Statically Generated Websites - A Better Way


I've been running some version of this blog/website since I was in college when I first bought the domain name. I recently changed how I host it, so it is probably closer in structure to its original conception than for most of its life to this point.

How It Started

When I was starting out, I was just learning how to program. The hosting site I used (and continue to use) supported PHP and MySQL. I didn't know anything about databases and relational data structures at the time, but I was just starting to really get the whole coding/scripting thing. So I designed a crude blog system. It was a PHP landing page that would read a list of *.txt files from a specific directory to make a list of links, then another PHP page that took the file name as an argument, loaded the text, and formatted it. New blog entries were made by dropping a new text document in the folder via FTP. I thought I was brilliant, and it worked well enough. It was ugly, as this was around 15 years ago, but it was functional and lightning quick.

How It Went

Unfortunately, that site got erased when there was a hack of the shared server environment and I had been too dumb to do a local backup. I then moved to the new (to me) and shiny solution. WordPress. I was quite happy with it.

For a while.

Then it started to be a chore to maintain. I'm not really a prolific writer, as evidenced by the once-per-year or less schedule I've currently got going on with my post history. WordPress has a huge install base, and a large attack surface. Over the course of its life, I received tens of thousands of spam comments on every post I made filled with scam links. And multiple times exploits were used in WordPress to insert spammy content into the directory structure. What a pain to clean up just for a blog that I don't even update all that often.

How It's Going

Which brings us to this website's current (as of April 2021) iteration. I've switched to using Publii. If you check it out, you'll find that it looks a lot like other content management systems you might be used to. If you like WordPress, you'll feel right at home with Publii. You can even import your old WordPress site content, which I did. The difference between Publii and WordPress is that WordPress saves its content to a database and will dynamically generate pages based on a myriad of conditions such as whether or not you're logged in, what theme you have installed, what permissions the current user has on your site, and on and on and on. Publii saves that data locally on your computer, then uses all the site's and content's metadata to generate simple HTML, CSS, and JavaScript ahead of time.

This means that the attack surface on your site drops dramatically. Nothing is dynamically generated by the server when pages are loaded, so unless someone can access your file transfer credentials, an adversary has no opportunity to insert garbage into a database or write to the file system. Hard to hack a read-only system, which plain HTML is.
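Because the site is generated on your own computer, the local build output is a known-good baseline for whatever is sitting on the server. The following is an added example, not part of the original post or of Publii: it compares a local output directory with a downloaded copy of the deployed site and reports anything that does not match. The directory layout, file names, and function names are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_sites(local_root, deployed_root):
    """Report files on the deployed copy that differ from the local build."""
    local, deployed = build_manifest(local_root), build_manifest(deployed_root)
    return {
        "unexpected": sorted(set(deployed) - set(local)),  # e.g. injected spam pages
        "missing": sorted(set(local) - set(deployed)),
        "modified": sorted(f for f in local.keys() & deployed.keys()
                           if local[f] != deployed[f]),
    }


def demo():
    """Constructed sample: a two-page site and a tampered mirror of it."""
    with tempfile.TemporaryDirectory() as tmp:
        local, deployed = Path(tmp, "local"), Path(tmp, "deployed")
        pages = {"index.html": "<h1>Blog</h1>", "posts/static.html": "<p>Post</p>"}
        for root in (local, deployed):
            for name, body in pages.items():
                path = root / name
                path.parent.mkdir(parents=True, exist_ok=True)
                path.write_text(body)
        # Simulate tampering on the deployed copy only.
        (deployed / "index.html").write_text("<h1>Blog</h1><a href='#'>spam</a>")
        (deployed / "posts/extra.html").write_text("<p>not from the build</p>")
        (deployed / "posts/static.html").unlink()
        return compare_sites(local, deployed)


if __name__ == "__main__":
    print(demo())
```

Any entry under `unexpected` or `modified` is a file the generator did not produce, which on a static site means something other than your deploy wrote to the server.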

The other benefit of statically generating your site is speed. When the server doesn't have to execute code and make database calls, you're shaving a lot off your load times.

This setup works wonderfully for a site like this, where I don't really need user interactivity. Give it a try. I think you'll like it quite a bit more than babysitting comment spam filters and updating WordPress every week.