Sunday, 19 February 2017

WordPress site without WordPress on Amazon S3

Recently WordPress hit the headlines with an issue that turned into a nightmare for millions of websites around the world. The REST API exploit was a really bad issue; on a scale of 1 to 5, this was a 5, because it potentially opened many sites to other exploits, and it is just a matter of time before some of the affected servers join the army of botnets doing bad things, or users discover that ransomware has been installed and they can't access their data.

There are many things that you can do to secure your server and site, but there is always a chance that something might go wrong. What is interesting about most WordPress sites is that all they do is serve static content: HTML generated by PHP, plus content such as images, CSS and JS files served by the web server. When content is not user-specific and there is no user area on the site, WordPress is used just for editing and publishing content.

Amazon S3, or Simple Storage Service, is by definition a "Simple web services interface that you can use to store and retrieve any amount of data, at any time, from anywhere on the web." Now you may ask what S3 has to do with WordPress, which you would run on EC2 instances, simply because you need at least a web server and a database. You can't host WordPress on S3, but there is one interesting option: you can host a static website there.

You can think of a static website as a web server with PHP disabled. The advantage is that such a site would be almost impossible to hack: no PHP, no database, no SSH or FTP access to the server. Another interesting aspect is hosting cost. For a tiny site it might be OK to have just one EC2 instance; a cheap t2.micro is $0.012 per hour ($105 per year + $12 10GB storage = $117 per year), and any bigger site with ELB, multiple web servers and a database server would cost significantly more (>$1000 per year).
In comparison, S3 would be $0.090 per GB for data transfer and $0.023 per GB for storage, both per month. For a small site, let's say $1 per year. Moving a site from EC2 to S3 could mean that hosting becomes more than 100 times cheaper for you.

So when you have two very good reasons, security and money, how do you do it?

To be clear, you will still need a WordPress installation, but you would use it only for editing and publishing content; it is not going to be used for public access.
You have a few options here: run a tiny EC2 instance only for yourself, or use a dedicated Vagrant box or Docker container.

When the content is ready, use a tool like httrack to create a static image of your site.

When you have a snapshot of your site, create a bucket on S3 where the content will be uploaded.

It is important to give the bucket the same name as your site URL and to enable static site hosting. Use the given endpoint in the CNAME DNS record of your domain to point it to S3.
This is all you need to do to have a fast, cheap and secure site. When you edit content, you will need to repeat the step to create a snapshot and push it to the S3 bucket, but this can be done easily with a simple script.
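
The repeated snapshot-and-push step as a shell script. This is an added example, not the author's own script. The variable names, the default URL, bucket name and directory layout are assumptions, and the bucket is assumed to exist already with static website hosting enabled. Before uploading, it refuses to publish if PHP, SQL or WordPress configuration files ended up in the snapshot.

```shell
#!/bin/sh
# Added example, not the post's own script. Assumed names: SOURCE_URL, BUCKET,
# MIRROR_DIR, SITE_ROOT. The bucket is assumed to exist already with static
# website hosting enabled, as described above.
SOURCE_URL="${SOURCE_URL:-http://localhost:8080/}"  # private editing WordPress
BUCKET="${BUCKET:-www.example.com}"                 # bucket named after the site
MIRROR_DIR="${MIRROR_DIR:-./mirror}"                # httrack working directory
# httrack writes the pages into a sub-directory named after the source host;
# the default below is an assumption, point SITE_ROOT at the real directory.
SITE_ROOT="${SITE_ROOT:-$MIRROR_DIR/localhost_8080}"
DRY_RUN="${DRY_RUN:-1}"                             # 1 = only print the commands

run() {  # print the command, execute it only when DRY_RUN is not 1
  printf '+ %s\n' "$*"
  [ "$DRY_RUN" = "1" ] || "$@"
}

# List files that belong to the dynamic site and must not reach a public bucket.
find_leftovers() {
  find "$1" -type f \( -name '*.php' -o -name '*.sql' -o -name '.htaccess' \
    -o -name 'wp-config*' \)
}

publish() {
  run httrack "$SOURCE_URL" -O "$MIRROR_DIR" -q || return 1
  [ -d "$SITE_ROOT" ] || { echo "no snapshot at $SITE_ROOT" >&2; return 1; }
  leftovers="$(find_leftovers "$SITE_ROOT")"
  if [ -n "$leftovers" ]; then
    printf 'refusing to publish, found:\n%s\n' "$leftovers" >&2
    return 2
  fi
  # --delete removes objects for pages that no longer exist in the snapshot.
  run aws s3 sync "$SITE_ROOT" "s3://$BUCKET" --delete
}

if [ "${1:-}" = "--publish" ]; then publish; fi
```

Run it with `--publish` to see the commands it would execute, then with `DRY_RUN=0` to actually mirror and upload.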

And a small piece of advice at the end: if you need something more sophisticated and a static site can't do the trick, move the functionality outside WordPress. WordPress is not a platform for complicated things anyway; use an API server, handle it in a JavaScript Angular / React application, and keep WordPress just as the CMS.

