PicoCMS is flat and fast for small Web sites

Submitted by peter on Fri, 02/21/2020 - 11:40

PicoCMS is a light weight CMS, Content Management System, for a small amount of content with limited formatting. PicoCMS is the opposite of Drupal. There is a range of plugins and you will need some of the plugins for almost every Web site.

The PicoCMS Web site is http://picocms.org/. They should be using HTTPS. The version I downloaded is 2.1.1. You can download from the PicoCMS Web site or get a development version from Github, https://github.com/picocms.

The default theme is included in the download from picocms.org. Github has the default theme as a separate download. The github theme download has instructions for creating your own theme by copying then modifying the default theme.

The Github site has a Composer install for those who insist on uncontrolled automated installs of unknown code. I manually install any additional components and test the components before use.

PHP version

Pico requires PHP 5.3.6+ and the PHP extensions dom and mbstring to be enabled.

The first thing you check, before using code, is the supported version. PicoCMS supports the old PHP 5.3. PHP code should require, as a minimum, PHP 5.5 as PHP 5.5 is the start of PHP 7 compatibility. You really should be on PHP 7.1 or later.

I test with the widely used PHP 7.3. PHP 7.4 is the current release and will be the default in the next major update to most operating systems.


PicoCMS provides the following .htaccess configuration file for Apache but not Nginx. There are a few problems with the configuration as it is set up purely for really cheap Web hosting with no real security. A better configuration is to use Web hosting where you can access the directory outside of the public Web hosting directory then move sensitive files outside the Web directory.

<IfModule mod_rewrite.c>
    RewriteEngine On
    # May be required to access sub directories
    #RewriteBase /

    # Deny access to internal dirs and files by passing the URL to Pico
    RewriteRule ^(config|content|vendor|CHANGELOG\.md|composer\.(json|lock|phar))(/|$) index.php [L]
    RewriteRule (^\.|/\.)(?!well-known(/|$)) index.php [L]

    # Enable URL rewriting
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^ index.php [L]

    <IfModule mod_env.c>
        # Let Pico know about available URL rewriting

# Prevent file browsing
Options -Indexes -MultiViews

Delete unwanted files

The rewrite rule to block access to the config file and others, RewriteRule ^(config|, should be removed. Delete the files or move the files to a safe location outside the public Web root directory.

Read then delete the files CHANGELOG.md, CONTRIBUTING.md, LICENSE, and README.md.

A developer might use Git to manage code. For everyone else, you can search for and delete every .gitignore file.

The composer.json and composer.lock files can be deleted because nobody sensible will let Composer install unknown code on their Web server.

You can search for and delete the .htaccess files when you are using Nginx. I found one Web site host that uses Nginx but only as a front end cache to Apache. Check with your Web host before configuring for Nginx.

Block access

You can move the directories config, plugins, themes, and vendor out of the public Web root with some minor code changes. Open index.php in an editor then change the following three lines.

    'config/',  // config dir
    'plugins/', // plugins dir
    'themes/', // themes dir

I used the following code.

//    'config/',  // config dir
    realpath ('../config/'),  // config dir
//    'plugins/', // plugins dir
    realpath ('../plugins/'), // plugins dir
//    'themes/', // themes dir
    realpath ('../themes/'), // themes dir

Creating content

When you first run PicoCMS, the instructions for creating content are in the home page. The home page content is in directory vendor/picocms/pico/content-sample and can be browsed in a text editor at any time.

Your content goes in the content directory as a Markdown file, .md, and is presented as HTML. Due to the limitations of Markdown, PicoCMS also lets you use Markdown Extra. Due to the limitations of Markdown Extra, PicoCMS also lets you use Twig and HTML. Twig is used extensively in Themes.

Markdown has one big problem. Markdown uses spaces as a formatting character. Some of the markdown is difficult if your text editor does not display spaces as a visible character. Look for an editor that highlights spaces with a colour different to the empty background.


You can creator your own theme by copying and modifying the default theme. You need to learn the Twig templating language added on top of PHP. Twig is slow on first use for a page but Twig caches the templates to make the next pages faster. If PicoCMS is set up to use Twig caching effectively, PicoCMS pages should be fast after first use and should automatically clear the theme template cache when a theme template is changed.


The code has a mix of old thinking and fashion statements that could be improved. The class loader is one of those monster Composer things that wastes lots of resources just loading multiple lass loaders.

Names are CamelCase with the first character not upper case, camelCase. Brackets, {}, are used in a weird mixture of the worst types of indentation. Straight code is mixed with classes. Some things are specified in code while others are specified in JSON files.

The code could be made cleaner and simpler by removing Composer. The code could be made consistent instead of mixed. The code could be updated to more readable standards. Unfortunately the current fashion is the opposite, an attempt to make PHP as bad as Java.


There are plenty of plugins for PicoCMS. Some are old code from Pico version 1 and require a big compatibility plugin that is included with the download of PicoCMS 2.

Unfortunately the PicoCMS Wiki does not tell you which version works with PicoCMS without the compatibility layer. If the difference was highlighted, you could plan a PicoCMS 2 installation without the compatibility layer.

When you select individual plugins, they mention compatibility. Some of the "must have" modules, including the Sitemap module, are version 1 modules. You are stuck with the overhead of the compatibility layer for most Web sites.

Some of the plugins do not make sense. There is a plugin to compress the Web page output but your Web server should do that automatically.

Some of the plugins are incomplete. The Pico Cache module provides a cache for generated HTML but not the basic options for cache use. There is no "no cache" option for dynamic pages, something that could be set in a page heading. There is no automatic removal of cached pages when the content is changed. It needs some other cache management features if used on a site with a large number of pages.

The Pico Cache module could simple use the Twig page cache option and let Twig do all the work. Pico Cache would then be just a cache management module.


PicoCMS is a CMS to look at for a small site with very simple page content. PicoCMS would not handle my content without extra plugins and major work on some exiting plugins. I do not feel like contributing to PicoCMS if it is to continue the current direction of development.