Concrete CMS is a niche but mature open-source PHP CMS whose enduring differentiator is best-in-class in-context drag-and-drop editing paired with granular permissions and a credible compliance posture (ISO 27001, SOC 2 Type 2, FedRAMP Moderate / DoD IL2 controls) for its managed hosting. The platform is most compelling for SMB, government, and intranet builds that value editor self-service, predictable TCO, and self-hosted control. It lags badly in headless delivery, AI enablement, real-time collaboration, and modern marketing tooling (A/B testing, CDP, marketing automation), and the developer ecosystem — talent pool, SDKs, GraphQL — remains small versus mainstream CMS peers.
Concrete CMS models content through page attributes (text, textarea, boolean, image/file, address, date, number, URL, email, rating, select, topics, etc.) and the Express system for custom relational data objects. ~12–15 built-in attribute types cover most use cases but there is no repeater/matrix field equivalent for page attributes. No schema-as-code option. Custom attribute types require PHP development. 9.4.0 added Open Graph attribute mapping but no new modeling primitives.
Express supports associations (one-to-many and many-to-many) between Express objects, with traversal available through the PHP API. Page-to-page relationships exist via the Page Selector attribute and page alias system. Relationships are functional but not graph-native; there is no bidirectional query API or reverse-lookup shorthand comparable to Craft or Hygraph.
Block-based page composition is Concrete CMS's core paradigm — content areas hold multiple block types that can be reordered. Express blocks allow embedding structured data objects inside pages, and 9.4.0 improved Express form set controls and block import/export. However, there is no matrix/nested-block field for deeply composing structured components within a single entry; nesting is limited to the page-level block stack.
Each attribute type includes standard validation rules: required, text min/max length, file type and size restrictions for image/file attributes, date range constraints. Unique constraint support for Express attributes was added in 9.1.0. Custom validation is achievable via PHP event hooks pre-save. No cross-field validation GUI or rule-engine builder.
Page versioning is a core Concrete CMS feature: every edit creates a new version, full version history is viewable, rollback is one click. The 9.1.0 release added HTML diff comparison between arbitrary page versions. Scheduled publishing is natively supported. No content branching or diff UI for non-page content (Express objects, files).
In-page visual editing is Concrete CMS's founding differentiator. Editors click any content area on the live page, add blocks, and drag-and-drop to rearrange — no form-based panel required. Non-technical users can reorganize page layouts entirely within the front-end. 9.4.x maintenance releases continued refining the editing experience (dialog behavior, mobile editing, dark mode). This is genuine in-page visual editing comparable to best-in-class among traditional CMSes.
Concrete CMS still ships CKEditor 4 (pinned at 4.22.1), a library that reached end-of-life in June 2023; the team has stated there are no plans to upgrade to CKEditor 5 due to license incompatibility and is still exploring alternatives for Concrete 10. Formatting, embedded images/files, and paste handling are solid, but output is an HTML blob and the underlying editor is EOL with no announced successor as of mid-2026.
Concrete CMS includes a file manager with folder organization, search, custom attributes on files, automatic responsive thumbnail generation, and an in-browser image editor (crop, rotate, resize, filters). 9.4.0 improved external storage (S3) performance and added file-download columns. WebP output requires a marketplace add-on or custom event listeners — no native focal point or WebP/AVIF URL transforms. Below average for modern media handling.
No evidence of real-time co-editing in Concrete CMS through 9.5.x. The version/approval workflow model is sequential — editors create a draft that routes through approvers. Last-write-wins behavior applies when multiple users edit concurrently without locking. No presence indicators or conflict resolution documented in any 9.4.x or 9.5.x release notes.
Workflow is a native Concrete CMS feature. Editors can attach multi-stage approval workflows to any page or page type via permissions. Role-based stage transitions, notification emails, and audit trail via version history are supported. Scheduled publishing integrates with workflows. More capable than a basic draft/published toggle and does not require a plugin.
A built-in REST API with OAuth2 and OpenID Connect authentication is available since Concrete 9.2+. Documented endpoints cover pages, files, Express objects, and more. No GraphQL API — the 2022 proposal noted GraphQL work had 'not yet been started' and there is no evidence it has shipped through 9.5.1 (mid-2026). The REST API is functional for headless use but not built with headless-first filtering/sorting depth.
Concrete CMS is primarily self-hosted open source with no built-in CDN. CDN integration requires external configuration (CloudFront, Azure CDN) following community tutorials; 9.4.0 added a misc.img_src_absolute config option that eases serving assets from external origins but is not a CDN layer. The official enterprise hosting includes managed infrastructure but is not a globally distributed CDN with sub-second cache purge. Score reflects the majority self-hosted deployment pattern.
Concrete CMS has an internal PHP application events system (on_page_version_approve, etc.) but no native HTTP webhook delivery layer, and nothing in the 9.4.x/9.5.x release notes adds one. Outbound webhooks require custom development or third-party marketplace add-ons. No HMAC payload signing, retry logic, delivery logs, or per-event filtering documented in core.
Concrete CMS is a traditional coupled CMS with a REST API added as a secondary capability. Rendering is PHP-template based, with Twig templating support newly added in 9.5.0 — a developer-experience improvement, not a channel-agnostic delivery change. Rich text output is raw HTML, not an AST, and there are no official SDKs for JavaScript, Swift, Kotlin, or other non-PHP runtimes. Headless use via REST is possible but secondary to coupled web rendering.
Concrete CMS has a native user group and user attribute system that drives block-level content visibility rules — basic rule-based segmentation for logged-in users. No CDP integration or real-time behavioral segmentation engine exists. Functional for gated/role-based content but well short of modern marketing segmentation.
Block-level show/hide based on user group membership is the extent of native personalization — no content variant system, no in-editor audience preview, and no external decision engine bridge. Adequate for access-controlled content but not for marketing personalization scenarios.
No native A/B testing exists in Concrete CMS core or the current marketplace. A legacy 'Experimenter' block-level A/B add-on exists only for end-of-life concrete5 5.6 and is no longer sold. Any experimentation on v9 requires fully external tooling.
No built-in algorithmic recommendation engine exists in Concrete CMS. Content discovery relies entirely on manual editorial curation (related pages blocks, manual linking). No ML-based or collaborative filtering capability found in core or marketplace.
Concrete CMS ships with full-text search backed by MySQL FULLTEXT indexing, covering page name, description, and text content fields. Faceting, typo tolerance, and advanced relevance tuning are absent. Adequate for small-to-mid sites but lacking enterprise search features.
No official Algolia or Elasticsearch marketplace add-on exists for Concrete CMS. Community Packagist packages for Algolia are minimal and unsupported. Custom webhook-based indexing is possible but requires full custom development with no supported patterns.
The Community Store is a widely adopted, actively maintained free add-on providing a full e-commerce stack (product catalog, cart, checkout, shipping modules, payment integrations) within Concrete CMS. It receives active 2025–2026 development. Not as high as true core commerce because it is add-on dependent, but it is the de facto standard.
Two Shopify integration add-ons exist on the marketplace (eCommerce with Shopify, Hutman Shopify Integration), providing product embed and checkout bridging at the product picker / embed level. No deep bidirectional sync or live product federation. No commercetools, BigCommerce, or SFCC connectors found.
Community Store provides product-specific field patterns (name, description, attributes, images, SKUs) within Concrete CMS's content model. Editorial product management is functional but relies on generic content types repurposed with product structure — not as sophisticated as purpose-built PIM tools.
Concrete CMS provides built-in page-view statistics, download statistics, form results tracking, and featured Matomo integration. 9.4.0 added a Total File Downloads column in the File Manager for asset engagement tracking. Goes beyond operational metrics but lacks deep engagement analytics.
Google Analytics tracking code injection is natively supported via Dashboard → System & Settings → Tracking Codes. Matomo is a featured first-party integration. Extended GA add-on provides OAuth2-based GA data in-CMS. No documented Segment or Amplitude connectors, keeping this below the 65+ tier.
Concrete CMS has a well-established native multi-site architecture where a single installation hosts multiple language/locale site trees with shared components and block types. Dashboard-level management is centralized. Governance tools are basic but multi-site capability is a known platform strength.
Document-level localization via separate page trees per locale with built-in copy-locale functionality and locale associations. RTL language support is native. Field-level localization is not available — content changes require page-level duplication. Solid for mid-market multilingual use cases.
A Translations Manager add-on and translate.concretecms.org exist for UI/interface string translation. No official integrations with enterprise TMS platforms (Phrase, Smartling, Lokalise, Crowdin) were found. Page content translation is primarily manual, placing this at the webhook-only / manual tier.
User group permissions and multi-site trees can approximate brand separation but no dedicated cross-brand governance tools, shared component libraries with policy enforcement, or global style/approval workflow controls exist. Multi-site is present but governance is basic permissions only.
Concrete CMS has a capable file manager with custom metadata attributes (the docs explicitly describe building a DAM system via attributes), folder structure, asset versioning with rollback, usage tracking across pages, per-file permissions, and download statistics (surfaced as a File Manager column since 9.4.0). Missing: rights/expiry management, a built-in CDN on self-hosted, and AI tagging for the self-hosted tier. Solid for a traditional CMS but not a purpose-built DAM.
CDN delivery on self-hosted requires third-party add-ons (Use CDN, Amazon S3, Azure Blob + CDN); built-in CDN only on SaaS tiers. Thumbnail generation with configurable dimensions is native but WebP requires a $20 marketplace add-on and AVIF is unsupported. Basic image crop/resize via built-in editor. Not qualifying for 40+ without native CDN and WebP.
No native video hosting, transcoding, or adaptive bitrate delivery in Concrete CMS. Video files can be stored in the file manager as static assets but there is no thumbnail generation, caption management, or streaming capability. Video presentation relies on embedding external services (YouTube, Vimeo); 9.4.7 only improved YouTube embed iframe rendering.
In-context drag-and-drop editing is the defining identity of Concrete CMS since its concrete5 era. Editors toggle Edit Mode to drag blocks into areas on the live page, seeing exactly what visitors see. Layout blocks support multi-column structures; 9.4.x releases continued refining editing and layout behavior. One of the strongest traditional CMS visual editing experiences.
Two built-in workflow types: Basic (single-step) and Enterprise (multi-step, role-based routing). Enterprise Workflow assigns different decision-makers at each stage, includes email notifications, a full audit trail of approvals/rejections, and a 'Waiting for Me' approval inbox. Approval batches allow bulk section launches. No visual workflow state machine builder — routing follows a sequential model only.
Scheduled publishing with FROM and TO date/time fields is natively supported on pages — content goes live at FROM and auto-unpublishes at TO. Workflows and scheduling can be combined. A Production Mode feature (since 9.2.0) distinguishes dev/staging/live environments. No full editorial content calendar UI; release bundles are not a documented feature.
No real-time simultaneous editing, presence indicators, or inline commenting found in Concrete CMS. Collaboration is entirely workflow-based and asynchronous — editors submit, reviewers approve/comment via the workflow system. Version history with author attribution exists but there is no conflict-free collaborative editing implementation.
Native drag-and-drop form builder supports CAPTCHA (SecurImage + reCAPTCHA), submission storage in DB with CSV export, email notifications, and multiple field types. Conditional field logic is absent natively; multi-step forms require the Form Reform marketplace add-on. Solid basic form builder without progressive profiling.
No native email campaign capability. Only a community Mailchimp add-on (JeRo's) exists, providing a subscribe form block with API v3 integration and Ajax submission — subscriber list sync only, no content push or triggered sends. No HubSpot, Salesforce Marketing Cloud, Brevo, or other ESP connectors found.
No native marketing automation capability exists in Concrete CMS — no behavioral triggers from CMS events, no drip campaign orchestration, no lead scoring. No tight integration with an automation platform found in the marketplace. Concrete CMS is not positioned as a marketing automation platform.
No native CDP capability and no Segment, mParticle, Tealium, or other CDP connectors found in the marketplace. Google Tag Manager can be injected via tracking codes to route events to a CDP indirectly, but this is not a supported integration. CDP integration is fully DIY.
The relaunched market.concretecms.com keeps growing with monthly 2026 additions (HTMX package, AI editor tools from De Webmakers, UI blocks) announced in town hall roundups, plus a 'Try Before You Buy' trial on SaaS hosting. Notable integrations include Shopify, Snipcart, Mailchimp, Stripe, Amazon S3, SAML SSO, and Azure CDN. The catalog remains in the low hundreds — substantially smaller than WordPress or Drupal ecosystems.
No native outgoing webhook system exists in Concrete CMS — no UI to configure endpoints, event triggers, retry logic, or signed payloads. The PHP application event system fires internal events (on_user_add, page events, file events) that developers can hook into with custom code. Outgoing HTTP webhooks require custom development with no supported patterns.
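What the missing pieces named above (HMAC payload signing, retry logic, a delivery log) look like in a custom sender and its receiver, as an added example that is not Concrete CMS core or marketplace code. The function names, the `X-Webhook-Signature` header and its `t=<unix>,v1=<hex>` format are assumptions for illustration; wiring the sender into a listener for events such as on_page_version_approve is left to the operator's own package.

```php
<?php
declare(strict_types=1);

// Added example. All names, the header format and the secret are hypothetical.

const WEBHOOK_TOLERANCE_SECONDS = 300; // replay window accepted by the receiver

/** Sender: signature header "t=<unix>,v1=<hex hmac>" computed over "<t>.<body>". */
function webhook_sign(string $body, string $secret, int $timestamp): string
{
    $mac = hash_hmac('sha256', $timestamp . '.' . $body, $secret);
    return "t={$timestamp},v1={$mac}";
}

/** Receiver: strict header parse, replay window, constant-time comparison. */
function webhook_verify(string $body, string $header, string $secret, int $now): bool
{
    if (!preg_match('/^t=(\d{1,12}),v1=([0-9a-f]{64})$/', $header, $m)) {
        return false; // malformed or missing signature
    }
    $timestamp = (int) $m[1];
    if (abs($now - $timestamp) > WEBHOOK_TOLERANCE_SECONDS) {
        return false; // stale or future-dated: treat as a replay
    }
    $expected = hash_hmac('sha256', $timestamp . '.' . $body, $secret);
    return hash_equals($expected, $m[2]); // avoids a timing side channel
}

/**
 * Sender: bounded retries with exponential backoff, returning a delivery log.
 * $transport is callable(string $body, array $headers): int (HTTP status),
 * injected so the HTTP client can be swapped or faked.
 */
function webhook_deliver(
    array $event,
    string $secret,
    callable $transport,
    int $maxAttempts = 3,
    ?callable $sleep = null
): array {
    $sleep = $sleep ?? static fn (int $seconds) => sleep($seconds);
    $body = json_encode($event, JSON_THROW_ON_ERROR | JSON_UNESCAPED_SLASHES);
    $log = [];

    for ($attempt = 1; $attempt <= $maxAttempts; $attempt++) {
        // Re-sign on every attempt so the timestamp stays inside the window.
        $headers = [
            'Content-Type' => 'application/json',
            'X-Webhook-Signature' => webhook_sign($body, $secret, time()),
        ];
        try {
            $status = (int) $transport($body, $headers);
        } catch (Throwable $e) {
            $status = 0; // network-level failure
        }
        $log[] = ['attempt' => $attempt, 'status' => $status];

        if ($status >= 200 && $status < 300) {
            break; // delivered
        }
        $permanent = $status >= 400 && $status < 500
            && $status !== 408 && $status !== 429;
        if ($permanent) {
            break; // a rejected signature or bad request will not improve on retry
        }
        if ($attempt < $maxAttempts) {
            $sleep(2 ** ($attempt - 1)); // 1s, 2s, 4s, ...
        }
    }
    return $log;
}

// --- Constructed demo: in-memory receiver that fails once, then verifies ---
$secret = 'example-shared-secret'; // placeholder; load from secret storage in practice
$calls = 0;
$receiver = function (string $body, array $headers) use (&$calls, $secret): int {
    $calls++;
    if ($calls === 1) {
        return 503; // simulated receiver outage
    }
    $ok = webhook_verify($body, $headers['X-Webhook-Signature'], $secret, time());
    return $ok ? 204 : 401;
};

// Constructed payload; field names are illustrative only.
$event = ['event' => 'on_page_version_approve', 'page_id' => 123, 'version' => 7];
print_r(webhook_deliver($event, $secret, $receiver, 3, static fn (int $s) => null));

// Tampered body and stale timestamp are both rejected by the receiver.
$sig = webhook_sign('{"a":1}', $secret, 1700000000);
var_dump(webhook_verify('{"a":1}', $sig, $secret, 1700000000));
var_dump(webhook_verify('{"a":2}', $sig, $secret, 1700000000));
var_dump(webhook_verify('{"a":1}', $sig, $secret, 1700000000 + 3600));
```

Signing the timestamp together with the body is what lets the receiver reject a captured request that is replayed later, and returning the per-attempt log gives the operator the delivery record that core does not keep.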
Concrete CMS is fundamentally a coupled CMS — headless delivery is not part of its positioning. The REST API (OAuth2, covering Pages, Files, Users, etc.) was designed for management operations, not content delivery. Draft versions are viewable by logged-in users with permissions but there are no shareable external preview links. Production Mode (since 9.2.0) distinguishes dev/staging/live environments at the server level.
Concrete CMS has a notably granular permission architecture: custom role creation, group-based assignments, content-level ACL per page/section, time-based permissions, and permission exclusions for individual users. SAML 2.0 SSO is now available via the Macareux SAML Authentication marketplace add-on (multiple IdPs, attribute and group mapping, documented Entra ID setup) — a material improvement over the prior LDAP-only situation. Still no field-level permissions and no SCIM, keeping this below the 65+ tier.
Concrete CMS ships a built-in REST API since 9.2+ with OAuth2 and OpenID Connect authentication; a community API Proposal package (9.1.1+) adds more endpoints documented via Swagger UI. No GraphQL API exists — the 2022 proposal explicitly stated GraphQL work 'has not yet been started' and as of mid-2026 no GraphQL delivery is documented; only a community graphql-websocket package exists. Filtering and sorting depth remains limited compared to headless-first platforms.
Concrete CMS is a self-hosted PHP platform with no built-in CDN or documented API rate limits. CDN integration requires external configuration via CloudFront or Azure CDN tutorials. No published throughput benchmarks or pagination ceiling documentation for the REST API. The official enterprise hosting does not publish CDN-backed API delivery specs.
No official SDKs are published for JavaScript, TypeScript, Python, Ruby, Java, .NET, or mobile. The platform is PHP-native and the PHP application framework is the primary developer surface. Community packages exist on Packagist and the Concrete Marketplace for PHP, but no multi-language official SDK ecosystem has been established and no SDK announcements appeared through the 9.5.x releases.
The Concrete CMS Marketplace (market.concretecms.com) lists thousands of add-ons and themes spanning SEO, forms, e-commerce, analytics, translation, and authentication, with continued 2025–2026 additions (Macareux SAML Authentication, Two-Step Authentication Advanced in March 2026). Breadth is solid for a traditional CMS, though the marketplace skews PHP-commercial and many integrations are narrow single-purpose add-ons rather than platform-grade integrations.
Concrete CMS provides a mature PHP extensibility model: custom block types (UI and rendering), custom packages, custom attribute types, custom single pages, custom themes, and a PHP event/hook system throughout the core. Version 9.5.0 (March 2026) added Twig templating support in block views, page templates, and single pages, modernizing the templating layer. No headless App Framework for cloud-hosted JavaScript extensions exists, but for a self-hosted PHP CMS the extensibility depth is strong.
OAuth2 and OpenID Connect are built into the Concrete CMS REST API core for API token management. SAML 2.0 SSO remains a marketplace add-on (Macareux SAML Authentication) rather than core, and MFA likewise depends on marketplace add-ons (Two-Step Authentication Advanced, March 2026; Two-Factor Login Security). SSO and MFA requiring third-party add-ons rather than core functionality keeps this below the 78+ threshold for mid-tier SSO inclusion.
Concrete CMS has a sophisticated RBAC system: group-based user management, granular page/page-type-level permissions, time-based access control, permission exclusions for rule exceptions, and custom single-page permissions. The 9.5.0 release also shipped permission fixes, indicating active maintenance. This exceeds predefined-roles-only, but no field-level permissions are documented and content-instance access control is not a core GUI feature.
Concrete CMS now publishes a security features page advertising ISO 27001 certification plus SOC 2 and HIPAA compliant hosting for its managed offering — a material improvement over the previously undocumented posture. However, the page does not specify SOC 2 Type 2 vs Type 1, publish audit reports, mention GDPR/EU data residency, or maintain a trust portal, and self-hosted compliance remains entirely operator-owned. Claims exist but verification depth is thin, holding this below the 65+ band.
Concrete CMS operates a HackerOne responsible disclosure program and became a CVE Numbering Authority, with good advisory quality. However, 2026 brought high-severity findings: CVE-2026-8426 (CSRF enabling remote command execution via the marketplace upgrade flow, CVSS 7.5) and CVE-2026-8428 (missing CSRF token validation, High), plus RCE/XSS fixes in 9.4.8, all patched by 9.5.1 (May 2026). Prompt patching and transparent disclosure soften the impact, but the shift from low/medium XSS to CSRF-to-RCE class issues lowers the score from the prior assessment.
Concrete CMS is available as self-hosted open source (PHP/MySQL on any LAMP/LEMP stack) and via official enterprise hosting from PortlandLabs with GitLab deployment, managed PHP/MySQL, and direct core-team support — now backed by ISO 27001/SOC 2/HIPAA compliance claims for the hosted tier. The dual model provides flexibility for regulated industries (self-hosted) and managed convenience. No VPC or private cloud option is documented for the managed offering.
The Standard Hosting SLA page still states that PortlandLabs 'makes no guarantees on uptime availability under this agreement,' caps damages at fees collected, and places backup responsibility on the subscriber. No published uptime percentage or public status page was found for the official hosted offering as of mid-2026. Self-hosted installations carry no vendor SLA by definition. This remains firmly in the no-formal-SLA tier.
Concrete CMS uses a standard PHP/MySQL architecture with no built-in horizontal scaling, auto-scaling, or CDN delivery. Scalability is entirely dependent on the operator's infrastructure choices (load balancers, Redis caching, CDN). PHP 8.4/8.5 readiness in 9.5 keeps the runtime current, but no documented enterprise-scale references or published API throughput benchmarks were found. Adequate for mid-market self-hosted deployments but not enterprise-proven at scale.
The official enterprise hosting includes managed infrastructure, but the Standard Hosting SLA explicitly states backups are provided 'for the courtesy of the subscriber' and that maintaining backups is 'the sole responsibility of the subscriber,' with no RTO/RPO documentation, retention policies, or multi-region failover published. For self-hosted deployments, backup and DR responsibility falls entirely to the operator. Content export via database dump is possible but no built-in export tooling comparable to headless platforms was documented.
Concrete CMS is a PHP application that runs fully on a local LAMP/LEMP/MAMP stack, DDEV, Docker Compose, or any PHP 8.x environment, with 9.5 adding PHP 8.4/8.5 readiness. The GitHub repository is Composer-managed, enabling standard PHP local setup, and the `concrete/bin/concrete5` CLI handles cache clearing, migrations, and other tasks. No official DDEV quickstart comparable to Craft's, but local development is well-supported.
The official enterprise hosting uses GitLab deployment pipelines. Concrete CMS does not have a schema-as-code system comparable to Craft's Project Config — content model configuration is stored in the database, not version-controlled YAML. Environment management (dev/staging/prod) exists in the hosted offering but no branch-per-PR content environment support was documented. Standard PHP deployment patterns (Deployer, Capistrano) apply for self-hosted.
Official developer documentation at documentation.concretecms.org covers the 9.x REST API, block/package/attribute development, permissions, versioning guides, and per-release notes (9.5.1 release notes published May 2026). User guides cover the full editorial experience. Documentation is functional and actively maintained but reflects a PHP-era development style with fewer framework-specific integration guides or interactive playgrounds compared to modern headless CMS documentation.
Concrete CMS is a PHP-native platform with no official TypeScript SDK, no type generation from the content model, and no published npm packages. The REST API returns JSON that consumers can type manually, but there is no official @concretecms npm package, no codegen tooling, and no IDE type integration documented. The 9.5 modernization focused on Twig and PHP 8.5, not JavaScript/TypeScript tooling.
Concrete CMS shipped 12 releases in the past 12 months on a near-monthly cadence, including the 9.5.0 feature release (2026-04-28) adding Twig templating support, followed quickly by 9.5.1 (2026-05-19) and 9.5.2 (2026-06-03). Cadence is consistent and now includes meaningful feature minors, not just patches, but the platform is not shipping major features monthly, which keeps it below the 75+ band.
GitHub release notes are well-structured with New Features / Behavioral Improvements / Bug Fixes sections and per-change contributor attribution (verified on 9.5.0). However, breaking changes are not called out in a dedicated section and migration guides are not linked per-release, keeping it below the 75+ band for enterprise-grade changelogs.
The public roadmap at concretecms.org/roadmap lists Current Focus (bug fixing, marketplace rebuild, CMS-marketplace integration) and Future Focus (Concrete v10, CKEditor replacement evaluation, AI integration for site building), and monthly town halls continued through May 2026. There is still no community voting or prioritization portal (no Canny/GitHub Discussions upvotes), which caps the score at the moderate band.
The 9.x line uses semver-compatible versioning, v8 received a final security patch (8.5.21, 2025-08-05) under a structured LTS wind-down, and v10 is signposted on the public roadmap ahead of release. No automated codemods or formal published deprecation-window policy was found, so transition handling remains present but not enterprise-grade.
The main GitHub repository has 841 stars and 475 forks (verified 2026-06-10), placing it below the 1K-star threshold that maps to sub-45 scoring for an open-source platform. The forum is active but small-scale, and Stack Overflow volume is sparse. The community is real but well below mainstream open-source CMS peers like Drupal or Strapi.
Engagement is genuine and verifiable: 113 PRs opened since 2026-01-01, daily forum activity, monthly town halls through May 2026, named community contributors credited in every release note (mlocati, hissy, ounziw, ccmEnlil), and a dedicated 'Squash Week' core-team bug/security sprint held May 4-7, 2026 with open community participation. Constrained by small absolute community size, so it stays below the 65+ band.
Concrete CMS maintains a formal certified services partner program with a certification test, a partner directory, and a Regional Partner Forum linked from the project site. However, the certified partner list remains limited to small regional agencies with no Tier-1 SIs (Accenture, Deloitte, Valtech), limiting enterprise delivery capacity.
Third-party content exists — agency blog posts, forum tutorials, some YouTube content, and an April 2026 TechRadar editorial review — but there are no notable Udemy or Pluralsight courses and minimal conference talk presence. The content ecosystem supports getting started but does not validate broad market adoption.
Talent supply remains a thin niche pool: only a handful of LinkedIn job postings mention Concrete CMS, there is no certification program tied to major learning platforms, and the platform is absent from Stack Overflow Developer Survey recognition. Freelancers exist on Upwork and the project's own jobs forum, but enterprise hiring at scale would be difficult.
Concrete CMS won its third consecutive SourceForge Leader Award (Spring 2026, following Fall 2025 and Winter 2026), indicating a sustained, actively reviewing user base, and earned a TechRadar top-CMS editorial pick in April 2026. However, no major enterprise logo announcements or fresh case studies were found, so the trajectory reads as stable-with-positive-press rather than growing.
PortlandLabs remains a small, privately held company with no disclosed funding rounds, operating the platform continuously since 2008. Ongoing monthly releases, an active 2026 marketplace-rebuild initiative, and no layoff or distress signals support credible bootstrapped stability, but the absence of growth capital caps long-term velocity.
Concrete CMS holds a clear niche — SMB and government/military sites emphasizing inline editing and granular permissions — and gained an April 2026 TechRadar editorial endorsement as an 'impressive, open-source solution.' It remains absent from Gartner MQ and Forrester Wave and is not strongly differentiated against Drupal or WordPress in broad market perception, so positioning stays defensible but narrow.
The G2 rating stands at 4.5/5, but with only ~66 reviews, volume remains well below the 200+ threshold for top-tier scoring, mapping to the 45-60 band per formula and trending toward the top given rating quality. The Spring 2026 SourceForge Leader Award (top 5% of favorably reviewed software) corroborates positive sentiment. Direct G2 re-verification was blocked this cycle, so confidence is MEDIUM.
Concrete CMS publishes managed hosting tiers openly: Starter at $4.99/mo and Business at $19/mo (both billed annually), with limits clearly listed. Enterprise/Custom SLA pricing remains sales-gated. The core software is free and open source (MIT), so the most common deployment path has zero licensing cost. Deducted for annual-billing-only managed plans and sales-gated Enterprise — the industry-norm pattern.
Self-hosted (the primary deployment path) has zero license cost — completely flat and predictable. Managed hosting uses simple flat-fee tiers with clear page-view, storage, and editor-seat limits, with no API metering or bandwidth overage charges. The only friction is the lack of a monthly billing option on managed plans.
All core CMS features are fully available in the free MIT-licensed self-hosted version — no functional capability is paywalled. However, both Starter and Business managed plans explicitly state 'NO ACCESS to source code,' reserving custom code deployment for the sales-gated Custom SLA tier, and marketplace add-ons are sometimes reported as limited in selection and arbitrarily priced. Self-hosting remains a full-featured escape hatch, which limits the impact.
Managed hosting is annual-only with no published monthly option. However, the self-hosted path has no contract or lock-in whatsoever. No evidence of startup discounts, nonprofit pricing, or education programs was found on the pricing page. The annual-only managed billing is a mild friction point offset by the zero-commitment open-source route.
The full CMS software is free forever under the MIT license and can be self-hosted on any PHP host — a genuine, permanent, commercially permissive free path rather than a trial. Users still need to provision their own PHP hosting (from ~$3/mo via partners), so it is not a zero-cost managed free tier. No managed free plan exists.
Concrete CMS runs on standard PHP and installs on shared hosting in minutes with standard tooling; 2026 reviews describe it as working 'out of the box' and 'easy to setup' with rich built-in features reducing plugin hunting. The inline page-editing model lets editors become productive quickly — reviews cite training 'in minutes instead of hours or days.' Slightly more setup than pure SaaS, comparable to Craft CMS or Joomla.
Community reviews consistently describe fast deployments for typical marketing sites — basic setups of 10–20 developer hours and a recurring claim that 'development time and cost is nearly cut in half.' Info-Tech notes 'low cost of deployment.' Complex enterprise builds with custom themes/add-ons can run 100+ hours, but there is no community signal of consistently overrunning timelines.
Concrete CMS is PHP/MySQL-based using mainstream web skills, keeping the specialist premium lower than proprietary Java or .NET DXPs — freelance rates of $50–150/hr align with standard PHP work. However, its talent pool is significantly smaller than WordPress or Drupal, so hiring developers with specific Concrete CMS experience carries a moderate premium. PHP generalists ramp up reasonably quickly.
Self-hosted deployments run on commodity PHP/MySQL hosting from ~$3–15/month, among the cheapest operational options in this dataset. Official managed hosting starts at $4.99/month (Starter) or $19/month (Business) including SSL, backups, and managed upgrades. Enterprise managed deployments add cost for staging, CI/CD, and high availability but the base infrastructure overhead remains low.
Self-hosted deployments require routine PHP server maintenance, CMS core updates, and add-on patching — typical of any traditional CMS. Official managed hosting includes managed upgrades, nightly backups, and security monitoring, substantially reducing ops burden on that path. Since most production deployments are self-hosted, moderate sysadmin overhead is the realistic norm; no platform-engineering team is needed.
As MIT-licensed open source with a standard MySQL database and filesystem assets, Concrete CMS has low exit cost — content and data are exportable with standard tooling, and moving between managed hosting, self-hosting, or other providers is straightforward. Proprietary marketplace add-ons and the lack of source-code access on cheap managed tiers add only minor migration friction since the underlying platform is fully portable.
Concrete CMS retains a substantial proprietary vocabulary: Pages, Areas, Blocks, Stacks, Themes, Express (a bespoke no-code relational data system), Attributes, Single Pages, and Packages. The Page/Area/Block hierarchy and Express data model have no equivalents in mainstream PHP or JS frameworks. User reviews describe the learning curve as manageable for PHP developers, but the concept count is well above the <5 threshold for higher scores.
Official docs at documentation.concretecms.org include a developer guide, user guide, and API reference, plus a certification program at training.concretecms.com. There is still no interactive sandbox, no structured framework-specific learning path, no headless quick-start, and the REST API docs remain thin. The standalone 'How to Learn Concrete CMS' page signals the onboarding journey is not self-evident.
Concrete CMS uses a custom PHP MVC framework — not Symfony or Laravel — with server-rendered PHP templates. No official SDKs exist for JavaScript/TypeScript or any other language, no GraphQL API, and no first-class headless frontend integration path. The REST API (OAuth2, since 9.2+) is functional but not headless-first; 2026 headless CMS roundups for Next.js/React do not mention Concrete at all.
No official Next.js, Nuxt, Astro, or React starter template exists, and no CLI scaffolding tool. The only package boilerplate remains a community-maintained third-party repo (MacareuxDigital/v9_package_boilerplate). Marketplace themes are paid commercial products, not development starting points — a meaningful gap relative to modern headless platforms and even Joomla.
Installation via Composer + interactive CLI or zip upload is straightforward for PHP developers with standard PHP/MySQL requirements, and 9.4.x improved CLI task feedback and added JSON config support in import XML, modestly improving automation. There is still no official Docker dev environment, no environment variable management pattern, and the REST API must be explicitly enabled via the Dashboard UI; production hardening requires a separate best-practices doc.
Content modeling uses Attributes (typed metadata) and Express (a proprietary relational object builder). There is no migration tooling for schema evolution, no TypeScript type generation, and no schema-as-code workflow; Express relationships do not map naturally to REST API output without additional wiring. User reviews also note there is no syncing process between local and remote environments, compounding schema-change risk on live content.
In-context WYSIWYG editing remains a core Concrete CMS strength — editors click directly on page elements in Edit Mode with full draft/version management and built-in workflow approvals, so coupled-architecture preview fidelity is excellent. The penalty: for headless/decoupled setups there is no draft preview API, no native webhook delivery layer, and no Next.js draft mode integration — preview is entirely server-side.
Building custom Blocks requires learning Concrete's proprietary controller/view/form structure, and extending the REST API requires platform-specific service provider and routing patterns. The certification at training.concretecms.com is Concrete-specific, not a portable credential, and the developer talent pool is small (GitHub ~2.6k stars), making staffing harder than for Drupal, WordPress, or modern headless platforms. Standard React or Laravel knowledge does not transfer.
A solo PHP developer can build and deploy a traditional Concrete CMS site; a 2-person team is viable for moderate complexity. Self-hosted deployments require ops capability unless using managed hosting, and reviewers report friction with 3+ developers on one project due to the lack of environment syncing. For headless usage the team expands to include a separate frontend developer since the REST API is not headless-first.
The in-context editing model lets content editors work directly on pages without developer involvement for routine updates; reviews consistently praise editor self-service ('editors catch on quickly with very little need for support'). 30+ built-in block types and built-in approval workflow reduce governance overhead. Penalties: new content types (custom blocks, Express objects) require PHP development, and permissions/ACL configuration needs developer involvement.
Concrete CMS upgrades remain a self-hosted operation: database migrations are applied on the first page visit after file replacement, and no downgrade path exists — only backup restore. The 9.4→9.5 jump (April 2026) added Twig templating and PHP 8.5 support without major breaking changes per the minor-version policy, but themes, custom code, and third-party packages must all be verified compatible before upgrading. Frequent releases mean regular upgrade events for self-hosters.
Active HackerOne program and monthly patch releases continue, with fast turnaround demonstrated in 2026: 9.5.1 (May 2026) fixed five CVEs — including RCE via insecure deserialization (CVE-2026-8135) and path traversal RCE (CVE-2026-8134) — about three weeks after 9.5.0 shipped. However, patching always means upgrading the full self-hosted installation, and the steady stream of serious CVEs (RCE, CSRF-to-RCE in CVE-2026-8426) puts real urgency on self-hosted admins.
As an open-source platform, Concrete CMS imposes no vendor-controlled forced migrations; teams upgrade on their own schedule. The ESM model provides at least 3 years of critical security updates on the last minor of each major version. The 9.5 Twig templating addition is additive — legacy PHP templates were not deprecated on a forced timeline.
Concrete CMS runs on a standard LAMP stack (PHP 8.x, MySQL/MariaDB, Apache or Nginx) with no mandatory external services — a relatively contained dependency graph, and PHP 8.5 support landed in 9.5. However, transitive dependency risk is real: 9.5.2 (June 2026) specifically patched vulnerabilities in third-party dependencies and PHP object injection issues, so self-hosters must track core releases for dependency fixes.
Concrete CMS provides no native APM, usage dashboards, or built-in status observability. Self-hosted teams must set up all web server, PHP-FPM, database, and application-layer monitoring independently. Documentation covers cron jobs and CLI operations but no monitoring tooling.
Concrete CMS offers a traditional page/block editing model with no documented automated content hygiene tooling — no orphan detection, broken link alerts, or content expiry workflows built into core. Content governance relies on manual editorial discipline, with some marketplace add-ons but no native automation.
Performance is entirely customer-managed for self-hosted deployments: cache configuration, database query tuning, CDN selection, and PHP settings all require explicit setup. The 9.5 release notes cite performance improvements, but there is still no native CDN or managed caching layer. The hosted offering reduces some burden but is not the default mode.
Formal paid support is available primarily through the managed hosting offering; the open-source community edition relies on forums and community channels. 2025–2026 reviews continue to flag that 'development support is limited, making receiving assistance for rare or undocumented difficulties difficult' and that developer documentation lags. Reasonable for an open-source CMS but not SLA-backed for self-hosters.
Concrete CMS maintains an active, passionate community — 2025 reviews note 'there is always someone on the forums to help' and the team publishes regular community round-ups. It remains much smaller than WordPress/Joomla communities, and documentation gaps mean edge-case questions can go without good answers.
2026 demonstrated strong security response velocity: 9.5.1 shipped roughly three weeks after 9.5.0 to fix five CVEs including RCE-class issues, followed by 9.5.2 a few weeks later for dependency vulnerabilities, with transparent advisories via HackerOne and the security page. General non-security bug resolution still follows community contribution cadence, which is slower than a fully staffed vendor — keeping this below the 60+ band.
Concrete CMS has a native drag-and-drop block editor where marketers can add layout columns and drop content blocks without writing code. Page types for ad landing pages can be excluded from navigation. Scores 66 rather than higher because the block-area model is less WYSIWYG than modern page builders like Elementor and requires some setup for custom layouts.
Concrete CMS has scheduled publishing and integrations with Mailchimp, Constant Contact, and Mautic via add-ons, but no native campaign management, content calendar, or multi-channel campaign coordination. Marketers must rely entirely on external tools for campaign lifecycle. Score reflects the typical range for traditional CMS platforms without dedicated campaign tooling.
Concrete CMS includes built-in SEO controls: meta title/description/keywords per page, a Bulk SEO Updater for site-wide meta management, custom URL slugs, automatic XML sitemap generation, and redirect management. The official SEO feature page details these capabilities. Missing Schema.org structured data automation keeps it below 75.
A native form builder (drag-and-drop, no code) is included for lead capture. Integration with external marketing automation (Mailchimp, Mautic) is available, but there is no built-in conversion tracking, UTM parameter management, or CTA analytics. Score reflects solid form handling with minimal native conversion tooling.
Concrete CMS supports user-group-based content visibility — pages and blocks can be shown or hidden based on authenticated user groups — providing basic rule-based targeting. However, there is no native behavioral targeting, geo-targeting, or AI-driven personalization engine. The marketplace does not list a dedicated personalization add-on. This places it in the 15–35 range for limited native personalization with third-party dependency.
No native A/B testing or experimentation capability is present in Concrete CMS core or the current marketplace. A legacy 'Experimenter' add-on (block-level A/B/multivariate testing) exists only on the archived concrete5-era marketplace and is not maintained for v9. Teams would need to integrate VWO or Optimizely via external script injection, with no tight CMS-level integration. Scores at the floor of the scale for this item.
Inline editing directly on the front-end is a core differentiator for Concrete CMS — editors click any block to edit in place without navigating to a dashboard. Page types serve as templates for fast new-page creation. Block library enables drag-and-drop reuse without developer involvement. The 9.4.0 release (May 2025) added dashboard bulk page editing — page type, template, theme, and caching settings can now be changed across many pages at once — strengthening bulk operations alongside the existing Bulk SEO Updater. Scores 64 rather than 70+ because complex multi-region layouts still benefit from developer setup, and there is no AI-assisted content drafting.
Concrete CMS is primarily a web-delivery CMS, but the built-in REST API (shipped in 9.2+, with OAuth2 and OpenID Connect authentication and documented endpoints) now enables genuine API-based content delivery to other channels. However, the API is not headless-first — limited filtering/sorting depth, no GraphQL (the 2022 proposal's GraphQL work never started), and no official SDKs for any language. Content models remain page-tree-based rather than structured for channel renditions, and no email, push, social, or in-app delivery is built in. Score moves to the top of the single-channel band to reflect functional API delivery without multi-channel tooling.
Concrete CMS supports Google Analytics and similar tag-based integrations through the dashboard's tracking code injection and via add-ons in the marketplace. There are no native content performance dashboards or engagement metrics within the CMS itself. The official features page mentions 'consolidated reporting' but this refers to form/data reporting rather than marketing analytics. Score reflects standard tag integration with external analytics tools.
Concrete CMS has a Style Editor that allows administrators to define brand-level typography, colors, and layout tokens applied across the site. Page types and block templates enforce structural consistency. However, there is no hard lock-down mechanism preventing editors from overriding brand tokens on individual blocks, and there is no design token system comparable to modern component libraries. Score reflects component-based consistency without enforcement.
Concrete CMS 9.4.0 added native Open Graph support for social media sharing control, complementing the SEO block's Twitter Card meta management. Social sharing widgets are available as marketplace add-ons. There is no native push-to-social scheduling or UGC embed tooling. Scores in the 30–50 range for OG/card meta tag management plus marketplace-available sharing widgets.
Concrete CMS has a built-in File Manager that handles image uploads, auto-generates thumbnails at configurable sizes, supports file tagging and folder organization, and provides a usage tracker to see where assets are used. This is functional for moderate marketing volumes but lacks rights management, video hosting, advanced image transforms (beyond thumbnail presets), and DAM-grade search. Scores in the 35–55 range for basic media library with some transforms.
Concrete CMS has built-in multilingual support with separate page trees per language, synchronized content relationships, and a dashboard translation interface. This supports generic localization of marketing content including locale-specific page variants. However, there are no marketing-specific transcreation workflows, locale-level campaign scheduling, or regional compliance tools (cookie consent, legal disclaimers) beyond what can be manually built. Score reflects generic localization applied to marketing content.
Concrete CMS has documented integrations with Mailchimp, Constant Contact, and Mautic (email/MAP category) via marketplace add-ons. The marketplace also lists HubSpot and Salesforce integrations. However, these represent shallow embed or form-sync integrations rather than deep API-level event triggers or CDP connectivity. No pre-built ad platform or bidirectional CRM connectors were found. Score reflects some integrations plus generic webhook/API capability.
The Community Store add-on enables basic product content: images, variants (size/color) with distinct pricing, stock tracking, and product grids. However, it is a community-maintained add-on, not a core feature, and is not purpose-built for rich editorial product content at scale. Community Store remains actively maintained (updated April 2026, compatible with v8 and v9) but reviews note limited ecommerce maturity versus dedicated platforms.
Community Store includes basic discount codes and automatic discounts but has no cross-sell/upsell content management, category search merchandising, or promotional content scheduling tools. This is typical for CMS-based community add-ons; Concrete CMS is not a commerce-first platform.
Two Shopify integration add-ons are now on the Concrete CMS Marketplace — 'eCommerce with Shopify' (configurable Shopify storefront embedding) and 'Hutman Shopify Integration' (imports Shopify products into Concrete pages) — and Ecwid also offers a shopping cart add-on. These remain embed/product-import integrations rather than deep API federation or real-time content+product co-authoring. No documented integration with commercetools, SFCC, or BigCommerce.
Concrete CMS pages can embed Community Store product blocks alongside editorial content blocks, enabling basic product-in-context layouts. However, shoppable content, buying guide templates, or lookbook authoring patterns are not first-class features — they require manual assembly from generic blocks. No native inline product reference with purchase CTA tooling. Score reflects product embeds possible but not a purpose-built editorial commerce pattern.
Community Store has a single-page checkout flow (billing, shipping, payment) but this is rendered by the add-on, not the CMS content editor. There is no mechanism to inject CMS-managed trust badges, upsell banners, or post-add modals into the checkout flow without template modification. Scores near the floor as checkout content is fully in the Community Store template.
Community Store supports automatic digital product downloads after purchase, providing a minimal post-purchase CMS content experience. Order confirmation emails are template-based within Community Store, not CMS-managed pages. No delivery tracking pages, loyalty program content, or review solicitation content sequences are managed from the CMS. Scores near the floor.
Concrete CMS's granular user-group permissions can gate product documentation or catalog pages to authenticated B2B users, providing basic access-controlled content. However, there are no B2B-specific features: no customer-specific pricing display, no quote-request workflow, no account-based catalog segmentation. Score reflects basic access control applicable to B2B without purpose-built B2B commerce content features.
Concrete CMS has a built-in site search (using PHP/MySQL full-text or Solr integration for larger deployments). Community Store products appear in site search. However, there is no faceted search enrichment, no search landing page tooling, and no blended content-product search result management. Score reflects basic search with minimal content-side enrichment for commerce.
Scheduled publishing in Concrete CMS core allows time-limited promotional banners to be activated and deactivated without developer involvement. Community Store supports discount codes with time limits. However, there are no countdown timers, promo code messaging blocks, or channel-specific promotional targeting natively. Score reflects basic scheduled banners slightly above the floor.
The multi-site architecture can serve multiple storefronts from one installation, each with its own content tree, theme, and user base. Shared block/template components reduce duplication. However, product content between storefronts is not natively federated — each site manages its own product pages via Community Store instances, creating some duplication. Score reflects multi-storefront possible with partial content sharing.
Community Store supports multiple product images with lightbox display. The file manager auto-generates thumbnails. Video embeds via YouTube/Vimeo blocks are possible on product pages. However, there are no 360-degree view capabilities, AR/3D model references, or image hotspot tooling natively. Score reflects basic image galleries and video embeds without advanced visual commerce features.
Community Store is a single-vendor storefront add-on with no multi-vendor marketplace capability. There are no seller profile pages, seller-contributed product descriptions, or content quality moderation at multi-vendor scale in either core Concrete CMS or Community Store. This is beyond the platform's intended scope.
The built-in multilingual system with separate page trees can be applied to product pages managed via Community Store, enabling locale-specific product descriptions. However, there is no currency-aware content block system, no regional regulatory content automation (EU labels, Prop 65), and no market-specific promo calendar. Score reflects generic localization applied to product content without commerce-specific locale tooling.
Google Analytics and GA4 can be integrated via script injection to track commerce events from Community Store checkouts, but this requires manual configuration and analysis happens entirely in GA4. There is no native content-to-revenue attribution within the CMS and no content-assisted conversion tracking dashboard. Score reflects basic analytics integration with conversion data in fully external tools.
Concrete CMS has a well-documented granular permissions system: permissions can be set at page, page type, or area level, inherited by child pages, and scoped to user groups, individual users, or custom roles. SSO integration is supported and used in production (BASF enterprise intranet case study). ISO 27001/SOC 2/HIPAA certification confirms enterprise-grade security posture. Score stops short of 75 because field-level sensitivity is not a native feature.
Concrete CMS supports version history, approval workflows, and content moderation which covers basic knowledge article lifecycle. There is no native knowledge taxonomy, content expiry/review scheduling, or internal search tuning beyond site search defaults. Functional for moderate intranet needs but lacks dedicated knowledge management tooling.
Concrete CMS actively markets HR portal and internal communications solutions with configurable news feeds, team pages, and SSO-backed access — a step above most generic CMS platforms for intranet use. The Army Civilian Senior Leader Management Office (CSLMO) Senior Executive Portal adds to the government portal case study roster. However, it lacks native employee directory integration, social features (likes/comments), or a mobile app, keeping it in the low-50s rather than 60+.
Concrete CMS supports targeted news publishing by user group, enabling department-specific announcements. The HR portal and internal communications solution page highlights news feeds and workflow-backed approvals. However, there are no read receipts, acknowledgment tracking, or mandatory-read workflows in core or the marketplace. Score is in the 30–50 range for basic news publishing with audience targeting.
Concrete CMS has no native employee directory or org chart visualization. User profiles exist in the system but are minimal (name, email, groups). A directory could be custom-built using page types and the member list block, but this requires developer effort and is not a configurable out-of-the-box feature. No HR system integration (Workday, BambooHR) is documented. Score reflects basic directory buildable with custom development.
Concrete CMS provides version history (full page version control), multi-level approval workflows, and content expiration — covering the basics of policy document lifecycle. There is no mandatory acknowledgment tracking, no automated review expiry reminders for policy authors, and no audit trail viewer beyond version history. Score reflects basic document publishing with version control above the floor.
The HR portal application page references onboarding workflows and structured content for new hires, enabled by Concrete CMS's page-type system and access control. However, there are no structured onboarding journeys with progressive disclosure over 30/60/90 days, role-specific content paths, or task checklists that activate automatically from an HR event. What exists is the ability to build onboarding pages rather than a purpose-built onboarding delivery system.
Concrete CMS has built-in site search based on MySQL full-text indexing for smaller deployments, with a Solr/Elasticsearch add-on available for larger installations. Search covers pages, files, and user-submitted content. There is no federated search across external systems (SharePoint, Confluence), no AI-powered relevance ranking, and limited faceted filtering. Score reflects adequate internal search with basic faceting capability.
Concrete CMS front-end themes are responsive and render on mobile browsers. The inline editing interface is available on mobile browsers but is not optimized for touchscreen use. There is no native mobile app, no offline support, no push notifications, and no low-bandwidth mode or kiosk/shared-device configuration. Score reflects responsive web access without native mobile app support.
Concrete CMS can host training content as standard web pages or documents accessible to specific user groups. The HR portal page mentions training materials. However, there is no LMS integration (Cornerstone, Workday Learning), no course assignment, completion tracking, or certification management in core or the marketplace. Score reflects basic learning content hosting without any tracking or LMS connectivity.
Concrete CMS HR portal and intranet marketing reference employee recognition tools and engagement surveys, but evidence for native social features is thin. The Conversation block provides threaded discussion on pages. There are no reactions, polls, community spaces by department/interest, or peer recognition workflows in core. The Conversation block and community forum usage suggest limited social capability rather than a full social layer.
No documented integration with Microsoft 365/Teams, Google Workspace, or Slack was found in the Concrete CMS marketplace or official documentation. SSO can authenticate against Azure AD (Microsoft) or Google via third-party add-ons, but that does not constitute embedded content cards or bot-driven notifications in workplace tools. Score reflects no meaningful workplace tool integration.
Concrete CMS has content expiration dates in core — pages can be set to expire automatically on a future date. Version history enables rollback. Approval workflows provide a structured review cycle. However, there is no automated stale content flagging based on age, no ownership assignment for review reminders, and no formal archival workflow. Score reflects basic content expiry and manual review above the floor.
Concrete CMS HR portal marketing references analytics and reporting for employee engagement. However, no native department-level page view analytics, failed search term dashboards, or intranet adoption dashboards exist in the platform. Analytics relies on GA4 or similar external tools injected via script. Score reflects basic page view analytics available externally without intranet-specific engagement measurement.
Concrete CMS supports multi-site architecture from a single installation with separate content trees, separate user bases, and configurable permission isolation per site. The IMCOM case study (hundreds of garrison websites on one install with compliance controls) validates silo-based isolation at scale. This is not a true multi-tenant SaaS architecture with independent environments, but provides meaningful silo-based separation.
Multi-site installs in Concrete CMS share a single codebase, theme, and block library, allowing centrally maintained templates and blocks to be reused across all sites while permitting local overrides. Branding consistency is a stated feature of the multi-site product. Not a federated content API model but provides shared component infrastructure through the install architecture.
The IMCOM deployment demonstrates centralized compliance and security controls across hundreds of sites, with thousands of individual content managers operating within enforced governance. Concrete CMS provides multi-level approval workflows, page-level and block-level access controls, content expiration, and centralized user management across the multi-site network. Cross-brand approval workflows are limited to within-site workflows rather than a true cross-brand governance console.
Concrete CMS is open source (free community edition), so adding sites does not incur per-brand licensing fees — only infrastructure and managed hosting costs scale. The multi-site architecture runs many sites on one install, reducing server overhead versus separate deployments. Commercial support packages exist but are not required per-site.
Each site in a Concrete CMS multi-site installation can have its own theme, color palette, typography, and style settings via the Style Editor. Per-site theme assignment and style customization are straightforward. However, this is CSS/configuration-level theming rather than a design token system with inheritance from a central brand library. Score reflects basic CSS/config theming per brand with shared component structures.
The multilingual system combined with multi-site architecture allows per-brand, per-locale content trees. Each brand/site can have its own translation workflow via the dashboard. However, there is no governance layer for brand-aware translation approvals, no differentiation between shared vs. isolated translation workflows at the brand level, and no regional legal content governance per brand. Score reflects basic per-brand localization with shared workflows.
No cross-brand analytics dashboard exists in Concrete CMS. Each site's analytics relies on separately configured external tools (GA4, etc.), and there is no aggregated portfolio view of content performance across sites. A multi-site admin can navigate between sites but sees no unified metrics. Score reflects no cross-brand analytics with manual aggregation required.
Approval workflows in Concrete CMS can be configured per page type and per site, giving individual brand sites some control over their publishing workflow stages and approvers. The multi-site admin can see and manage all sites but workflow configuration is per-site. There is no central workflow audit console spanning all brands. Score reflects some workflow variants per brand without central audit trail across brands.
In a multi-site Concrete CMS installation, globally shared blocks, templates, and page types cascade to all sites from the central codebase. However, there is no CMS-level mechanism to push a specific piece of content (e.g., a press release or legal disclaimer) from a corporate parent site to child brand sites with controlled override points. Content syndication requires developer-built solutions. Score reflects basic content sharing through architecture with no native push-syndication workflow.
Concrete CMS has ISO 27001/SOC 2/HIPAA certifications and per-site configuration options allowing compliance settings (cookie consent, legal page content) to be managed per brand. Cookie consent add-ons are available in the marketplace. However, there are no automated publishing guardrails preventing non-compliant content, no per-brand accessibility enforcement, and no data residency configuration per tenant. Score reflects basic compliance settings available per brand without automated guardrails.
The shared codebase in a Concrete CMS multi-site installation provides a centrally maintained block and template library that all sites inherit. Individual sites can override theme styles. However, there is no formal design system versioning, no component versioning with update propagation, and no brand-level extension model beyond CSS overrides. Score reflects shared components with some brand override but no formal design system management.
In a Concrete CMS multi-site installation, a super-admin can manage users, groups, and permissions across all sites from the main dashboard. SSO via SAML is supported and can span all sites. Individual brand teams can be granted autonomous admin rights within their site. This provides meaningful central oversight with brand team autonomy, though there is no SCIM provisioning or true cross-brand contributor role that spans sites without super-admin privileges.
All sites in a Concrete CMS multi-site installation share the same block types and page type templates from the central codebase. Per-brand content type extensions require code changes rather than configuration, meaning adding brand-specific fields involves developer work and risks diverging the codebase. There is no interface for per-brand content model extension without forking. Score reflects basic shared types with limited no-code customization per brand.
There is no executive portfolio reporting dashboard across the Concrete CMS multi-site network. A super-admin navigates to each site individually and views that site's own content/form reports. Content freshness, publishing SLA adherence, and capacity metrics across the portfolio are not aggregated anywhere in the platform. Manual aggregation from external analytics tools would be required. Score reflects no portfolio reporting capability.
The privacy policy still references the invalidated EU-US Privacy Shield framework (struck down 2020) with no mention of SCCs or the EU-US Data Privacy Framework. No DPA is listed in the legal index, no sub-processor list is published, and EU data residency options are not documented. The policy explicitly redirects elsewhere any GDPR/CCPA questions about sites built on Concrete CMS, and the hosting privacy policy page returns 404.
PortlandLabs hosting undergoes external HIPAA/HITECH audit validation: 'Our external audits also provide independent proof that PortlandLabs hosting meet HIPAA and HITECH controls.' However, no BAA is published or advertised as available, and there is no healthcare-specific documentation for the open-source project. HIPAA alignment exists for managed hosting customers but without confirmed BAA availability the score stays mid-range.
PortlandLabs hosting meets FedRAMP Moderate controls at DoD Impact Level 2 with continuous monitoring and offers a FedRAMP-specific hosting environment with a customer responsibility matrix — a significant differentiator at this tier. HIPAA/HITECH and PCI-DSS are validated through external audits. The privacy policy states CCPA does not apply to Concrete's own business, and UK GDPR, LGPD, PIPEDA, IRAP, and C5 are not addressed.
SOC 2 Type 2 is confirmed covering Security and Availability Trust Service Criteria, with the report available on request, and the scope explicitly includes development of the open-source Concrete CMS as well as hosting. Supply-chain SOC 2 reports (AWS, Atlassian, Google Cloud, New Relic carve-outs) are reviewed. Confidentiality, Processing Integrity, and Privacy TSCs are not covered, and audit cadence is not stated, keeping this below the 85+ band.
PortlandLabs holds ISO 27001 certification — 'This certification proves that Portlandlabs has a robust security and risk management program' — with the certificate available on request. No ISO 27018 (cloud PII processing) is mentioned anywhere. The certification covers PortlandLabs' hosting and development operations, not the open-source software package independently, so it falls in the infrastructure/operations band.
Beyond SOC 2 and ISO 27001, PortlandLabs meets FedRAMP Moderate (DoD IL2) controls with continuous monitoring and has PCI-DSS and HIPAA/HITECH external audit validation, plus US Army PIV authentication licensing. The open-source core runs a HackerOne vulnerability disclosure program with monthly patches and CVE tracking on NIST, and infrastructure access uses FIPS 140-2 MFA. This is an unusually strong portfolio for a tier-4 traditional CMS; no CSA STAR, Cyber Essentials Plus, IRAP, or C5.
Hosting infrastructure is AWS US-based and the FedRAMP environment is inherently US-only. No EU or APAC data residency options or contractual residency guarantees are documented on any hosting page. Self-hosted deployments can choose any region, but without vendor contractual guarantees that does not earn residency credit — a significant gap for EU-based customers.
A 'Personal Information Deletion' document is listed in the legal index, indicating some deletion-request process exists, but the page itself still returns 404 (re-verified), as does the hosting privacy policy. For the open-source platform, full database export is inherently available, but no self-service export portal for hosted customers and no post-termination retention periods are published.
Concrete CMS lists 'Audit Trail' as a security feature alongside login history, email logging, and error logging, and the framework documentation supports audit logging for operations like page deletion and email sends. However, no SIEM integration, configurable log retention, or log export APIs are documented. Present but basic — not enterprise compliance-reporting grade.
No formal WCAG 2.1 AA conformance documentation for the Concrete CMS authoring interface exists; accessibility URL patterns on both concretecms.com and concretecms.org return 404. No ATAG 2.0 commitment is documented. Use by US government agencies (US Army employee portal licensing) implies Section 508 attention in practice, but no formal conformance statement is published.
No VPAT or ACR was found on concretecms.com, concretecms.org, or in the legal index, and no Section 508 formal conformance statement is published. Given federal usage (US Army portal), a VPAT may exist internally or on request, but it is not publicly accessible for procurement purposes, which is what this item measures.
The 'AI Integration - GPT 4 Turbo' marketplace add-on (updated Jan 2026, requires v9.3.0+) delivers GPT-4 Turbo content generation with WYSIWYG editor integration. Core remains AI-free: the May 2026 town hall confirmed no AI features were added to core and none are on the roadmap. No brand voice controls, prompt templates, or native assistance — capped at the third-party-plugin band.
The Brand Central DAM add-on uses AI to auto-tag uploaded media files with relevant metadata, improving searchability. No smart focal crop, no native auto alt-text generation, and no AI image generation are documented in core or marketplace through the 9.4.x/9.5.0 releases. Auto-tagging remains the only confirmed AI media feature.
No native machine translation in Concrete CMS core through 9.5.0. Linguise (third-party SaaS) can integrate via script injection and API key, using Google Cloud Neural MT and a proprietary LLM model, but this is a fully external cloud service. No core changelog or marketplace entries reference MT features.
The 'AI Integration - GPT 4 Turbo' add-on generates SEO meta titles/descriptions and now confirms bulk SEO updates across pages (marketplace listing, Jan 2026). The 'Large Language Models Generator' add-on generates an /llms.txt AI-discoverable site inventory. Both are third-party marketplace add-ons, not core — no on-page SEO scoring or native automation.
AI-powered metadata auto-tagging on media upload (Brand Central DAM) plus bulk SEO updates via the AI Integration add-on are the only confirmed AI ops assists, both outside core. Official blog posts describe AI scheduling and content lifecycle automation aspirationally; the May 2026 town hall confirmed no AI features shipped in core.
No agentic products exist in the Concrete CMS ecosystem as of mid-2026. The May 2026 town hall explicitly noted no AI-powered features in core and no AI roadmap items; the project's AI activity is a contributor AI-use policy and community 'skills files' for external coding assistants — not autonomous content automation. No named agent suite or multi-step pipeline products.
No content intelligence features exist. The blog post mentions AI could 'identify stale, duplicated, or outdated pages' but frames this as general guidance for external tools, not as a Concrete CMS feature. No marketplace add-on delivers content gap analysis, topic clustering, or AI editorial recommendations as of mid-2026.
No AI auditing tool exists in core or marketplace through 9.5.0. The 'Smart Ways to Integrate AI' blog post lists editorial QA and tone checking as recommended external AI use cases, but no Concrete CMS add-on implements these. A third-party accessibility widget (Skynet Technologies) is rule-based, not AI-driven.
Concrete CMS uses standard full-text search with no vector or semantic search capability through 9.5.0. No marketplace add-on or core feature provides AI-enhanced relevance ranking, embedding generation, or RAG-ready content indexing. Custom external integration would require substantial developer work from scratch.
No native ML personalization engine. The 'Poper Widgets Popups Embeds Powered by AI' marketplace add-on is an external SaaS JavaScript embed that adapts CTAs based on visitor context, but it operates outside the CMS layer. No predictive audience segmentation, no behavioral ML, no native A/B testing with AI as of mid-2026.
The community-built TypeScript concretecms-mcp-server (MacareuxDigital) remains the only MCP option: it wraps the REST API with OAuth2 auth and supports system info, content read/write, file upload, and user access. As of June 2026 it has 4 stars, 12 commits, and no formal releases published — functional but minimal adoption and not officially endorsed by Concrete CMS, keeping it below the well-supported-community band.
BYOK is now confirmed: the 'AI Integration - GPT 4 Turbo' add-on (free, Jan 2026) requires users to supply their own OpenAI API key, configured via the dashboard's AI Integration settings page. However, it is a third-party marketplace add-on limited to a single provider (OpenAI) — no official Concrete CMS BYOM framework, no Anthropic/Azure/Gemini support, no model switcher.
Concrete CMS is open-source (MIT, PHP) with a REST API usable for AI consumption, as demonstrated by the community MCP server. No official AI SDK, no LangChain/LlamaIndex connectors, and no LLM-friendly content API. The community 'skills files' initiative (structured Markdown docs to help coding LLMs work with Concrete) remained a proposal as of the May 2026 town hall — AI tooling is still developer-DIY.
Concrete CMS has mature general-purpose governance — approval workflows requiring human review before publish, comprehensive audit trail, ISO 27001, SOC 2, HIPAA compliance, and role-based permissions — serving as de facto AI safety layers. The first official AI policy (May 2026) governs contributor AI use in the open-source project, not AI output in the product. No AI-specific output logging, decision audit trail, or prompt governance exists.
No AI usage dashboards, token consumption tracking, model performance monitoring, or AI observability tooling exists in Concrete CMS core or marketplace. AI usage through the BYOK AI Integration add-on is entirely opaque to CMS administrators — cost and usage monitoring relies on the user's own OpenAI dashboard.
Concrete CMS pioneered front-end drag-and-drop editing and it remains the platform's strongest single feature: editors click any area on the live page to add or reorder blocks with full version history, approval workflows, and rollback. The block/page-type model plus dashboard bulk editing and Bulk SEO Updater accelerate content velocity, and reviews consistently note editors are productive within minutes rather than days.
The permission system supports page-, area-, and page-type-level ACLs with group, user, and time-based scoping plus exclusion rules — used in production at IMCOM (hundreds of sites) and BASF. Combined with OAuth2/OIDC on the REST API, native multi-level approval workflows, and marketplace SAML/MFA add-ons, it is a notably strong governance story for a tier-4 CMS, falling short only of field-level permissions and SCIM.
MIT-licensed self-hosted core means zero license cost and full portability of MySQL data and filesystem assets, while managed hosting is transparently priced at $4.99/$19 per month with no metered API or bandwidth overages. Hosting on commodity LAMP infrastructure starts around $3/month, and exit cost is low because there is no proprietary storage or closed delivery API.
PortlandLabs publishes SOC 2 Type 2 (Security & Availability, scope explicitly includes open-source Concrete CMS development), ISO 27001 certification, HIPAA/HITECH and PCI-DSS external audit validation, and meets FedRAMP Moderate controls at DoD IL2 — an unusually strong portfolio versus comparably-priced traditional CMS peers. The HackerOne program, monthly patch cadence, and CVE-numbering-authority status reinforce a credible security operations posture, though gaps remain around GDPR documentation, data residency, and a public trust portal.
A single installation can host many language/brand sites with shared codebase, themes, and blocks while preserving per-site content trees, themes, workflows, and admin autonomy — proven by the IMCOM deployment running hundreds of garrison sites with centralized compliance. Scale economics are favorable since adding sites does not add license fees, only infrastructure.
Twelve releases shipped in the trailing 12 months culminating in 9.5.0 (Twig templating, PHP 8.5) and rapid security follow-ups in 9.5.1 and 9.5.2 demonstrate sustained delivery velocity. A public roadmap, monthly town halls, named community contributors on every release, and a dedicated 'Squash Week' bug sprint provide unusual transparency for a small-vendor open-source CMS.
The May 2026 town hall explicitly confirmed no AI features in core and none on the near-term roadmap. The only options are third-party marketplace add-ons (GPT-4 Turbo integration, DAM auto-tagging, a community MCP server requiring BYOK) — there is no agentic workflow capability, no semantic search, no AI personalization, no content intelligence, and no AI observability. This is a meaningful gap as competitors ship native AI assistants and agentic features.
REST exists but GraphQL was proposed in 2022 and remains unshipped, no official SDKs are published for any language, TypeScript support is effectively zero, and webhooks require custom PHP rather than a native HTTP delivery layer. There is no Next.js/Nuxt/Astro starter, no draft preview API, and no schema-as-code workflow — headless usage is possible but second-class to coupled PHP rendering.
Native A/B testing does not exist, marketing automation is absent, no CDP connectors are available, recommendation engines are not provided, and ESP integration is limited to a community Mailchimp add-on. Personalization is restricted to user-group visibility rules with no behavioral targeting or variant content engine — well below mid-market DXP expectations.
There is no simultaneous co-editing, presence, or inline commenting — collaboration is sequential and workflow-based. Media handling lacks native focal point, WebP/AVIF transforms, video hosting, and adaptive bitrate streaming; the rich text editor still ships CKEditor 4 (EOL June 2023, pinned at 4.22.1) with no announced successor.
GitHub has 841 stars and ~7 LinkedIn US job postings reference Concrete CMS — substantially below WordPress, Drupal, or modern headless peers. The certified-partner directory is limited to small regional agencies (no Tier-1 SIs), and third-party content (Udemy/Pluralsight courses, conference talks) is sparse, raising staffing risk for enterprise programs.
The Standard Hosting SLA explicitly disclaims uptime guarantees and places backup responsibility on the subscriber, with no published RTO/RPO, no native APM or observability, and no built-in CDN. Self-hosted teams own all patching, monitoring, and DR — manageable for SMBs but unattractive for enterprises expecting SaaS-grade operations.
FedRAMP Moderate / DoD IL2 controls, SOC 2 Type 2, ISO 27001, HIPAA/HITECH, and PIV authentication licensing — combined with proven deployments at IMCOM, BASF, and the Army CSLMO Senior Executive Portal — make Concrete CMS unusually well-suited to authenticated portals where granular permissions and US-hosted compliance matter more than headless flexibility.
Editors learn the in-context drag-and-drop interface in minutes, the platform installs on commodity PHP hosting from a few dollars per month, and self-hosted parity eliminates vendor lock-in. Site rebuild and ongoing change cycles run materially faster than form-based CMSes for routine page updates.
One installation can host many brand sites with shared theme/block libraries and per-site admin autonomy, with zero license cost per added site. Reasonable governance via approval workflows and per-site permissions covers typical multi-brand needs that do not require cross-brand content syndication or portfolio analytics.
MIT licensing, a modular block/package extensibility model, and the new Twig templating layer give PHP developers a productive build environment, and the marketplace covers most common add-on needs. Projects under ~100 developer hours are reportedly delivered faster than equivalent WordPress or Drupal builds because of the out-of-the-box block library and inline editing.
Granular access control with SSO, multi-level approval workflows, news feeds with audience targeting, and case studies in HR/intranet use (BASF, IMCOM) cover most internal-communications needs. The lack of a native employee directory and absence of Teams/Slack/Workday integration are real gaps but solvable for teams whose primary need is editor-driven content publishing.
No GraphQL, no official SDKs, no TypeScript support, no native webhooks, no draft preview API, and no Next.js/Nuxt starter — the platform is fundamentally coupled with REST as a secondary capability. Teams standardizing on JS frameworks and channel-agnostic delivery will fight the architecture continually.
Core has no AI features and the May 2026 town hall confirmed none are on the roadmap. There is no agentic workflow capability, no semantic search, no AI personalization, and no native AI observability — teams expecting Copilot-style assistants, agentic content production, or RAG-ready content APIs out of the box will find only third-party BYOK add-ons.
No native A/B testing, no marketing automation, no CDP integration, no recommendation engine, and limited ESP connectors. Personalization is restricted to user-group visibility rules and a single external SaaS popup add-on — far below the experimentation, segmentation, and orchestration depth expected of mid-market and enterprise DXPs.
Community Store is a capable add-on but is single-vendor, lacks merchandising/cross-sell tooling, and offers minimal post-purchase, checkout, or B2B content experiences. Shopify and Ecwid embeds bridge basic storefront use, but there is no commercetools/SFCC federation, no PIM-grade product modeling, and no shoppable-content authoring pattern.
Craft CMS wins decisively on developer experience, content modeling depth (Matrix fields, schema-as-code via Project Config), GraphQL delivery, and modern integrations. Concrete CMS counters with stronger in-context visual editing, broader compliance certifications (FedRAMP IL2, HIPAA, SOC 2 Type 2), and zero license cost for self-hosted use. Craft is the better choice for headless and developer-led builds; Concrete fits regulated and editor-led use cases better.
Concrete CMS advantages over Craft CMS
Concrete CMS disadvantages vs Craft CMS
Drupal offers a vastly larger contributor community, deeper content modeling (Views, taxonomy, Layout Builder), and a mature headless story via JSON:API and GraphQL. Concrete CMS is materially easier for non-technical editors out of the box and ships a more polished in-context editing experience, with a comparable or better compliance posture for managed hosting. Pick Drupal for scale, ecosystem, and complex data models; pick Concrete for editor self-service on smaller programs.
Concrete CMS advantages over Drupal
Concrete CMS disadvantages vs Drupal
Both are mid-tier open-source PHP CMSes targeting similar SMB and agency audiences. Concrete CMS has materially better in-context editing, more sophisticated permissions/workflows, and a stronger compliance posture for managed hosting; Joomla has a larger community, more extensions, and broader translation/multilingual maturity. Concrete is the safer pick for compliance-sensitive and intranet builds.
Concrete CMS advantages over Joomla
Concrete CMS disadvantages vs Joomla
Umbraco's .NET stack, Cloud offering, larger partner network, and Heartcore headless option position it more strongly for mid-market and enterprise programs. Concrete CMS counters with a more accessible PHP runtime, a stronger inline-editing experience for non-technical users, lower TCO via fully MIT self-hosting, and a better-documented compliance posture. Umbraco is the safer enterprise choice; Concrete fits SMB and government editor-driven use cases.
Concrete CMS advantages over Umbraco
Concrete CMS disadvantages vs Umbraco
WordPress VIP is a managed enterprise platform with vastly larger ecosystem, modern Gutenberg block editing, mature headless and multisite tooling, and an enterprise SLA — at a meaningfully higher TCO. Concrete CMS is dramatically cheaper, fully self-hostable, and ships granular permissions and FedRAMP/HIPAA-ready hosting that overlap WordPress VIP's federal positioning. WordPress VIP wins on ecosystem, talent supply, and headless; Concrete wins on cost and self-hosted control.
Concrete CMS advantages over WordPress VIP
Concrete CMS disadvantages vs WordPress VIP
Concrete CMS is essentially stable this cycle, with every composite dimension holding flat except for a marginal 0.2-point dip in Operational Ease. The movement is driven entirely by a small downtick in issue resolution velocity, where the 9.5.1 security patch shipping three weeks after 9.5.0 to address five CVEs nudged the underlying signal lower. Practitioners should read this as a non-event for capability, cost, and compliance posture, though it is worth noting that maintenance cadence remains the platform's most sensitive lever.
Score Changes
2026 demonstrated strong security response velocity: 9.5.1 shipped roughly three weeks after 9.5.0 to fix five CVEs including RCE-class issues, followed by 9.5.2 a few weeks later for dependency vulnerabilities, with transparent advisories via HackerOne and the security page. General non-security bug resolution still follows community contribution cadence, which is slower than a fully staffed vendor — keeping this below the 60+ band.
Concrete CMS remains a niche traditional CMS with solid in-context editing and favorable cost of ownership, but limited developer ecosystem growth and slow release cadence constrain its competitiveness. The platform serves existing installations well but struggles to attract new projects in a market dominated by WordPress, headless CMSes, and composable DXPs.
Platform News
Platform continues in maintenance mode with a small but dedicated community supporting existing deployments.
Concrete CMS enters a steady-state maintenance phase with infrequent releases. The platform retains its strengths in in-context editing and low total cost of ownership but shows little innovation. Regulatory readiness improves slightly as the team adds basic compliance documentation, though it still lacks enterprise-grade certifications.
Platform News
Improved privacy tooling and compliance documentation for European deployments.
Release cadence slows as the small core team focuses on maintenance rather than major feature development. The platform remains functional and cost-effective but falls further behind competitors in API capabilities, headless delivery, and modern developer experience. Community contributions have declined noticeably.
Platform News
Focus on PHP 8.2/8.3 compatibility, security patches, and minor UX improvements.
Fewer new addons being published as developer community shrinks relative to larger CMS ecosystems.
Concrete CMS v9.2.x continues incremental improvements with better content versioning and workflow capabilities. The platform maintains a loyal niche user base, particularly in government and education sectors, but growth is limited as the broader market shifts toward headless and composable architectures.
Platform News
Improved content workflows, versioning enhancements, and better multilingual support.
Platform highlights adoption in public sector organizations valuing its in-context editing and accessibility features.
Version 9.1.x releases stabilize the new architecture and restore developer confidence after the v9 migration disruption. The addon ecosystem is slowly recovering, and build simplicity improves as documentation catches up. Platform velocity remains healthy with regular point releases addressing community feedback.
Platform News
Series of stabilization releases improving performance, fixing migration edge cases, and enhancing the editing experience.
Comprehensive rewrite of developer docs covering Symfony patterns, Doctrine entities, and new routing.
Concrete CMS v9 reaches stable release, delivering the most significant architectural overhaul in the platform's history. The Symfony/Doctrine migration modernizes the technical foundation but introduces breaking changes that slow addon ecosystem recovery. Build simplicity temporarily dips as developers navigate migration from v8.
Platform News
Major release featuring Symfony components, Doctrine ORM, PHP 8.0+ support, and rewritten asset pipeline.
Breaking changes in block types, packages, and routing require significant addon rewrites.
Community effort to port popular addons to v9, though many remain v8-only.
The platform officially rebrands from concrete5 to Concrete CMS, signaling a strategic push for broader market recognition. Early previews of version 9 show significant architectural modernization with Symfony and Doctrine ORM, generating renewed community interest and a spike in contributor activity.
Platform News
Major rebrand to shed the versioned name and position the platform as an enterprise-ready CMS.
Preview releases introduce Symfony HttpFoundation, Doctrine ORM, and modernized PHP 8 support.
Revamped website and marketplace to accompany the rebrand and attract new developers.
concrete5 v8.5.x is a mature but aging traditional CMS with strong in-context editing but limited modern developer tooling. Community activity is steady but the platform struggles to compete with WordPress and emerging headless alternatives, and the codebase shows its age with legacy PHP patterns.
Platform News
Bug fixes and PHP 7.4 compatibility improvements for the legacy 8.x branch.
Team signals intent to modernize the platform with a major version rewrite using Symfony components.
How composite scores (0–100) have changed over time.