is stripped
Shopify	DNS CNAME, headers, HTML	CNAME to `shops.myshopify.com`
Squarespace	DNS CNAME, HTML patterns	CNAME to `ext-squarespace.com`
Wix	DNS, HTML, headers	Asset URLs on `static.parastorage.com`
Webflow	DNS CNAME, HTML patterns	CNAME to `proxy-ssl.webflow.com`
Ghost	HTML patterns, headers	Generator tag and `/ghost` API
Hugo	HTML patterns	Generator tag in page source
Gatsby	HTML patterns, JS globals	`___gatsby` div and route data
Drupal	HTML patterns, headers, cookies	`X-Drupal-Cache` header
Joomla	HTML patterns, headers	Generator tag and `/administrator`
Magento	HTML patterns, cookies, headers	`Mage` cookies and class names

Beyond CMS platforms, DetectZeStack also detects the surrounding infrastructure: CDN providers, hosting platforms, JavaScript frameworks, analytics tools, and security technologies. A single API call returns the full stack.

Why Headless CMS Is Harder to Detect

Headless CMS is the fastest-growing segment of the CMS market, and it breaks most detection methods. Here's why.

In a traditional CMS like WordPress or Drupal, the CMS generates the HTML. Every page contains CMS-specific markup: asset URLs pointing to /wp-content/, generator meta tags, characteristic JavaScript files, and recognizable class names. Detection tools have decades of patterns to match against.

In a headless setup, the CMS is just a content API. The frontend is a completely separate application—usually built with React, Next.js, Gatsby, or Nuxt.js. The CMS (Contentful, Sanity, Strapi, Prismic) delivers content via API at build time or request time, but no CMS-specific code appears in the final HTML.

Consider a site built with Next.js + Contentful:

The HTML contains React-rendered markup—no Contentful signatures
No <meta name="generator"> tag for Contentful
No /wp-admin or similar admin URL
HTTP headers show the hosting platform (Vercel, Netlify), not the CMS
Cookies are from the frontend framework, not the CMS

Manual inspection would tell you the site uses Next.js and is hosted on Vercel. It would not tell you the content comes from Contentful. The CMS is invisible at the HTML layer.

How DNS and TLS analysis helps

While headless CMS platforms don't leave traces in HTML, they do leave traces in infrastructure. DetectZeStack's DNS and TLS layers can identify:

Hosting platform — DNS CNAME records reveal whether the frontend is on Vercel (cname.vercel-dns.com), Netlify (*.netlify.app), or another platform. This narrows the CMS possibilities: Vercel-hosted sites are disproportionately likely to use headless CMS.
Frontend framework — page content analysis identifies Next.js, Gatsby, or Nuxt.js. Combined with hosting data, this strongly suggests a headless architecture.
API subdomains — some headless CMS setups expose API endpoints on subdomains (e.g., cdn.contentful.com referenced in JavaScript). DetectZeStack's content analysis can catch these references.

The combination of DNS-level hosting detection and content-level framework detection provides a more complete picture than any single manual method.

Key insight: For traditional CMS platforms (WordPress, Shopify, Squarespace), both manual checks and API detection work well. For headless CMS setups, manual checks fail almost completely. API-based detection that combines DNS, TLS, and content analysis is the only reliable approach.

Quick Start

Get an API key from RapidAPI (free tier: 100 requests/month, no credit card) and run:

curl -s "https://detectzestack.p.rapidapi.com/analyze?url=stripe.com" \
  -H "X-RapidAPI-Key: YOUR_KEY" \
  -H "X-RapidAPI-Host: detectzestack.p.rapidapi.com" | jq '.technologies[] | select(.categories[] | contains("CMS"))'

This filters the response to show only CMS-related technologies. Remove the jq filter to see the full technology stack including hosting, CDN, security, and frontend frameworks.

Detect Any Website's CMS in Seconds

100 requests/month free. DNS + TLS + HTTP + content analysis in a single API call.

Get Your API Key

How to Detect What CMS a Website Uses (WordPress, Shopify, Squarespace)

Manual Detection Methods

1. Check the <meta name="generator"> tag

2. Try common admin URLs

3. Inspect HTTP headers

4. Check cookies

5. Look at page source patterns

API-Based Detection with DetectZeStack

CMS Platforms DetectZeStack Detects

Why Headless CMS Is Harder to Detect

How DNS and TLS analysis helps

Quick Start

Related Reading

Detect Any Website's CMS in Seconds

Get API updates and tech detection tips

1. Check the `<meta name="generator">` tag