On this page

Website and CMS

Content management systems provide the infrastructure for creating, editing, storing, and publishing website content. CMS platforms enable non-technical users to maintain websites without writing code, while providing developers with frameworks for building custom functionality. The platform selection affects content workflow, site performance, security posture, hosting requirements, and long-term maintenance costs.

This page covers systems designed primarily for public-facing organisational websites: informational sites, blogs, news publications, and marketing pages. The scope includes traditional coupled CMS (where content management and presentation are integrated), headless CMS (API-first content repositories), and visual site builders with CMS capabilities. E-commerce platforms, learning management systems, and internal knowledge bases are covered in separate benchmark pages. Programme management systems with public reporting features (such as donor portals) are addressed under Programme and Humanitarian Systems.

Assessment methodology

Tool assessments are based on official vendor documentation, published API references, release notes, and technical specifications as of 2026-01-23. Feature availability varies by product tier, deployment model, and region. Verify current capabilities directly with vendors during procurement. Community-reported information is excluded; only documented features are assessed.

Requirements taxonomy

This taxonomy defines evaluation criteria for website and CMS tools. Requirements are organised by functional area and weighted by typical priority for mission-driven organisations. Adjust weights based on your specific operational context.

Functional requirements

Core capabilities that define what the CMS must do.

Content authoring and editing

ID	Requirement	Description	Assessment criteria	Verification method	Typical priority
F1.1	Visual content editor	WYSIWYG or block-based editor enabling content creation without HTML knowledge. Editor must show approximate rendered output during composition.	Full: real-time visual preview, drag-drop blocks, inline formatting. Partial: visual editor with limited block types. Minimal: Markdown-only or code-based editing.	Test editor during trial; compare preview to published output	Essential
F1.2	Rich media embedding	Ability to embed images, videos, audio, documents, and third-party content (maps, social posts) within content.	Full: native support for major media types plus oEmbed/iframe for third-party. Partial: images and videos only. Minimal: images only with manual HTML for other types.	Review media handling documentation; test embedding workflow	Essential
F1.3	Content scheduling	Ability to set future publication and expiration dates for content without manual intervention.	Full: publish date, expiry date, time zone support, scheduling queue visibility. Partial: publish date only. None: manual publish only.	Review scheduling documentation; verify timezone handling	Important
F1.4	Revision history	Automatic versioning of content changes with ability to view and restore previous versions.	Full: unlimited versions, diff comparison, named versions, restore capability. Partial: limited version count or no diff view. Minimal: single previous version.	Test revision workflow; verify restoration preserves all content	Essential
F1.5	Autosave and draft recovery	Automatic saving of work-in-progress to prevent data loss from browser crashes or session timeouts.	Full: continuous autosave (under 60 seconds), recoverable drafts, conflict detection. Partial: periodic autosave, basic recovery. None: manual save only.	Test by closing browser mid-edit; verify recovery	Important
F1.6	Content preview	Ability to preview unpublished content as it will appear on the live site, including responsive views.	Full: authenticated preview across devices, preview URLs for sharing, preview of scheduled content. Partial: single-device preview. None: no preview before publish.	Test preview across desktop, tablet, mobile viewports	Essential
F1.7	In-context editing	Ability to edit content directly on the rendered page rather than in a separate admin interface.	Full: click-to-edit on live site with all editing capabilities. Partial: limited editing on live view. None: admin panel only.	Test editing workflow on published pages	Desirable

Content organisation and structure

ID	Requirement	Description	Assessment criteria	Verification method	Typical priority
F2.1	Hierarchical content structure	Support for parent-child relationships between content, enabling logical site architecture with nested pages.	Full: unlimited nesting depth, breadcrumb generation, URL inheritance. Partial: limited nesting levels. None: flat content only.	Create nested page structure; verify URL and navigation generation	Essential
F2.2	Taxonomy and categorisation	Ability to classify content using tags, categories, or custom taxonomies with multiple values per content item.	Full: custom taxonomies, hierarchical terms, multiple assignments, term management. Partial: single taxonomy or limited terms.	Review taxonomy documentation; test multi-taxonomy assignment	Important
F2.3	Content types and custom fields	Ability to define structured content types beyond basic pages, with custom fields matching content model needs.	Full: unlimited content types, custom field types (text, number, date, relation, media, structured), conditional fields. Partial: limited field types or content types.	Create custom content type matching real use case; verify field behaviour	Essential
F2.4	Content relationships	Ability to link content items together (related posts, author profiles, topic hubs) with bidirectional navigation.	Full: many-to-many relationships, relationship fields, bidirectional queries. Partial: one-way references only. None: no structured relationships.	Configure content relationship; verify querying from both directions	Important
F2.5	Reusable content blocks	Ability to create content fragments that appear across multiple pages with single-source updates.	Full: global blocks, partial templates, content references updating everywhere. Partial: copy-paste blocks with manual sync. None: duplicate content required.	Create shared block; update once; verify propagation	Important
F2.6	Menu and navigation management	Interface for creating and organising site navigation structures independent of content hierarchy.	Full: multiple menus, drag-drop ordering, nested items, custom links, menu locations. Partial: single menu or limited nesting.	Build multi-level navigation; test reordering	Essential

Multi-language and localisation

ID	Requirement	Description	Assessment criteria	Verification method	Typical priority
F3.1	Multi-language content management	Ability to create and manage content in multiple languages with translation workflow support.	Full: unlimited languages, per-field translation, translation status tracking, language switcher. Partial: limited languages or full-page translation only. None: single language.	Configure three languages; test translation workflow	Context-dependent
F3.2	Language fallback behaviour	Configurable behaviour when content is not translated, including fallback to default language or 404.	Full: per-content-type fallback rules, mixed-language pages, translator notes. Partial: global fallback setting only. None: no fallback (404 for missing).	Test access to untranslated content in alternate language	Context-dependent
F3.3	Right-to-left language support	Proper rendering and editing support for RTL languages (Arabic, Hebrew, Farsi).	Full: automatic RTL detection, bidirectional text, RTL-aware admin interface. Partial: RTL rendering but LTR admin. None: no RTL support.	Switch admin to Arabic; test content creation and rendering	Context-dependent
F3.4	Date, number, and currency formatting	Locale-aware formatting for dates, numbers, and currencies matching visitor or content language.	Full: automatic locale formatting, format customisation, timezone handling. Partial: manual format specification. None: single format.	Configure content with dates and numbers; verify localised display	Important

Workflow and collaboration

ID	Requirement	Description	Assessment criteria	Verification method	Typical priority
F4.1	Editorial workflow stages	Configurable content states (draft, review, approved, published) with transition rules.	Full: custom workflow stages, transition permissions, stage-specific actions. Partial: fixed workflow stages. Minimal: draft/published only.	Configure custom workflow; test stage transitions	Important
F4.2	Content approval process	Requirement for designated approvers before content publication with notification and audit trail.	Full: multi-step approval, approval groups, approval deadlines, delegation. Partial: single approver only. None: no approval required.	Configure approval workflow; test notification and rejection	Important
F4.3	Collaborative editing	Support for multiple users working on content simultaneously or sequentially with conflict prevention.	Full: real-time co-editing, presence indicators, cursor tracking. Partial: lock-based editing with conflict detection. Minimal: last-save-wins.	Have two users edit same content; verify conflict handling	Desirable
F4.4	Comments and annotations	Ability to add internal comments on content for editorial discussion without affecting published output.	Full: threaded comments, resolved/open status, comment notifications, page-region annotations. Partial: simple comments only. None: no internal commenting.	Add comments to draft; verify exclusion from published content	Desirable
F4.5	Assigned tasks and responsibilities	Ability to assign content items to specific users with due dates and tracking.	Full: task assignment, due dates, reminder notifications, task dashboards. Partial: owner field only. None: no assignment tracking.	Assign content to user; verify notifications and tracking	Desirable

Design and theming

ID	Requirement	Description	Assessment criteria	Verification method	Typical priority
F5.1	Theme/template customisation	Ability to modify site appearance through theme files, style settings, or visual editors.	Full: template access, CSS customisation, theme settings UI, child themes. Partial: limited customisation options. Minimal: preset themes only.	Modify theme element; verify deployment process	Essential
F5.2	Responsive design support	Built-in handling for different screen sizes with responsive templates and preview capabilities.	Full: responsive themes, device preview, breakpoint customisation. Partial: responsive but no preview. None: fixed-width only.	Preview same content across viewports; verify layout adaptation	Essential
F5.3	Component/block library	Pre-built content components (accordions, tabs, cards, galleries) available for content assembly.	Full: extensive component library, component customisation, custom component creation. Partial: limited components. Minimal: basic text and media only.	Review available components; test customisation depth	Important
F5.4	Visual page builder	Drag-and-drop interface for page layout construction without code or template editing.	Full: visual grid system, component placement, responsive controls, style customisation. Partial: limited layout options. None: template-based only.	Build complex page layout using visual tools	Desirable
F5.5	Brand asset management	Central management of logos, colours, typography, and brand guidelines with site-wide application.	Full: global brand settings, colour palettes, typography system, asset library. Partial: manual brand application. None: per-page styling.	Update brand colour; verify site-wide propagation	Important

SEO and metadata

ID	Requirement	Description	Assessment criteria	Verification method	Typical priority
F6.1	SEO metadata management	Interface for managing page titles, meta descriptions, and Open Graph data per content item.	Full: per-page SEO fields, character count, preview, default templates. Partial: title and description only. None: no SEO fields.	Configure SEO fields; verify rendered HTML meta tags	Essential
F6.2	URL/permalink control	Ability to customise URL slugs and structure with automatic generation from titles.	Full: manual slug editing, URL structure templates, redirect on change. Partial: auto-generated with manual override. None: system-generated only.	Change content URL; verify redirect and SEO preservation	Essential
F6.3	XML sitemap generation	Automatic generation of XML sitemaps for search engine indexing with configuration options.	Full: auto-generated, priority settings, change frequency, search console submission. Partial: basic auto-generation. None: manual creation required.	Verify sitemap.xml generation; check configuration options	Important
F6.4	Canonical URL management	Ability to specify canonical URLs to prevent duplicate content issues, with automatic handling.	Full: automatic canonicals, manual override, cross-domain canonical support. Partial: manual specification only. None: no canonical handling.	Check canonical tag generation on paginated/filtered content	Important
F6.5	Structured data support	Ability to add schema.org markup for rich search results (articles, events, organisations).	Full: automatic schema generation, schema customisation, multiple schema types. Partial: basic schema only. None: manual JSON-LD required.	Verify structured data output using testing tool	Important
F6.6	robots.txt and indexing control	Per-page control over search engine indexing with robots.txt management.	Full: per-page noindex, robots.txt editor, crawler management. Partial: site-wide robots.txt only. None: no indexing control.	Set noindex on page; verify robots meta tag	Important

Technical requirements

Infrastructure, architecture, and deployment considerations.

Deployment and hosting

ID	Requirement	Description	Assessment criteria	Verification method	Typical priority
T1.1	Self-hosted deployment option	Ability to deploy on organisation-controlled infrastructure for data sovereignty, compliance, or cost reasons.	Full: complete feature parity with hosted version, documented deployment process. Partial: self-hosted available but with feature limitations. None: SaaS only.	Review deployment documentation; compare feature matrix across deployment modes	Important
T1.2	Managed cloud deployment	Availability of vendor-managed or third-party managed hosting with regional options.	Full: multiple regions including EU, documented data residency. Partial: limited regions. None: single region or undisclosed.	Review hosting documentation; verify regional availability	Important
T1.3	Container deployment	Support for containerised deployment (Docker, Kubernetes) enabling modern orchestration.	Full: official images, Helm charts, documented orchestration. Partial: community images only. None: no container support.	Check Docker Hub, artifact registries, deployment docs	Desirable
T1.4	Static site generation	Ability to generate static HTML files for performance, security, and simplified hosting.	Full: static export, incremental builds, CDN-ready output. Partial: full export but no incremental. None: dynamic-only.	Generate static site; verify completeness of output	Context-dependent
T1.5	Database options	Supported database systems and configuration flexibility.	Document supported databases: PostgreSQL, MySQL, MariaDB, SQLite, MongoDB, embedded. Note production vs development options.	Review database documentation; verify production recommendations	Important

Scalability and performance

ID	Requirement	Description	Assessment criteria	Verification method	Typical priority
T2.1	Built-in caching	Native caching mechanisms for page output, database queries, and API responses.	Full: page cache, query cache, object cache, configurable TTL, cache invalidation. Partial: basic page caching only. None: no built-in caching.	Review caching documentation; test cache behaviour	Essential
T2.2	CDN integration	Support for content delivery network integration for static assets and potentially full pages.	Full: native CDN support, cache headers, purge API, edge caching. Partial: static asset CDN only. Minimal: manual configuration required.	Configure CDN; verify cache headers and purge capability	Important
T2.3	Image optimisation	Automatic image processing for responsive images, format conversion, and compression.	Full: automatic resizing, WebP/AVIF conversion, lazy loading, srcset generation. Partial: manual image sizes. None: original images only.	Upload large image; verify generated variations and lazy loading	Important
T2.4	Load time performance	Documented performance characteristics and optimisation features.	Review: published benchmarks, performance best practices, performance monitoring. Assess: TTFB, LCP, CLS metrics on demo sites.	Test demo site with Lighthouse; review performance documentation	Important

API and headless capabilities

ID	Requirement	Description	Assessment criteria	Verification method	Typical priority
T3.1	REST API availability	Programmatic access via REST API for content retrieval and management.	Full: comprehensive API covering all content types and operations, versioned, documented. Partial: read-only or limited coverage. None: no REST API.	Review API documentation completeness; compare to admin features	Important
T3.2	GraphQL API availability	GraphQL endpoint for flexible content queries with schema introspection.	Full: complete GraphQL schema, query and mutation support, documentation. Partial: read-only queries. None: no GraphQL.	Test GraphQL queries; verify schema coverage	Desirable
T3.3	Headless/decoupled operation	Ability to use CMS as content repository only, delivering via API to separate frontend.	Full: documented headless architecture, preview in decoupled mode, all content via API. Partial: API available but not all features. None: coupled only.	Review headless documentation; verify API completeness for decoupled use	Context-dependent
T3.4	Webhook support	Ability to trigger external actions when content events occur.	Full: configurable webhooks for all events, retry logic, payload customisation. Partial: limited events. None: polling only.	Configure webhook; verify payload and delivery	Important
T3.5	API authentication methods	Supported methods for securing API access.	Document supported methods: API keys, OAuth 2.0, OIDC, JWT, service accounts.	Review API security documentation	Important

Security requirements

Security controls and data protection capabilities.

Authentication and access control

ID	Requirement	Description	Assessment criteria	Verification method	Typical priority
S1.1	Multi-factor authentication	Support for MFA on user accounts to prevent credential compromise.	Full: multiple MFA methods (TOTP, WebAuthn, push), enforced by policy. Partial: single MFA method. None: password only.	Review authentication documentation; test MFA configuration	Essential
S1.2	Single sign-on integration	Support for federated identity via SSO protocols.	Full: SAML 2.0 and OIDC support, multiple IdP. Partial: single protocol or IdP. None: local auth only.	Review SSO documentation; check supported protocols and IdPs	Essential
S1.3	Role-based access control	Granular permission management based on roles.	Full: custom roles, granular permissions (per content type, per action, per content item), inheritance. Partial: fixed roles only. Limited: basic user/admin.	Review RBAC documentation; test custom role creation	Essential
S1.4	Per-content permissions	Ability to restrict access to specific content items or sections by role or user.	Full: per-item permissions, section-based access, permission inheritance. Partial: section-level only. None: role-based only.	Configure restricted content; verify access control	Important
S1.5	Audit logging	Logging of user actions for security monitoring and compliance.	Full: comprehensive action logging, user attribution, log export, retention configuration. Partial: basic access logs. None: no audit logging.	Review audit log capabilities; verify log completeness	Essential

Data protection

ID	Requirement	Description	Assessment criteria	Verification method	Typical priority
S2.1	Encryption at rest	Data encrypted when stored.	Full: AES-256 or equivalent, documented key management. Partial: encryption available but not default. None: unencrypted storage.	Review encryption documentation; verify algorithm and key management	Essential
S2.2	Encryption in transit	Data encrypted during transmission.	Full: TLS 1.2+ enforced, certificate management, HSTS support. Partial: TLS available but not enforced.	Review transport security documentation; test with SSL analyser	Essential
S2.3	Data residency controls	Ability to specify and enforce data storage location.	Full: selectable regions, documented data flows, residency guarantees. Partial: limited regions. None: undisclosed location.	Review data residency documentation; verify contractually	Essential
S2.4	Backup and recovery	Ability to back up site content and configuration with tested recovery procedures.	Full: automated backups, point-in-time recovery, admin-initiated restore. Partial: manual backup only.	Review backup documentation; test restoration procedure	Essential

Security certifications and compliance

ID	Requirement	Description	Assessment criteria	Verification method	Typical priority
S3.1	Security update process	Process for receiving and applying security patches.	Full: security notifications, regular updates, LTS options, CVE tracking. Partial: updates without notification. None: irregular updates.	Review security update history; check notification mechanisms	Essential
S3.2	Vulnerability disclosure programme	Process for reporting and addressing security issues.	Full: public disclosure policy, CVE tracking, timely patches. Partial: informal process. None: no programme.	Review security policy; check CVE database for history	Important
S3.3	SOC 2 certification	Independent audit of security controls (for hosted platforms).	Full: current SOC 2 Type II, report available. Partial: SOC 2 Type I only. None: no SOC certification.	Request SOC 2 report; verify audit date	Important for SaaS
S3.4	GDPR compliance documentation	Documented compliance with EU data protection regulation.	Full: DPA available, processing records, DPIA support. Partial: general privacy policy only.	Review GDPR documentation; assess DPA terms	Essential

Operational requirements

Day-to-day administration and management considerations.

Administration and configuration

ID	Requirement	Description	Assessment criteria	Verification method	Typical priority
O1.1	Administrative interface	Quality and capability of admin tools.	Full: comprehensive web UI, role-specific views, bulk operations. Partial: limited admin UI.	Review admin documentation; assess during trial	Important
O1.2	Configuration export/import	Ability to export and import site configuration for migration or environment synchronisation.	Full: complete configuration export, import with conflict handling, environment promotion. Partial: limited configuration scope. None: manual recreation required.	Export configuration; import to new environment; verify completeness	Important
O1.3	Multi-site management	Ability to manage multiple websites from single installation or dashboard.	Full: centralised management, shared users, per-site customisation, network features. Partial: separate installations with shared login. None: single site only.	Review multi-site documentation; verify management capabilities	Context-dependent
O1.4	Environment management	Support for development, staging, and production environments with content synchronisation.	Full: environment cloning, configuration promotion, content sync, branch deployments. Partial: manual environment setup.	Review environment documentation; test promotion workflow	Important

Monitoring and observability

ID	Requirement	Description	Assessment criteria	Verification method	Typical priority
O2.1	Health monitoring	Built-in or integrated health check capabilities.	Full: health endpoints, uptime monitoring, error alerting. Partial: basic status indicators. None: no monitoring.	Review monitoring documentation; test health endpoints	Important
O2.2	Analytics integration	Ability to integrate web analytics for visitor tracking.	Full: native analytics or documented integration with major platforms, privacy-compliant options. Partial: single analytics option. None: manual code insertion.	Review analytics documentation; verify GDPR-compliant options	Important
O2.3	Error reporting	Capture and reporting of site errors for debugging.	Full: error logging, stack traces, error notifications, integration with error tracking services. Partial: basic error logs. None: no error capture.	Review error handling documentation; test error capture	Important

Support and maintenance

ID	Requirement	Description	Assessment criteria	Verification method	Typical priority
O3.1	Documentation quality	Completeness and accuracy of technical documentation.	Full: comprehensive, current, searchable, versioned, tutorials and references. Partial: incomplete or outdated. Poor: minimal documentation.	Assess documentation during evaluation; check update frequency	Essential
O3.2	Community health (FOSS)	Vitality of open source community for FOSS options.	Metrics: contributors, commit frequency, issue response time, governance model, forum activity.	Review GitHub/GitLab statistics; assess governance	Important for FOSS
O3.3	Commercial support availability	Options for paid professional support.	Full: official support tiers, SLA options, professional services. Partial: third-party support only. None: community support only.	Review support options; check SLA terms	Important
O3.4	Release cadence and stability	Frequency and predictability of updates.	Full: published roadmap, regular releases, LTS options, semantic versioning. Partial: irregular releases.	Review release history; check for roadmap visibility	Important
O3.5	Extension/plugin ecosystem	Availability of add-ons extending core functionality.	Full: official marketplace, quality review process, active development. Partial: community plugins without curation. Limited: few extensions available.	Browse extension marketplace; assess quality and maintenance	Important

Data management requirements

Data handling, portability, and lifecycle management.

Data import and migration

ID	Requirement	Description	Assessment criteria	Verification method	Typical priority
D1.1	Content import tools	Ability to import content from files or other systems.	Full: import from major CMS platforms, bulk import, data mapping, validation. Partial: generic import only. None: manual creation required.	Review import documentation; test with sample data	Important
D1.2	Migration path from common CMS	Documented migration from major platforms (WordPress, Drupal, etc.).	Full: migration plugins/tools, field mapping, media migration, redirect generation. Partial: manual migration guidance. None: no migration path.	Review migration documentation for your source platform	Context-dependent
D1.3	Media import and management	Bulk import and organisation of media files.	Full: bulk upload, folder organisation, metadata preservation, duplicate detection. Partial: individual upload only.	Test bulk media upload; verify organisation capabilities	Important

Data export and portability

ID	Requirement	Description	Assessment criteria	Verification method	Typical priority
D2.1	Complete content export	Ability to export all content in usable format.	Full: complete export including content, media, metadata, relationships in open formats. Partial: limited to certain content types.	Review export documentation; verify completeness	Essential
D2.2	Export formats	Available formats for exported data.	List supported formats; note if open standards (XML, JSON, Markdown, HTML) or proprietary.	Review export format documentation	Essential
D2.3	Media export	Ability to export media files with associated metadata.	Full: bulk media export, metadata preservation, original files. Partial: individual download only.	Test media export; verify metadata preservation	Important
D2.4	Database access	Direct access to underlying database for backup or analysis.	Full: documented schema, direct access, standard database tools. Partial: API access only. None: no direct access (SaaS).	Review database documentation; verify access method	Important for self-hosted

Commercial and contractual requirements

Licensing, pricing, and vendor relationship considerations.

Pricing and licensing

ID	Requirement	Description	Assessment criteria	Verification method	Typical priority
C1.1	Pricing model transparency	Clarity of pricing structure.	Full: published pricing, calculator available, no hidden fees. Partial: pricing on request. Poor: opaque pricing.	Review pricing documentation; request detailed quote	Important
C1.2	Nonprofit pricing availability	Discounted or donated licences for qualifying organisations.	Full: established programme, clear eligibility, significant discount (50%+). Partial: ad-hoc discounts. None: standard pricing only.	Research nonprofit programme; verify eligibility and terms	Important
C1.3	Open source licence terms	For FOSS: licence type and implications.	Document licence (MIT, GPL, AGPL, Apache, BSD); note obligations (attribution, source disclosure, copyleft).	Review licence file; understand obligations	Important for FOSS
C1.4	Vendor lock-in assessment	Degree to which switching away is constrained.	Assess: data portability, standard formats, API openness, theme portability, plugin dependencies.	Review export capabilities; assess proprietary dependencies	Important

Vendor assessment

ID	Requirement	Description	Assessment criteria	Verification method	Typical priority
C2.1	Vendor stability	Business viability and longevity indicators.	Assess: funding status, revenue model, customer base, years in operation, acquisition risk.	Research company background; review financial indicators	Important for commercial
C2.2	Data jurisdiction	Legal jurisdiction governing data and vendor.	Document: headquarters location, data processing locations, applicable law, CLOUD Act exposure.	Review terms of service; verify processing locations	Important
C2.3	Exit strategy viability	Ability to migrate away if needed.	Full: documented export, open formats, no data hostage. Partial: export with limitations. Poor: significant lock-in.	Review export capabilities; assess migration complexity	Essential

Accessibility requirements

Compliance with accessibility standards.

ID	Requirement	Description	Assessment criteria	Verification method	Typical priority
A1.1	Admin interface accessibility	Accessibility of content management interface.	Full: WCAG 2.1 AA compliance documented, tested with assistive technology. Partial: some accessibility features. None: not addressed.	Test admin with screen reader; review accessibility documentation	Essential
A1.2	Accessible output generation	Ability to produce WCAG-compliant public content.	Full: accessible default themes, accessibility checking, heading structure enforcement. Partial: accessible themes available. None: accessibility not addressed.	Audit default theme; review accessibility tooling	Essential
A1.3	Accessibility documentation	Published accessibility information.	Full: VPAT available, accessibility statement, testing methodology. Partial: general statement only.	Request VPAT; review accessibility documentation	Important
A1.4	Alternative text enforcement	Ability to require alt text for images.	Full: required field with validation, alt text editing in context. Partial: optional but prompted. None: no alt text handling.	Test image upload workflow; verify alt text enforcement options	Important

Assessment methodology

Tools are assessed against each requirement using the following scale:

Rating	Symbol	Definition
Full support	●	Requirement fully met with documented, production-ready capability
Partial support	◐	Requirement partially met; limitations documented in notes
Minimal support	○	Basic capability exists but significant gaps
Not supported	✗	Capability not available
Not applicable	-	Requirement not relevant to this tool
Not assessed	?	Insufficient documentation to assess

Additional notation:

$ indicates feature requires paid tier or add-on
E indicates feature available in enterprise tier only
P indicates feature requires plugin or extension

Functional capability comparison

Content authoring and editing

Req ID	Requirement	WordPress	Drupal	Wagtail	Strapi	Ghost	Joomla	Contentful	Webflow
F1.1	Visual content editor	●	●P	●	◐	●	●	◐	●
F1.2	Rich media embedding	●	●	●	●	●	●	●	●
F1.3	Content scheduling	●	●P	●	●$	●	●	●$	●
F1.4	Revision history	●	●	●	●$	●	●	●	◐
F1.5	Autosave and draft recovery	●	●	●	●	●	●	●	●
F1.6	Content preview	●	●	●	●$	●	●	●	●
F1.7	In-context editing	◐	◐	○	✗	✗	○	✗	●

Assessment notes:

Strapi F1.1: Admin panel provides JSON-based content editing; visual editing requires frontend implementation or third-party editor integration
Contentful F1.1: Rich text editor available but not WYSIWYG for final rendered output; requires preview integration
Ghost F1.7: Editor shows formatted preview but not actual site template rendering
Strapi F1.3: Scheduled publishing available in Pro/Enterprise plans only
Webflow F1.4: Revision history available but limited compared to dedicated CMS; backup-based rather than per-field

Content organisation and structure

Req ID	Requirement	WordPress	Drupal	Wagtail	Strapi	Ghost	Joomla	Contentful	Webflow
F2.1	Hierarchical content	●	●	●	◐	○	●	◐	●
F2.2	Taxonomy and categorisation	●	●	●	●	●	●	●	◐
F2.3	Content types and custom fields	●	●	●	●	◐	●P	●	●
F2.4	Content relationships	●P	●	●	●	◐	●P	●	●
F2.5	Reusable content blocks	●	●	●	●	○	●	●	●
F2.6	Menu and navigation management	●	●	●	✗	◐	●	✗	●

Assessment notes:

Strapi F2.1: Relations support parent-child but no built-in hierarchical URL generation; requires custom implementation
Ghost F2.1: Pages are flat; hierarchy through navigation menus only
Ghost F2.3: Limited to posts and pages with tags/authors; custom fields via code injection only
Strapi/Contentful F2.6: Headless CMS; menu structure must be implemented in frontend
Webflow F2.2: Reference fields provide tagging; hierarchical taxonomies require workarounds

Multi-language and localisation

Req ID	Requirement	WordPress	Drupal	Wagtail	Strapi	Ghost	Joomla	Contentful	Webflow
F3.1	Multi-language content	●P	●	●	●	◐	●	●	●$
F3.2	Language fallback	●P	●	●	●	✗	●	●	◐
F3.3	RTL language support	●P	●	●	●	◐	●	●	●
F3.4	Date/number formatting	●P	●	●	◐	◐	●	●	◐

Assessment notes:

WordPress F3.1-F3.4: Requires plugin (WPML or Polylang) for full multi-language support; not core functionality
Ghost F3.1: Publication settings support multiple languages but require separate Ghost installations or custom routing
Webflow F3.1: Localisation available on CMS plan and above with site-wide language variants

Workflow and collaboration

Req ID	Requirement	WordPress	Drupal	Wagtail	Strapi	Ghost	Joomla	Contentful	Webflow
F4.1	Editorial workflow stages	●P	●	●	●$	○	●P	●$	○
F4.2	Content approval process	●P	●	●	●$	✗	●P	●$	○
F4.3	Collaborative editing	◐	◐	◐	✗	◐	○	◐	●
F4.4	Comments and annotations	●P	●P	●	✗	✗	○	●$	●
F4.5	Assigned tasks	●P	●P	●	✗	✗	○	✗	○

Assessment notes:

Strapi F4.1-F4.2: Review workflows available in Pro and Enterprise plans only
Contentful F4.1-F4.2: Workflows available on Team plan and above
Ghost F4.1: Draft and published states only; no custom workflow stages
Webflow F4.3: Real-time collaborative design; content editing collaboration more limited

Design and theming

Req ID	Requirement	WordPress	Drupal	Wagtail	Strapi	Ghost	Joomla	Contentful	Webflow
F5.1	Theme customisation	●	●	●	-	●	●	-	●
F5.2	Responsive design	●	●	●	-	●	●	-	●
F5.3	Component library	●	●	●	-	◐	●	-	●
F5.4	Visual page builder	●P	●P	○	-	○	●P	-	●
F5.5	Brand asset management	◐	◐	●	●	◐	◐	●	●

Assessment notes:

Strapi/Contentful F5.1-F5.4: Headless CMS; presentation layer implemented separately
WordPress F5.4: Block editor provides some visual building; dedicated page builders (Elementor, Divi) as plugins
Wagtail F5.4: StreamField provides structured content blocks but not drag-drop visual layout
Webflow F5.4: Visual builder is core functionality with full layout control

SEO and metadata

Req ID	Requirement	WordPress	Drupal	Wagtail	Strapi	Ghost	Joomla	Contentful	Webflow
F6.1	SEO metadata management	●P	●P	●	◐	●	●P	◐	●
F6.2	URL control	●	●	●	◐	●	●	-	●
F6.3	XML sitemap	●P	●P	●P	-	●	●P	-	●
F6.4	Canonical URLs	●P	●P	●	-	●	●P	-	●
F6.5	Structured data	●P	●P	◐	-	●	●P	-	●
F6.6	Indexing control	●P	●P	●	-	●	●P	-	●

Assessment notes:

WordPress/Drupal/Joomla F6.x: Core provides basic capabilities; SEO plugins (Yoast, RankMath, SEO module) provide full feature set
Strapi/Contentful F6.x: SEO implementation responsibility of frontend; content model can include SEO fields
Wagtail F6.1: Built-in promote tab with SEO fields; SEO plugins available for additional features

Technical capability comparison

Deployment and hosting

Req ID	Requirement	WordPress	Drupal	Wagtail	Strapi	Ghost	Joomla	Contentful	Webflow
T1.1	Self-hosted deployment	●	●	●	●	●	●	✗	✗
T1.2	Managed cloud deployment	●	●	●	●	●	●	●	●
T1.3	Container deployment	●	●	●	●	●	◐	-	-
T1.4	Static site generation	●P	●P	●P	●	●P	✗	●	●
T1.5	Database options	MySQL, MariaDB	MySQL, MariaDB, PostgreSQL, SQLite	PostgreSQL, MySQL, SQLite	PostgreSQL, MySQL, MariaDB, SQLite	MySQL	MySQL, PostgreSQL	-	-

Deployment requirements:

Tool	Self-hosted requirements	Minimum resources	Managed hosting options
WordPress	PHP 7.4+, MySQL 5.7+ or MariaDB 10.4+	1 CPU, 512MB RAM, 1GB storage	WordPress.com, WP Engine, Kinsta, Pressable, many others
Drupal	PHP 8.1+, MySQL 8.0+, MariaDB 10.6+, or PostgreSQL 14+	2 CPU, 2GB RAM, 2GB storage	Acquia, Pantheon, Platform.sh
Wagtail	Python 3.10+, Django 4.2+, PostgreSQL 12+ (recommended)	2 CPU, 2GB RAM, 5GB storage	Divio, Platform.sh, various Django hosts
Strapi	Node.js 18+, npm 6+, PostgreSQL 14+ (recommended)	2 CPU, 2GB RAM, 1GB storage	Strapi Cloud, Platform.sh, Railway, Render
Ghost	Node.js 18+, MySQL 8.0+	1 CPU, 1GB RAM, 1GB storage	Ghost(Pro), DigitalOcean marketplace, various
Joomla	PHP 8.1+, MySQL 8.0.13+ or PostgreSQL 12+	1 CPU, 512MB RAM, 1GB storage	CloudAccess, SiteGround, various
Contentful	SaaS only	-	Contentful Cloud (US, EU regions)
Webflow	SaaS only	-	Webflow hosting (AWS-backed, multiple regions)

API and headless capabilities

Req ID	Requirement	WordPress	Drupal	Wagtail	Strapi	Ghost	Joomla	Contentful	Webflow
T3.1	REST API	●	●	●	●	●	●	●	●
T3.2	GraphQL API	●P	●P	●P	●	✗	✗	●	✗
T3.3	Headless operation	●	●	●	●	●	◐	●	◐
T3.4	Webhook support	●P	●	●	●	●	●P	●	●
T3.5	API authentication	OAuth 2.0, Application passwords	OAuth 2.0, API keys, JWT	API keys, session	API keys, JWT	API keys	API keys	OAuth 2.0, API keys	OAuth 2.0, API keys

API details:

Tool	API documentation	Rate limits	GraphQL support
WordPress	developer.wordpress.org/rest-api	No default limits (plugin-configurable)	Via WPGraphQL plugin
Drupal	drupal.org/docs/drupal-apis	No default limits (module-configurable)	Via GraphQL module
Wagtail	docs.wagtail.org/en/stable/reference/api	No default limits (configurable)	Via wagtail-grapple package
Strapi	docs.strapi.io/dev-docs/api/rest	Configurable (default: none)	Native GraphQL plugin
Ghost	ghost.org/docs/content-api	Configurable per site	Not available
Joomla	api.joomla.org	No documented limits	Not available
Contentful	contentful.com/developers/docs	78 requests/second (CDA), 10 requests/second (CMA)	Native GraphQL API
Webflow	developers.webflow.com	60 requests/minute (general), 120/minute (bulk)	Not available

Security capability comparison

Authentication and access control

Req ID	Requirement	WordPress	Drupal	Wagtail	Strapi	Ghost	Joomla	Contentful	Webflow
S1.1	Multi-factor authentication	●P	●P	●P	●P	●$	●P	●	●
S1.2	SSO integration	●P	●	●P	●$	●$	●P	●	●$
S1.3	Role-based access control	●	●	●	●	◐	●	●	◐
S1.4	Per-content permissions	●P	●	●	●$	○	●P	◐	○
S1.5	Audit logging	●P	●	●	●$	○	●P	●	◐

MFA methods supported:

Tool	TOTP	WebAuthn/FIDO2	Email	SMS
WordPress (with plugin)	●	●P	●P	●P
Drupal (with module)	●	●P	●P	●P
Wagtail (with package)	●	●P	✗	✗
Strapi (with plugin)	●	✗	✗	✗
Ghost (Staff)	●	✗	✗	✗
Joomla (with plugin)	●	●P	✗	✗
Contentful	●	●	✗	✗
Webflow	●	✗	●	✗

Data protection

Req ID	Requirement	WordPress	Drupal	Wagtail	Strapi	Ghost	Joomla	Contentful	Webflow
S2.1	Encryption at rest	Host-dependent	Host-dependent	Host-dependent	Host-dependent	Host-dependent	Host-dependent	● AES-256	● AES-256
S2.2	Encryption in transit	● TLS 1.2+	● TLS 1.2+	● TLS 1.2+	● TLS 1.2+	● TLS 1.2+	● TLS 1.2+	● TLS 1.2+	● TLS 1.2+
S2.3	Data residency controls	Host-dependent	Host-dependent	Host-dependent	Host-dependent	Host-dependent	Host-dependent	● US, EU	◐ Limited
S2.4	Backup and recovery	●P	●	Host-dependent	Host-dependent	●	●	●	●

Security certifications (managed hosting/SaaS)

Certification	WordPress.com	Acquia	Ghost(Pro)	Strapi Cloud	Contentful	Webflow
SOC 2 Type II	●	●	●	●	●	●
ISO 27001	●	●	✗	✗	●	●
GDPR compliance	●	●	●	●	●	●
HIPAA eligibility	●E	●E	✗	✗	●E	✗

Operational capability comparison

Administration

Req ID	Requirement	WordPress	Drupal	Wagtail	Strapi	Ghost	Joomla	Contentful	Webflow
O1.1	Admin interface quality	●	◐	●	●	●	◐	●	●
O1.2	Configuration export	●P	●	●	●	◐	◐	●	◐
O1.3	Multi-site management	●	●	●	●	◐	○	●	●
O1.4	Environment management	●P	●	Host-dependent	●	●$	○	●	●$

Localisation support:

Tool	Admin languages	Content languages	RTL admin support
WordPress	70+	Unlimited (with plugin)	●
Drupal	100+	Unlimited	●
Wagtail	40+	Unlimited	●
Strapi	20+	Unlimited	●
Ghost	50+	Unlimited	◐
Joomla	70+	Unlimited	●
Contentful	8	Unlimited	●
Webflow	1 (English)	Unlimited	◐

Support comparison

Aspect	WordPress	Drupal	Wagtail	Strapi	Ghost	Joomla	Contentful	Webflow
Documentation quality	Excellent	Excellent	Excellent	Good	Good	Good	Excellent	Good
Community forum	● Active	● Active	● Active	● Active	● Active	● Active	● Moderated	● Active
Commercial support	Via hosts	Acquia, third-party	Third-party	●$	●$	Third-party	●	●
Enterprise support	Via hosts	Acquia Enterprise	Third-party	●E	●E	Third-party	●E	●E
Typical response (paid)	Varies	4 hours (Acquia)	Varies	24 hours	24 hours	Varies	4 hours	24 hours

Data management comparison

Import and export

Req ID	Requirement	WordPress	Drupal	Wagtail	Strapi	Ghost	Joomla	Contentful	Webflow
D1.1	Content import	●	●	◐	◐	●	●	●	◐
D1.2	Migration from major CMS	●	●	◐	◐	●	●	◐	◐
D2.1	Complete content export	●	●	●	●	●	●	●	●
D2.2	Export formats	XML, JSON	XML, JSON, CSV	JSON	JSON	JSON	XML, SQL	JSON	JSON, CSV
D2.3	Media export	●	●	●	●	●	●	●	●

Migration paths:

To →	WordPress	Drupal	Wagtail	Strapi	Ghost	Joomla
From WordPress	-	● Native	◐ Scripts	◐ Scripts	● Native	● Native
From Drupal	● Plugin	-	◐ Scripts	◐ Scripts	◐ Scripts	● Plugin
From Joomla	● Plugin	● Module	◐ Scripts	◐ Scripts	◐ Scripts	-
From Ghost	● Plugin	◐ Scripts	◐ Scripts	◐ Scripts	-	◐ Scripts

Commercial comparison

Pricing models

Tool	Type	Model	Free tier	Nonprofit programme
WordPress	Open source	Free (self-hosted) or SaaS tiers	● Full product	WordPress.com: 501(c)(3) discounts
Drupal	Open source	Free (self-hosted)	● Full product	N/A (free)
Wagtail	Open source	Free (self-hosted)	● Full product	N/A (free)
Strapi	Open core	Free Community or paid plans	● Community edition	Strapi for Good programme
Ghost	Open source	Free (self-hosted) or Ghost(Pro)	● Full product (self-hosted)	Ghost for Nonprofits: free Starter plan
Joomla	Open source	Free (self-hosted)	● Full product	N/A (free)
Contentful	Commercial	SaaS subscription	● 5 users, 25k records	Contentful for Nonprofits: 50% discount
Webflow	Commercial	SaaS subscription	● 2 pages, Webflow branding	Webflow for Nonprofits: 50% discount

Cost comparison (illustrative, monthly):

Tool	Small org (self-hosted)	Small org (managed)	Medium org (managed)
WordPress	£5-20 (VPS)	£15-50 (WordPress.com)	£100-400 (WP Engine)
Drupal	£20-50 (VPS)	£150-500 (Acquia)	£500-2000 (Acquia)
Wagtail	£20-50 (VPS)	£30-100 (Divio)	£100-500 (Platform.sh)
Strapi	£20-50 (VPS)	£99+ (Strapi Cloud)	£499+ (Strapi Cloud)
Ghost	£5-20 (VPS)	£11-31 (Ghost(Pro))	£249+ (Ghost(Pro))
Joomla	£5-20 (VPS)	£10-50 (shared hosting)	£50-200 (managed)
Contentful	N/A	Free-£300	£489+
Webflow	N/A	£14-39 (site plan)	£39-212 (site plan)

Notes:

Self-hosted costs exclude staff time for maintenance
“Small org” assumes under 50 content editors, under 100k monthly visitors
“Medium org” assumes 50-500 editors, 100k-1M monthly visitors
Nonprofit discounts not reflected in ranges above

Vendor details

Tool	Organisation	Founded	HQ location	Business model
WordPress	Automattic (WordPress.com); WordPress Foundation (software)	2003	US (San Francisco)	Open source + hosted services
Drupal	Drupal Association (software); Acquia (services)	2001	US (Belgium origin)	Open source + enterprise services
Wagtail	Torchbox (original); Wagtail community	2014	UK	Open source + agency services
Strapi	Strapi, Inc.	2015	France/US	Open core + SaaS
Ghost	Ghost Foundation	2013	Singapore (non-profit)	Open source + hosted services
Joomla	Open Source Matters, Inc.	2005	US (non-profit)	Open source
Contentful	Contentful GmbH	2013	Germany/US	SaaS subscription
Webflow	Webflow, Inc.	2013	US (San Francisco)	SaaS subscription

Jurisdictional considerations:

WordPress (Automattic), Strapi, Contentful, Webflow: US-headquartered companies subject to CLOUD Act for hosted services; self-hosted deployments avoid this
Ghost: Singapore-registered non-profit foundation; Ghost(Pro) servers in multiple regions
Drupal, Wagtail, Joomla: Open source software with no vendor jurisdiction concerns when self-hosted

Detailed tool assessments

WordPress

Type: Open source
Licence: GPL-2.0-or-later
Current version: 6.9 “Gene” (released December 2025)
Deployment options: Self-hosted (PHP/MySQL), managed hosting (numerous providers), WordPress.com SaaS
Source repository: github.com/WordPress/WordPress
Documentation: developer.wordpress.org

Overview

WordPress powers approximately 43% of websites globally, making it the dominant content management system. Originally launched as blogging software in 2003, WordPress evolved into a full CMS with the introduction of custom post types, the REST API, and the block editor (Gutenberg). The platform combines a PHP-based core with a MySQL database and templating system.

The block editor, introduced in WordPress 5.0 and continuously enhanced, provides visual content creation using modular blocks. Full Site Editing capabilities allow theme customisation through the same block interface. WordPress operates through an extensive plugin ecosystem with over 60,000 plugins in the official directory, enabling functionality from e-commerce to membership sites.

WordPress follows a predictable release schedule with major versions every 4-6 months and security updates as needed. The project is governed by the WordPress Foundation with significant contributions from Automattic (the company behind WordPress.com).

Capability assessment for website and CMS

WordPress excels at traditional website use cases where content editors need independence from developers. The block editor provides substantial visual control without code, and the mature theme ecosystem offers designs for every sector. The plugin architecture allows extending functionality without core modifications.

For mission-driven organisations, WordPress offers low technical barriers, extensive documentation, and broad hosting availability. The large user base means finding WordPress-skilled staff or contractors is straightforward. However, the plugin dependency model requires ongoing maintenance attention, and security hardening is essential given WordPress’s popularity as an attack target.

WordPress can operate headlessly through its REST API, though this was a later addition rather than core architecture. The API is comprehensive but adds complexity compared to purpose-built headless CMS platforms.

Key strengths:

Largest ecosystem of themes, plugins, and developers globally
Block editor provides visual editing without technical knowledge
Extensive documentation and community support resources
Low-cost hosting available; scales to enterprise with appropriate infrastructure
Mature REST API for headless or hybrid deployments

Key limitations:

Security requires ongoing attention due to platform popularity and plugin vulnerabilities
Performance optimisation requires caching plugins and careful configuration
Multi-language requires third-party plugins (WPML, Polylang) adding cost and complexity
Editorial workflows require plugins; not native to core
Plugin quality varies significantly; abandoned plugins create technical debt

Deployment and operations

Self-hosted requirements:

PHP: 7.4+ (8.2+ recommended)
Database: MySQL 5.7+ or MariaDB 10.4+
Web server: Apache with mod_rewrite or Nginx
Memory: 256MB minimum, 512MB+ recommended
Storage: 1GB minimum

Deployment complexity: Low. WordPress is designed for shared hosting environments; installation takes under 10 minutes on compatible hosting.

Operational overhead: Medium. Requires regular updates (core, themes, plugins), security monitoring, and backup management. Automated update capabilities reduce burden.

Upgrade path: Minor updates apply automatically by default. Major version updates require testing but typically have high backward compatibility. Plugin compatibility is the primary upgrade consideration.

Integration capabilities

API coverage: REST API covers posts, pages, users, media, taxonomies, comments, settings. Custom endpoints via plugins or custom code.

Authentication: Application passwords (native), OAuth 2.0 (plugin), JWT (plugin).

Key integrations:

Integration	Type	Status	Documentation
WooCommerce (e-commerce)	Plugin	Production	woocommerce.com/documentation
Yoast SEO	Plugin	Production	yoast.com/help
Gravity Forms	Plugin	Production	docs.gravityforms.com
Mailchimp	Plugin	Production	mailchimp.com/help
Zapier	Native	Production	zapier.com/apps/wordpress

Security assessment

Authentication: Username/password by default; MFA via plugins (Wordfence, Google Authenticator); SSO via plugins (SAML, OAuth providers).

Authorisation: Five default roles (Administrator, Editor, Author, Contributor, Subscriber) with capability system. Custom roles via plugins.

Data protection: Database encryption depends on hosting configuration. HTTPS enforced via configuration or plugin. Audit logging via plugins (WP Activity Log, Simple History).

Security track record: Frequent target due to market share. Core security is actively maintained; plugin vulnerabilities are primary attack vector. Regular security releases address disclosed vulnerabilities.

Cost analysis

Direct costs:

Software: Free
Plugins: Free to £200+/year per premium plugin
Themes: Free to £50-200 one-time

Infrastructure costs (self-hosted):

Scale	Infrastructure estimate	Notes
Small (<10k monthly visitors)	£5-20/month	Shared or basic VPS hosting
Medium (10-100k visitors)	£30-100/month	Managed WordPress or dedicated VPS
Large (100k+ visitors)	£200-1000+/month	Enterprise managed hosting with CDN

Hidden costs to consider:

Premium plugin renewals (often annual)
Security monitoring services
Development time for customisation
Ongoing maintenance labour

Organisational fit

Best suited for:

Organisations needing marketing-led website updates without developer dependency
Small IT teams or no dedicated IT where managed WordPress hosting reduces burden
Sites requiring extensive plugin functionality (membership, e-commerce, events)
Organisations where WordPress skills are already present

Less suitable for:

Highly structured content requiring strict governance (consider Drupal)
API-first projects prioritising developer experience (consider headless CMS)
Organisations unable to maintain regular update schedule

Migration considerations:

Migrating to WordPress: Importers available for most major platforms
Migrating from WordPress: Complete export via WXR format; media requires separate handling

Drupal

Type: Open source
Licence: GPL-2.0-or-later
Current version: 11.3 (released January 2026); Drupal CMS 1.x distribution also available
Deployment options: Self-hosted (PHP), managed hosting (Acquia, Pantheon, Platform.sh)
Source repository: git.drupalcode.org/project/drupal
Documentation: drupal.org/docs

Overview

Drupal is an enterprise-grade CMS known for structured content, sophisticated permissions, and multi-site capabilities. Founded in 2001, Drupal powers complex websites for governments, universities, media organisations, and large NGOs. The platform emphasises content architecture, workflow governance, and developer extensibility.

Drupal 11, released in 2024, brought modernised architecture with Symfony 7 and PHP 8.3 requirements. The January 2025 release of “Drupal CMS” (formerly Starshot) provides a more accessible distribution with pre-configured functionality for non-technical users, while core Drupal remains available for custom implementations.

Drupal’s architecture separates content, configuration, and presentation more rigorously than WordPress. Content types, views, and workflows are core concepts with granular configuration. The module ecosystem, while smaller than WordPress’s plugin directory, tends toward higher complexity and enterprise use cases.

Capability assessment for website and CMS

Drupal excels where content structure, governance, and scalability are priorities. Its content type system allows precise modelling of organisational information architecture. Workflow modules (Workspaces, Content Moderation) provide staging and approval processes suitable for regulated environments.

For multi-site deployments, Drupal’s architecture supports shared codebases with per-site configuration, valuable for organisations with federated structures. The taxonomy system handles complex categorisation schemes across large content libraries.

The tradeoff is complexity. Drupal requires more technical skill to implement and maintain than WordPress or Webflow. Theme development assumes Twig templating knowledge. While Drupal CMS aims to lower the barrier, substantial customisation still demands developer involvement.

Key strengths:

Sophisticated content modelling with custom content types, fields, and relationships
Granular permissions system supporting complex organisational structures
Multi-language handling native to core without third-party modules
Workspaces module enables content staging environments
Strong multi-site and platform capabilities

Key limitations:

Steeper learning curve for editors and administrators
Smaller pool of available developers compared to WordPress
Theme development requires Twig templating knowledge
Upgrade path between major versions historically complex (improved in recent versions)
Fewer turnkey solutions; more custom development expected

Deployment and operations

Self-hosted requirements:

PHP: 8.1+ (8.3 recommended)
Database: MySQL 8.0+, MariaDB 10.6+, or PostgreSQL 14+
Web server: Apache or Nginx
Memory: 128MB minimum, 512MB+ recommended
Storage: 100MB minimum for core; grows with content
Composer: Required for dependency management

Deployment complexity: Medium-High. Composer-based workflow requires command-line familiarity. Acquia and Pantheon provide simplified deployment for managed hosting.

Operational overhead: Medium-High. Configuration management via YAML files enables version control but adds process complexity. Regular security updates required.

Upgrade path: Minor versions (11.1, 11.2) are designed for seamless update. Major version upgrades (10 to 11) require deprecation cleanup but are simpler than historical Drupal upgrades.

Cost analysis

Direct costs:

Software: Free
Enterprise modules: Some commercial modules available (£100-500/year)

Infrastructure costs (self-hosted):

Scale	Infrastructure estimate	Notes
Small (<10k monthly visitors)	£20-50/month	VPS with Composer support
Medium (10-100k visitors)	£100-300/month	Managed Drupal hosting
Large (100k+ visitors)	£500-2000+/month	Acquia or Pantheon enterprise

Hidden costs to consider:

Developer time (Drupal expertise premium)
Module compatibility testing during upgrades
Configuration management process overhead

Organisational fit

Best suited for:

Large organisations requiring complex content governance
Multi-site or multi-language deployments
Government and higher education with accessibility compliance requirements
Organisations with existing Drupal expertise

Less suitable for:

Small organisations without developer access
Simple brochure websites
Projects requiring rapid deployment with minimal customisation

Wagtail

Type: Open source
Licence: BSD 3-Clause
Current version: 7.0 LTS (released May 2025); 7.2 stable
Deployment options: Self-hosted (Django/Python), managed hosting (Divio, Platform.sh)
Source repository: github.com/wagtail/wagtail
Documentation: docs.wagtail.org

Overview

Wagtail is a Django-based CMS that combines developer-friendly architecture with an elegant editor interface. Originally developed by UK agency Torchbox, Wagtail is used by NASA, Google, Mozilla, and numerous non-profit organisations. The platform emphasises structured content, clean code, and accessibility.

Built on Django, Wagtail inherits Python’s ecosystem advantages: clear code organisation, strong testing frameworks, and extensive libraries. The admin interface prioritises editor experience with a clean design and logical navigation. StreamField, Wagtail’s block-based content system, allows flexible page composition without sacrificing content structure.

Wagtail follows Django’s LTS model, with Long Term Support releases receiving 18 months of security updates. The project maintains active development with quarterly feature releases.

Capability assessment for website and CMS

Wagtail bridges the gap between developer-focused frameworks and editor-focused CMS platforms. Developers get clean Django code with sensible conventions; editors get an intuitive admin interface that doesn’t require technical knowledge.

StreamField deserves particular note: it provides structured content blocks that can be reordered and nested while maintaining content model integrity. This differs from WordPress’s block editor (which stores blocks as serialised HTML) or basic text fields with WYSIWYG editors.

For mission-driven organisations, Wagtail’s accessibility focus is significant. The project maintains WCAG compliance for the admin interface and provides tooling for accessible front-end development. The strong Python/Django community offers resources for organisations with Python expertise.

Key strengths:

Clean, accessible admin interface designed around editor workflows
StreamField provides structured yet flexible content composition
Django foundation offers clear architecture and testing capabilities
Strong accessibility commitment (admin and output)
BSD licence permits any use including proprietary modifications

Key limitations:

Requires Django/Python development skills for implementation
Smaller ecosystem than WordPress or Drupal; fewer pre-built solutions
Visual page builder capabilities less developed than proprietary alternatives
Hosting options more limited; fewer one-click deployments available

Deployment and operations

Self-hosted requirements:

Python: 3.10+
Django: 4.2+ (5.0+ recommended)
Database: PostgreSQL 12+ (recommended), MySQL 8+, SQLite
Web server: Nginx + Gunicorn or equivalent
Memory: 512MB minimum, 2GB+ recommended

Deployment complexity: Medium. Django deployment knowledge required. Platform.sh and Divio provide streamlined deployment.

Operational overhead: Low-Medium. Django’s clear architecture simplifies maintenance. Regular updates are smaller and more predictable than WordPress.

Cost analysis

Infrastructure costs (self-hosted):

Scale	Infrastructure estimate	Notes
Small	£20-40/month	VPS with Python support
Medium	£50-150/month	Managed Django hosting
Large	£200-500+/month	Scaled infrastructure

Organisational fit

Best suited for:

Organisations with Python/Django development capability
Projects requiring clean content architecture with editorial flexibility
Accessibility-focused deployments
Organisations wanting to avoid PHP-based CMS platforms

Less suitable for:

Teams without Python development resources
Projects requiring extensive pre-built plugins
Rapid prototyping with turnkey themes

Strapi

Type: Open source (Community Edition)
Licence: MIT (Community Edition)
Current version: 5.x (released September 2024)
Deployment options: Self-hosted (Node.js), Strapi Cloud, various PaaS platforms
Source repository: github.com/strapi/strapi
Documentation: docs.strapi.io

Overview

Strapi is an open source headless CMS providing a Node.js-based content repository with REST and GraphQL APIs. The platform enables developers to define content types through an admin interface or code, then consume content via APIs in any frontend technology. Strapi v5, released in late 2024, brought TypeScript support, improved performance, and enhanced content versioning.

As a headless CMS, Strapi separates content management from presentation entirely. Content editors work in Strapi’s admin panel; developers build frontends using any framework (React, Vue, Next.js, mobile apps, etc.) that consume Strapi’s APIs. This architecture suits omnichannel content delivery and JavaScript-focused development teams.

Strapi operates on an open-core model: the Community Edition is MIT-licensed and includes core CMS functionality, while paid tiers (Pro, Enterprise) add features like review workflows, SSO, and enhanced support.

Capability assessment for website and CMS

Strapi excels when development teams need a flexible content backend without frontend constraints. The content type builder allows rapid modelling through the admin UI, generating both database schemas and API endpoints automatically. For JavaScript/TypeScript teams, Strapi integrates naturally with modern frontend tooling.

For mission-driven organisations, Strapi works well when: the organisation has frontend development capability, content will be delivered to multiple channels (web, mobile, digital signage), or there’s a desire to avoid WordPress/PHP legacy. The self-hosted option provides data control without SaaS dependency.

The primary tradeoff is that Strapi doesn’t include frontend presentation. Organisations must build or commission frontend development, adding project scope compared to traditional CMS platforms with themes.

Key strengths:

Flexible content modelling through visual admin or code
REST and GraphQL APIs generated automatically
MIT licence for Community Edition with no usage restrictions
Node.js/TypeScript architecture aligns with modern JavaScript development
Strong self-hosted option for data sovereignty

Key limitations:

No frontend presentation; requires separate frontend development
Editorial workflow features require paid plans
Smaller ecosystem than WordPress; fewer integrations
Admin interface not designed for complex content workflows
Breaking changes between major versions require migration effort

Deployment and operations

Self-hosted requirements:

Node.js: 18+ or 20+
Database: PostgreSQL 14+ (recommended), MySQL 8+, MariaDB, SQLite
Memory: 2GB minimum
Storage: 1GB minimum

Deployment complexity: Low-Medium. Standard Node.js deployment; Strapi Cloud provides managed option.

Operational overhead: Medium. Regular updates required; v4 to v5 migration required code changes.

Cost analysis

Direct costs:

Community Edition: Free
Pro: From £99/month
Enterprise: Custom pricing

Infrastructure costs:

Scale	Infrastructure estimate	Notes
Small	£15-40/month	VPS or Strapi Cloud Starter
Medium	£100-300/month	Strapi Cloud Pro or scaled infrastructure
Large	£500+/month	Strapi Cloud Enterprise or custom infrastructure

Organisational fit

Best suited for:

JavaScript/TypeScript development teams
Multi-channel content delivery projects
Organisations wanting API-first architecture
Projects where frontend is built by separate team

Less suitable for:

Organisations without frontend development capability
Simple websites where traditional CMS suffices
Content-heavy editorial workflows without paid tier

Ghost

Type: Open source
Licence: MIT
Current version: 6.x (6.12 as of January 2026)
Deployment options: Self-hosted (Node.js), Ghost(Pro) managed service
Source repository: github.com/TryGhost/Ghost
Documentation: ghost.org/docs

Overview

Ghost is a publishing platform focused on professional blogs, newsletters, and membership sites. Originally launched in 2013 as a WordPress alternative for writers, Ghost has evolved into a complete publishing ecosystem with native membership, newsletter, and monetisation features. The Ghost Foundation operates as a non-profit organisation.

Ghost’s architecture centres on publishing workflows: writing, scheduling, sending newsletters, managing subscribers, and processing payments. The editor provides distraction-free writing with keyboard shortcuts and Markdown support. Unlike WordPress’s extensible plugin architecture, Ghost focuses on core publishing features with limited but high-quality integrations.

The platform can operate as a traditional CMS (Handlebars-based themes render content) or headlessly via the Content API. Ghost(Pro) managed hosting provides a turnkey solution; self-hosting is free but requires Node.js infrastructure.

Capability assessment for website and CMS

Ghost excels specifically for publishing: blogs, newsletters, and membership publications. The writing experience is polished, and native newsletter integration eliminates the need for separate email platforms. For organisations whose primary digital presence is content publishing, Ghost provides focused functionality without CMS complexity.

For mission-driven organisations, Ghost’s nonprofit status and transparent governance align with sector values. Ghost for Nonprofits provides free hosting for qualifying organisations. The platform’s simplicity reduces maintenance burden compared to extensible CMS platforms.

Ghost’s limitations are scope-related. It’s designed for posts and pages, not complex content types. There’s no plugin system; functionality not in core requires custom theme development or external integration. Sites needing events, job boards, or complex taxonomies will find Ghost insufficient.

Key strengths:

Excellent writing and publishing experience
Native membership and newsletter functionality
Clean, focused feature set without complexity
Non-profit governance with transparent development
Low operational overhead compared to extensible CMS

Key limitations:

Limited to posts, pages, and tags; no custom content types
No plugin architecture; extensibility through themes and integrations only
Multi-language requires separate Ghost installations
Fewer themes and customisation options than WordPress
SEO customisation less extensive than dedicated plugins

Cost analysis

Direct costs:

Self-hosted: Free
Ghost(Pro) Starter: £11/month
Ghost(Pro) Creator: £31/month
Ghost(Pro) Team: £63/month
Ghost(Pro) Business: £249+/month
Ghost for Nonprofits: Free Starter plan for qualifying organisations

Organisational fit

Best suited for:

Blog-focused or newsletter-focused communications
Organisations wanting integrated membership/subscription
Teams prioritising writing experience over site-building flexibility
Nonprofits eligible for Ghost for Nonprofits programme

Less suitable for:

Complex websites with multiple content types
Sites requiring extensive customisation or plugins
Multi-language publications (without separate installations)

Joomla

Type: Open source
Licence: GPL-2.0-or-later
Current version: 6.0.2 (released January 2026); 5.4.2 LTS also supported
Deployment options: Self-hosted (PHP/MySQL), managed hosting (various providers)
Source repository: github.com/joomla/joomla-cms
Documentation: docs.joomla.org

Overview

Joomla is an open source CMS that occupies the middle ground between WordPress’s accessibility and Drupal’s complexity. Launched in 2005 as a fork of Mambo, Joomla is governed by Open Source Matters, Inc., a non-profit organisation. The platform powers approximately 2% of websites globally.

Joomla provides more built-in functionality than WordPress out of the box, including multi-language support, access control levels, and article versioning as core features. The extension ecosystem offers components, modules, and plugins, though the directory is smaller than WordPress’s. Joomla 5 and 6 brought modernised architecture with PHP 8 support and improved upgrade paths.

Capability assessment for website and CMS

Joomla suits organisations wanting more structure than WordPress without Drupal’s complexity. Native access control levels (viewing, editing, publishing) provide content governance without plugins. Multi-language support is built-in rather than requiring commercial plugins as with WordPress.

For mission-driven organisations, Joomla’s non-profit governance and mature feature set provide a stable foundation. The smaller community compared to WordPress means fewer resources and developers, but also less noise and more focused support.

Joomla’s market position has declined relative to WordPress, resulting in fewer new themes and extensions. Organisations should consider long-term ecosystem viability when selecting Joomla.

Key strengths:

Native multi-language support without commercial plugins
Granular access control built into core
Non-profit governance structure
More structured than WordPress; less complex than Drupal
Large installed base with long-term support track record

Key limitations:

Smaller community and ecosystem than WordPress
Fewer modern themes and contemporary designs
Finding Joomla developers can be challenging
Market share decline raises long-term considerations
Admin interface less polished than competitors

Organisational fit

Best suited for:

Multi-language sites where WordPress plugin costs are prohibitive
Organisations with existing Joomla expertise
Sites requiring content access control without premium plugins
Community or membership sites using built-in ACL

Less suitable for:

New projects without specific Joomla requirements
Teams needing access to large developer talent pool
Projects requiring modern visual building capabilities

Contentful

Type: Commercial SaaS
Licence: Proprietary
Current version: SaaS (continuous updates)
Deployment options: SaaS only (US and EU data centres)
Source repository: N/A (proprietary)
Documentation: contentful.com/developers/docs

Overview

Contentful is an enterprise-grade headless CMS that provides content infrastructure via APIs. Founded in Berlin in 2013, Contentful has become a leading player in the enterprise headless CMS market, with customers including Spotify, Vodafone, and the British Red Cross. The platform operates entirely as SaaS with no self-hosted option.

Contentful’s architecture separates content modelling (defining content types and fields) from content delivery (APIs serving content to applications). The platform provides REST, GraphQL, and Image APIs, with SDKs for major programming languages. Content is delivered through a global CDN for performance.

The platform operates on tiered pricing: a Community tier provides limited free usage, while Team and Enterprise tiers add collaboration features, higher limits, and compliance certifications.

Capability assessment for website and CMS

Contentful excels as enterprise content infrastructure for multi-channel delivery. The content modelling capabilities are sophisticated, allowing complex relationships and localisation. The API performance (backed by CDN) suits high-traffic applications. For organisations with development resources needing robust content APIs, Contentful provides a polished solution.

For mission-driven organisations, considerations include cost (subscription fees exceed self-hosted alternatives at scale), vendor dependency (no self-hosting escape route), and jurisdiction (US-headquartered company, though EU data centres available).

Key strengths:

Sophisticated content modelling with relationships and localisation
High-performance API delivery via global CDN
Polished admin interface with strong editor experience
Extensive app marketplace for integrations
EU data residency option available

Key limitations:

No self-hosted option; complete vendor dependency
Significant cost at scale; consumption-based pricing can be unpredictable
US-headquartered company subject to CLOUD Act
Requires frontend development; no presentation layer
Community tier limitations (5 users, 25k records)

Cost analysis

Direct costs:

Community: Free (5 users, 25k records, 1 space)
Team: From £300/month (20 users)
Enterprise: Custom pricing
Contentful for Nonprofits: 50% discount on paid plans

Organisational fit

Best suited for:

Enterprise organisations with frontend development capability
Multi-channel content delivery requirements
Projects requiring high-availability content APIs
Organisations with budget for SaaS CMS investment

Less suitable for:

Organisations requiring data sovereignty or self-hosting
Small organisations or limited budgets
Projects where traditional CMS would suffice

Webflow

Type: Commercial SaaS
Licence: Proprietary
Current version: SaaS (continuous updates)
Deployment options: SaaS only (AWS-backed hosting)
Source repository: N/A (proprietary)
Documentation: developers.webflow.com

Overview

Webflow combines visual web design tools with CMS and hosting capabilities. The platform enables designers to build responsive websites visually while generating clean HTML, CSS, and JavaScript. Launched in 2013, Webflow has grown significantly among agencies and marketing teams who want design control without traditional development workflows.

Unlike headless CMS platforms, Webflow provides integrated design and CMS capabilities. The visual Designer allows pixel-level control over layout, styling, and interactions. The CMS Collections feature enables dynamic content with a visual content modelling interface. Sites are hosted on Webflow’s AWS-backed infrastructure with global CDN.

Capability assessment for website and CMS

Webflow suits organisations prioritising design control over content structure. Marketing teams and designers can create sophisticated websites without developer involvement. The visual interface produces actual CSS (not an abstraction layer), so the output code is standards-compliant and exportable.

For mission-driven organisations, Webflow reduces dependency on developers for website updates, potentially lowering costs. The learning curve for the visual designer is substantial but results in significant team capability. Webflow for Nonprofits provides discounted pricing.

Limitations include the SaaS-only model, limited CMS capabilities compared to dedicated platforms, and the learning curve for the visual editor. Sites with complex content structures may outgrow Webflow’s CMS limitations.

Key strengths:

Visual design control producing real CSS
Integrated hosting with global CDN
CMS enables dynamic content within visual design
Interactions and animations without code
Export option for static sites (design, not CMS)

Key limitations:

SaaS-only; no self-hosting option
CMS capabilities limited compared to dedicated platforms
Significant learning curve for visual designer
API limitations for complex integrations
E-commerce capabilities less mature than dedicated platforms

Cost analysis

Direct costs:

Site Plans:
- Starter: Free (2 pages, Webflow branding)
- Basic: £14/month (custom domain)
- CMS: £23/month (up to 2,000 CMS items)
- Business: £39/month (10,000 CMS items)
- Enterprise: Custom pricing
Webflow for Nonprofits: 50% discount

Organisational fit

Best suited for:

Marketing-led website development without developers
Design agencies building client sites
Organisations wanting integrated design, CMS, and hosting
Landing pages and marketing sites with moderate dynamic content

Less suitable for:

Complex content management requirements
Organisations requiring self-hosting or data sovereignty
Sites with thousands of pages or complex relationships
Developer-led projects preferring code control

Selection guidance

Decision framework

Use this framework to narrow options based on your constraints:

                                    START
                                      |
                                      v
                     +--------------------------------+
                     | Must data remain in your      |
                     | direct control (not SaaS)?    |
                     +---------------+----------------+
                                     |
                     +---------------+---------------+
                     |                               |
                     v                               v
                    YES                             NO
                     |                               |
                     v                               v
          +------------------+           +----------------------+
          | Self-hosted      |           | Do you have frontend |
          | options only:    |           | development capacity?|
          | WordPress        |           +----------+-----------+
          | Drupal           |                      |
          | Wagtail          |            +---------+---------+
          | Strapi           |            |                   |
          | Ghost            |            v                   v
          | Joomla           |           YES                 NO
          +------------------+            |                   |
                                          v                   v
                               +------------------+ +------------------+
                               | Consider all,    | | Traditional CMS  |
                               | including:       | | with themes:     |
                               | Strapi           | | WordPress        |
                               | Contentful       | | Ghost (Pro)      |
                               | Wagtail          | | Webflow          |
                               +------------------+ +------------------+

Figure 1: Initial filtering based on deployment and capability requirements

Recommendations by organisational context

For organisations with minimal IT capacity

Primary recommendation: WordPress with managed hosting

WordPress provides the lowest barrier to entry, largest ecosystem of pre-built solutions, and most available support options. Managed hosting (WordPress.com, WP Engine, or similar) reduces operational burden. The block editor enables content creation without technical skills, and thousands of themes provide turnkey designs.

Alternative: Webflow if design control is priority and CMS needs are moderate. Ghost if focus is publishing/newsletter and eligible for Ghost for Nonprofits.

Avoid: Self-hosted Drupal, Wagtail, or Strapi without development resources.

For organisations with established IT capacity

Primary recommendation: Depends on technical stack and requirements

Python/Django expertise: Wagtail provides clean architecture with excellent editor experience
JavaScript/Node.js expertise: Strapi offers flexible headless content management
PHP expertise with complex governance needs: Drupal provides sophisticated content structures
Multi-channel content delivery: Strapi or Contentful for API-first architecture

Alternative: WordPress remains viable with Enterprise-grade managed hosting (Acquia, WP VIP, Pantheon) providing the operational support.

For organisations with specific constraints

Strict data sovereignty requirements:

Self-hosted options only: WordPress, Drupal, Wagtail, Strapi, Ghost, Joomla
Avoid: Contentful, Webflow (no self-hosting option)

Multi-language without commercial plugins:

Primary: Drupal (native multi-language), Joomla (native multi-language)
Alternative: Wagtail, Strapi (native internationalisation)

Minimal budget:

Primary: WordPress self-hosted, Ghost self-hosted, Joomla
Consider: Ghost for Nonprofits (free Starter), Webflow for Nonprofits (50% discount)

Publishing and newsletter focus:

Primary: Ghost
Alternative: WordPress with newsletter plugin

Migration paths

From	To	Complexity	Typical approach	Timeline
WordPress	Drupal	High	Migrate module, content mapping, theme rebuild	2-6 months
WordPress	Wagtail	High	Custom migration scripts, content restructuring	2-4 months
WordPress	Ghost	Medium	Ghost importer for posts/pages, theme adaptation	1-2 months
Drupal	WordPress	Medium	FG Drupal plugin, field mapping, theme selection	1-3 months
Joomla	WordPress	Medium	FG Joomla plugin, category mapping, theme	1-2 months
Any	Headless (Strapi/Contentful)	High	Content model design, API migration, frontend build	3-6 months

External resources

Official documentation

Open source projects

Tool	Documentation	Repository	Community
WordPress	developer.wordpress.org	github.com/WordPress/WordPress	wordpress.org/support
Drupal	drupal.org/docs	git.drupalcode.org/project/drupal	drupal.org/community
Wagtail	docs.wagtail.org	github.com/wagtail/wagtail	wagtail.org/slack
Strapi	docs.strapi.io	github.com/strapi/strapi	discord.strapi.io
Ghost	ghost.org/docs	github.com/TryGhost/Ghost	forum.ghost.org
Joomla	docs.joomla.org	github.com/joomla/joomla-cms	forum.joomla.org

Commercial products

Tool	Documentation	API reference	Nonprofit programme	Security
Contentful	contentful.com/developers/docs	contentful.com/developers/docs/references	contentful.com/nonprofit	contentful.com/security
Webflow	developers.webflow.com	developers.webflow.com/data/reference	webflow.com/for/nonprofits	webflow.com/security

Relevant standards

Standard	Description	URL
WCAG 2.1	Web Content Accessibility Guidelines	w3.org/WAI/WCAG21
Schema.org	Structured data vocabulary	schema.org
Open Graph Protocol	Social sharing metadata	ogp.me
RSS/Atom	Syndication formats	validator.w3.org/feed