I love WordPress and use it every day. But one of the issues with it is that you can’t just leave a WordPress site untended for months or years without expecting security problems. Keeping WordPress core, and your site’s themes and plugins, up to date is what keeps a site safe from known exploits and the malware that follows them.
WordPress is so popular because it’s user-friendly and also really powerful and has a great community of people supporting it. But there are literally millions of outdated and unmaintained WordPress sites on the internet that have become infected with malware.
If you’ve got WordPress sites that were built for past events or campaigns and that you’re keeping on the web for posterity (and possibly for SEO reasons), then it might be a good idea to convert them to ‘static sites’ instead. This is especially true if they worked fine on an old version of WordPress (and a now outdated version of PHP), because every new WordPress release then needs testing to make sure the site still looks and works as it did.
What is a ‘static site’?
The way a static site generator plugin works is that it severs the connection between all the backend server machinery (PHP, the database, the admin area) and the ‘front-end’ pages that users actually see.
With a WordPress site your installation has a large number of files that power the CMS and its plugins, a database that often holds sensitive user data, and a server that is capable of executing PHP code. That is a big attack surface.
In a perfect world the server would only ever execute your code, but that ability to run code on the server is exactly what makes a site a target: attackers look for any way to get code of their own in (an outdated plugin, a guessable admin password) and then run it. They try constantly. That’s why WordPress security good practices are so important.
A static site server, on the other hand, just delivers the HTML, CSS and JS files that make up the pages. There is no server-side code to exploit and no login to brute-force. What is left to protect is the hosting account you publish from, and any JavaScript the theme and plugins bundled into the pages, which is still served to visitors exactly as it was when the snapshot was taken.
A static site generator plugin crawls your WordPress site, saves a copy of every page and asset, and rewrites the links so they work without the original server. You can then upload that set of files anywhere that serves static files.
Limitations of this approach:
No logging in.
You can’t log in to the site to edit it. That requires the PHP and database we’ve just cut our ties from. If you need to change any of the content or functionality, you log in to the real WordPress version, change it there, and regenerate the static site.
Contact forms.
These won’t work out of the box like they do on the WordPress version of the site, because form submissions are handled by PHP. You can, however, rewire them to post to a form-handling service instead, which is straightforward if the markup came from a plugin like Contact Form 7.
Search.
Again, the default search mechanism relies on the database and PHP. If you really want to keep a search facility, swap it for something that works on static sites, such as a hosted search service like Algolia or Google’s site search.
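As an added example (this is not code from the post, nor from WP2Static), here is a toy version of what a static site generator does, followed by the check I would run on the output before deploying it: crawl from the home page, follow same-host links, rewrite absolute URLs to root-relative ones, and then flag anything in the snapshot that still points at PHP. That means the login, comment and AJAX endpoints, and every <form>, since forms are exactly the contact and search features listed above. The site content is a constructed in-memory dict standing in for HTTP fetches; the host name wp.example.test and the sample pages are assumptions.

```python
"""Snapshot a (simulated) WordPress site into static files and audit the result.

Added example; not WP2Static's code. SAMPLE_SITE is a constructed stand-in
for the pages a real crawler would fetch over HTTP from the source site.
"""
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urljoin, urlparse

SOURCE_HOST = "https://wp.example.test"  # assumed source WordPress site

# Constructed sample pages (assumption): a home page with a search form, an
# about page with a login link, a contact page with comment + contact forms.
SAMPLE_SITE = {
    "/": '<html><body><a href="https://wp.example.test/about/">About</a>'
         '<a href="/contact/">Contact</a>'
         '<form role="search" action="https://wp.example.test/"><input name="s"></form>'
         '<link rel="stylesheet" href="https://wp.example.test/wp-content/themes/t/style.css">'
         '</body></html>',
    "/about/": '<html><body><a href="/">Home</a><a href="/wp-login.php">Log in</a></body></html>',
    "/contact/": '<html><body>'
                 '<form action="https://wp.example.test/wp-comments-post.php" method="post"><input name="comment"></form>'
                 '<form action="/contact/#wpcf7-f1-p1-o1" method="post"><input name="your-email"></form>'
                 '</body></html>',
    "/wp-content/themes/t/style.css": "body{color:#000}",
}

# PHP endpoints that have no meaning once the site is static.
DYNAMIC_MARKERS = ("wp-login.php", "/wp-admin/", "wp-comments-post.php",
                   "xmlrpc.php", "admin-ajax.php", "/wp-json/")


class LinkExtractor(HTMLParser):
    """Collect every URL a page references (links, assets, form targets)."""

    def __init__(self):
        super().__init__()
        self.urls = []
        self.forms = []  # (action, method) for every <form> on the page

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        for key in ("href", "src", "action"):
            if a.get(key):
                self.urls.append(a[key])
        if tag == "form":
            self.forms.append((a.get("action") or "", (a.get("method") or "get").lower()))


def fetch(path):
    """Stand-in for an HTTP GET against the source site (returns None on 404)."""
    return SAMPLE_SITE.get(path)


def output_path(path):
    """Map a URL path to a file in the static tree; '/about/' becomes 'about/index.html'."""
    path = path.lstrip("/")
    if path == "" or path.endswith("/"):
        path += "index.html"
    return path


def rewrite_links(content):
    """Turn absolute source-site URLs into root-relative ones so the snapshot is host-independent."""
    return content.replace(SOURCE_HOST, "")


def snapshot(start="/"):
    """Crawl from `start`, following same-host links only, and return {output file: content}."""
    source_netloc = urlparse(SOURCE_HOST).netloc
    seen, queue, files = set(), [start], {}
    while queue:
        path = queue.pop(0)
        if path in seen or any(m in path for m in DYNAMIC_MARKERS):
            continue  # never request the PHP endpoints; they are what we are leaving behind
        seen.add(path)
        body = fetch(path)
        if body is None:
            continue  # broken link on the source site; real tooling should report it
        name = output_path(path)
        if name.endswith(".html"):
            parser = LinkExtractor()
            parser.feed(body)
            for url in parser.urls:
                target = urlparse(urljoin(SOURCE_HOST + path, url))
                if target.netloc == source_netloc:
                    queue.append(target.path)  # query string and fragment are dropped
        files[name] = rewrite_links(body)
    return files


def audit(files):
    """Flag leftovers that only work with PHP and the database behind them."""
    findings = []
    for name, content in files.items():
        if not name.endswith(".html"):
            continue
        for marker in DYNAMIC_MARKERS:
            if marker in content:
                findings.append((name, "dynamic endpoint", marker))
        parser = LinkExtractor()
        parser.feed(content)
        for action, method in parser.forms:
            findings.append((name, "form", f"{method.upper()} {action or '(self)'}"))
    return sorted(findings)


def write_tree(files, outdir):
    """Write the snapshot to disk; the directory is the whole deployable artefact."""
    out = Path(outdir)
    for name, content in files.items():
        target = out / name
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")
    return sorted(files)


if __name__ == "__main__":
    import tempfile
    site = snapshot()
    with tempfile.TemporaryDirectory() as tmp:
        for written in write_tree(site, tmp):
            print("wrote", written)
    for finding in audit(site):
        print("CHECK", *finding)
```

Every ‘CHECK’ line is a decision to make before deploying: delete the login link, replace the comment and contact forms with a static-friendly service, and either remove the search form or point it at a hosted search. A snapshot that audits clean has nothing left that depends on the server you are switching off.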
If that sounds like a lot of pain for not much gain, then consider some of the upsides…
Benefits of this approach:
Security.
This is arguably the biggest reason to do it. If it’s a limitation that you can’t log in, bear in mind that attackers can’t log in either, because there is nothing to log in to. You can deploy the static site and leave it; the only things left to look after are the hosting account and the DNS that point at it.
No updates.
Once the static version of your site is generated it never needs a WordPress, plugin or PHP update, because none of those are part of it any more.
Free hosting.
It’s entirely possible to host a static website for free. Because you don’t need PHP or a database, the cost of somewhere to store and serve your static HTML/CSS/JS assets is pretty close to nothing, and on the free tier of a popular service like Netlify it is nothing.
What do you do with the original ‘source’ WordPress site that the static version is generated from?
You might still need somewhere to host the original/source website so that you can make changes to it and regenerate the static version when needed. In that case you need some cheap WordPress hosting (34SP has free hosting for charities). Host the source site on an obscure domain name or subdomain, tell search engines not to index it, and put the whole site (not just the admin area) behind a password at the web server, for example HTTP basic authentication in front of everything. Obscurity on its own is not protection, since scanners find new hosts by other means, but combined with the password and the usual updates it makes the source site a far less likely target than a public install.
Or you might keep the source WordPress installation on a computer/laptop using something like Local or DesktopServer, where it is not reachable from the internet at all.
Or you just back it up (zip the files and a database export) and keep that somewhere safe if you don’t think you will ever need to update the site, but want a copy just in case.
Performance.
This is less of an issue, because most of the sites we’re talking about here are unlikely to be bombarded with traffic or need to work at lightning speed. But a static server handles traffic spikes far better than a WordPress/PHP one, because the WordPress server queries the database and generates each page every time someone requests it.
There are plenty of good caching plugins and solutions that take some of that load off your web server, but they can be a pain to set up and manage. The static site, of course, already has the generated version of every page ready to serve.
It depends on the price and spec of your WordPress hosting, but a spike in traffic that would knock over many small WordPress sites would be no problem at all for a static site hosted somewhere like Netlify or Amazon S3.
Want an example?
This site is one.
The ‘source’ WordPress site just lives on my computer at home. I create/edit content, then use the WP2Static plugin to regenerate the static version and push that up to Netlify, where it is hosted for free. The contact forms used to be powered by GravityForms on the old ‘public’ version of the site, but it was easy to switch them over to using Netlify forms instead.