CMS detection
How DomainCare passively fingerprints WordPress, Drupal, Joomla, Ghost, Shopify, Webflow, and Squarespace on add and on demand.
DomainCare runs a passive HTTP fingerprint when you add a domain (and on demand via the Re-detect button on the per-domain page). The detected CMS surfaces as a small badge above the status hero. CMS detection is metadata, not a recurring check — it doesn't run on a schedule and doesn't fire alerts.
Why this exists
Operators often inherit sites without knowing what CMS the previous contractor set up. CMS metadata makes that invisible footprint visible — and pairs with the security headers and open ports checks to surface where the next vulnerability is most likely to land.
CVE / plugin-version lookup is not part of this release — see the project roadmap.
What we look for
Two layers, in order:
- Response headers — cheap and unambiguous.
  - X-Powered-By: WordPress
  - X-Generator: Drupal
  - X-Ghost-Cache-Status (any value) — Ghost
  - X-ShopId (any value) — Shopify
  - X-Webflow-Page (any value) — Webflow
- HTML body signals (max 256KB read).
  - /wp-login, /wp-content, /wp-includes paths — WordPress
  - <meta name="generator" content="Drupal"> — Drupal
  - <meta name="generator" content="Joomla"> — Joomla
  - <meta name="generator" content="Ghost"> — Ghost
  - cdn.shopify.com asset URL — Shopify
  - static.squarespace.com asset URL — Squarespace
  - assets.webflow.com asset URL — Webflow
The first match wins. If no signal matches, the badge is hidden.
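The two-layer, first-match-wins order above can be reproduced offline to see which signal your own site would trip. This is an added sketch, not DomainCare's code: the function and rule-table names are hypothetical, and case-insensitive substring matching on header values and prefix matching on the generator content are assumptions.

```python
import re
MAX_BODY_BYTES = 256 * 1024  # the 256KB body read cap stated above

# Layer 1: (header name, required substring or None for "any value", CMS).
# Assumption: header values are compared as case-insensitive substrings.
HEADER_RULES = [
    ("x-powered-by", "wordpress", "WordPress"),
    ("x-generator", "drupal", "Drupal"),
    ("x-ghost-cache-status", None, "Ghost"),
    ("x-shopid", None, "Shopify"),
    ("x-webflow-page", None, "Webflow"),
]

def _generator(name):
    # Assumption: the generator content only has to start with the CMS name.
    return re.compile(r'<meta\s+name=["\']generator["\']\s+content=["\']' + name, re.I)

# Layer 2: body patterns, in the order the list above gives them.
BODY_RULES = [
    (re.compile(r"/wp-(login|content|includes)"), "WordPress"),
    (_generator("Drupal"), "Drupal"),
    (_generator("Joomla"), "Joomla"),
    (_generator("Ghost"), "Ghost"),
    (re.compile(r"cdn\.shopify\.com", re.I), "Shopify"),
    (re.compile(r"static\.squarespace\.com", re.I), "Squarespace"),
    (re.compile(r"assets\.webflow\.com", re.I), "Webflow"),
]

def detect_cms(headers, body):
    """Return the first matching CMS name, or None (badge hidden)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for name, needle, cms in HEADER_RULES:
        value = lowered.get(name)
        if value is not None and (needle is None or needle in value.lower()):
            return cms
    # Only the first 256KB of the body is inspected; later markers are ignored.
    text = body[:MAX_BODY_BYTES].decode("utf-8", errors="replace")
    for pattern, cms in BODY_RULES:
        if pattern.search(text):
            return cms
    return None

# Constructed sample responses (not captured from real sites).
SAMPLES = [
    ({"X-ShopId": "12345"}, b"<a href='/wp-content/x.css'>"),  # header layer wins
    ({"Server": "nginx"}, b'<meta name="generator" content="Joomla! - Open Source">'),
    ({"Server": "nginx"}, b"A" * MAX_BODY_BYTES + b"/wp-content/"),  # marker past cap
    ({"Server": "nginx"}, b"<html>plain site</html>"),  # no signal
]
if __name__ == "__main__":
    print([detect_cms(h, b) for h, b in SAMPLES])
```

The third sample shows a side effect of the read cap: a marker that appears only after the first 256KB of HTML is never seen, so the result is no badge rather than a wrong one.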
Re-detecting
The Re-detect button on the per-domain page re-runs the fingerprint and updates the badge. Use it after a CMS migration so the dashboard reflects reality. Failure of the re-detect (network error, site down) clears the badge.
Privacy
Detection is passive — DomainCare only reads what your site already returns publicly. No login, no exploitation, no parameter probing.