Hacker News

You’ll never maintain a Wordpress site long term securely. Need to convert it to static html one way or another.



10y of http://egypt.urnash.com running on Wordpress with a small set of plugins, including one for security, says otherwise.


> You’ll never maintain a Wordpress site long term securely. Need to convert it to static html one way or another.

I'm in favor of static HTML myself where possible, but it's not hard to maintain a secure Wordpress install. Keep automatic updates enabled and don't install any third party plugins.

It's that second part that most people screw themselves with.
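One way to check an install against the advice above (automatic updates left on, no third-party plugins), as an added example that is not part of this thread: it reads the real `WP_AUTO_UPDATE_CORE` and `AUTOMATIC_UPDATER_DISABLED` constants from wp-config.php and flags any plugin directory entry that WordPress does not ship itself. The sample config is constructed, and the set of bundled plugin entries is an assumption.

```python
import re
from pathlib import Path

# Constructed sample wp-config.php: background updates switched off entirely,
# which defeats the "just keep auto updates on" advice.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wp');
define('AUTOMATIC_UPDATER_DISABLED', true);
define('WP_AUTO_UPDATE_CORE', 'minor');
"""

# Matches define('NAME', value); and captures the raw PHP value text.
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*([^)]+?)\s*\);""")

# Assumption: entries present in wp-content/plugins on a fresh WordPress install.
BUNDLED_PLUGIN_ENTRIES = {"akismet", "hello.php", "index.php"}


def parse_defines(config_text):
    """Return {constant: raw PHP value string} for every define() in the config."""
    return {m.group(1): m.group(2).strip() for m in DEFINE_RE.finditer(config_text)}


def php_truthy(raw):
    """Rough PHP truthiness for the boolean-ish values these constants take."""
    value = raw.strip().strip("'\"").lower()
    return value not in ("false", "0", "")


def list_plugin_entries(wp_root):
    """Names of everything under wp-content/plugins of a real install (not used by the test)."""
    return [p.name for p in Path(wp_root, "wp-content", "plugins").iterdir()]


def audit_update_posture(config_text, plugin_entries):
    """Return findings; an empty list means the thread's advice is actually in effect."""
    defines = parse_defines(config_text)
    findings = []
    if php_truthy(defines.get("AUTOMATIC_UPDATER_DISABLED", "false")):
        findings.append("AUTOMATIC_UPDATER_DISABLED is set: no background updates at all")
    # WordPress default is 'minor', which still delivers security releases; only
    # an explicit false means core will never patch itself.
    core = defines.get("WP_AUTO_UPDATE_CORE", "'minor'").strip().strip("'\"").lower()
    if core == "false":
        findings.append("WP_AUTO_UPDATE_CORE=false: core will not patch itself")
    third_party = sorted(p for p in plugin_entries if p not in BUNDLED_PLUGIN_ENTRIES)
    if third_party:
        findings.append("third-party plugins present: " + ", ".join(third_party))
    return findings
```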


It may not be very hard to maintain, but you still have to maintain it. Whereas if you just have a collection of articles that you want to keep around as an archive, if you convert them to a static site, you can basically forget about them afterward...


> It may not be very hard to maintain, but you still have to maintain it.

When the maintenance is "ensure auto updates are on, and don't do anything that would not get updated automatically" it's not like it requires regular effort.

> Whereas if you just have a collection of articles that you want to keep around as an archive, if you convert them to a static site, you can basically forget about them afterward...

Your web server, your operating system, etc. still require at bare minimum the same level of maintenance.

You can outsource that maintenance to someone else of course, but you can do the same with WP as well.

--

My point is that WP alone doesn't massively increase the maintenance burden, it's what people tend to do with (to?) WP that increases the burden and eventually leads to unmaintained sites.


> When the maintenance is "ensure auto updates are on, and don't do anything that would not get updated automatically" it's not like it requires regular effort.

No dog in the fight here, but I felt impelled to point out that ensuring auto updates are on solves almost all security holes except for the security hole it opens up.


> No dog in the fight here, but I felt impelled to point out that ensuring auto updates are on solves almost all security holes except for the security hole it opens up.

In almost any computing context, but especially in the context of a personal blog, the vast majority of exploits are against known security holes for which patches have already been released, and from which those with automatic updates enabled are already safe.

Yes, hypothetically updates can deliver new flaws of their own and even potentially intentional malicious code, but from a practical sense it's not worth worrying about if you're using mainstream software packages on a major OS.


> it's not like it requires regular effort

More effort than you'll be able to exert when you're dead.


I assure you it'd be a whole lot easier for your survivors to manage a WP install than it would be to figure out your Jekyll configs.


Considering Jekyll's deployable assets are just static assets, there's no reason they'll have to learn any configs at all.

Although I highly doubt learning a Jekyll config would be harder than managing a PHP daemon, web proxy and MySQL database.


Right. I should have clarified it’s unlikely to happen if you want to be hands off for years at a time. If that’s the goal the ideal state is to convert it to static.


That's true for any piece of networked software. In reality, unattended-upgrades makes life easy.


WP security has come a long way. I've had a site up for over a decade, and while I used to be VERY nervous, now with automatic updates and a fair amount of code-hardening, it really hasn't been a problem.


Another approach might be to toss it on blot.im. (I’m in no way affiliated with Blot, but I like how simple the product is.)


Wordpress itself is reasonably secure nowadays. It is the plugins which are a mess.



