Goodbye, WordPress

I finally managed to stop using WordPress for my blog.

WordPress suffers (suffered?) from a stream of security holes, which require constant software upgrades. In the end, since I didn't have time to deal with all these issues, I ended up removing write permissions from the WordPress MySQL user account. This way, even if the code was broken into, at least nobody could add hidden spam posts. Every time I wanted to actually post something, I temporarily gave write permissions back, just long enough to post...
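The read-only account described above could be set up in MySQL roughly as follows. This is an added example, not taken from the original post; the database name `wordpress` and the account `'wp_blog'@'localhost'` are assumed, and it assumes the account's privileges were granted at the database level.

```sql
-- Assumed names (not from the post): database `wordpress`,
-- account 'wp_blog'@'localhost'. Run as an administrative MySQL user.

-- 1. Inspect what the account is allowed to do right now.
SHOW GRANTS FOR 'wp_blog'@'localhost';

-- 2. Normal state: read-only. Remove every privilege on the blog
--    database, then hand back SELECT only.
--    (REVOKE reports an error if no database-level grant exists.)
REVOKE ALL PRIVILEGES ON wordpress.* FROM 'wp_blog'@'localhost';
GRANT SELECT ON wordpress.* TO 'wp_blog'@'localhost';

-- 3. Verify: SELECT should be the only privilege listed for `wordpress`.*
--    (the "GRANT USAGE ON *.*" line means "no global privileges").
SHOW GRANTS FOR 'wp_blog'@'localhost';

-- 4. Just before publishing: restore row-level writes only.
--    Schema privileges (CREATE, ALTER, DROP) stay revoked.
GRANT INSERT, UPDATE, DELETE ON wordpress.* TO 'wp_blog'@'localhost';

-- 5. Right after the post is published: back to read-only.
REVOKE INSERT, UPDATE, DELETE ON wordpress.* FROM 'wp_blog'@'localhost';
```

WordPress also writes to the database outside of posting (scheduled tasks and cached options, for example), so those writes fail while the account is read-only.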

I need a setup that just keeps working, even if I'm too busy for web site maintenance and even if I can't look after my blog for some months or even a year. WordPress is definitely not that solution, at least not if you run your own installation.

The last time I read some WordPress source code and tried to hack it, I found its quality quite low: It suffered from duplicated magic numbers and similar beginner's mistakes. Every little change I tried to make required altering the code in multiple places. Being written in a language with plenty of known issues does not help. Overall, it's software that I no longer want running on my server. I don't trust it enough.

Also, WordPress is much too complex for me because it does much more than what is really needed for a low-volume, one-person blog: A sign-up form? Mailing replacement passwords? An XML RPC interface? I don't need any of these, but they are enabled by default and each is a potential security hole.

So what do I use instead?

A very simple setup: The web server has only static files. No CGI, no PHP. I keep the blog posts in a plain text file and edit it with Emacs. I can search-and-replace in old posts without having to fiddle with SQL. The file format is org-mode compatible, so later on I might add org-mode tags to blog posts. (The format is similar to blorg's, but I'm not using that.)

A short Perl script generates the HTML pages. It runs on my notebook, not on the web server. Most of the work is done by Template Toolkit. I upload the rendered pages using rsync.

Managing comments (which is the only dynamic feature of my blog) is done by Disqus. The new setup stopped displaying any comments from before I started using Disqus. Perhaps I'll still be able to import these old comments, using this method.

Everything, including the source of my blog posts, is kept in a git repository, so if you're curious about the Perl scripts or the templates, go ahead and take a look.

This was a fun Christmas hacking project and I'm glad I don't have to deal with WordPress anymore. Maybe the new setup will even motivate me to crank up my posting frequency to more than once a year....
