WonderCMS features

Security features

  • WonderCMS supports HTTPS out of the box. Check how to turn on better security mode.
  • All CSS and JS libraries include Subresource Integrity (SRI) tags. The browser refuses to load a library whose content does not match the hash in its tag, which prevents any unauthorized changes to the libraries being loaded.
  • WonderCMS encourages you to pick a good custom login URL (in Settings -> Security), as a login page that is hard to find prevents brute force attacks. Search engines don't index or find your login URL, as it always returns a 404 status.
  • The admin password is hashed using PHP's password_hash and password_verify functions.
  • WonderCMS includes CSRF verification tokens and uses the hash_equals function to prevent timing attacks.
  • Your website is completely independent and detached from WonderCMS servers. All updates are pushed through GitHub.
  • GDPR compliant: WonderCMS uses only 1 session state cookie, which distinguishes a logged-in user from a logged-out user.
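
The password hashing and CSRF token checks listed above can look like this in plain PHP. This is an added example, not WonderCMS source code; the function names and the demo values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration; not WonderCMS source code. Function names are hypothetical.

/** Hash the admin password for storage; password_hash() salts it automatically. */
function hashAdminPassword(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT);
}

/** Check a login attempt and report whether the stored hash should be upgraded. */
function checkLogin(string $plain, string $storedHash): array
{
    $ok = password_verify($plain, $storedHash);
    return [
        'ok' => $ok,
        // True when PASSWORD_DEFAULT or its cost changed since the hash was made.
        'rehash' => $ok && password_needs_rehash($storedHash, PASSWORD_DEFAULT),
    ];
}

/** Return the per-session CSRF token, creating it on first use. */
function csrfToken(array &$session): string
{
    if (empty($session['token'])) {
        $session['token'] = bin2hex(random_bytes(32));
    }
    return $session['token'];
}

/** Compare a submitted token with the session token in constant time. */
function csrfValid(array $session, $submitted): bool
{
    // Reject missing or non-string input (e.g. token[]=x) before hash_equals(),
    // which throws a TypeError on non-strings.
    if (!is_string($submitted) || empty($session['token'])) {
        return false;
    }
    return hash_equals($session['token'], $submitted);
}

// Constructed demo values; in a real request pass $_SESSION and $_POST['token'].
$session = [];
$hash = hashAdminPassword('correct horse battery staple');
$token = csrfToken($session);
var_dump(checkLogin('correct horse battery staple', $hash)['ok']);
var_dump(checkLogin('wrong guess', $hash)['ok']);
var_dump(csrfValid($session, $token));
var_dump(csrfValid($session, ['x']));
var_dump(csrfValid($session, substr($token, 0, -1) . 'x'));
```

The stored token is passed as the first argument to hash_equals() and the submitted value as the second, so the comparison time does not depend on how many leading characters of a guess are correct.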

no setup - unzip and upload

inline click and edit functionality

1 click update

open source & free

clean URLs

developed since 2008

no link back required (no "powered by" link)

can be used as a skeleton for a web app/website


1 click backup

file uploader

theme and plugin installer

easy to theme


highlighted current page in menu

lightweight - runs on 5 files

simple page deleting/creating

custom login URL

custom homepage

optional - functions.php automatically includes itself when created in any theme folder

SEO - custom title, keywords and description for each page

works by default on Apache (NGINX and IIS require editing one server file)

custom 404 page

Demo playground
Download WonderCMS 2.7.0 14kb