Caching your WordPress instance does absolutely nothing in helping with security.

I refuse to set up a new WordPress instance for any client unless they are also paying me a monthly retainer to keep it updated and secure.

If you're lucky enough to install well-written (or self-written) plugins which withstand major version updates, you can set `WP_AUTO_UPDATE_CORE` to `true` in your wp-config and it will auto-update to any latest version. There's an added risk of plugins not working, but you'll stay up to date.

WP auto update is sort of nice in that you stay updated (but who the heck knows what will happen if you have one MySQL server and multiple www servers), except it means that your webroot is writable by PHP, which is not a great thing, because someone who finds an arbitrary file write issue before it's patched (or before auto update triggers) will be able to add their own files to your webroot -- weather that's defacement, malware installers, warez drops, bitcoin mining, shells for later; it's all pretty nasty.

WP auto update is nice...until a WP update breaks the functionality! Lol. https://www.wordfence.com/blog/2018/02/broken-auto-update/

There are risks with all security protocols and you called out valid ones with auto update.

Do you have ideas for superior methods? A bit upthread someone mentioned clients paying him a monthly security retainer to monitor and update. This might be good, but pretty expensive so would price out lots of users.

Static generators are clearly superior from a security point of view -- the webserver doesn't have to execute any code. But, assuming wordpress exists; it would be best if the code ran in the a user context that could not write anything to the filesystem; and the code was installed with another user, which could do auto-upgrade via a crontab. An exploit could certainly leave persistent data in the database, but not on the filesystem at least. It would also be great if the database had separate credentials for the user facing site (mostly read only) and the admin facing site.

On the other hand, I don't know how possible that would be to setup for inexperienced site admins on commodity hosting.

We created Strattic to allow anyone to use WordPress (and eventually other CMSs) as static site generators. It's the best of both worlds. We're in private beta but you can check it out here: https://www.strattic.com.

I agree on the security superiority. I use Wordpress because my wife can maintain and update it almost entirely herself.

I’m searching for a plug-in that generates static based on the edits in Wordpress, but haven’t found any that work cleanly.

I think that Wordpress is good for its users who will never use build processes for deployment unless automated well.

> I refuse to set up a new WordPress instance for any client unless they are also paying me a monthly retainer to keep it updated and secure.

Similar, or insist a hosted solution is used.

My argument was with "why does content have to be in a DB?" CMSs exist for a reason. We moved away from static HTML for a reason. Hell, SSI has been around forever to help fix the problem of static HTML. In the end, he's talking about a CMS that generates cached output, and doesn't "run" on every page load, as opposed to an always-on CMS.

Anyone mixing content and styles/structure is doing it wrong. Making it right is literallt the sole reason static site generators exist.

I'll take HTML5/CSS and a filesystem and a few custom markup and commands any day before touching a single line of the unholy mess that is dealing with WordPress.

And not even mentioning simple hosting, secure by definition, etc...

As long as you don't need the WP admin, theme builder, or any of the functionality the various plugins provide. Static site generators are not really competition for WP. Are there sites which don't need to be on WP? Sure, but there are plenty that do make use of the administration, themes and plugins.