Any downsides to using a CMS for a high-risk website?

I’m helping a client with their website (it’s manually written using a Dreamweaver template and a ton of quadruple-nested table elements for design. Ouch), and I want to offer them a break from using Dreamweaver to write things.

I was thinking of using WordPress or a similar CMS to do the job, as WordPress is clean, fast, and really easy to design for. I’ve done it a few times, and it’s almost as easy as just coding pure HTML.

My main concern is that the site has been hacked a few times before, even though it was pure HTML with no server-side code whatsoever. I can set up a manual Linux server for them, because the hosting company they use is one that I’ve never heard of.

The site owners are completely technologically impaired, so I don’t want to scare them off by showing them a dynamic CMS with tons of features, as they think pure HTML is so much safer, they have to go out of their way to work with it.

I know this is a ton of writing, but what would be the most appropriate CMS (hard-coding or dynamically generating content) for such a setup? I don’t want to keep having the person manually write non-standards-compliant quadruple-nested table layouts anymore, but I don’t want to be responsible for having their site hacked…

Thanks!

4 comments

  1. A solution that allows for local editing, and the uploading of only static HTML files, would be the safest way to go. If it’s a high-risk site, I would consider staying on that track.

    If a site containing only static HTML was hacked, then it was most likely through some problem at the web server or even operating system level – I am not aware of any exploits concerning static HTML resources. Problems usually come up when dynamic languages are involved.

    Whatever you do, don’t use WordPress. It is bound to be the subject of exploits and attacks simply due to its popularity.
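The local-editing, static-upload workflow this answer recommends, as an added example that is not part of the original thread: a POSIX sh gate that refuses to publish a build directory if it contains anything the web server would interpret rather than just serve. The extension allow-list and the rsync destination in the usage comment are assumptions to adjust for the real site.

```shell
#!/bin/sh
# Pre-upload gate for a static-only site: refuse to publish a build
# directory unless every file is of a kind the web server only serves,
# never executes. The extension allow-list is an assumption; extend it
# for the site's real asset types, but keep anything server-interpreted
# (php, cgi, pl, py, htaccess) out of it.
STATIC_ALLOW='html htm css js png jpg jpeg gif svg ico pdf txt xml woff woff2'

# check_static_only DIR
# Prints one line per offending file (to stderr) and returns 1 if any file
# under DIR has a non-allow-listed or missing extension or an executable
# bit set; returns 0 when the tree is clean and safe to upload.
check_static_only() {
    dir=$1
    [ -d "$dir" ] || { printf 'not a directory: %s\n' "$dir" >&2; return 2; }
    offenders=$(
        find "$dir" -type f | while IFS= read -r f; do
            base=${f##*/}
            case $base in
                *.*) ext=$(printf '%s' "${base##*.}" | tr 'A-Z' 'a-z') ;;
                *)   ext='' ;;                       # no extension at all
            esac
            case " $STATIC_ALLOW " in
                *" $ext "*) : ;;                     # allow-listed type
                *) printf 'disallowed type: %s\n' "$f"; continue ;;
            esac
            if [ -x "$f" ]; then                     # served files never need +x
                printf 'executable bit: %s\n' "$f"
            fi
        done
    )
    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders" >&2
        return 1
    fi
    return 0
}

# Usage (destination is a placeholder):
#   check_static_only ./site && rsync -a --delete ./site/ host:/var/www/site/
if [ $# -gt 0 ]; then
    check_static_only "$1"
fi
```

Run it from the editor's machine before every upload; a dropped `.php` file or a stray `.htaccess` in the local tree then blocks the publish instead of reaching the server.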

  2. If the site is pure HTML, then the insecurity is in the server, or the connection made between the server and the client.

    I’d look into how to make the server more secure before making changes to the site, although doing both is a good idea. CMSs like WordPress use MySQL databases to store posts, etc., so that means client -> server connections. A way to make transfers of data more secure is to use https:// instead of vanilla http://. You can redirect using a .htaccess file if need be.

    To summarise, I’d look at the server side of things for any vulnerabilities.

    James

  3. WordPress has become a pretty wonderful CMS. If the site is high-risk, you might want to shy away from it, but I haven’t had a site that I thought was too high-risk for WP myself. The site should keep up with regular updates and regular backups and there are some security tips that you can follow to help keep it more secure and less of a target.

    First, hide WP on the front end.

    Add this to your functions.php:

    // In the theme's functions.php: stop WordPress from printing its
    // discovery tags in <head>, which scanners use to fingerprint the site.
    remove_action('wp_head', 'wp_generator');      // <meta name="generator" content="WordPress x.y">
    remove_action('wp_head', 'rsd_link');          // <link rel="EditURI" ...> pointing at xmlrpc.php
    remove_action('wp_head', 'wlwmanifest_link');  // <link rel="wlwmanifest" ...> (Windows Live Writer)
    

    That will remove default header info that can be searched for by scripts.

    Install WP in a directory that will help obscure its location and obscure the admin URL.

    Change the name of the wp-content folder to something else and move it outside of the main WP directory. For instance, you could name it “includes” and put it into the root folder, and then links to template files will not have wp-content in them.

    On top of that, use a secure host, lock down your files (especially on shared hosting), and you can look at something like VaultPress, but it seems like if you use a solid backup plugin and a good host, that is unnecessary. You can also look at some of the security audit plugins, but don’t keep them running after you get feedback.

    This code in your wp-config.php file will help to install in a directory and move wp-content outside of it into an “includes” folder:

    // wp-config.php: WordPress core lives in /admin under the web root,
    // while the renamed wp-content folder is served from /includes at the root.
    // $_SERVER['DOCUMENT_ROOT'] is only set for web requests, not CLI runs.
    define('WP_HOME',        'http://domain.com');                      // public site address
    define('WP_SITEURL',     WP_HOME . '/admin');                        // where the core files actually live
    define('WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'] . '/includes');   // filesystem path of the moved wp-content
    define('WP_CONTENT_URL', WP_HOME . '/includes');                     // URL of the moved wp-content