Why all the hate for WordPress?

I know I've been chatty here, but what's anyone's experience with Pinegrow?

Never heard of it.

If you are looking for a hosted site builder, I stand by SquareSpace. I have never used Wix, but I hear good things about it.

Wordpress is not bad if you run minimal things, but it is really bloated if you are running static pages.

I still use CSS Tutorial as my resource for all things HTML and CSS.

Honestly, Squarespace or Wix is worth the money if you want a "build your own website" experience that isn't going to be day-1 compromised.

I started out self-hosting the site, shouldn't I just go back to that (I still archived the old HTML pages) and use Pinegrow to edit the HTML and CSS files? Pinegrow does make it considerably easier to edit the website, judging from the first half hour I've been using it just recently.

I have about a week to decide on that given the trial is just 7 days (should have been 30 tbh, but oh well). I will have to remember to keep track of SSL certificates when self-hosting (using nginx); it's a pain if it ends up expiring before I remember to renew it though. Costs $150 to get Pinegrow (one-time payment option) if I go this route. Or I can just use SquareSpace/Wix and have some advantages there at a greater long-term cost.

Say though, Pinegrow seems to mention WordPress a few times, but I shouldn't think that'd be a huge issue in and of itself since it's mostly still just HTML and CSS anyway.

There are flat-file CMSs that behave like a CMS you're used to while creating the site, but export plain HTML files once you're done that are then hosted as static files on your domain. This creates sidebars and menus and everything else you need for you, except you don't need a database or even PHP.


Really now? That sounds like something worth looking into. Any hints on where to start regarding that? I found Grav to be a potential option there.

Wordpress keeps aspiring cyber types like me in jobs :smiley:

NOMNOMNOM CVE for you!


There is always a new one in the line:


This is a little concerning as I just set up WordPress + WooCommerce a few months ago…

I run fairly minimal plugins and try to keep things up to date. Not much custom code as it does what I want but yeah there’s definitely a lot to go wrong as-is.


Funny you mention that, because that's the one I was looking for yesterday but couldn't find it because I didn't remember the name.

I think that’s the one Wendell mentioned a couple times before as well.

Otherwise just google Flat-File CMS and you’ll find a bunch of articles.


Yeah, Grav actually looks great but I am not sure how to access it from another system. I just started installing and running Grav on my machine but it seems like I can only access the instance from that machine (via localhost:8000, but I don’t have Firefox or any GUI installed on my web server, there really shouldn’t be a need to).

I seem to be having issues running NGINX with Grav. I can run Grav just fine on its own with its own web server application (which isn't meant for deployment like Apache and NGINX), and setting up NGINX by itself is fairly trivial on its own (though I was also gonna deploy SSL), but I can't seem to mix the two together, whether I am following the guide on the Grav site or this guide:

And yes, I decided to reinstall the system and swap it with Ubuntu Server rather than CentOS.

So checking htop I see that grav isn’t running with nginx.

UPDATE: I got Grav up and running, however I got a 404 error saying page not found (oh, that's because I have to do a bit of redirecting, easy enough). Gonna go check the configuration in the admin panel. But I finally got it up and running as well as SSL certificates (not to mention Gitea); looks like I am finally getting good at this kind of thing, since it used to take me hours and hours to set this up and now it took much less time.


Rather than bashing on WP, I would like to present some insights into solutions, and what to pick where.

Background: I’m a C++/C#/Python programmer but I lack experience in web dev. So, I’ve been working on that.

Here’s my journey in the last 3 years to create a great business site:

  • HTML/CSS: Just a demo
  • Wordpress: nice experience for a novice, but full of security holes. I would certainly avoid it if you’re doing payments. As was said before, PHP attracts some of the worst programmers.
  • Drupal: good focus on security, but it felt like I had to put in a lot of effort to make something decent and few good plugins were available (maybe better now).
  • Gatsby (Bulma): Static site generator. I modified an example template, and was happy with the result. React was a steep learning curve, and in the end I didn’t like that there were so many npm packages involved.
  • Angular (Bootstrap 5) - right now: Seems more structured compared to React and "batteries included" is nice. I'm still learning more JS/Angular/Bootstrap, but with these powerful front-ends you can really do anything. I wish I had more time to learn this more in-depth.

Honestly, for personal sites, look to a static site generator like Gatsby, Hugo or Jekyll and host it on Linode/DO/AWS or so. If you just want a simple site for a business, go with something like Wix/Squarespace/… Just try not to spend too much. There's really not too much difference in quality between these. If you really want a CMS, Drupal. Unless you're a webapp business (or you enjoy banging your head against the wall, like me) you don't need a full-fledged JS framework with all the bells and whistles. For a backend, I've been working with Django. All good so far.

I hope this helps someone.


#Update 2022.07.11
I’ve been migrating some Wordpress websites this month and have this to add and alter to what I said above.
Wordpress is very vulnerable to malicious attacks that can bring down the whole server. Some specialist Wordpress hosts can make your very slow site super fast simply by you uploading to them.

My conclusion is that unless you really know how to do super fast WP hosting, it will be slow to very slow depending on how terrible the website is. If you want to host your own website and you want it fast, then don't use WP.


My educated opinion on Wordpress is that it is pretty much Windows as a web site engine. My teacher would've hung me if I'd ever used it. I used Drupal 8 back in the day, and I got similar functionality, without all the pay-to-use plug-ins. In Drupal you can go very in-depth on your own without so much bloat to hinder you from really knowing where to change things.

Also I find WoPr very heavy and slow. And it so often has some kind of exploit.

I’d be, maybe I’m already, working on just a “web app” that is pretty much the same.
Bun.sh and surrealdb, maybe I just go wasm…


My brethren. I am running my site on WordPress and Apache right now. I am going to transition to Drupal in the future when I get time. I tried WP and it is heavy for what I need. But I have had no issues with it. I am just a dinosaur, I guess.


Don’t mention the A-word. That frigging series of programs forces us to update our install scripts almost daily with new versions.

I've run Wordpress two times, for two separate self-hosted websites. I did this because, as stated by someone else, it's like the Windows of websites: it's easy to use, turnkey, etc. etc.

I'm not a full stack dev, I'm not a Wendell, I just wanted to host something. I did audit logs though; there was a plugin that was an issue, simply had to update it I believe. Otherwise it was resilient to the usual background noise onslaught of attacks.

Actually did a write-up on the “hack”, lemme look:
Alright specifics: Wasn’t even looking at webserver logs for this, but router logs via syslog out to Splunk and Kam Amir’s Home Monitor app and he has a neat panel that has some really neat SPL logic to somewhat accurately assume something is compromised by looking at private and public IP traffic.

I then grepped through lots of webhost logs not finding a smoking gun, so I googled the suspect IP address: 'twas the XML-RPC /Pingback DDoS attack, a neat trick a DDoS'er could use to send some traffic to a wordpress instance to join up in a DDoS attack; could basically ask the wordpress instance "hey, can you crazy ping these other IPs? K, thanks".

So I'm a bit split on wordpress: it enables people that otherwise couldn't host something, but it isn't iron-clad either. I get the impression the fewer plugins you use, the better. To be an instant contrarian, there are a number of good security plugins for wordpress as well.

Another audit log honorable mention: I caught some log traffic that was blowing my mind: how TF was a creds bot knowing my admin user name?!? Lots of Fail2Ban logs with attempts by my changed-by-me admin user name. So some googling:

Helps with their random password list shots-in-the-dark but still no compromise (use good passwords).
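As an added example (not from the thread), the two log patterns described above, XML-RPC pingback floods and brute force against wp-login.php, can be flagged straight from nginx access logs; the log lines, IPs, user agents and thresholds below are constructed for illustration.

```python
# Added example: flag XML-RPC pingback floods and wp-login.php brute force in nginx logs.
import re
from collections import Counter, defaultdict

# Default nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (documentation-range IPs, made-up user agents).
SAMPLE_LOG = """\
203.0.113.7 - - [11/Jul/2022:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "curl/7.68.0"
203.0.113.7 - - [11/Jul/2022:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "curl/7.68.0"
203.0.113.7 - - [11/Jul/2022:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "curl/7.68.0"
198.51.100.9 - - [11/Jul/2022:10:00:05 +0000] "GET /about/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.9 - - [11/Jul/2022:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3201 "-" "python-requests/2.25"
198.51.100.9 - - [11/Jul/2022:10:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3201 "-" "python-requests/2.25"
192.0.2.44 - - [11/Jul/2022:10:00:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

def parse(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_abuse(log_text, xmlrpc_threshold=3, login_threshold=2):
    """Return {ip: [reasons]} for IPs at or above either threshold.

    A wp-login.php POST answered with 200 is a failed login (WordPress re-renders
    the form); a successful login redirects with 302, so only 200s are counted.
    """
    xmlrpc, failed_logins = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec or rec["method"] != "POST":
            continue
        path = rec["path"].split("?", 1)[0]  # ignore query strings
        if path.endswith("/xmlrpc.php"):
            xmlrpc[rec["ip"]] += 1
        elif path.endswith("/wp-login.php") and rec["status"] == "200":
            failed_logins[rec["ip"]] += 1
    findings = defaultdict(list)
    for ip, n in xmlrpc.items():
        if n >= xmlrpc_threshold:
            findings[ip].append(f"{n} POSTs to xmlrpc.php (pingback abuse?)")
    for ip, n in failed_logins.items():
        if n >= login_threshold:
            findings[ip].append(f"{n} failed wp-login.php attempts")
    return dict(findings)
```

The same two counters map directly onto a Fail2Ban filter or an nginx `location ~ /xmlrpc.php` deny rule if pingbacks are not needed.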

wordpress on its own isn't terrible for self hosting, if you know what you're doing, and therein lies the problem… most people have no idea what's going on under the hood and as a result end up compromising their site and system.
its way too easy to add a malicious or buggy plugin that compromises the whole site…

pretty much every time I've run into a wordpress site as a lab, the exploit they use to teach you was found in the wild, and there do seem to be a lot.


It was freaky to see in the logs a brute force effort that knew my unique user name.

That said, I guess my question would be, if someone used a smartly composed list of "must have security plugins" AND had a use-case where they didn't really need a slew of plugins for site features, how bad is it in that state?

More specifically, I recall some good security plugins that hold your hand through a huge list of settings changes, recommendations etc. and give you a score, very reminiscent of using SCC and SCAP to harden a system.

Curious how “crappy” WordPress still is after that because the convenience factor is immense. Or in other words maybe a pragmatic threat modeling quantifying one’s opinion vs. “it sucks, btw I run arch”.
