I've worked with WordPress for over 9 years and set up probably over 100 sites, but can't wait for it to die.
It's easy to set up and the ecosystem is great, but the security issues are massive and there's really no reason for content to be stored in a database for the majority of sites.
I hope a static site generator comes along with an intuitive UI for non-technical people to easily update their own content.
There are dozens of static generators, and frankly I don't think they're a great alternative. Put a cache in front of WP and you're done. Then when you want to do a redesign, you don't have to futz with dozens of static pages.
What's that? You've stored your content separately so that you can just regenerate the pages when changing site designs? It's a system for letting you manage your content separately from the rest of the mechanics of the site? The content files are stored on a journaled file system like EXT4 or NTFS? That's fantastic. It's just like a DB backed CMS that stores flat files for cache.
I'm not saying static page generators aren't useful, but I am saying that the difference between that and a cached wordpress install is virtually nil.
If you're lucky enough to install well-written (or self-written) plugins which withstand major version updates, you can set `WP_AUTO_UPDATE_CORE` to `true` in your wp-config and it will auto-update to any latest version. There's an added risk of plugins not working, but you'll stay up to date.
WP auto update is sort of nice in that you stay updated (but who the heck knows what will happen if you have one MySQL server and multiple www servers), except it means that your webroot is writable by PHP, which is not a great thing, because someone who finds an arbitrary file write issue before it's patched (or before auto update triggers) will be able to add their own files to your webroot -- whether that's defacement, malware installers, warez drops, bitcoin mining, shells for later; it's all pretty nasty.
There are risks with all security protocols and you called out valid ones with auto update.
Do you have ideas for superior methods? A bit upthread someone mentioned clients paying him a monthly security retainer to monitor and update. This might be good, but pretty expensive so would price out lots of users.
Static generators are clearly superior from a security point of view -- the webserver doesn't have to execute any code. But, assuming wordpress exists, it would be best if the code ran in a user context that could not write anything to the filesystem, and the code was installed with another user, which could do auto-upgrade via a crontab. An exploit could certainly leave persistent data in the database, but not on the filesystem at least. It would also be great if the database had separate credentials for the user facing site (mostly read only) and the admin facing site.
On the other hand, I don't know how possible that would be to setup for inexperienced site admins on commodity hosting.
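A way to check whether a WordPress install actually matches the layout the comment above describes (PHP runs as one user, a separate deploy user owns the code, only the uploads directory is writable). This is an added example, not code from any commenter; the user names www-data and wpdeploy and the path /var/www/site are assumptions.

```shell
#!/bin/sh
# Added example: audit a WordPress webroot for files the PHP runtime could
# modify. Assumed layout (not a WordPress default): the code is owned by a
# deploy user (wpdeploy), PHP runs as www-data, and only wp-content/uploads
# is meant to be writable by PHP.
#
# Ownership layout this audit checks against, as it would be applied once:
#   chown -R wpdeploy:www-data /var/www/site            # deploy user owns the code
#   find /var/www/site -type d -exec chmod 750 {} +     # PHP may read, not write
#   find /var/www/site -type f -exec chmod 640 {} +
#   chown -R www-data /var/www/site/wp-content/uploads  # the one writable area

# audit_webroot ROOT PHP_USER ALLOWED_DIR
# Prints every regular file under ROOT, outside ALLOWED_DIR, that PHP could
# write to: owned by PHP_USER, or group- or world-writable.
audit_webroot() {
  root="$1"; php_user="$2"; allowed="$3"
  owner_test=""
  # Only add the owner test if the account exists; find aborts on unknown users.
  if id "$php_user" >/dev/null 2>&1; then
    owner_test="-user $php_user -o"
  fi
  # shellcheck disable=SC2086  # owner_test is deliberately word-split
  find "$root" -path "$allowed" -prune -o -type f \
    \( $owner_test -perm -020 -o -perm -002 \) -print
}

# Number of offending files; 0 means the read-only layout above holds.
audit_count() {
  audit_webroot "$@" | wc -l | tr -d ' '
}

# Usage: audit_webroot /var/www/site www-data /var/www/site/wp-content/uploads
```

Run it from cron alongside the deploy-user upgrade job: a non-zero count means something outside uploads became writable, which is exactly the condition an arbitrary-file-write bug needs.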
We created Strattic to allow anyone to use WordPress (and eventually other CMSs) as static site generators. It's the best of both worlds. We're in private beta but you can check it out here: https://www.strattic.com.
My argument was with "why does content have to be in a DB?" CMSs exist for a reason. We moved away from static HTML for a reason. Hell, SSI has been around forever to help fix the problem of static HTML. In the end, he's talking about a CMS that generates cached output, and doesn't "run" on every page load, as opposed to an always-on CMS.
Anyone mixing content and styles/structure is doing it wrong. Making it right is literally the sole reason static site generators exist.
I'll take HTML5/CSS and a filesystem and a few custom markup and commands any day before touching a single line of the unholy mess that is dealing with WordPress.
And not even mentioning simple hosting, secure by definition, etc...
As long as you don't need the WP admin, theme builder, or any of the functionality the various plugins provide. Static site generators are not really competition for WP. Are there sites which don't need to be on WP? Sure, but there are plenty that do make use of the administration, themes and plugins.
>I hope a static site generator comes along with an intuitive UI for non-technical people to easily update their own content.
Those people are already served well by things like Wix and Squarespace. WordPress is essentially a point and click application development tool at this point, with integrations for anything imaginable. Yes it is insanely insecure, slow, poorly designed, and bloated. But the depth of offerings from the plugin marketplace will keep WP relevant for a long time to come with people who can't afford custom development.
Wix seems to generate the slowest loading sites on the internet. Especially loading images long after page load is done. WordPress is positively supersonic by comparison.
Does Wix optimize its images between upload and delivery?
I'd be inclined to believe that this is a side effect of Wix's target market not being aware of how to optimally compress their images for web delivery.
> If you minimize your reliance on plugins, enable automatic updates, and harden your installation, it's pretty secure. At least I haven't had issues.
My guess is that it was long too easy to not do any of those things, so it gained a reputation for being insecure. They might have mitigated a lot of the problems, but bad reputations die hard.
Static site generators, at least how they exist today, are unfortunately massively impractical for the vast majority of Wordpress users. Heck, I am a pretty technical user and even I regret moving my blog to a static generator.
Thank goodness I have found two static page generators in the wp plugin repo that actually work - I have now converted about 20 wordpress sites into static html pages and pulled the php files all down.
I could do more, but some of these sites depend on contact forms - which I know can be made outside wp - but it's extra work I can't jump into at the moment.
This has cut down the hacking on more than 20 sites - and I am doing some more as I run into them.
Tons to love with wordpress, but lots of reasons to turn it static and avoid the non-stop brute forcing of it.
Yep. I don’t understand this trend. I would never use a static blog myself unless they would offer an online administration. And it would be weird to have such a thing for something that claims to be static.
I haven't looked into this for over a decade, but that's exactly how Movable Type used to work. The blog is generated as static files by the admin interface, which is web based but can be completely isolated from the publicly facing site.
> I hope a static site generator comes along with an intuitive UI for non-technical people to easily update their own content.
This. (Although it seems a lot of people aren't in agreement) I think there used to be an app called Cactus for Mac that had a GUI and let you generate your own site. This sort of solution could work for people 1) not technical enough to run command line site generators, but 2) technical enough to buy some hosting space to drag their static site onto. If I were a hosting company, maybe I'd explore making an intuitive site generator available for free, in the hopes it could sell some light hosting plans.
Having used both Jekyll and WordPress the learning curve wasn't even close to WordPress for getting started with your first blog entry. WordPress is an hour project, Jekyll is a weekend project.
Jekyll is a weekend project if you want to set it up from scratch. If you have 100 or so wordpress posts you want to migrate, it's a pretty long and tedious and joyless project.
I'm not OP, but I've worked with Wordpress quite a bit in my day. To answer your question, it's a bit of column A and a bit of column B.
Over the last few years, Wordpress core had gotten quite a bit better (to the point that I have gone back to Wordpress for my personal site). But previously, the core was victim to some embarrassing security issues. In Wordpress' defence, I can't think of a single PHP application as old or as large as Wordpress that did not suffer from similar problems.
Plugins are often an unmitigated security clusterfuck. I've seen things in popular Wordpress extensions that have made me want to trade in my laptop for an abacus and go full luddite. (I've also seen some really wonderful code.) The big problem I see is that a plugin has to be extremely popular before anyone with much of a background in writing relatively secure code will ever read the code. And by that time, it's so popular that it keeps getting hundreds of installs no matter what kind of flaw you find. Some plugin developers/maintainers are incredibly diligent and helpful, but I've also been threatened with legal action (more than once) when I've disclosed some really amateur security issues.
But, due to how the GP seemed to conflate Wordpress, and "everything else" I wondered what was the basis for his comment. I'm pretty clear on the security of WP itself.
> Some plugin developers/maintainers are incredibly diligent and helpful, but I've also been threatened with legal action (more than once) when I've disclosed some really amateur security issues.
Most WP plugins are terrible from a security perspective, and I've found the quickest method to resolution is to send a patch to the devs, solving the problem for them and me.
Not great if you are looking for a DIY solution, however in the SAAS space I run the Engineering team at a company that is doing essentially this, https://www.pagecloud.com . Blog (if that's what you are looking for) and some other goodies on the rapid site construction side, coming very soon.
What’s funny is that Blogger used to have a static site generator and a decent authoring front-end. I don’t remember when they killed this feature, but it was around 2009.
They also supported some dynamic elements like comments and admin.