Dynamic and Static Website Security

Dynamic:

Web pages are generated by an application when requested instead of being made prior to being posted on a web server.

• Text content is usually stored in a database.
• The content that appears when a page is viewed can vary depending on how and when the page was viewed.
• WordPress can be used to create dynamic websites. It is a complex application that is installed on a web server and it requires the installation of a database (MySQL) in order to function.

Static:

Web pages for a website are made prior to being uploaded to a web server.

• Text content is contained in plain text files.
• The content that appears when a page is viewed does not vary between different viewers (unless a new version of the page is uploaded to the web server).
• Static websites can be created in a wide variety of ways from writing HTML, CSS, and JavaScript directly in plain text files to using a static website generator such as Hugo.

• WordPress is extremely popular and hosting companies have made it easy to use WordPress to set up a website that has numerous useful features.
• WordPress is overkill for the vast majority of sites that use it. While people are seduced by the apparent ease of use of WordPress (an illusion) and all of its premade themes and wonderful plugins, most WordPress sites consist of static content which changes infrequently. These sites would be faster and more secure as static sites.
• Websites which contain a large amount of content that changes frequently are best as dynamic sites. This is also the case for sites which construct pages based on specific requests from users.
• While some claim that dynamic sites are easier to manage than static sites, a static site that uses the proper management tools is probably easier to manage than a dynamic site.
• Static sites are more portable than dynamic sites since they don't rely on a web server application. Static sites can be hosted and tested anywhere.
• Static sites have better speed/performance than dynamic sites since all pages are built before they are uploaded to a server. A static site can also use a content delivery network (CDN) that puts the site on multiple web servers in a wide range of locations.
• Static sites are more reliable than dynamic sites since they don't depend on a complex application that generates web pages.
• A static site can be developed using any tool the developers prefer—even multiple tools may be used. Changing the tool used to develop a dynamic site is usually extremely difficult or even impossible.
• It is possible to add sophisticated dynamic features (comments, search, etc.) to a static site through the use of APIs.

The focus here will be on WordPress security. The security of other dynamic site applications is similar.

• Dynamic sites have greater exposure to the Internet than static sites. Every request for a web page made to a dynamic site causes an application to run and a database to be accessed. A malicious request might cause the application to do something bad or the database to divulge information it shouldn't divulge.
• Malicious code can be sent to a dynamic site via things like password entry forms.
  • https://www.cloudways.com/blog/wordpress-sql-injection-tools-techniques/
  • https://www.wpexplorer.com/common-wordpress-attacks/
  • https://www.getfilecloud.com/blog/2018/06/identifying-the-top-10-most-common-database-security-vulnerabilities/
  • https://www.wordfence.com/blog/2018/12/wordpress-botnet-attacking-wordpress/
• WordPress requires constant updating to maintain security. Most must rely on someone else to do the updating for them. Fewer than 45% of Wordpress sites are kept updated.
• There is much advice available explaining how to secure WordPress sites and how to fix them after they are successfully attacked. The process is not easy (see https://sucuri.net/guides/how-to-clean-hacked-wordpress). If nothing works, then a reinstallation of WordPress (and a database) will likely be required followed by uploading a backup (see below) if one was made.
• Third-party plugins to WordPress present another avenue of attack. It is hard to determine how seriously the developers of a third-party plugin take security or if they have bad intentions and use the plugin to attack sites that use it.

• Static sites are more secure than dynamic sites. In most cases, they are much more secure.
• Static sites have less exposure to the Internet than dynamic sites. There is no database and no possibility of making a malicious request. A user can only request files that contain HTML, CSS, JavaScript, images, audio, video—the user cannot cause an application to do something bad or a database to divulge privileged information.
• With a static site, security is the job of the web server, and if the web server is hacked, fixing the site is as simple as uploading the site back onto the server once it is fixed.
• A static site using a CDN is practically immune to attack because if one web server on the network goes down from an attack, many other servers are available to send out the website's pages.
• It is much easier to corrupt the database used by WordPress than it is to corrupt the files on a static site. If a file on a static site is corrupted after an attack, the original file (stored offline) can be uploaded to replace the corrupted file.
• Static sites can use APIs to have dynamic content like comments. One such comment API is Disqus (not recommended). An attack on the comments is not an attack on the website, it is an attack on Disqus.

An asset of a website is an item that is necessary for the website. Assets include text content, CSS files, JavaScript scripts, images, audio files, and video files.

• Control of website assets is a security issue. An asset over which full control is lacking is an asset which presents a greater security concern than one over which website developers have complete control.
• Wordpress makes decisions about many website assets for you. You make the decisions with a static site. You have total control of all assets with a static site.
• Most of the assets of a static website can be managed with a version control system such as Git. Version control for a database used in a dynamic site is difficult and complicated.
  • Version control allows one to move a site back to a previous state from a (broken) current state. Of course, this can be done by restoring from backups (see below), but it is inefficient to back up a site after every single change.

• Backups are part of security considerations. Failing to back up a website leads to disaster when the website or its web server is successfully attacked in a way that destroys the site.
• Backing up a Wordpress site requires a Wordpress installation and it is a multi-step process. Making a backup of a WordPress site is not simple and neither is restoring a WordPress site which has been damaged.
  • https://websitesetup.org/wordpress-backup/
  • https://www.wpbeginner.com/beginners-guide/beginners-guide-how-to-restore-wordpress-from-backup/
  • https://www.wpexplorer.com/backup-wordpress-site-plugins/
  • https://blogvault.net/manually-restoring-wordpress-site/
• A backup of a static site is the actual site. Since a static site is not built on a web server using an application installed on the web server—it is built on a different computer (perhaps offline)—backing up a static site requires no work. Additional backups can be made using whatever method one prefers.
  • Restoring a static site from a backup is a simple matter of uploading the files in the backup to the web server hosting the site.

• Text content is written in a plain text file.
• Text content is written using Org markup in GNU Emacs.
• The plain text file is exported to HTML using Org's export capabilities.
  • Page and content styling are handled by a cascading style-sheet (CSS) file (also a plain text file).
• The HTML, CSS, image, audio, and video files for the site are uploaded to a web server.
• The site is a static site.