I used WordPress for about 15 years, and while it was absolutely a great way to get started, it eventually became too great of a security and maintenance burden. Now I've switched my blog over to a static site generator, and I think it was a great decision.
Why the move?
WordPress is a PHP application, and is no exception to the pattern of PHP apps being riddled with vulnerabilities. I think WordPress overall is fairly secure at this point, but there is still a steady trickle of patches. This might be OK if all I needed to do was upgrade my installation, but I have fallen behind a major version multiple times, and I don't want to have to patch in an emergency and then find out that I have to totally overhaul my templates or something.
The maintainers backport security patches to some older major versions, but they don't list those patch versions on the security announcements, and they sure don't make it easy to find those version lists in general.
And, well, I don't use most of Wordpress's features. I write from my laptop, not from multiple devices. I might as well write directly to files on the laptop and get backups of my site for free as a result. There's little point in my blog being run as an application. It can just be a set of HTML files.
Why write my own?
I originally tried to switch over to Hugo. It seemed like a nice static site generator with a reasonable amount of flexibility. I forked a WordPress-to-Hugo exporter and banged on it for a while, but eventually ran into various issues around templates. I spent a good week or so of evenings fighting with the templating language and trying to coerce it into replicating my blog's site structure.
I'm sure it's possible. It's probably even easy. But it turned out to be more trouble than it was worth to learn Hugo's model of the world. I ended up spending three evenings on writing a static site generator from scratch in Python and adapting my exporter to support it, and at the end I had something working. It was janky, but it did exactly what I wanted. It's fast, it supports comments (displaying existing ones, not receiving new ones), and it's very easy to tweak.
I kept most things identical in the output. URLs of posts have not changed, but all the chronological and tag archive pagination is gone. The main page of the blog just lists titles, and at some point I may generate history pages complete with truncated post content, but it's not a high priority. I did have to change the Atom feed URLs, and I'm not supporting RSS anymore. (Sorry, RSS users, it's a terrible spec—but Atom works much better, and your feed reader should be able to switch to it just fine!) I added some .htaccess rewrite rules to take care of the feed URL change. Search is gone, and I don't know if I'll both making a client side search index. And of course no one can leave comments. I'll likely be following in Wladimir Palant's footsteps and adding commenting to the static site by the expedient of writing a small comment-queueing service that I run on my home server.
The code is currently tangled up with the rest of my blog's private git repo, so if you're curious you can download a snapshot of the code as it exists today. I may eventually pull apart the templates from the code and post up a filtered-history git repo, but I make no promises.
In descending priority, here's what I'd like to do next:
- Fix the lack of commenting. Small Python service running on the Raspberry Pi in the basement that would queue up comments for moderation and notify me, and extend ssg.py to pull those comments and publish them. Something for anti-spam to remember people and allow them to bypass moderation.
- Update the HTML and CSS to be more friendly to a wide variety of screen sizes. I don't have a smartphone, but I can just wing it with a responsive layout and call it good.
- Header text on older posts warning people that the posts were written by a much younger me and that they should keep that in mind. I'd really rather not take down my older words, but college-freshman-Tim said some things that I find embarrassing now.