I heard a lot about various CMS software, like Wordpress, Joomla and so on.
My goal is to set up both a blog and a static website, meaning that a blog will be one of the elements of the site. Is Wordpress OK for that? Or should I use a static content generator like Nikola and link it to Wordpress somehow?
Static site generators can also be used to create a blog. Most of them have Markdown to HTML converters where you write your posts in markdown and they are automatically converted to static pages when they are built. I'm using Jekyll for my blog, hosted on GitHub Pages for free.
Yeah, I'd pass on WordPress. Nikola does blogs, as do the rest of them. Often the primary thing they do is blogs, and it's a struggle to get them to do much else. But setting WordPress up and maintaining it is a nightmare, and if you don't then you've got a giant rootkit on your server because WordPress security is abysmal and they have new exploits every month or so. By far easier to just generate the site and upload the files, you won't even have to configure PHP.
Oh I understand. I heard many bad things about Wordpress security, but when I have a server dedicated for my blog/website, that isn't such a dealbreaker anymore, as I keep my content on my HDD anyway. I must try Jekyll, many of my Chinese friends recommended it to me.
It's a big deal when someone hacks you, puts you in a botnet, and then you get banned from your VPS provider. Almost a true story in my case, but fortunately we stopped short of the banning (and then I left anyway because they didn't have cloud-level firewalls, but eh). If your provider also has an API and your server has access to that API (which is sometimes the default) then they can issue API requests to buy more servers on your credit card, and install whatever they want to them. Them getting as far as your personal machine isn't the concern.
You can scan the entire IPv4 address space in about 4 hours with automated vulnerability finding tools, which since IPv6 isn't widespread yet means you can scan the entire internet in about 4 hours with automated vulnerability finding tools. People do do this, looking for things like WordPress installations, open SSH ports, databases without passwords, etc. A full analysis of the internet will take more than 4 hours, but it's still quite a regular thing to have your server get hit by something automated poking around looking for something new to bring into someone else's DDoS botnet.
And WordPress is PHP plus a database plus a bunch of other things, all of which are potential security holes on their own, then Wordpress itself, which becomes a security hole once a month on average, and you probably don't know how to configure any of this for maximum security either. So basically you're doing the equivalent of waving a giant neon sign labeled "hack me", or taking a bloody chunk of meat out in the ocean where there's sharks, or something. Once you're in a botnet the server is usually a lost cause, because once a hacker gets in a little they'll use that to get themselves in so tightly that you think you removed them but haha not really.
By contrast, just Nginx without PHP even installed is pretty secure, especially if whatever VPS provider you're using has firewalling functionality and you can block off everything but port 80 and port 443 on their side (trying to do firewalling on Linux itself is often less secure since you want to leave SSH open if you want to be able to turn it off, and very much harder to get right). There's very little surface area when the server can *literally* only serve files, whereas with WordPress the server figuratively only serves files but in the process you gave it 20 other capabilities because Wordpress is a giant PHP monster that's been hacked on by anyone and everyone who wants it to maybe do a thing for 20 years.
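The "block off everything but port 80 and port 443" advice above is easy to check from the server side: list what is actually listening and compare it with what a static site needs. The script below is an added example, not something posted in this thread; it parses a constructed sample in the shape of `ss -tln` output (the sample is made up, not taken from a real host) and prints any port that listens on a non-loopback address and is not in an allowlist. The `audit_live_sockets` helper is assumed to run on a Linux host with `ss` available.

```sh
#!/bin/sh
# Constructed sample in the shape of `ss -tln` output (not from a real host).
# 3306 is bound to loopback only, so it is not reachable from the network;
# 9000 is bound to all interfaces and is not something a static site needs.
SAMPLE_SOCKETS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      511    0.0.0.0:80         0.0.0.0:*
LISTEN 0      511    [::]:443           [::]:*
LISTEN 0      80     127.0.0.1:3306     0.0.0.0:*
LISTEN 0      128    0.0.0.0:9000       0.0.0.0:*'

# exposed_ports SOCKET_TABLE ALLOWLIST
# Prints, one per line, every port that is LISTENing on a non-loopback
# address and does not appear in the space-separated ALLOWLIST.
# For a static site behind a provider firewall, "22 80 443" is the usual list.
exposed_ports() {
    sockets=$1
    allow=" $2 "
    printf '%s\n' "$sockets" \
      | awk '$1 == "LISTEN" { print $4 }' \
      | while IFS= read -r addr; do
            port=${addr##*:}     # text after the last colon
            host=${addr%:*}      # text before the last colon
            # Loopback-only listeners are not reachable from the internet.
            case "$host" in
                127.*|"[::1]") continue ;;
            esac
            case "$allow" in
                *" $port "*) ;;                      # allowed, say nothing
                *) printf '%s\n' "$port" ;;          # unexpected exposure
            esac
        done
}

# Live use on a real host (assumed to have iproute2's `ss`): feed the actual
# listening table through the same check.
audit_live_sockets() {
    exposed_ports "$(ss -tln)" "${1:-22 80 443}"
}

# Stand-alone demonstration on the constructed sample:
# prints "9000", the one listener a static-file server has no reason to expose.
exposed_ports "$SAMPLE_SOCKETS" "22 80 443"
```

Anything this prints is a service that the provider-side firewall must block, or that should be bound to `127.0.0.1` instead, before the box goes live; the check says nothing about whether the allowed ports themselves are configured safely.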
Yeah. Jekyll is a good static site generator.
And yes there are security vulnerabilities, but if you're putting up a simple low-traffic website, I actually don't mind using Wordpress. I have a couple of instances with Markdown editors instead of the block editing. Placing down widgets is also pretty accessible.
I take some precautions to increase some default security. Definitely not ideal, but the content is being served.
#8 (edited by kaigoku 2020-05-18 20:55:34)
@7, I believe you. I mean, people can easily check to see if you have a wordpress installation if you visit certain routes just as an example.
@8 it is possible to change those routes.
but regarding wordpress itself, it was made of a bullshit system called b2cafelog which wasn't secure, was buggy and was CPU intensive.
Although those were fixed, as wordpress is popular these days, people tend to find security holes through it, especially with buggy themes and plugins.
Wordpress is a lot better than it used to be.
You do need to secure it though.
That means loading a lot of extra modules, some paid, some not, some harder than others, but it can be done.
If you do get wordpress on your site, I'd strongly recommend to also route everything through something like cloudflare so you can get security at a dns level.
Jet pack, captchabooster and zero spam come to mind too.
For me jetpack means I can put my pie into a lot of search engines and get reports without going nuts.
I have social programs able to sign in to pinterest, twitter, and facebook as well as others and all I need is an account on each platform, but never need to interact as such.
A lot of things can be automated too.
I know Jetpack, I also use a plugin that can hide common routes like wp-admin, and of course Updraft Plus.
I use wordpress for my other sites. It's not that secure, but I take precautions. I won't recommend it to someone who is new to site development and web servers in general though as it is confusing and a nightmare to configure.
If you found this post helpful, amusing or funny, please thumb it up!
To get in touch, please email me using the email link below this post. If you prefer, you can also send me a friend request on discord. I'm thetechguy#6929. Please do not send me a PM on here as I don't check those often.
#13 (edited by Chris 2020-05-19 21:09:50)
Just saying, route probing is not the only security flaw. There is even a lot of info on rendered HTML source code. It was just an example.
But yes, there are some precautions to take. Like I said, probably good for low-traffic sites with some security plugins installed, but not ideal for production websites.
So I decided to go with Jekyll. Everything works neatly but there's one problem. Whenever I make a change to my site and someone enters it, in order to notice the change they need to refresh the page with F5, which was not the case with Wordpress. What shall I do?
Are you hosting it on a VPS? WordPress isn't the issue, you're probably just getting lucky with your WordPress config.
Look up the HTTP Cache-Control header. You need to set that to not cache. If you can't, find out what it's currently being set to with curl -v and decide if that's too high. It is actually both normal and desirable to require F5 to see immediate changes, believe it or not; usually Cache-Control will be set to a few minutes or so and whenever someone goes away and comes back tomorrow they'll see the change. This keeps you from wasting a bunch of bandwidth if you get a lot of readers.
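To make the "check it with curl -v and decide if it's too high" step concrete, here is an added example (not from anyone in this thread). It takes the header section that `curl -v` or `curl -sI` prints, pulls the `max-age` value out of `Cache-Control`, and compares it against how long you are willing to wait for visitors to see an edit. The header block below is constructed for the demonstration, not captured from a real site; `check_url` is the assumed live wrapper around `curl -sI`.

```sh
#!/bin/sh
# Constructed sample of a response-header section as curl -sI prints it
# (not real output from any server in this thread). Apache emits both the
# Cache-Control max-age and the matching Expires date from mod_expires.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Date: Tue, 19 May 2020 20:00:00 GMT
Server: Apache
Cache-Control: max-age=120
Expires: Tue, 19 May 2020 20:02:00 GMT
Content-Type: text/html'

# cache_max_age HEADERS
# Prints the max-age (seconds) from the Cache-Control header, or "none" when
# the response carries no max-age at all (browsers then use heuristics,
# which is the "nobody sees my change until F5" situation).
cache_max_age() {
    age=$(printf '%s\n' "$1" | tr -d '\r' \
        | grep -i '^cache-control:' \
        | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p' \
        | head -n 1)
    if [ -n "$age" ]; then
        printf '%s\n' "$age"
    else
        printf 'none\n'
    fi
}

# cache_within HEADERS LIMIT_SECONDS
# Succeeds (exit 0) when the page will be re-fetched within LIMIT seconds,
# fails (exit 1) when max-age is higher than that or missing entirely.
cache_within() {
    age=$(cache_max_age "$1")
    [ "$age" = "none" ] && return 1
    [ "$age" -le "$2" ]
}

# Live use (assumed, not run here): fetch just the headers of a real page.
check_url() {
    check_headers=$(curl -sI "$1")
    if cache_within "$check_headers" "${2:-1800}"; then
        printf '%s: max-age %s is within limit\n' "$1" "$(cache_max_age "$check_headers")"
    else
        printf '%s: max-age %s is too high or absent\n' "$1" "$(cache_max_age "$check_headers")"
    fi
}

# Stand-alone demonstration on the constructed headers: prints 120.
cache_max_age "$SAMPLE_HEADERS"
```

A 120-second max-age means a returning reader sees your edit within two minutes without F5; a value of several hours, or no max-age at all, is what produces the behaviour asked about above. Note that `curl -sI` sends a HEAD request, so a server that only sets caching headers on GET responses will look different; use `curl -sv -o /dev/null URL` in that case and read the `<` lines.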
I am hosting it on a VPS. I have tried using the mod_expires module and my Virtual Host code is below:
# mod_expires directives are ignored unless ExpiresActive is On in this scope
ExpiresActive On
ExpiresDefault "access plus 2 minutes"
ExpiresByType text/html "access plus 2 minutes"
I will set it to something like half an hour but I made it so I could see the changes almost in real time.
I can't help with your specific config because I don't know Apache and think Apache is a giant complicated mess. Good luck with it, but you'll have to get specific input from someone else as to whether it's right or not.
There's nothing wrong with turning Cache-Control off for development but you can override it with Ctrl+F5 in at least Firefox and I believe also Chrome.