Why leave WordPress

For more than 10 years, this website has been running on WordPress. Over time, I have come to dislike it for multiple reasons.

  1. Security: Occasionally, I got PHP shell injection and once even my credentials were compromised. The core WordPress philosophy of keeping server-side executable PHP code inside a database makes it hard to keep the overall website secure.
  2. Cost: The requirement of running a Postgres server for just a website with a few hundred (or even a few thousand) articles makes it an expensive setup.
  3. Plugins: WordPress has a great plugins ecosystem. However, they are abandoned from time to time. In 10 years, I have migrated across at least three different code syntax highlighting plugins. Upgrade and you risk plugin incompatibilities. Don’t upgrade and you risk security vulnerabilities!
  4. Commingling of UI and data: WordPress commingles the UI (HTML and CSS) with the contents of the blog posts.
  5. No git-based flow: A git-based flow allows automation, e.g. checking for broken links and auto-compressing images. One can write WordPress plugins for these, but that’s several orders of magnitude harder than using CI-based automation.

Static sites

Most personal websites should be written as a static site deployed as a single docker container. This drastically reduces vendor lock-in, reduces the security attack surface, and makes the whole build process hermetic.

The stack I eventually ended up with is

  1. Markdown - all posts have to be in Markdown. Over time, I have fallen in love with writing posts in Markdown and have been copying it over to WordPress.
  2. Single container deployment - Deployment as a single container on Google Cloud Run
  3. Hugo - Tooling written in interpreted languages like Python and TypeScript decays really quickly over time. The fact that Hugo was written in Go was a huge upsell for me. I, myself, have written several tools and have always felt that the code maintainability of languages like Go is much higher than Python.
  4. Busybox - To minimize the attack surface even further, my final Docker image contains HTML, CSS, JavaScript, and only one binary: the busybox-httpd server. I don’t think one can cut the attack surface more than this.
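
One way to build the image described in items 2 to 4, as an added example rather than the author's actual Dockerfile. The image tags, the `/www` document root, Alpine's packaged `hugo`, and port 8080 (Cloud Run's default) are assumptions.

```dockerfile
# Added example: not the author's actual Dockerfile.
# Stage 1: build the static site with Hugo.
# Assumption: Alpine's packaged hugo is sufficient for the theme in use.
FROM alpine:3.20 AS build
RUN apk add --no-cache hugo
WORKDIR /src
COPY . .
# Hugo writes the generated site to ./public by default.
RUN hugo --minify

# Stage 2: source of a statically linked busybox binary.
FROM busybox:musl AS bb

# Stage 3: final image with no shell, no package manager and no libc,
# only the generated site and a single executable.
FROM scratch
COPY --from=bb /bin/busybox /busybox
COPY --from=build /src/public /www
# Run as an unprivileged numeric UID/GID; no /etc/passwd is needed for this.
USER 65534:65534
# Assumption: Cloud Run's default container port.
EXPOSE 8080
# Exec form, so no shell is involved.
# -f: stay in the foreground, -p: listen port, -h: document root.
ENTRYPOINT ["/busybox", "httpd", "-f", "-p", "8080", "-h", "/www"]
```

Because the final stage starts from `scratch`, the build tooling from stage 1 never reaches the deployed image, and there is no shell to fall back on if the web server is ever compromised.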

How to migrate

Migrating isn’t easy. There are tons of caveats.

Here is a small sample of the items that one should be careful about while migrating:

  1. I wanted to preserve the location of the feeds.
  2. I wanted to preserve the GUID of the entries.
  3. I wanted to download associated files e.g. media.
  4. I wanted to migrate tons of external embeds, like YouTube embeds, Google Maps embeds etc.

I looked at several tools; none migrated these properly. So, I ended up writing wp2hugo. wp2hugo made it to the front page of Hacker News!

What about the comments

This is a common concern that people raise about static sites. And that’s a valid one. Most Hugo users seem to use Disqus for this. I migrated to Remark42, a system that can be deployed and self-hosted. Since this uses a file-based comments system, I mounted a single Google Cloud Storage (GCS) bucket as a directory to persist the comments. And then Remark42 itself can be deployed as a separate Docker image.

Current status

The new site is up and running at https://v2.ashishb.net/.
For now, the old site is still running at https://v1.ashishb.net/ but will be shut down in a few days.