Website design software?

Robert E. Seastrom rs at seastrom.com
Mon Apr 18 07:48:04 CDT 2011


Dan Romanchik KB6NU <cwgeek at kb6nu.com> writes:

> Well, I'm not really all that concerned that my WordPress sites are
> going to be used to distribute malware to visitors. The web hosting
> company that my sites run on would be all over me in a minute if
> that were the case. And, if it's PHP itself that you're worried
> about, then Serendipity is also going to be a security risk since
> it's written in PHP.

I suspect you grossly overestimate the amount of attention that web
hosters pay to what's being hosted on them.  Typically their security
posture is quite reactive, with nothing done unless they receive a
complaint.  The largest problem is not PHP itself (although that is
not an inconsequential problem) but rather from the secondary effects
of it being a least common denominator.

WordPress has been criticized for having an architecture that makes it
unnecessarily difficult to write code that doesn't suffer from SQL
injection vulnerabilities.

http://blogsecurity.net/wordpress/interview-280607

That's not its only problem, just one of many; it's gotten better
since the 2007-2008 timeframe but that still doesn't mean it's not
going to be the gift-that-keeps-on-giving.

> Let's take a step back for a second. What Terry originally wrote is,
> "What I want to do is be able to put stuff at wb4jfi.com without
> taking up a lot of time and effort. Every hour spent on building the
> website is another hour taken away from SDR design, or other
> worthwhile ham radio project. I kind of like the idea of a blog, but
> not something that takes up a lot of time organizing the thing." 

Blogging software is a good choice, as is the CSS templated approach
that KO4MI suggested.  Terry's last sentence though says that he's not
interested in spending a lot of time organizing the thing.  I'll
assume this includes looking over one's shoulder.  That's why I
suggested that if he goes with WordPress at all (not my first choice,
obviously) he should go with a service bureau solution rather than
running it himself on a hosted platform.  That way updates are Someone
Else's Problem.  Based on his stated ambitions, I suspect that the
lack of ability to dink around with arbitrary templates and plugins
isn't a deal-killer for him.

> I think that WordPress best fits that bill.

Perhaps it does, perhaps it doesn't.  I'm not telling you that your
kid is ugly or anything.  Lots of free-as-in-your-time-must-have-no-value
software evangelists seem to react that way when you provide information
that their platform of choice isn't the best thing since sliced bread,
and I frankly don't get it.  Pointing out defects in a software package
isn't a personal attack, k?

> This is a personal website, not amazon.com.

You seem to be laboring under the misapprehension that someone would
have to intentionally target Terry in order for his site to get
compromised.  In fact, his greatest risk likely comes from scanning
malware that is automatically looking for vulnerabilities.  For an
example, look at the sshd logs for any host that is connected directly
to the Internet.

-r
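
Added example, not part of the original message: a short Python summary of sshd authentication logs that separates a legitimate user's mistyped password from the untargeted, automated guessing the message points to. The log lines are constructed samples using documentation-range addresses, and the "likely scanner" rule is an illustrative assumption, not a standard.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH's syslog format (documentation-range IPs).
SAMPLE_LOG = """\
Apr 18 03:12:01 host sshd[2101]: Invalid user admin from 203.0.113.7
Apr 18 03:12:03 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Apr 18 03:12:06 host sshd[2104]: Failed password for invalid user oracle from 203.0.113.7 port 40150 ssh2
Apr 18 03:12:09 host sshd[2107]: Failed password for invalid user test from 203.0.113.7 port 40188 ssh2
Apr 18 03:12:12 host sshd[2110]: Failed password for root from 203.0.113.7 port 40230 ssh2
Apr 18 07:40:15 host sshd[2300]: Failed password for terry from 198.51.100.20 port 51514 ssh2
Apr 18 07:40:31 host sshd[2300]: Accepted password for terry from 198.51.100.20 port 51514 ssh2
Apr 18 09:01:44 host sshd[2411]: Failed password for root from 192.0.2.55 port 33012 ssh2
Apr 18 09:01:47 host sshd[2411]: Failed password for invalid user guest from 192.0.2.55 port 33012 ssh2
"""

# The username is chosen by the remote client, so match it greedily and anchor on the
# end of the line: a name containing " from <ip> port " cannot then spoof the source.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (invalid user )?(.*) from (\S+) port \d+ ssh2$")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for \S+ from (\S+) port \d+")

def summarize(log_text):
    """Return {source_ip: stats} for every source seen in a login attempt."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "invalid": 0, "accepted": False})
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            invalid, user, ip = m.groups()
            stats[ip]["failures"] += 1
            stats[ip]["users"].add(user)
            stats[ip]["invalid"] += 1 if invalid else 0
            continue
        m = ACCEPTED.search(line)
        if m:
            stats[m.group(1)]["accepted"] = True
    return dict(stats)

def likely_scanners(stats, min_users=2):
    """Assumed heuristic: never logged in, and tried nonexistent or several accounts."""
    return sorted(ip for ip, s in stats.items()
                  if not s["accepted"] and (s["invalid"] > 0 or len(s["users"]) >= min_users))

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for ip in likely_scanners(report):
        print(ip, report[ip]["failures"], "failures,", len(report[ip]["users"]), "usernames tried")
```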



More information about the Tacos mailing list