
I beg of you, if you use Wordpress, and don’t have some reason you can’t do this:

Use a static site generator plugin for WordPress, and host the WordPress instance itself completely behind IP restrictions or firewall rules, reachable only by whoever actually needs to update it. The static site plugin will regenerate/update plain HTML files out of your WP instance whenever you tell it to; then it transfers those to your location of choice, where they'll just be hosted statically.

Wordpress is a pile of garbage from a security standpoint and having it exposed to the internet is basically asking to be hacked constantly by spammers and script kiddies. But it is useful as an easy content generation tool anyone can use, and at the cadence most people actually update it, the regeneration compute time is trivial.



Alternate viewpoint: I keep several WordPress sites online, mostly for testing & experimentation.

They are all configured to auto-update. They have a mix of a small number of plugins, mostly high-reputation ones.

They sit there and work and require next to zero maintenance.

Yep, they are regular hack targets. The biggest risk is brute force attempts overwhelming the server (until recently, I ran them on a 256MB VPS, because I like suffering, I guess), but with some decent protection there (e.g., fail2ban) it reduces risk significantly.

I would say if your plugin mix is simple and you have auto-updates, there is almost nothing to worry about for the vast majority of people.
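The two controls these comments rely on, an IP allowlist in front of the admin endpoints and fail2ban-style counting of failed logins, can both be checked against an access log. The following is an added example, not code from either commenter: it parses constructed combined-format log lines, flags admin-endpoint hits from outside a hypothetical editor network (203.0.113.0/24, a documentation range), and counts login POSTs per source IP the way a fail2ban filter would. The status heuristic (a failed wp-login.php POST re-renders the form with HTTP 200, a successful one redirects with 302) and the inclusion of xmlrpc.php as a login vector are assumptions stated in the comments.

```python
# Added example: log-based checks for two WordPress hardening controls
# (admin-endpoint IP allowlisting and fail2ban-style brute-force detection).
# Not from the thread; the network range, log lines and thresholds are constructed.
import ipaddress
import re
from collections import Counter

# Endpoints that only editors should ever touch. xmlrpc.php is included because
# it accepts credentials too and is a common brute-force target (assumption).
ADMIN_PATHS = ("/wp-login.php", "/wp-admin/", "/xmlrpc.php")

# Hypothetical editor/office range (TEST-NET-3); replace with your own.
ALLOWED_EDITOR_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Apache/nginx combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: one allowed editor, one credential-stuffing bot, one visitor.
_ATTACKER_FAILS = "\n".join(
    f'198.51.100.23 - - [10/Oct/2025:09:02:0{i} +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "python-requests/2.31"'
    for i in range(1, 7)
)
SAMPLE_LOG = f"""\
203.0.113.7 - - [10/Oct/2025:09:01:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2025:09:01:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
{_ATTACKER_FAILS}
198.51.100.23 - - [10/Oct/2025:09:02:09 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "python-requests/2.31"
192.0.2.44 - - [10/Oct/2025:09:03:00 +0000] "GET /2025/10/hello-world/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2025:09:03:05 +0000] "GET /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict with ip/method/path/status, or None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop query string before matching
    return rec


def is_admin_path(path):
    return any(path == p or path.startswith(p) for p in ADMIN_PATHS)


def ip_allowed(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_EDITOR_NETS)


def unauthorized_admin_hits(lines):
    """Control 1: every request to an admin endpoint from outside the allowlist.
    With a real firewall rule in place this should be empty; anything here is
    either a misconfiguration or a probe that got through."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and is_admin_path(rec["path"]) and not ip_allowed(rec["ip"]):
            hits[rec["ip"]] += 1
    return hits


def brute_force_candidates(lines, threshold=5):
    """Control 2: fail2ban-style counting of failed login attempts per IP.
    Assumption: WordPress answers a failed wp-login.php POST with 200 (form re-rendered)
    and a successful one with 302, so POSTs that did not redirect count as failures.
    xmlrpc.php returns 200 for both outcomes, so every POST to it is counted (simplification)."""
    failures = Counter()
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST":
            continue
        if rec["path"] in ("/wp-login.php", "/xmlrpc.php") and rec["status"] != 302:
            failures[rec["ip"]] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("admin hits from outside allowlist:", dict(unauthorized_admin_hits(lines)))
    print("brute-force candidates:", brute_force_candidates(lines))
```

On the sample, the editor's traffic is ignored, the bot is reported both for touching admin endpoints from a non-allowlisted address and for exceeding the failure threshold, and the casual visitor shows up only once in the allowlist check (for merely loading the login form). In production the candidate list would feed a firewall or fail2ban action rather than a print.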


Hacking and brute force attempts, and the risks they pose to uptime, are big reasons I advocate for this. And yes, plug-ins matter, but a lot of sites tend to have them installed. My point is, there's rarely any reason to have to deal with any of that stuff. Plain old Apache or Nginx or S3, serving HTML behind CloudFront, is impossible to hack and basically can't even be DDoSed. There's little reason not to. It's not like anybody even uses the features of WP that need to be dynamic, like the commenting feature, which can't be turned on without a flood of bot spam.


Yep, as long as you remain up-to-date. I've never had a WP install hacked. Not saying the security is good, but there are a lot of vulnerabilities reported with other similar software too. Don't know if I'd say WP is worse. Given its market penetration, it is going to be targeted more often.

I've noticed a lot of big companies are using WP for their blog as well... companies that could easily pay for something fully custom (such as Sony/Playstation), so they are arguably doing something right.


That's what many of those hacked sites thought. And yet Google is full of hacked wordpress sites of any caliber.


This is just confirmation bias though - what matters is the percentage of hacked WordPress sites. It's probably not as high as you think.


>Wordpress is a pile of garbage from a security standpoint and having it exposed to the internet is basically asking to be hacked constantly by spammers and script kiddies.

Deleting (or renaming) wp_admin.php is so important I don't know why it hasn't become a standard part of the install. It's incredible how much your attack surface decreases with just that.


The fact that WP hasn’t done that demonstrates how serious they aren’t about making security a priority.


Not sure why this is the top comment. Set the permissions to read-only and update via Composer.


Agreed, Wordpress is one of the leading CMSs, and with proper security it's fine. Any half-baked cache app will do what this commenter recommends anyway. Some people still irrationally hate PHP and WP.


In my experience the vast majority of security attacks on WP sites are plugin related.

But blaming WP and PHP for that is like bashing Linux for users installing random binary files with sudo.


Precisely my point as well. Everything is bad when done poorly. :D


Seems like a lot of work to still have a slow site, wasting tons of CPU to dynamically generate a site when most such sites stay static for days to months.

Yes, you can probably install cache plugins to work around this but everyone is pointing out how you have to be super careful with plugins.

If you don’t need a super dynamic site, Wordpress exposed to the Internet is an unnecessary choice. And it does have 0-days sometimes, so just “being perfect about updating, and knowing what plugins are trash and avoiding them” isn’t 100% adequate to keep your WP site secure.


Everyone is posting to defend “raw Wordpress exposed to the Internet” and pointing out the ways to convince yourself it’s secure, but no one has pointed out even one advantage to doing that, vs simply using it as a site generator and never having to worry about any of that.


If the devs set up a static generator then they have to support it. Better to give your marketing department crummy software that they think they have to use without help.


> Wordpress is a pile of garbage from a security standpoint

WordPress is fine from a security standpoint.

It's all the random plug-ins that are a security hazard. And letting non-technical, non-security-minded people install them.


Sure, and many sites use plugins.


WordPress, when updated consistently and used responsibly, has no worse security than most other PHP CMSs and frameworks.

WordPress has developed a bad reputation because of bad plugin authorship and bad theme authorship. If you are installing reputable plugins, keeping core up to date, and maintaining the standard best practices for hosting a PHP app, you're going to be fine.

Source: Industry experience working for enterprise clients in healthcare.


