About the platform
1 Jun 2020
During the few years when I was first running this blog I tried a number of content management systems, including Joomla, Wordpress and Drupal. While they certainly all performed their core function they all had a number of limitations. These included having to learn a new formating language, requiring plugins to add functionality, which then require a bunch of libraries that need to be maintained, changing layout required mastering a templating system or trusting a third party template and finally the constant patching in order to address security issues (which also demonstrated that the platform was never secure in the first place). In addition to those issues I have also investigated many website breaches over the past six or seven years. While I know enough about programming to figure out what is going on with any language it takes time to learn the finer details and look up functions that I am not familiar with. So all this contributed to making the decision to write my own CMS in php.
My key requirements of a blogging platform were:
- Easy to add content
- Easy to organise
- Flexibility with layout
This is pretty obvious, and is really one of the the core reasons to use a CMS, rather than just writing HTML. It is pretty easy to write a static website, and a static site would address all of my requirements, except for being easy to add content, simply because with a static site when you add a new page you have to update all your menus. Updaing menus can be automated with scripts (and I did go down this path more than 20 years ago when PERL was THE website language, but thankfully we have moved on since then!) however making changes to layout then tends to become a significant undertaking. For this site I have simply created a few templates for differnet page types and each page is written in html as the body content of the page. No messing about with HTML WISIWYG editors, no need to learn yet another markup language, just editing HTML in a text editor. Super simple and the file is uploaded to the server via sftp into the directory which represents the section it will appear in.
Easy to organise
Using filesystem directories to organise pages into topics makes the process of creating (or moving) sections super easy. Each of the sections you see in the navigation bar is a directory in the webroot. This also makes it simple to backup the site and saves messing around with databases to store content. One current limitation, that I may address in the future, is adding tags to allow pages to be assigned multiple keywords. However with the omnipitence of google adding search functionality and\or keywords to the site seems redundant.
One of the strongest arguments for using a hosted platform is boosting security. Having investigated what seems like hundreds of website compromises over the past few years I have certainly seen an awful lot of poorly maintained sites, these ranged from sites that had not seen an update in years, to sites that were never configured properly in the first place. So building and maintaining my own site certainly carrys risk from that perspective. However when considering potential vulnerabilities a usful starting point is the OWASP top ten. Which lists the following risks:
- Broken Authentication
- Sensitive Data Exposure
- XML External Entities (XXE)
- Broken Access Control
- Security Misconfiguration
- Cross Site Scripting
- Insecure Deserialization
- Using Components with Known Vulnerabilities
- Insufficient Logging & Monitoring
For the way this site is used the bulk of these do not apply.
- Only alphanumeric input is accepted from the user
- There is no authentication required anywhere on the site
- There is no senstive data on the site
- No access control, other than blocking directory browsing and every directory has a index.php page
- The only input from other sites is the blog feed, which is a risk, but I am only displaying plain text from those rss feeds
- See point 1.
- I am not using any extenal components
- With any shared hosting site your ability to configure logging is limited, but the value of logs and what logs are of value is something I know very well!
So hopefully this site is secure. Of course having made this claim I expect someone to be bored enough to have a crack at it. Before you waste your time I can assure anyone that wants to try that there are thousands of other sites out there with far more value and that can be compromised with much less effort!
Flexibility with layout
I am a moderatly paranoid person, and I look fondly back to the days when the internet was mostly full of people looking to share knowledge and learn from others. When google search results did not contain any adds, and you could search for a manual using the serial number of a network card and get a usful hit on the first page. I am not looking to monetize what I share here, and I am not looking to help any other platform make money either. There is no tracking on this site, I am not loading webbugs from google, amazon, facebook or any of the thousands of other marketing and tracking systems out there. If that means this page is a little harder for people to find so be it, but you are reading this, aren't you!
How it works
The CMS is pretty simple, when loaded the root pages search each subdirectory for recently modified files and display a summary of the pages found. These are sorted by with most recently modified first. Timestamps are based on the files last modified date stamp, so if page is updated or added it will move to the top of the list.
Page layout is based on a simple HTML template with place holders for each section. Content pages are just what would normally the within the <body> element.
There is no database, and the only write to the filesystem is by the RSS feed processing script. That is written outside the webroot and is not directly accessible by users.
The menu across the top is based on subdirectories within the webroot, each subdirectory starts with a number, with controls the order in which it will appear. One thing that drives me nuts with most 'modern' bloging platforms is that they do a terrible job of helping the user find anything on the site. So you are dependant upon a search function (or engine). I like to be slightly more organised than just dumping everything into a big list, so like to at least be able to divide my content up in some manner that hopefully makes sense to the reader.