Ask HN: Most Sites Don't Use a CMS Like Wordpress – What Non-CMS Do You Use?
Just noticed that about 57% of websites don't use a CMS like Wordpress/Drupal/etc. [1] If you don't use a CMS, what do you use exactly? I use github to host static sites, and things like Heroku for web apps.
[1]: https://w3techs.com/
73 comments
[ 3.0 ms ] story [ 147 ms ] threadI think the difference between Processwire and Wordpress has been in the developer experience. The former (Processwire) is better organized, direct, and addresses the most common things you would want to do in the CMS. Wordpress docs just feel like an afterthought and more of an index of things.
yeah, i'm a big fan.
Both next to impossible with escaped markdown.
I guess markdown keeps the syntax clean for a WYSIWYG editor too, but the real benefit always was that you could write it in plain text with any editor you want.
I started out as a WordPress developer, so once I moved to more advanced programming I kept using WordPress, but it was so annoying to have to keep up with the updates that I decided to try Jekyll because of their static site nature.
Static sites are awesome because they're wicked fast, and they work in perpetuity. I'm a huge fan. If you can handle a little coding I think it's much preferable to a CMS.
I love static sites. They load incredibly fast, they're extremely cheap to run, the security hassles go way down and, as another commenter mentioned, they work for the long-term. And these days there are plenty of solutions for reader feedback that don't require you to run a Wordpress instance.
I could switch to something newer and better, but why bother?
Since it's not maintained, personally I'd be tempted to try transitioning to something that is (with minimal change to content and structure/configuration required) to save dealing with it when you're just trying to publish new content and suddenly run up against some bug.
And for any given static site generator, there's a pretty high risk it will be more or less unmaintained two years from now...
Interested if/how this could be exploited
Nanoblogger is a bash script in my home directory. To add an entry, I ssh into the web server, give it the text of the post, and it generates a bunch of HTML and writes it to /srv. It is only run to create a new post. It doesn't listen on a port, or talk to the outside world at all.
An attacker could theoretically edit the bash script to do something nefarious... but if they had write access to my home directory they would just edit .bashrc. An attacker could leverage some kind of hole in nginx, (plus a permission elevation vuln, since www-user can't do much) but by then you already own the box, and don't need to bother with nanoblogger. You could ssh in as me, then do something tricky with the script... but if you're logged in as me you own the box. Etc etc etc.
Nanoblogger has about as much attack surface as a rock.
You just don't know the weird ways things can be exploited. And if an exploit is discovered you'll be just as happy as everybody else if you don't need to implement a fix yourself but can rely on others implementing, testing and reviewing fixes that they provide to you as an update.
Sure we have, and they have nothing to do with the static site generator. You're talking about compromising the web server in general. Totally unrelated.
And you don't even need a web server with an SSG. I use a one locally and upload to S3. Maybe I "just don't know the weird ways things can be exploited", but I simply can't think of any conceivable angles on that.
References to mysterious unknowable hacking superpowers aren't really useful. Paranoia is to be encouraged in security, but sometimes it really is just plain secure!
It uses the Micropub protocol for posting/editing/deleting (I also made a frontend editor app for Micropub: https://github.com/myfreeweb/micro-panel), Webmention for talking to other websites, Git+JSON to store content.
I don't like the PHP/MySQL CMS world at all, but I use that at work. We use MODX Revolution (with some sites still on Evolution).
Second, have you looked at clckwrks[0]? It aims to specifically dethrone wordpress by making plugins that are provably safe. I think this is a viable way to attack wordpresses stronghold, though I think being able to do things like write plugins based in javascript or other popular languages when an existing provably safe plugin doesn't exist will also be necessary.
Last time I tried clckwrks it was a bit hard to get setup (this was pre-stack) so I don't blame you for rolling your own solution.
I do wonder what you think of clckwrks and the idea of exploiting Haskell to make provably safe plugins so you can create a large ecosystem without the security issues that wordpress plugins have.
Setup wasn't the problem, Cabal sandboxes weren't much harder to use than stack… The actual benefit of stack is sharing compiled packages across all sandboxes instead of rebuilding everything every time.
Plugins in Haskell, or any compiled language, are kinda awkward to work with honestly. If you have to recompile the app, it's not very pluginy :D What are the other options? Dynamically loading shared libraries or using standalone RPC processes, neither of which feels good for a web app.
Embedded interpreters like duktape are pretty safe already. In terms of security model (you only expose what you want, there's nothing like file I/O available by default). Of course there might be bugs in them, especially memory bugs since they're written in C, but I'm not very concerned about actively hostile plugins tbh.
I disagree. Stack saves tons of time by giving me package versions that just build together.
> Plugins in Haskell, or any compiled language, are kinda awkward to work with honestly. If you have to recompile the app, it's not very pluginy :D
Dyre?
But Grav had a docs theme like rtd. So far it's running without a hitch. I've moved it a few times because its flat file, would recommend it.
https://github.com/gatsbyjs/gatsby
It's a total mess. Business logic and HTML snippets scattered everywhere. Layers of caching to make the whole thing load in less than 0.03 seconds on cheap shared hosting. I'm sure I do a much better job for paying clients, but somehow never get around to fixing the decade-old garbage that runs my own site.
At least it doesn't have any SQL injection vulnerabilities :p
I use Swift Sever Side framework for backend and Sveltejs (https://Svelte.technology) for front-end JavaScript to handle just about anything that jQuery could and a lot easier to run same compiled modules code on Nodejs and web browsers with Rollup.
Less worry than running frameworks that will encounter bugs that may take time to resolve e.g. React, Angular 1/2 have enormous issues since 2014/2013, Swift and Sveltejs are a great combination. I roll, I roll, I roll out in 2017!
Pssst. DOM are fastest when you only need to update a small portion of your code and majority of use case with DOM manipulation is fine.
A friend had difficulties with Wordpress + Woocommerce I set for them and I figured everyone knows folders.
I'm tinkering with it from time to time. (As you might notice, I'm also learning web dev, CSS and stuff)..
https://github.com/jhadjar/boutique
It's hacky, but the rest of my site uses AppEngine and I really don't feel like exposing a unsupported hack job of PHP to the open internet. Had a few issues that required modification to the themes, but that was the only issue ¯\_(ツ)_/¯
https://theblackbox.ca