If you are an IT nerd like me, chances are that you have been looking for a blogging solution as an outlet
for your geeky/nerdy topics and opinions. In this post I want to share my journey through the vast universe
of blogs and CMS (Content Management Systems) and their quirks.
As anyone who gets involved in blogging will find, you’ll most likely stumble over Wordpress first.
Wordpress is a CMS designed for blogging, with a million different themes already available and just waiting
for you to use them. It supports extending its functionality with plugins, can be self-hosted and overall seems to be a nice choice.
That’s what I thought as well. In practice, however, it’s different.
Before I rant about why Wordpress is a bad solution, you probably need to get to know me a bit better, to understand
why it is a bad solution - at least for me, and if you are an IT professional with a similar mindset,
then most likely for you as well.
At daytime I’m a .NET backend developer, at night I’m a F(L)OSS and Linux enthusiast who cares about privacy and security.
I value craftsmanship in software development, like clean code, design patterns and architectures that are designed with
scalability in mind. So I personally developed a set of requirements a blogging solution has to fulfill to be accepted
as a suitable option:
- Hostable on Linux
- Actively developed upstream project
- Does not contain any kind of client-side user tracking
- Does not rely on any third-party Content Delivery Networks (at all)
- Does not enforce/include privacy-violating technologies (like Cloudflare, Google Ads, etc …)
- Content shall be stored on disk, rather than in a database
- Content shall be stored in reusable formats (like Markdown, AsciiDoc, reST/reStructuredText)
- The way the blog is set up and configured should be transparent to the user (if wanted)
- Little to no dynamically generated content, to keep the security impact on the server side low
- Content (like the Text of Posts) shall be version-controllable
- Content shall be editable by multiple users with traceability who wrote what
So if you know Wordpress (or at least read about the way it works), you might already see that it’s not really suited
to fit these requirements.
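To make the "no tracking, no third-party CDN" requirements checkable rather than a matter of trust, here is an added example (my own, not code from any of the projects mentioned): it parses a generated HTML page and reports every script, stylesheet, image or iframe that would be fetched from a host other than the site's own. The site host `blog.example.org` and the sample page are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes that make the browser fetch a resource, per tag.
RESOURCE_ATTRS = {
    "script": ("src",),
    "link": ("href",),
    "img": ("src", "srcset"),
    "iframe": ("src",),
}

class ExternalResourceFinder(HTMLParser):
    """Collects (tag, url) pairs loaded from any host other than our own."""

    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host
        self.external = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in RESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            # srcset lists several candidates: "a.jpg 1x, b.jpg 2x"
            for candidate in value.split(","):
                parts = candidate.split()
                if not parts:
                    continue
                host = urlparse(parts[0]).hostname
                # Relative URLs have no host and are served by the site itself;
                # absolute and protocol-relative ("//host/x") URLs do have one.
                if host and host != self.own_host:
                    self.external.append((tag, parts[0]))

def find_external_resources(html, own_host):
    parser = ExternalResourceFinder(own_host)
    parser.feed(html)
    return parser.external

# Constructed sample page mixing self-hosted and third-party resources.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="https://cdn.example-cdn.net/lib.js"></script>
<script src="//www.example-analytics.com/track.js"></script>
</head><body>
<img src="/img/logo.png" srcset="/img/logo.png 1x, https://img.example-cdn.net/logo@2x.png 2x">
<iframe src="https://embed.example-video.com/v/123"></iframe>
</body></html>"""
```

Run `find_external_resources(SAMPLE_PAGE, "blog.example.org")` over the output directory of a static site build and an empty result means every resource is served from your own host.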
Also a quick note on the security implications of running Wordpress: it’s written in PHP, the
language with (by far) the most discovered exploits and vulnerabilities, and that’s partly reflected in Wordpress as well.
In addition, Wordpress is commonly used for blogging and is already extremely widespread on the Internet,
making it a perfectly profitable target for attacks. And that is something we can easily verify by looking at
Wordpress’s CVEs over time.
It gets even worse considering the plugin system - once you enable a plugin, you effectively run code from
a third party that is capable of making the whole blog vulnerable, due to missing permission restrictions and sandboxing
mechanisms in Wordpress. While Wordpress itself is quite fast at solving security-related issues and pushing updates,
plugin developers (sometimes) are not. A vulnerable plugin undermines the security of the whole blog - think of
it as the weakest link in the chain.
What I have described in this section was obviously focused on Wordpress, but don’t be fooled, it’s not only Wordpress.
The same holds for Joomla, Drupal and all the other CMS with
similar designs and approaches.
I first stumbled over statically generated sites without even knowing what I was looking at. And if you have visited Github/Gitlab lately,
chances are that you did as well. I am talking about
Github Pages and
Gitlab Pages. The idea behind these is that the already established
hosters of your source code also host your website (which is just HTML, CSS and JS source code as well). So instead of rendering the source code as
content in their applications, they just return it raw on requests and voilà, git repository hosters turn into web hosters. Genius, right?