checkmyworking.com has always been powered by WordPress, but every now and then it’s fallen victim to annoying hacks that manage to write some spam nonsense at the top of all my PHP files. From what I can tell, WordPress and the few plugins I use are such a labyrinthine mess of code that going through and closing security vulnerabilities would be a Sisyphean task.
So, I’ve taken the nuclear option – this site, as served to the wider web, is now entirely made up of static files. Hopefully, that’ll stop the hacks – there’s no PHP to abuse, leaving only any vulnerabilities in Apache or Media Temple’s account management as potential ways of getting in.
The static files are generated by Spress, which seems to be one of the least opinionated static site generators I’ve come across. It was very easy to make it produce pretty much exactly the same pages WordPress does.
I still wanted the nice editing interface WordPress provides, so I’ve made a plugin which exports posts from WordPress to the Spress source directory whenever I update them. I’ve got the WordPress installation hidden somewhere private, behind a very simple login script which stands in the way to make sure that nobody else can run WordPress code. This way, I can write posts in WordPress, and the plugin automatically rebuilds the site for me. The one compromise is that I can’t do comments any more – my current line of thought is that I’ll write a script to add comments to the WordPress database which would be simple enough to satisfy myself that it’s more secure than going through WordPress itself.
For the moment I’ve kept the layout of the site as it was, but it’s looking very old now so I’d like to redo it at some point. I don’t really post here any more, so it’s entirely possible that this’ll still be the top post in a few years’ time.
Next job is to do the same thing to The Aperiodical, which will take a lot more work!