Static WordPress: Faster and More Secure?

WordPress is one of the world’s most popular content management systems and there are many reasons for this: it’s free, there are tonnes of plugins and themes (many also free), you can manage it online with minimal programming experience, etc. etc. etc. Hence, WordPress rules.

But there are downsides to WordPress, which are basically this:

First, WordPress is very popular and so also popular to hack and spam, so you will regularly have attempts to hack your admin account, post spam comments, or send you spam via the contact form. Although usually unsuccessful, these kind of attacks can get you in trouble with your hosting provider.

Second, WordPress pages are created dynamically, so the page your user sees is extracted from the main database, and the content, widgets, etc. This is very cool, but requires processing power, and can thus slow down a website. Regular, static HTML requires almost no processing power and can therefore load much faster, even in high-traffic situations.

So the question is: should you go static with WordPress? And if so, how?

If you do decide to do a static version of WordPress, you are essentially using your regular WordPress installation to generate the website, and occasionally you “print out” the static version which you host online.

So what do you give up when going static? Any dynamic content, such as comments and contact forms (which all work with the WordPress PHP), although you can embed a contact form hosted elsewhere into an HTML site, e.g. using Google Forms.

What you gain aside from the quick loading, is that public users can no longer access your back-end, as the yourblog.com/wp-admin page is no longer visible (assuming you generate your WordPress page in another location than where you host your static page). That prevents hacking attempts.

Now from an operational aspect, you essentially need one plugin, aptly called Simply Static. It can export your WordPress installation to a directory on the same server. So you can have a static yourblog.com, while WordPress is running under a hidden (sub)domain like myhiddenwpinstallation.suckithackers.tk (get free domains from Freenom). As an extra protection you may wish to secure your WordPress installation further with Password Protected so those pages remain invisible.

Obviously no website is unhackable, but if server load is anyway a concern, then a static WordPress site may be a very good and simple solution.