Over the past few months I’ve been involved with securing a number of legacy (old and/or unmaintained) CMS sites. Some were based on well-known CMSs, including WordPress, Plone, and Joomla, but there were several lesser-known examples too.

While some clients require the functionality a CMS provides, for example allowing non-privileged users access to a web-based interface for adding and editing content, there are a number who used one simply to set up a website that was then left in that “finished” state.

An unmaintained CMS instance is fairly obviously a bad idea, since it leaves unpatched server-side code, an admin login and usually a database reachable from the whole internet, so I’ve been spending some time converting these sites to a more secure form: static HTML. It does sometimes seem quite strange to me that web design would come almost full circle. Not so long ago a CMS was viewed as “the” way to produce a website. However, static HTML has a raft of benefits over dynamically generated sites where dynamic features are not required.

Creating a static site in these instances is fairly straightforward. For sites where further updates will be rare, creating a mirror using wget is a good starting point:

wget -mkEpnp http://awyr.co.uk/

This generally does a decent job of creating a static HTML version of the site: -m mirrors recursively with timestamping, -k rewrites links to point at the local copies, -E adds .html to pages served without an extension, -p fetches the images and stylesheets each page needs, and -np stops wget climbing above the starting path. Sometimes, though, some tweaks will be needed (links that still carry query strings, search and comment forms that expect a backend), and for some CMSs (e.g. Plone) this won’t be the end of the process.
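The mirror-then-tidy workflow above, as an added shell example that is not code from the original post: the wget flags spelled out as long options, plus a small audit of the mirrored tree for the leftovers that usually need tweaking (query-string filenames, links to CMS-only endpoints, forms that POST). The endpoint patterns and the sample directory are assumptions constructed for the demo, not output from a real mirror.

```shell
#!/bin/sh
# Added example (not from the original post): mirror a CMS site with wget,
# then audit the copy for anything that still depends on the old backend.
# The audit patterns are assumptions about what typically survives a
# WordPress/Joomla/Plone mirror; extend them for the site in hand.

# The mirror step, with the -mkEpnp flags spelled out. Not run by the demo
# below because it needs network access.
mirror_site() {
    wget --mirror --convert-links --adjust-extension --page-requisites \
         --no-parent "$1"
}

# Print one line per finding in a mirrored directory; no output means clean.
audit_mirror() {
    dir=$1
    # 1. wget saved ?p=123 / ?s=term style URLs as literal filenames. A static
    #    server will not map /index.html?p=123 onto them, so every link that
    #    still carries a query string needs rewriting.
    find "$dir" -type f -name '*[?]*' -print | while IFS= read -r f; do
        echo "query-string filename: $f"
    done
    find "$dir" -type f -name '*.html' -print | while IFS= read -r f; do
        # 2. Links to endpoints that only the CMS could serve.
        if grep -Eq 'wp-login\.php|wp-admin/|xmlrpc\.php|wp-json/|index\.php\?option=|login_form|@@search' "$f"; then
            echo "CMS endpoint referenced: $f"
        fi
        # 3. Forms that POST (comments, search, contact) need a replacement or removal.
        if grep -Eqi '<form[^>]*method=.?post' "$f"; then
            echo "POST form: $f"
        fi
    done
}

# Constructed sample "mirror" standing in for real wget output.
make_sample_mirror() {
    d=$(mktemp -d)
    mkdir -p "$d/about"
    # Clean page: relative links only.
    printf '<html><body><a href="about/index.html">About</a></body></html>\n' > "$d/index.html"
    # Still links to the WordPress login and carries a comment form.
    printf '<html><body><a href="../wp-login.php">Log in</a>\n<form method="post" action="../wp-comments-post.php"></form></body></html>\n' > "$d/about/index.html"
    # A query-string URL that wget saved as a file (with -E adding .html).
    printf '<html><body>post 12</body></html>\n' > "$d/index.html?p=12.html"
    echo "$d"
}

# Demo: audit the sample and report the number of findings.
sample=$(make_sample_mirror)
echo "findings: $(audit_mirror "$sample" | wc -l | tr -d ' ')"   # 3
rm -rf "$sample"
```

Run the audit after every mirror and again after hand edits; an empty report is the signal that nothing in the static copy still points back at the CMS. For a real site, replace the sample directory with the directory wget created (it is named after the host).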

Other sites needed a little more than this, so we ported those across to a static site generator. This retains most of the benefits of a CMS (e.g. shared templates, programmatically generated content) but removes all reliance on databases or server-side code interpretation.

There is a good array of site generators out there (e.g. Pelican, Hakyll, Jekyll). Having tried out a number of them I settled on Jekyll. There don’t appear to be major differences in functionality but, being written in Ruby, Jekyll feels the most comfortable to me (with the added benefit of being the backend to GitHub Pages).

Now that these client sites had been secured I turned my attention to the Awyr site. This started off as a static site but was redesigned on WordPress; WordPress was being used for some other clients at the time and there’s nothing quite like dogfooding to help find the best way of doing things.

So - I’ve ported the site to Jekyll. We’ve lost some functionality like commenting (which could probably be reintroduced via things like Disqus) but gained pretty much everywhere else. Combine this with a Docker container running alpine+rwasa and you quickly find a highly performant way of hosting multiple sites with a very small attack surface.

Written by Jonathon, categorised as news, 19 July 2015