Web sites, CMS systems and the entropy

I made my first site in 1996. That was easy: just a few html pages. Later I wrote shell script to generate these files from source text to have all cyrillic encodings available to all browsers (once there was hell with encodings -- koi8-r, windows1251, macintosh, ms-dos, etc).


It was cumbersome to use but safe to leave unattended for years. No php, no scripts, no security holes. But it was difficult to edit. Now many CMS offer easy interface to do the same job. But there is a hidden price: SECURITY


All complicated systems like serious scripting languages and CMS systems tend to have security breaches, old and new. It's impossible to choose a CMS and be sure that it's going to be safe five years from now without upgrade. It WILL have security holes.


Upgrade? Well, that's good if you have time to do it. Sometimes upgrade breaks everything and you have to dive deep and spend hours to fix the problem. Sometimes software goes obsolete and you are left without security fix. And then worms creep into your site, spreading spam and viruses. 


My solution is simple. I run a CMS system under web server's password, so nobody could access login page or anything scriptable, using separate domain. CMS (my choice is CMS Made Simple) has "pretty urls" feature enabled, that mimicks .html web pages instead of typical dynamic CMS urls. Now when I'm satisfied with all site contents I use wget to download my site recursively from test site to my main virtual server. Which is bare http server without any scripting or other dangerous tools around.


Now if a web server kept secure (and that's many times easier that keeping secure CMS and PHP) we can relax and forget about the site for some more years.

This page was last modified at 26-Nov-2012 15:04