Insecure at any speed
July 14, 2012 1:08 AM   Subscribe

IANADev, but one thought is Ruby on Rails, perhaps hosted by something like Heroku, which greatly simplifies deployment. (Deployment is one of the most challenging parts of using RoR.)

Another option would be to go with a paid, fully hosted CMS like SquareSpace, where you can just worry about the design and content, and not have to worry about the technology at all.
posted by maxim0512 at 4:55 AM on July 14, 2012

Jekyll/Octopress, perhaps. My one caveat is that you'll need to stay on top of updates for the best security. This is true with WordPress too, of course. WordPress makes updating easy, but I'm not sure how the others handle things.

SquareSpace or Wordpress.com handle the updates themselves, so they could be good alternatives.
posted by backwards guitar at 5:04 AM on July 14, 2012

One possible alternative is to build your own with a PHP-based MVC framework like CodeIgniter or CakePHP. Obviously in any MVC setup you have separation of views and logic. There are also various CMSs like Fuel, Pyro or Croogo that are built on top of these frameworks, though I've no experience with them.
posted by Magnakai at 5:07 AM on July 14, 2012

I don't think you should so easily give up WordPress. I had the same problems and then followed advice for hardening WordPress. WordPress itself has advice but if you Google "hardening WordPress", you will get a lot more. If you rigorously follow this advice, you should, as I did, see few or no attacks. In particular, change your username to something very unobvious, remove all themes that you do not use (the backdoor of badly written themes is a key source of attack), remove all the crap from your site that you do not need (many of the advice sites will tell you what to look for) and install Sucuri. It worked for me. I was getting two or three attacks a week and now none for several months. The Russian bots are after sites that are easy to enter. They are not going to get into or even bother trying to get into those that are proeprly hardened.
posted by TheRaven at 5:42 AM on July 14, 2012 [5 favorites]

I've been where you are.

My experience with WP being hacked.

My story of what else I did, which includes links to what another MeFier went through.

Besides everything that TheRaven mentioned, I now use Bulletproof Security and Website Defender which (among other things) help you set the correct file and folder permissions and setup .htaccess files. Those are both issues which are common across any web application and just the sort of thing that gets overlooked.

I also use Bad Behavior, which is useful on any PHP-based site. It's primarily used to detect and stop spambots but since they're often also probing for other weaknesses, it can discourage anything less then the most persistent.

Security requires work, unfortunately, but it is possible to keep one step ahead no matter what platform you're on.
posted by tommasz at 6:40 AM on July 14, 2012 [7 favorites]

Squarespace sounds like an alternative to check out. Seriously, they're awesome.
posted by helios410 at 11:06 AM on July 14, 2012

The massive advantage of a CMS (or Blog CMS in the case of WordPress) is cost and time of development, particularly for common things like galleries, content pages, blogs and articles, etc.

So when a client comes to us with those simple needs we always go with a PHP open source solution because of cost.

For custom enterprise solutions we go with either what we consider a more advanced PHP solution (MODX Revolution Content Management Framework or something like Yii) or we use Ruby on Rails.

Now Rails is loved by our senior programmer because it's not the mess that is PHP, but some of the common things that we get in MODX have to be built from the ground up, or from the foundation up if you like in ROR, which means an increase in budget, which means it's only for specific clients (those who have the budget and the need to justify the budget obviously).

It's interesting in that there are a lot of PHP programmers but we find it hard to fine a good PHP programmer (i.e. code discipline and efficiency, thinks of how the application will be used by a user rather than a programmer, coding as abstract and scalable as possible, etc.) whereas with Rails there aren't as many programmers but they tend to understand what programming is all about much more than a lot do from the PHP pool. We like to work with technology that does not rely on very specific people under our employ should they leave but that said, we love very specific people because of what they bring to the table.

We find we have to step around WordPress to much for a lot of the small custom features in a regular site as well, but all that said, in regards to framework, it is largely a preference as well, and that preference can be very strong. Our senior programmers work with PHP but they don't like it as a language, but it is the best solution for many things (in terms of time, budget, support). They are overjoyed personally when they can use ROR. Our preference for MODX is largely because of how templating works, its flexibility, scalability, and abstract structure. Others despise it because of the same reasons, in that there is a login add on that does registration, login, password recovery, profile, etc. but you have to configure it to your needs for a project). The way templating works and the flexibility of design is also why we use LemonStand for ecommerce sites.

As for security, as others have said, hardening practices are great to employ. WordPress is a large target obviously and I've heard you have to be careful with the extensions you use.

You have a lot of options, we all do, and like many of us, you'll probably take some time finding one you favour and are comfortable with.
posted by juiceCake at 12:28 PM on July 14, 2012

egypturnash: "My primary uses are a couple of image galleries and a couple of webcomics. Some kind of commerce would be nice too - I've always vaguely wanted to let folks be able to order prints of my art, as well as a small comics press that may be happening in the future. Plus the usual stuff like a blog, some static pages, rss feeds for everything, tagging, search."

Most of my website is generated statically. There's no DB to hack, as comments are hosted by Disqus. There's no PHP to hack, as my website is all HTML. Autogenerated RSS feeds, and tagging support is enabled. Search can be handled by Google, or perhaps one of the comic search engines like oh no robot. Since there's no dependencies, it can easily fit into most cheap shared hosting environments.

Another alternative, is to find a comicpress hosting specialist who can keep up with upgrades and best security practices. I know a guy, but he's interviewing with Valve soon and I would expect he'd dump his clients if he gets the job.
posted by pwnguin at 1:31 PM on July 14, 2012

FWIW, many of the bugs that periodically surface in Ruby On Rails (such as this one) are a result of a prioritization of ease over correctness in the framework. There are valid reasons to use Rails, but paranoid input sanitization is not one of them.

Pwnguin has a great approach, and you’re not describing much that would actually need a database and CMS. Why not just run from static files, with a thin layer of PHP to run them through your template and convert to RSS/etc.? You’d leave the selling to some external billing or fulfillment service in this case, like Paypal or Amazon, and stick to minimalist technology.

Another option for you is to keep using Wordpress just as you are, but modify the database user permissions to exclude writing. REVOKE ALL … GRANT SELECT if you’re using MySQL, and keep a separate WP install someplace else with its own high-permissions user account for editing. There’s no reason for WP vulnerabilities to have a negative effect on your content.
posted by migurski at 10:21 PM on July 15, 2012