Dynamic and Static Website Security

Dynamic vs Static

Web pages are generated by an application when requested instead of being made prior to being posted on a web server.
  • Text content is usually stored in a database.
  • The content that appears when a page is viewed can vary depending on how and when the page was viewed.
  • WordPress can be used to create dynamic websites. It is a complex application that is installed on a web server and it requires the installation of a database (MySQL) in order to function.
Web pages for a website are made prior to being uploaded to a web server.
  • Text content is contained in plain text files.
  • The content that appears when a page is viewed does not vary between different viewers (unless a new version of the page is uploaded to the web server).
  • Static websites can be created in a wide variety of ways from writing HTML, CSS, and JavaScript directly in plain text files to using a static website generator such as Hugo.


  • WordPress is extremely popular and hosting companies have made it easy to use WordPress to set up a website that has numerous useful features.
  • WordPress is overkill for the vast majority of sites that use it. While people are seduced by the apparent ease of use of WordPress (an illusion) and all of its premade themes and wonderful plugins, most WordPress sites consist of static content which changes infrequently. These sites would be faster and more secure as static sites.
  • Websites which contain a large amount of content that changes frequently are best as dynamic sites. This is also the case for sites which construct pages based on specific requests from users.
  • While some claim that dynamic sites are easier to manage than static sites, a static site that uses the proper management tools is probably easier to manage than a dynamic site.
  • Static sites are more portable than dynamic sites since they don't rely on a web server application. Static sites can be hosted and tested anywhere.
  • Static sites have better speed/performance than dynamic sites since all pages are built before they are uploaded to a server. A static site can also use a content delivery network (CDN) that puts the site on multiple web servers in a wide range of locations.
  • Static sites are more reliable than dynamic sites since they don't depend on a complex application that generates web pages.
  • A static site can be developed using any tool the developers prefer—even multiple tools may be used. Changing the tool used to develop a dynamic site is usually extremely difficult or even impossible.
  • It is possible to add sophisticated dynamic features (comments, search, etc.) to a static site through the use of APIs.

Dynamic Website Security

The focus here will be on WordPress security. The security of other dynamic site applications is similar.

Static Website Security

  • Static sites are more secure than dynamic sites. In most cases, they are much more secure.
  • Static sites have less exposure to the Internet than dynamic sites. There is no database and no possibility of making a malicious request. A user can only request files that contain HTML, CSS, JavaScript, images, audio, video—the user cannot cause an application to do something bad or a database to divulge privileged information.
  • With a static site, security is the job of the web server, and if the web server is hacked, fixing the site is as simple as uploading the site back onto the server once it is fixed.
  • A static site using a CDN is practically immune to attack because if one web server on the network goes down from an attack, many other servers are available to send out the website's pages.
  • It is much easier to corrupt the database used by WordPress than it is to corrupt the files on a static site. If a file on a static site is corrupted after an attack, the original file (stored offline) can be uploaded to replace the corrupted file.
  • Static sites can use APIs to have dynamic content like comments. One such comment API is Disqus (not recommended). An attack on the comments is not an attack on the website, it is an attack on Disqus.

Control of Assets

An asset of a website is an item that is necessary for the website. Assets include text content, CSS files, JavaScript scripts, images, audio files, and video files.

  • Control of website assets is a security issue. An asset over which full control is lacking is an asset which presents a greater security concern than one over which website developers have complete control.
  • Wordpress makes decisions about many website assets for you. You make the decisions with a static site. You have total control of all assets with a static site.
  • Most of the assets of a static website can be managed with a version control system such as Git. Version control for a database used in a dynamic site is difficult and complicated.
    • Version control allows one to move a site back to a previous state from a (broken) current state. Of course, this can be done by restoring from backups (see below), but it is inefficient to back up a site after every single change.


Dr. Randby's Website Process

  • Text content is written in a plain text file.
  • Text content is written using Org markup in GNU Emacs.
  • The plain text file is exported to HTML using Org's export capabilities.
    • Page and content styling are handled by a cascading style-sheet (CSS) file (also a plain text file).
  • The HTML, CSS, image, audio, and video files for the site are uploaded to a web server.
  • The site is a static site.

Org Plain Text File Example

* Section 1
  :custom_id: section-1


  - Description 1: :: Text for this item.
    + Item of unordered sublist
    + Another item of unordered sublist.
  - Description 2 :: Text for this item
    1. First item on ordered sublist
    2. Second item of ordered sublist
    3. Third item of ordered sublist

** Subsection 1.1
   :custom_id: subsection-11

   Some text for this subsection.

   A link: [[http://srandby.org][Dr. Randby's website]]

* Section 2
  :custom_id: section-2

  Some text for section 2.

  Below is a table:

  | Header 1 | Header 2 |
  | Stuff    |     3.14 |
  | More     |     2.71 |
  | More     |        0 |

Author: Scott P. Randby

Email: srandby@uakron.edu

Made with GNU Emacs 26.1 and Org 9.2

This work is licensed under a Creative Commons Attribution 4.0 International (CC BY 4.0) or later version license.

License summary

Updated: 2019-09-04 Wed 14:06

Validate page code