From unsecure dynamic websites to secure static websites

AdminComments cms, internet,

The biggest CMS platforms that are widely used today are WordPress, Joomla and Drupal and they all use the scripting language PHP and SQL for databases. Research show that scripting languages give birth to more security vulnerabilities in web applications. 


Veracode has crawled popular scripting languages including PHP, Java, JavaScript, Ruby, .NET, C and C++, Microsoft Classic ASP, Android, iOS, and COBOL, scanning hundreds of thousands of applications over a period of 18 months. 

They found that classic ASP followed by ColdFusion and PHP are the riskiest programming language for the Internet while Java and .NET are the safest.

Flaw density in code

Taking a closer look at PHP:

  • 86% of applications written in PHP contained, at least, one cross-site scripting (XSS) vulnerability.
  • 56% of apps included
  • 67% of apps allowed for directory traversal.
  • 61% of apps allowed for code injection.
  • 58% of apps had problems with credentials management
  • 73% of apps contained cryptographic issues.
  • 50% allowed for information leakage.

The majority of web application attacks is:

  • SQL
  • XSJ (Cross Site Scripting)
  • Remote Command Execution
  • Path Traversal

These attacks can result in: 

  • Access to restricted content
  • Compromised user accounts
  • Installation of malicious code
  • Lost sales revenue
  • Lose trust with customers
  • Damaged brand reputation
  • And much more...

Security is expensive

It is also expensive. Akamai has concluded that the average cost of web application attacks is $3.1 million dollar per year and to manage a web application firewall and also keep servers updated and security patched you need an average of 4.4 employees.

Don’t be a part of the problem

If you are running a website that uses WordPress you can follow my 10 suggestions to help you avoid being a part of the problem:

  • Always run the very latest version of WordPress
  • Always run the very latest versions of your plugins and themes
  • Be conservative in your selection of plugins and themes
  • Delete the admin user and remove unused plugins, themes and users
  • Make sure every user has their own strong password
  • Enable two-factor authentication for all your users
  • Force both logins and admin access to use HTTPS
  • Generate complex secret keys for your wp-config.php file
  • Consider hosting with a dedicated WordPress hosting company
  • Put a Web Application Firewall in front of your website

Another solution is to move away from PHP and also ColdFusion. A year ago, we began the process of becoming full stack JavaScript programmers.

There is also a trend to move from dynamic websites (back) to static websites that use Jekyll, Hugo. The advantage is that there is no scripting language and no database that can be compromised. The disadvantage is that there is no wysiwyg-editor to use for the author and there is no plug-ins that can be used.We crawled the web and found one solution that stands out: it is a static site generator as a service that uses Hugo for generating the content and


Appernetic = hugo + octocat

blog comments powered by Disqus