I have used Wordpress for many years. If you don’t know, it’s a popular system (a content management system or CMS) that lives on a web server and makes publishing a web site (especially a blog) much easier. There’s a “back end” you can log into, which shows you pages that allow you to set up the site and its appearance and which let you create content. It’s a bit like using a word processor until you hit the “publish” key. At that point, what you have written will appear on the “front end” of the site, which is what normal visitors to the site see. The system organises the content (by date, category and tag) and ensures that all of your content fits into a “theme” of colours, images etc. to give your site an identity. There’s much more to it than that, but that’s it in a nutshell and most of the complicated stuff is hidden away so you do not have to worry about it unless you want to.
I have always “self-hosted” Wordpress. I rent a small web server from the excellent net-hosted so that I can build various projects and experiments, sometimes for clients and sometimes for my own interest. It made sense to install Wordpress to run several sites on the server and generally it has worked very well. Wordpress is “open source” which means it is free to install and use because it is built and maintained by a community of people who use it. Some people make money by offering services (e.g. training or hosting) but the software itself is free, and you are free to adapt it. When I first used Wordpress I made a few contributions (I wrote modules which were available to all Wordpress users to extend what it could do).
Incidentally, the alternative to “self-hosting” is to sign up with wordpress.com. This is probably the easiest way to create your own web site, with the hosting and technicalities done for you, but with you having control. Plans start from free.
Wordpress became a problem for me
Wordpress has worked very well for me, until the last eighteen months or so. There have always been some security issues. A popular piece of software that is “visible” to the internet will always attract hackers who will try to exploit it for their own purposes. For example, if someone can find a way to use Wordpress to create their own log in, they can put their own content on your site. This content can be hidden, so the site becomes a place to put viruses or other nasty software that will attack computers that view the site, or other sites. Most servers have a mail server as well, so if someone can take some control, they can send out spam. There are several ways in which hackers can attack Wordpress. The system allows comments, so if they can put some code into a comment that breaks Wordpress, they can get access to it. They could even simply try passwords until they can log in to the back end. They will always try default passwords and this works surprisingly often where people have not changed them.
For most of the time I have used Wordpress, avoiding hackers has been mainly about keeping Wordpress up to date. This has been particularly easy for the last several versions as it updates automatically. The Wordpress community has been good at spotting new threats and updating the system so they no longer work. There have been add-ons to prevent people making spam or comments that might contain hacks.
I have worked in IT for decades and I am pretty security conscious. Despite this, my Wordpress site has been hacked several times in recent months, even though it was kept up to date. Thankfully the great people at net-hosted have spotted problems and alerted me quickly each time. The most recent hack resulted from me trying what looked like a perfectly legitimate theme, downloaded from a legitimate source, which installed modules that allowed a hacker access, both to create their own logins and to steal passwords. There was no way that I could spot this until the techs at net-hosted detected dangerous files on the server.
Wordpress and its community have become huge. Something like a third of all web sites use it. Tracing how my Wordpress site has been hacked, fixing it and making sure that it is defended against new threats requires a lot of knowledge and a great deal of reading in lots of different places. I don’t have time for this, and it defeats the objective of running a simple personal web site. Frankly, it’s not worth the hassle. It would be much safer to use dedicated Wordpress hosting, where the techs know and watch for the latest threats, but again, it’s not worth it for me.
In a nutshell, I decided to move on from Wordpress when I relaunched this blog after moving house.
Static Web Sites
I am (more than) old enough to remember creating web sites page by page by coding html. The web server takes the code pages and sends them to people who want to view them. Their browser displays the code it receives from the server. Creating the pages almost by hand is complex and can be tedious but there is nothing on the server for a hacker to hijack (the server simply sends pages to the viewer and will not accept commands or logins). The server does much less work too, as it sends static, ready-made pages instead of creating them by pulling content out of a database and creating pages “on the fly”.
There has been a lot of interest in “static” web sites, but the old-fashioned hand-coding of each page (e.g. changing the navigation bar and site map every time you make a new page) is simply not able to deal with the needs of modern web sites. It is much better, for lots of reasons, to create the “raw content” (the text in this case) and apply layout, styling and navigation to it automatically. Systems like Wordpress do that every time someone asks to see a page. The content is fetched from a database, fitted into a template and a page produced. That can be slow unless you have a powerful web and database server. You also have to have the means (the back end) to create the content and store it in the database and index it.
Someone had the bright idea that all this could be done once on a computer, creating the whole site as a collection of static files which can be uploaded to the server. One drawback is that it has to be done every time any of the content changes, but most web sites leave most of their pages in place when they create new ones. New static files could be created, rather than the whole site. On the other hand, creating content on a computer (as files stored in a folder or directory somewhere) is easy and can use all the tools available, rather than the back end of a web site.
Static sites are faster, demand less of the server and are much more robust and much less vulnerable than systems like Wordpress. You need a static web site generator, which will take the content files (pages) on your computer, apply themes and styles to them, organise them and put them in a new folder ready to be uploaded to the web server. This seemed to me the right way to go.
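Because a static site is nothing more than the generator's output folder copied to the server, a copy of the server's web root can be checked file by file against the local build, and anything extra or altered stands out. The following is an added example, not part of the original post; the folder names (`public` is Hugo's default output folder, `server` stands in for a downloaded copy of the web root) and the sample files are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def manifest(root):
    """Map each file's path (relative to root) to the SHA-256 of its contents."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(build_dir, server_dir):
    """Return files that are unexpected, modified or missing in the server copy."""
    built, served = manifest(build_dir), manifest(server_dir)
    return {
        "unexpected": sorted(set(served) - set(built)),
        "modified": sorted(f for f in built.keys() & served.keys()
                           if built[f] != served[f]),
        "missing": sorted(set(built) - set(served)),
    }


def demo():
    """Constructed sample: a tiny build and a tampered copy standing in for the server."""
    with tempfile.TemporaryDirectory() as tmp:
        build, server = Path(tmp, "public"), Path(tmp, "server")
        for d in (build, server):
            (d / "posts").mkdir(parents=True)
            (d / "index.html").write_text("<h1>Home</h1>")
            (d / "posts" / "hello.html").write_text("<p>Hello</p>")
        # Simulated tampering: one page altered, one file that the build never produced.
        (server / "index.html").write_text("<h1>Home</h1><!-- altered -->")
        (server / "posts" / "cache.php").write_text("<?php /* placeholder */ ?>")
        return compare(build, server)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

With a database-driven system there is no equivalent known-good copy to compare against, since pages and uploads change on the server itself.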
This new blog
I will write a future article about my experiences trying to find a way to do this. For now, I’ll simply say that I tried several of the popular ones, but have adopted the generator called Hugo. This site is now created by Hugo from a collection of simple text files that live in a folder on my computers. As I use Macs, the files sync automatically, so I can write on any machine and then re-generate the site whenever there is something new. So far, it is working very well. There are things I want to do with the template, though I like the styling, and I have much more to learn, but it is running.
All static site generators are much less “friendly” than something like Wordpress, but Hugo was manageable and now that it’s operating, it’s fairly easy to use.