concretecms
Concrete CMS is an open-source PHP content management system maintained by a distributed community. It provides a web-based interface for building and managing content-driven sites without requiring extensive coding.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | concretecms/concretecms |
| Owner | concretecms |
| Primary language | PHP |
| License | MIT — OSI-approved |
| Stars | 847 |
| Forks | 479 |
| Open issues | 509 |
| Latest release | 9.5.2 (2026-06-03) |
| Last updated | 2026-06-15 |
| Source | https://github.com/concretecms/concretecms |
What concretecms is
PHP-based CMS built on a modular framework architecture with Composer dependency management. Actively developed with v9.5.2 as the latest release; legacy branches (8.5.x, 5.7.x) available for older versions.
Get the concretecms source
Clone the repository and explore it locally.
git clone https://github.com/concretecms/concretecms.gitcd concretecms# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Requires PHP runtime (version not specified in README; check documentation.concretecms.org for requirements).
- Installation via Composer; dependency management standard but vendor lock-in typical for PHP ecosystems.
- Active development branch (9.x) with legacy branches (8.5.x, 5.7.x) still available; plan upgrade path before deployment.
- 509 open issues suggest active feature requests and bug backlog; assess priority of unresolved items.
- Community-driven maintenance model; response times and patch priority may vary vs. commercial CMS vendors.
When to avoid it — and what to weigh
- High security audit requirements — Organizations subject to strict security compliance (HIPAA, PCI-DSS) should conduct independent security review before deployment; no audited security posture stated.
- Headless or API-first architecture required — Limited information on REST/GraphQL API maturity; traditional CMS architecture may not align with modern decoupled frontend needs.
- Large-scale distributed deployments — Enterprise scale-out patterns (caching, clustering, CDN integration) not documented; primarily targets single-instance deployments.
- No PHP hosting available — Requires PHP runtime; not portable to Node.js, Python, or JVM-only infrastructure without significant rearchitecture.
License & commercial use
MIT License (OSI-approved, permissive). Permits commercial and proprietary use, modification, and distribution with minimal restrictions.
MIT license explicitly allows commercial use without royalty or attribution requirements. However, use of third-party PHP libraries bundled via Composer may have their own licenses; audit composer.lock and DEPENDENCIES to confirm compliance for your use case. No commercial support or SLA offered by the open-source project; consider commercial support vendors if needed.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Moderate |
| DEV.co fit | Good |
| Assessment confidence | High |
No security audit, CVE tracking, or formal security policy documented in provided data. Community-driven model means security patches depend on volunteer effort and community reporting. Recommend: (1) audit composer.lock for upstream vulnerabilities, (2) review closed security issues on GitHub, (3) implement standard PHP security practices (input validation, prepared statements), (4) keep dependencies updated.
Alternatives to consider
WordPress
Larger ecosystem, more plugins, better commercial support, but heavier and less code-transparent; similar PHP foundation.
Statamic
Modern PHP CMS with Laravel foundation, better modern developer experience, but smaller community; similar licensing model.
Strapi (Node.js)
Headless CMS, JavaScript-native, better for decoupled frontends; requires Node.js instead of PHP.
Build on concretecms with DEV.co software developers
Review system requirements, security posture, and integration needs at documentation.concretecms.org. Contact us for guidance on deployment, support, or custom development.
Talk to DEV.coRelated on DEV.co
Explore the category and the services that help you build with it.
concretecms FAQ
Is Concrete CMS suitable for large enterprise deployments?
What PHP version is required?
Can I use Concrete CMS in a commercial product?
What database backend is supported?
Software development & web development with DEV.co
Need help beyond evaluating concretecms? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source cms integrations — and maintain them long-term.
Evaluate Concrete CMS for Your Project
Review system requirements, security posture, and integration needs at documentation.concretecms.org. Contact us for guidance on deployment, support, or custom development.