Just noticed that about 57% of websites don't use a CMS like Wordpress/Drupal/etc. [1] If you don't use a CMS, what do you use exactly? I use github to host static sites, and things like Heroku for web apps.
Interestingly (for me), I've started going back to building more or less static sites for clients. I used Wordpress for a long time, but have increasingly found none of them want to blog, and few of them update either the site (or Wordpress, which can end up a security nightmare).
Often when it came to updating pages, they would call or email and say "can you do XXX", to which I'd reply "I can, but so can you". 90% of the time they're more than happy to pay me to update a page in Wordpress, which I could have done just as easily / quickly in a static site.
Long and short, the overhead of building a custom theme and setting up Wordpress isn't worth it for most clients, and even less me in a cost/time for the money way.
I am going through a similar transition. Moving my ten odd Drupal sites I built for family and friends to Hugo. In other cases just plain HTML using WinHttrack to download HTML version of site as is. I will convert to Hugo if need arises.
Only one user from the 10 ever used the CMS functionality to modify her site. She did it the one year, totally forgot her password and the following year asked me to make the changes. Maintenance of a CMS is even more of a struggle if that isn't your core job. If I worked on Drupal for my day job I wouldn't leaving the sites on Drupal.
Just about to transition most or all of my Wordpress sites to statically generated sites, probably using Hugo.
I love static sites. They load incredibly fast, they're extremely cheap to run, the security hassles go way down and, as another commenter mentioned, they work for the long-term. And these days there are plenty of solutions for reader feedback that don't require you to run a Wordpress instance.
Github to host static page because CSS Flexbox and HTML are so easy and will be well supported in 2017.
I use Swift Server Side framework for backend and Sveltejs (https://Svelte.technology) for front-end JavaScript to handle just about anything that jQuery could and a lot easier to run same compiled modules code on Nodejs and web browsers with Rollup.
Less worry than running frameworks that will encounter bugs that may take time to resolve e.g. React, Angular 1/2 have enormous issues since 2014/2013, Swift and Sveltejs are a great combination. I roll, I roll, I roll out in 2017!
Pssst. DOM are fastest when you only need to update a small portion of your code and majority of use case with DOM manipulation is fine.
This 57% sounds horribly wrong. They don't really explain how they come to this conclusion here: https://w3techs.com/technologies
My gut feeling is that 57% is a huge number if you assume that they don't use a CMS. I don't think that's manageable by the average owner with static site generators. None of my clients would be able to update their site with GIT + text editors. It's more likely that there's some kind of backend system that the survey was unable to identify.
This is kind of what got me. I feel like the majority of people wouldn't be savvy enough to do a site without a CMS as the setup is a little involved, or at least more involved than the simplicity of going to Wordpress.com and starting a site. So I don't know if I'm just missing something major here, or if the data is off.
Well, that's 57% that they could identify and that they happened to classify that way. There are lots of ways to obscure what's running and many more platforms out there.
I'm loving Jekyll. I've been building a blog with it and it's been a joy so far. I also have a 'main site' (just links to my social media and a little 'about me'), which I made using old-fashioned hand-written HTML and CSS. When I started on that I was a total noob, and now I have to update and maintain it, I understand the error of my ways. I'll probably switch to Jekyll for that too. At the moment I'm hosting everything on Netlify.
Processwire (http://processwire.com) is the darkhorse in the CMS race. Like Wordpress, it is also PHP/MySQL based. However, the ease of use, documentation, and extensibility has really won me over.
I think the difference between Processwire and Wordpress has been in the developer experience. The former (Processwire) is better organized, direct, and addresses the most common things you would want to do in the CMS. Wordpress docs just feel like an afterthought and more of an index of things.
At the moment, I use Caddy's built-in Markdown and template features [1], and simply rsync a bunch of markdown files to my server. It's basic, and certainly not as performant as hosting out static files, but it works well enough for my low-traffic site.
Usually, I develop using https://harpjs.com/ because it's literally zero-configuration and does a ton (seriously, "harp server" and you get sass/less, ejs/jade/markdown and more), then compile to flat html, css and javascript.
Hugo and S3 buckets. Have a Docker image that does the builds and deploys. All triggered on git push using Bitbucket Pipelines https://github.com/rabidgremlin/hugo-s3
I'm using IndExhibit [ http://www.indexhibit.org ] a PHP CMS Thing from 2006. It's unsupported now but simple and viewed well in the design community. I host it statically by wget-spidering it when I make a change. Only takes a few seconds to update my archive anyway.
It's hacky, but the rest of my site uses AppEngine and I really don't feel like exposing an unsupported hack job of PHP to the open internet. Had a few issues that required modification to the themes, but that was the only issue ¯\_(ツ)_/¯
A single file named `index.php` that loads a bunch of text files and spits out what looks vaguely like a blog.
It's a total mess. Business logic and HTML snippets scattered everywhere. Layers of caching to make the whole thing load in less than 0.03 seconds on cheap shared hosting. I'm sure I do a much better job for paying clients, but somehow never get around to fixing the decade-old garbage that runs my own site.
At least it doesn't have any SQL injection vulnerabilities :p
The script just preloads every file in a hard-coded directory into an associative array and uses isset() to check if the requested post exists. So no arbitrary file access, either.
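The preload-and-`isset()` lookup described in the comment above, as an added example (not the commenter's script). The function names, directory layout and request values are hypothetical and constructed for illustration; the point is that the requested name is only ever an array key and never part of a filesystem path.

```php
<?php
// Added example: hypothetical names and constructed sample data throughout.

// Read every *.txt file in one fixed directory into an array keyed by slug.
function load_posts(string $dir): array
{
    $posts = [];
    foreach (glob($dir . '/*.txt') ?: [] as $path) {
        // Skip symlinks so a link inside the directory cannot pull in outside files.
        if (is_file($path) && !is_link($path)) {
            $posts[basename($path, '.txt')] = file_get_contents($path);
        }
    }
    return $posts;
}

// The requested name is used only as an array key, never concatenated into a path.
// Query parameters can arrive as arrays, so non-strings are rejected first.
function find_post(array $posts, $requested): ?string
{
    return (is_string($requested) && isset($posts[$requested]))
        ? $posts[$requested]
        : null;
}

// Constructed sample data: a temporary directory holding two posts.
$dir = sys_get_temp_dir() . '/posts_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents("$dir/hello-world.txt", "First post");
file_put_contents("$dir/static-sites.txt", "Why I left the CMS");
$posts = load_posts($dir);

// Constructed request values: one valid slug, then traversal, extension,
// NUL-byte and array-typed inputs that must all miss the allowlist.
$requests = ['hello-world', '../../etc/passwd', 'hello-world.txt', "hello-world\0", ['x']];
foreach ($requests as $r) {
    $body = find_post($posts, $r);
    printf("%-24s => %s\n", json_encode($r), $body === null ? '404' : "200 ($body)");
}

// Clean up the constructed sample directory.
array_map('unlink', glob("$dir/*.txt"));
rmdir($dir);
```

Only the first request resolves; every other value falls through to the 404 branch because it is not a key that the directory scan produced.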
I started out as a WordPress developer, so once I moved to more advanced programming I kept using WordPress, but it was so annoying to have to keep up with the updates that I decided to try Jekyll because of their static site nature.
Static sites are awesome because they're wicked fast, and they work in perpetuity. I'm a huge fan. If you can handle a little coding I think it's much preferable to a CMS.
For my personal website, I wrote a backend in Haskell: https://github.com/myfreeweb/sweetroll after trying a lot of static generators, writing Dropbox-backed blog engines, etc.
It uses the Micropub protocol for posting/editing/deleting (I also made a frontend editor app for Micropub: https://github.com/myfreeweb/micro-panel), Webmention for talking to other websites, Git+JSON to store content.
I don't like the PHP/MySQL CMS world at all, but I use that at work. We use MODX Revolution (with some sites still on Evolution).
Firstly, sweetroll looks amazingly cool and being able to add javascript plugins seems like a great idea.
Second, have you looked at clckwrks[0]? It aims to specifically dethrone wordpress by making plugins that are provably safe. I think this is a viable way to attack WordPress's stronghold, though I think being able to do things like write plugins based in javascript or other popular languages when an existing provably safe plugin doesn't exist will also be necessary.
Last time I tried clckwrks it was a bit hard to get set up (this was pre-stack) so I don't blame you for rolling your own solution.
I do wonder what you think of clckwrks and the idea of exploiting Haskell to make provably safe plugins so you can create a large ecosystem without the security issues that wordpress plugins have.
I have kinda looked at it — it's not really what I wanted. For my personal website, I don't want an admin interface, password authentication and all that CMS-y stuff. Also, sweetroll was my "learning haskell" project, so of course I had to write a whole backend from scratch!
Setup wasn't the problem, Cabal sandboxes weren't much harder to use than stack… The actual benefit of stack is sharing compiled packages across all sandboxes instead of rebuilding everything every time.
Plugins in Haskell, or any compiled language, are kinda awkward to work with honestly. If you have to recompile the app, it's not very pluginy :D What are the other options? Dynamically loading shared libraries or using standalone RPC processes, neither of which feels good for a web app.
Embedded interpreters like duktape are pretty safe already. In terms of security model (you only expose what you want, there's nothing like file I/O available by default). Of course there might be bugs in them, especially memory bugs since they're written in C, but I'm not very concerned about actively hostile plugins tbh.
> Cabal sandboxes weren't much harder to use than stack… The actual benefit of stack is sharing compiled packages across all sandboxes instead of rebuilding everything every time.
I disagree. Stack saves tons of time by giving me package versions that just build together.
> Plugins in Haskell, or any compiled language, are kinda awkward to work with honestly. If you have to recompile the app, it's not very pluginy :D
If your site has a lot of content, you'll have to use a few tricks to retain fast builds [1].
We had to build a lightweight CMS[2] for regular folks to update content, and a pro hosting alternative to GitHub pages that supports multiple branches, authentication, redirections, proxying...
We're Open Sourcing the CMS part; shoot me an email if you use Jekyll and are interested in testing it out.
I wonder what percentage of websites created by non-technical people are hosted using SaaS that's technically a CMS but isn't standalone -- e.g. Squarespace or Blogspot or Google Sites?
I'm toying with Google App Engine and writing a mini-CMS/ecommerce thing in Python. To create products, categories, and subcategories, you just create folders.
A friend had difficulties with Wordpress + Woocommerce I set up for them and I figured everyone knows folders.
I'm tinkering with it from time to time. (As you might notice, I'm also learning web dev, CSS and stuff)..
I switched from wordpress to Pelican. I did not have a particular issue with wordpress apart from the mentioned security hassles but I also found it to be a bit bloated for what I wanted. Now I have a much cleaner implementation in Pelican and I am liking it... a lot! Check it out @ https://techtum.eu
Last time I used grav for something that does not have to be client friendly. It still felt a bit immature though. (the pretty flat-file markdown quickly gets gobbled up in the YAML headers and then they can only be edited through the admin interface)
I still miss my vim and editing the synced raw files on my mobile...
Both next to impossible with escaped markdown.
I guess markdown keeps the syntax clean for a WYSIWYG editor too, but the real benefit always was that you could write it in plain text with any editor you want.
I use Strikingly https://www.strikingly.com to quickly set up personal/business sites for my friends and make some show case single page sites for my projects.
I've been using Nanoblogger, a Bash-based static website generator, for about ten years. It hasn't been updated in the last four, and indeed is still hosted on SourceForge.
I could switch to something newer and better, but why bother?
> I could switch to something newer and better, but why bother?
Since it's not maintained, personally I'd be tempted to try transitioning to something that is (with minimal change to content and structure/configuration required) to save dealing with it when you're just trying to publish new content and suddenly run up against some bug.
Nanoblogger is a bash script in my home directory. To add an entry, I ssh into the web server, give it the text of the post, and it generates a bunch of HTML and writes it to /srv. It is only run to create a new post. It doesn't listen on a port, or talk to the outside world at all.
An attacker could theoretically edit the bash script to do something nefarious... but if they had write access to my home directory they would just edit .bashrc. An attacker could leverage some kind of hole in nginx, (plus a permission elevation vuln, since www-user can't do much) but by then you already own the box, and don't need to bother with nanoblogger. You could ssh in as me, then do something tricky with the script... but if you're logged in as me you own the box. Etc etc etc.
Nanoblogger has about as much attack surface as a rock.
Well, because we have never seen any exploits with bash (Shellshock anybody?) or ssh (Heartbleed rings a bell?).
You just don't know the weird ways things can be exploited. And if an exploit is discovered you'll be just as happy as everybody else if you don't need to implement a fix yourself but can rely on others implementing, testing and reviewing fixes that they provide to you as an update.
> we have never seen any exploits with bash [..] or ssh[..]?
Sure we have, and they have nothing to do with the static site generator. You're talking about compromising the web server in general. Totally unrelated.
And you don't even need a web server with an SSG. I use one locally and upload to S3. Maybe I "just don't know the weird ways things can be exploited", but I simply can't think of any conceivable angles on that.
References to mysterious unknowable hacking superpowers aren't really useful. Paranoia is to be encouraged in security, but sometimes it really is just plain secure!
I used Hakyll for some years, which is terrific. I got fed up with the long compile times, dependency problems, etc. So, I switched to Jekyll. I like it slightly less, but setting it up on new machines is a walk in the park.
Given all this recent love for static site generators, it's kind of amazing/sad that MovableType lost out to Wordpress - MT was a static site generator all along, and very sophisticated.
I use Python (Django, Flask) for CRUD, APIs, general purposes (80% of my works); Golang for realtime, websocket; Scala (Play) if I need JVM environment.
I would love to learn more about the lambda/apigateway part, I too need two backend operations on an otherwise static site, mailchimp signup and contact form submission. I am new to AWS, but I am pretty sure lambda could handle this, do you have suggestions on where I could learn more about setting something like this up?
A hackjob of an ASP.NET MVC app that loads html pages from Azure blob storage, hosted on the cheapest tier of Azure WebApps that lets you use a real domain name.