Have a look at this recent thread and especially the suggestions for static site generators like Jekyll and Pelican.
posted by Monsieur Caution at 5:43 PM on November 9, 2013

I'm using Pelican. You do need to be comfortable working on the command lone, even if you mostly cut and paste commands without really understanding them. There is no database or app to hack as its a
all flat files.
posted by COD at 7:33 PM on November 9, 2013

I've always been partial to Textpattern, but I can't speak for how secure it is these days. I used it for eight years and don't recall having too many issues with it.
posted by Redfield at 7:49 PM on November 9, 2013 [1 favorite]

I used to host a site that would get hacked left and right. I didn't feel like giving up the features and rebuilding, but I had zero interest in continuing to get hacked.

So, I downloaded a complete copy of my site and renamed all of the important system files into absurd things like "superman.php" and "meringue.php" and did a batch find and replace on all mentions of these within the files. I then reuploaded and never had an issue again. The hackers would run their scripts trying to damage my settings.php or access my mySQL via database.php and they'd get bupkis, because those files didn't exist. Whenever I did decide to do future updates, I had to do the same find and replace, but it was worth it to make my site the one or two steps harder to hack than lazy hacker kids running scripts and exploits thought it was worth. And anyway, they weren't really necessary after that. No one was hacking me anymore.

Sure, it was still possible for them to run the same exploits rewritten with the same find and replace, once they'd figured out what I renamed my "settings.php" etc. But if there's one thing you can be sure of about asshole hackers running generic defacing of popular CMS systems, they're just in it for quick lulz. They're not going to spend the time. They'll just move to an easier target. They'd have to have it in for you personally to spend the time.

By the way, they're almost certainly targeting you based on searches for "Powered by WordPress" or from metadata identifying you as a WordPress site. I haven't checked the terms of use for WordPress in a while so I'm not sure if it's kosher with them, but if you can eliminate those things, you'll be much less of a target.
posted by DirtyOldTown at 8:09 PM on November 9, 2013 [6 favorites]

DirtyOldTown brings up a good point. I used to look through my LOG files obsessively (I don't know why) and noticed that every bot that tried to access my WordPress and forum files had gotten there via a search engine. Something as simple and just changing the directory you keep those files in could help, though, I'd probably either not allow search engines to index the site or remove the Powered by WordPress text (if you plan on keeping the same URL, then it might take a long while for any remnant results that contain mention of WordPress to finally disappear). I think there are even plugins you can install that will remove all mentions of WordPress, which I think is the route I went the last time I decided to use WordPress.
posted by Redfield at 9:11 PM on November 9, 2013

Another vote for Pelican [if your stuff translates well to being on a static site]
posted by xqwzts at 9:17 AM on November 10, 2013

Just in case you are willing to give WP one more try (keeping WP up to date is important), you could install version 3.7.1 that has an auto-update feature, as well as a security plug-in (I use 'Better WP Security' that automates a lot of the processes, including renaming files).
posted by scooterdog at 5:30 PM on November 10, 2013 [1 favorite]

As an interim solution: Install WP Super Cache, Bad Behavior, Limit Login Attempts, Akismet. This has been the mix I think has done right by me. Longtime WP user (currently 24 installed instances): 1 hack in 11 years across those sites. And yes, 3.7.1 has automated security apps.
posted by artlung at 6:48 PM on November 10, 2013 [2 favorites]

Going to third the suggestion: if security is your primary concern and there aren't any other aspects of WordPress that interfere with your site publishing goals, you should try the latest version of WP and try (individually) the security plugins mentioned above.

As of the most recent version, WordPress updates itself, and you will avoid being left vulnerable to published hacks to existing versions.

What you cannot do much about in any scenario:
- Unpublished exploit techniques
- Host insecurity (where your hosting company has a security issue with its platform)

The latter issue has bitten me with client sites a few times. I've had clients who WEREN'T on WordPress get their sites hacked simply because the hackers got into the web hosting platform, had access to every customer's files, and then targeted files called "header.php" for a malware injection. I'm sure they thought they were mainly targeting WordPress, but that worked pretty well to bust up a run-of-the-mill PHP site that just happened to have an include file by that name! That kind of issue will affect you on any self-hosted solution.

This is a very long way of saying that WordPress is the dominant platform for people who want simple and user-friendly nowadays, so it might be worth the trouble to take a few small steps to tighten it up.

There are some small self-hosted software issues that still have the hack-into issues, but might be a little less targeted than WordPress. There are also online services like Tumblr that take the hosting off your hands but also don't give you a whole lot of control over data or site building - but with their templating and daily ease-of-use, it might be enough.

Finally... have you considered using WordPress.com? It has all of the great ease-of-use of the WP dashboard, with none of the hosting or hacking pains. There are tradeoffs with restrictions on plugins and customization limitations, but you may find it has all that you need.
posted by brianvan at 9:53 PM on November 10, 2013 [1 favorite]

Shepherd, I have seen folks use .htaccess to limit access to wp-admin/ and wp-login.php pathways in exactly that way. They use the capabilities of htaccess to simply disallow access altogether, then when you need to make edits you comment the relevant lines in htaccess out. You can also limit access to those paths by IP address, which would be rather hard to spoof.

You are correct in assessing that each new third party software, and the themes are possible vectors for attack. As to why the security measures provided in the recommended third party plugins are not default, there are tradeoffs made with ease of use, and there's a quite natural tension between those needs that WordPress as a larger organization makes regularly. Have a look at Bad Behavior and see how it works to get a sense of what enhanced suspiciousness looks like from a program. One thing I've seen that do is disable a legitimate bot's access to the site because it operated too quickly. There are negative side effects to locking down security that can be undesirable. That tension is security practice, generally.
posted by artlung at 10:27 AM on November 11, 2013

This thread is closed to new comments.