This post was originally posted on my personal / professional blog: Sergiu Nagailic - this is just a part of the full post.
Running a self-hosted blog has its challenges - and I bumped into some of those eventually. Rather than running out of ideas, motivation or time to come up with new articles, I eventually ran into technical problems, with updates and security being the most important one 🔑 👾.
If you're using a self-hosted blog, you will eventually need to do constant updates. The more popular the engine you're using, the higher the risk of being hacked and the more up-to-date you have to be (especially if you're running on WordPress). I am kinda lazy, so eventually I skipped some big updates and my hosting got hacked. And this happened many times.
Many hacking waves are automated - they just crawl the web, identify Drupal websites and try commonly known exploits on them (that are documented everywhere), and if you're not up-to-date, they break in. You can leave it hacked - but eventually someone will sell access to your hosting on the black market and some shady things will start happening. In my case I had some websites popping up on my VPS (I used a DigitalOcean VPS) - and after making a backup of my website, I had the enormous pleasure of destroying the Droplet with all the weird websites it had on it.
These days there are ways to automate this process, for example:
- use something like Pantheon - it comes with automatic core updates; however, this still leaves contributed modules (or plugins, if you're using WordPress) unpatched, and those can also act as an attack vector
- use a CI tool, like CircleCI or GitHub Actions - you can have regular tasks that run daily, i.e. apply core updates and contributed module updates, maybe even run tests, and if all goes well, deploy to production
- something simpler but riskier would be a cronjob that just runs updates directly on production - but you never know what will happen. Normally you want to test things first on your local environment and only then replicate them on production.
However, to me, these options are overkill - I don't want to pay extra for Pantheon, nor do I want to write a CircleCI (or GitHub Actions) script or a crontab + shell script. I also don't want to constantly run updates locally and then deploy them (that's how I got hacked in the first place).
Also, besides the CMS's vulnerabilities, there are also PHP vulnerabilities, Apache/Nginx vulnerabilities and SSH vulnerabilities - so you'd have to update the operating system itself and all its packages, then restart nginx, php-fpm and mysql and hope for the best.
That's the introduction to the main post; the full post also covers:
- Advantages of Headless Drupal + Static Front
- Migration Process (with all the steps)
Hey, I'm new here - any suggestions or criticism are highly appreciated.