“You CAN have the cake and eat it too”
WordPress is an extensive blogging and CMS platform. With over 15k plugins and the most used CMS platform today. It’s ease of use and extensibility are important factors for choosing it as a CMS. The downside is that, because of its popularity, a lot of security holes have been discovered and there are probably more hiding. Therefore you cannot use WordPress as a CMS if you’re security savvy, or can you?
This post describes how to use WordPress to manage your content and publish it to static HTML. This has the security benefit that no code is executed and hence no vulnerabilities can exist. This also introduces a performance benefit.
Point of interest is dynamic elements in your site, they no longer work – the WP-way. The comments function, for example, needs to be substituted by something like Disqus. The contact-form needs to be substituted by, for example, a Wufoo form. The good thing about this is that these online services are focusing on one thing only and will do everything to keep this running. Therefore i think the security levels of Wufoo will be higher than if you have your own hosted contact form, when configured correctly.
There’s a plugin called really-static. What it does is create static HTML files of your pages, posts and other stuff and uploads this to an (s)FTP-server. More on this plugin at http://wordpress.org/extend/plugins/really-static/. The plugin will run every time you update/delete/create a page or post. What it doesn’t do automatically is transfer the themes/plugins/wp-include directories. But that’s easily fixed.
Here’s how it works:
- Install wordpress on a private system. Configure your WP installation as you please. Please use online services for dynamic elements.
- Install a webserver where the files should end up.
- Install the really-static plugin and patch it to transfer addition directories. Perform the initial transfer.
- Use it.
Install wordpress on a private system
Nothing special here. Just install wordpress as you normally would. The only thing to bear in mind is that dynamic elements will not work. Use their online equivalent.
Install the publish webserver
This is the secure webserver. Configure it accordingly. You don’t have to install PHP on it. Make sure there’s an account that can write files to the documentroot.
Install and configure really-static
In my example I have my WP installation on server.local in /var/www/wp which is accessible via http://server.local/wp/. I publish the page to http://www.company.com in /var/www/ which is available at http://www.company.com/.
Install the really-static plugin from the plugin menu and enable it. Add the following code to wp-content/plugins/really-static/php/configupdate.php just before the last function call ‘reallystatic_configok ( __(“Finish”, ‘reallystatic’ ), 3 );‘
// Function to loop through dir's and getnpush the data
// $basepath is the path to your WP installation on your servre
// $subpath is the path relative to your $basepath that you want to getnpush
// $sitepath is the path where the $basepath is accessible on the webserver
function getnpush_misc( $basepath, $subpath, $sitepath ){
$ignore = array( '.', '..' );
$dh = @opendir( $basepath.$subpath );
while( false !== ( $file = readdir( $dh ) ) ){
if( !in_array( $file, $ignore ) && !preg_match('/\.php$/', $file)){
if( is_dir( "$basepath$subpath/$file" ) ){
getnpush_misc( $basepath, "$subpath/$file", $sitepath);
} else {
getnpush ( "$sitepath/$subpath/$file", "$subpath/$file", true );
}
}
}
closedir( $dh );
}
reallystatic_configok ( "->misc files", 2 );
getnpush_misc("/var/www/wp/", "wp-content/themes", get_option ( 'siteurl' ) . "/");
getnpush_misc("/var/www/wp/", "wp-content/plugins", get_option ( 'siteurl' ) . "/");
getnpush_misc("/var/www/wp/", "wp-includes", get_option ( 'siteurl' ) . "/");
Now configure really-static under Settings -> Really-static:
- Source: Where can you find your WP-site and it’s theme?
- Destination: use sftp and add the user you created on the publish server. The domainprefix is where your published site will be accessible and should be set accordingly
- Settings: Make sure to tick the rewrite option (high security) so all references to javascript, css et cetera point to the publish server
- Reset: push the button to mark everything as ‘pending’
- Manual Refresh: hit the ‘write all files’ button to transfer the whole site
Use it.
For the first time transfer, click manual refresh in the really-static settings. This should give a list of all files that are being generated and transferred.
Now for every page or post you add, edit or delete the really-static plugin gets started to publish it.
Please note that everything else you change on the site, like menus, themes, plugins, et cetera don’t get transferred automatically. They require a reset & manual refresh to transfer the whole site.
Things to address
- Google API key changes
- When deleting a post, delete it on the publish server
- Google Site Search
Joost is curious 
If only the developer would update this plugin – it’s so logical to use for info sites that don’t really need the interaction of comments etc.
Hi Joost, I have 4 really static blogs and just tested your code. Works like a charm. Thanks for sharing it with us 🙂
Hi,
I am trying to setup really static, but its not working. Images embedded in posts, are not transferred to the new destination. Any suggestions how I can solve this problem?
Regards… Matz
Do you have those images attached to the post or are you just referencing them? I think that really-static just copies the media items attached to a post/page.
Hello,
I want to use the Really Static plugin to make my site more secure. I love your instructions here, they are very clear and concise. I am confused about one thing though. My wordpress installation is already installed at http://mywordpressinstallation.com. It is in the main domain url already. It is in the /public_html/ . It is NOT under a subfolder or on a subdomain.
If my WordPress installation files are on my main domain http://mywordpressinstallation.com how do I make it static using Really Static plugin? Do I have to physically move all the WordPress folders to a subfolder or subdomain? Then have the Really Static plugin install the static version onto /public_html/ (http://mywordpressinstallation.com/) ?
I need to have the static version as the main domain.
Thanks for your assistance.
Best regards,
Mike
Hi Mike,
The dynamic and static sites must live at different locations. I would put the dynamic WordPress-powered site on http://mywordpressinstallation.com/wordpress/ and the static one in http://mywordpressinstallation.com/static/. In the root of mywordpressinstallation.com you could add an index.php with header(“Location: /static/”); or similar.
hth