by billmalarky 4346 days ago
Is everyone shying away from WordPress for security reasons? I like the simplicity of WordPress, but in the back of my mind I am concerned that one day I'll visit my site and it will have viagra ads all over it. It would be less of a concern if I blogged daily, but I go to it rarely enough that it could be hosting malware (and making me look like an idiot) for quite a while before I realized it.
5 comments

WordPress has some downsides:

* The hosted version doesn't let you put ads in.

* If you host yourself it is a lot of maintenance to keep WordPress patched, spam cleared, etc.

* It is dynamic, so each page needs to be built based on a query to the MySQL database. For a handful of users this is no big deal. If you hit the HN front page your site will be overloaded.

On the other hand, WordPress is good if you blog on the go and want to use the iPad app or whatever to post/maintain your blog. It might also be good if you have multiple contributors, or update your blog so frequently (minutes) that rebuilding the site to deploy it is an impediment.

Octopress / Jekyll is a good alternative:

* Content is pre-formatted HTML files, no database to get in the way or slow things down.

* Tons of people use it, so it is well known.

* Lots of publishing options -- GitHub, Heroku, S3 + CloudFront, etc.

* "Features" like discussion forums can be linked in from Disqus or other purpose-built services.

* Publishing is easy via running a script, although that means lugging your laptop around or using an ssh client on your tablet.

* With static HTML the attack surface is substantially less compared to a PHP site with a back-end database, so security should be significantly better and easier to deal with.

To counter your downsides:

* WordPress now auto-updates, so you don't have to worry about patches.

* WPSuperCache is a WordPress plugin that serves up static content. Only logged-in users see a dynamic page.

I like WordPress for the basic use case, and if you're self hosting it's super easy to get up and running.

The downside is that it's popular (thus a target), and left unpatched or unprotected it's easy to mess something up and become part of those Viagra ad rings ;) I've hosted, set up, or fixed dozens of WordPress blogs, and a few have been compromised for one reason or another (you find lots of PHP shells in upload directories).

Not to mention the fact that once you get outside the basic use case (blogging), and/or you start using plugins, things get convoluted FAST. There're a million plugins for WP, and if you're lucky the one you pick will do exactly what you want. But chances are it won't, and you'll spend hours digging through spaghetti code to get it to work for you.
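The "PHP shells in upload directories" point above is something a site owner can check for without logging in daily. This is an added example, not code from the thread or from WordPress: it walks a wp-content/uploads tree and flags files with a PHP-executable extension (including double extensions like shell.php.jpg) or a PHP open tag hidden inside a file that claims to be an image. The directory layout and file contents are constructed for the demo.

```python
"""Flag PHP dropped into a WordPress uploads directory (added example).

wp-content/uploads should only hold media, so any PHP there is a strong
compromise signal. Sample tree and contents below are constructed.
"""
import re
import tempfile
from pathlib import Path

# Extensions a typical PHP handler will execute; all are suspect under uploads/.
PHP_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}
# A PHP open tag near the start of a file, e.g. code stuffed into a "PNG".
PHP_TAG = re.compile(rb"<\?(php|=)\b")


def scan_uploads(uploads_dir):
    """Return a sorted list of (relative_path, reason) for suspicious files."""
    uploads = Path(uploads_dir)
    findings = []
    for path in uploads.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(uploads).as_posix()
        # path.suffixes catches double extensions such as avatar.php.jpg.
        if {s.lower() for s in path.suffixes} & PHP_EXTENSIONS:
            findings.append((rel, "php extension"))
            continue
        with open(path, "rb") as fh:
            head = fh.read(4096)  # open tags are almost always in the first bytes
        if PHP_TAG.search(head):
            findings.append((rel, "php open tag in non-php file"))
    return sorted(findings)


def demo_tree():
    """Build a constructed uploads tree: two clean files, three suspicious ones."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "2013/08/photo.jpg": b"\xff\xd8\xff\xe0JFIF clean image bytes",
        "2013/08/notes.txt": b"just text",
        "2013/09/dropped.php": b"<?php /* constructed placeholder */ ?>",
        "2013/09/avatar.php.jpg": b"\xff\xd8\xff\xe0",  # double extension
        "2013/09/logo.png": b"\x89PNG\r\n<?php /* placeholder */ ?>",  # code in "image"
    }
    for rel, data in samples.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    return root


if __name__ == "__main__":
    for rel, why in scan_uploads(demo_tree()):
        print(f"SUSPICIOUS {rel}: {why}")
```

Point `scan_uploads` at the real wp-content/uploads from a cron job and mail yourself any non-empty result; pairing it with a rule that denies PHP execution under uploads/ closes the same hole from the other side.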

Yeah I've actually had several WordPress sites I've been involved with in years past get hacked before. One was the guy I built the site for refusing to keep it updated (this was before auto-update). The other if I recall correctly wasn't the fault of our site but some other site got compromised on the shared server and the attacker was able to hit all the sites on the server. You can see why I'm always a bit wary of WP even if it is irrational.

Never had any security issues with WordPress, and I run it on a fairly popular site. The auto updating feature is actually great for a site you won't be working on daily.

Also I think the WP core is well secured. It's when you start adding plugins into the mix things can get dicey.

For spam, Akismet is pretty effective and comes with WP by default, just have to enable it. I consider WP very frictionless for publishing content so it's a good choice in my book.

Typically these advertisements find their way onto a site through vulnerable plugins. To minimize this, you can install the Wordfence Plugin and it will email you when to update. Another good plugin is rename-wp-login.php which will move the site.com/wp-login/ to site.com/somethingDifficultToGuess and have Wordfence not cache and robots not index that page.

I have basic auth protecting login and no plugins installed because I know they are usually the source of vulnerabilities.

You should visit it at least often enough to keep the core and plugins updated, in which case you should be fine.

No plugins right now and I believe I have it set up to auto-update the core.