I’ve gotten a few different questions about how I host my blog, and I also spent a fair bit of time researching different options before I did my big site revamp, and it turned out to be surprisingly hard to find good information. So I wanted to just write a post describing the backend of this site, which hopefully maybe can help other people who have similar questions. If you don’t care about any of that stuff you can stop reading now — I’ll get back to the photos soon enough.
A couple of notes and disclaimers: first of all, I’m a computer scientist and software engineer, so I like dealing with computer internals (most of the time). Second of all, I’m somewhat security-paranoid, so I don’t really want to trust other people with my stuff, even if my stuff is just photos that I post publicly anyways. So all that’s to say, the choices I made setting up this blog probably aren’t going to be the same choices you might make setting up a blog. But even if not, maybe it’ll give you some ideas or things to think about.
So, without any more kerfuffle, let’s dive in! I’m going to go bottom-up, and start with the domain name. I use Name.com for my domain name registration. I used to be on GoDaddy and then switched off around the time they made a bunch of really horrible PR moves. At the time I switched, I did a bunch of research and Name.com seemed like one of the better options. I’ve heard anecdotally that GoDaddy has gotten a lot better but I don’t have any incentive to go back.
Next up is the server: I pay for a server in the cloud via Linode. DigitalOcean is also a good option if you go this route, but remember, all you’re getting here is a bare Linux box. It’s up to you to configure everything “correctly”. Fortunately both Linode and DigitalOcean put out extremely comprehensive documentation, tutorials, and guides, so you can get a lot of stuff up and running pretty easily just by following the steps. A third option here would be something like Amazon Lightsail, or even just a bare EC2 instance, but when I was configuring everything this was a more expensive option.
My server also hosts mail, a Minecraft server, and some other random stuff, so I pay for a slightly-larger-than-bare-minimum machine. If you’re just looking to host your blog, you probably can get away with their cheapest option.
At this point you might be wondering, “If you’re so privacy-conscious why are you hosting your blog (much less a mail server!) in the cloud on someone else’s machine?” The short answer is that it’s nigh-impossible to host anything from one’s house, due to ISP restrictions and IP address spam blacklists. So yea, in theory Linode could get at my data (or someone could hack into Linode and get my data) but that would have to be a pretty dedicated attacker, so I feel like the tradeoffs are “ok”, if not quite as under my control as I might ideally want.
Anyways, back to the stack: everything on my site is served via a fairly typical LAMP (Linux, Apache, MySQL, PHP) stack. If I were going to set this up from scratch today, I’d likely use nginx (probably inside a Docker container) like all the new-fangled kids are doing, but I set this up a long time ago and Apache is what I knew, and now it’s too much work to change it.
On top of all of that, I’m running WordPress. Here’s where I spent a lot of time thinking and researching before my big site revamp. There’ve been some fairly major WordPress vulnerabilities in the past, and the easiest way for some script kiddie to own my box is to hack my WordPress. But, as far as I can tell, WordPress itself is actually pretty secure (insofar as anything as massive as WordPress is can be), and the majority of “big” WordPress attacks are actually attacks against plugins (more about that in a bit). Moreover, trying to run something that’s not WordPress would require quite a bit more setup and configuration, and I just don’t have time for that–I like doing computer stuff, but I also want to take photos and have a place to share them.
The next big decision I had to make was about the theme. I wanted a theme that looked quite a bit more modern than what I had before, and I wanted to take advantage of a lot of the developments that have been made to the Internet in the last twenty years, but I’m not really a frontend developer, and again, I don’t have time for that nonsense when I really just want to post photos. And this is where I really had trouble, because hooooo gollly there’s a lot of junk out there. WordPress powers a good chunk of the internet, and everybody who’s ever taken a course in PHP thinks they can make a buck as a theme developer. Just try searching for “good WordPress themes” and you tell me which one of your search results are trustworthy, reputable sources.
After a lot of reading and research, I finally settled on the Photography theme in the Envato marketplace. This is one of the more popular themes that I saw referenced on many different sites, it’s quite customizeable, and I liked their demo pages. I still had some hesitancy, because the Envato marketplace itself seems to have Not Great customer service (apparently getting a refund is quite difficult), and unlike the WordPress developers, the theme developers are probably not thinking about security best practices (or have a security team). So this is one place where there are probably some big security holes — but my other option was… well, I’m not even sure. Write a theme myself? I don’t trust myself to write a security-hole-free theme, and again, the time thing.
Anyways, I’ve done a brief skim over the Photography theme source and it seems “reasonable”-ish. That’s nothing at all like a full security audit, and some automated scanning tools that I ran found a few things that might be issues, but I didn’t see any big glaring holes. So it’s what I’m going with for now.
The last thing to talk about here is plugins: just like the theme, once you start installing plugins in your WordPress site you open up some (potentially) big attack vectors. There are lots of examples of plugins getting hacked, people hiding malicious code in plugins, people writing malicious plugins masquerading as popular plugins, you name it. But I still ended up with a pretty long list of plugins, and I think most of them are reasonable. Here’s what I’ve got:
- Akismet: this is an anti-comment-spam plugin which works wonders. By far the most common way to “attack” a blog is to leave a comment with a malicious link and hope that readers of the blog will click your link. So this plugin is basically a necessity (plus, I require that any new commenter goes into a moderation queue before their comments will get posted, and Akismet helps keep my moderation queue small).
- Envato Market: this came with the Photography theme, and is required to let me know when new versions of the theme are updated. I might still disable this one, and just check for new versions by hand every once in a while.
- JetPack: honestly, this plugin kinda sucks. It provides a bunch of marginally useful features that don’t work very well, plus a bunch of junk you have to pay money for, combined with a bunch of annoying nag screens talking about how amazing JetPack is. I only use this plugin because it has a nice “visitor statistics” module. (It also has a subscription module, which I was originally using, but there was some bug with that so I gave up). The saving grace for this plugin is that it’s developed by WordPress developers so I have a slightly larger confidence in its security.
- Limit Login Attempts Reloaded: this plugin does what it says on the tin; it keeps people from trying to brute-force my admin password by limiting the number of times you can enter a wrong password before locking you out of the site.
- Multiple Post Thumbnails: this came with the theme, I’m not sure if I need it yet, I might still disable it.
- Photography Theme Custom Post Type: this also came with the theme, and does what it says: I can create custom post types (galleries, portfolios, etc), which is useful for what I want to do with the site.
- Slider Revolution: This came with the theme, it lets me create the fun slider image you see on the front page. It’s pretty clunky. They’ve implemented a whole entire user interface on top of the existing WordPress admin page UI. But it makes nice results and hopefully now that it’s set up I won’t have to mess around with it too much.
- Subscribe2: Does what it says, sends out emails when I post something new.
- Sucuri Security – Auditing, Malware Scanner and Hardening: This is one of the most-recommended security plugins out there. It locks down a bunch of extra stuff and will produce reports on activity on your blog (so if your theme files or WordPress files or whatever get some malicious payload injected, it can — in theory — let you know).
- Theme Check: this plugin just audits your theme files to see if they meet all of WordPress’s requirements. The theme I’m using doesn’t 🙁 but I’m not that surprised.
- Two-Factor Authentication: this plugin requires users to have a “second factor” to log in, in addition to their password. It’s a pretty standard best security practice.
- WP Super Cache: this plugin renders commonly-visited pages using static HTML instead of having to evaluate and parse all the PHP code. It’s an extremely common/popular plugin and is pretty great at significantly speeding up loading times for the site. The downside of being a popular plugin is that it’s probably targeted by attackers more frequently.
- WP/LR Sync: I haven’t actually used this one much yet, but it comes with a corresponding LightRoom component that lets you export your photos directly from LightRoom to your blog. One of my big frustrations is that after I get done editing all my photos (itself a time-consuming process), then I have to spend a ton of time uploading the photos and composing posts about them and stuff. I’m hoping this plugin will take at least a little bit of that frustration away.
Aside from the various security-related plugins I have installed above, the one other security thing I do is to lock down the permissions on all the WordPress files. By default, the only place that anything (theme, plugin, or WordPress itself) can write is the wp-contents directory. Everything else is read-only. The only annoying thing about this is that I can’t use the automatic WordPress updater, because it needs to write to all those other places. So instead when I need to update I just temporarily open up all the permissions on those other directories and let WordPress do its thing, and then lock it all back down again. It’s one small extra manual step, but it’s infrequent and easy to do.
So anyways, there you have it! The GlassDreaming tech stack. I’d love to hear if I’m doing anything bad or wrong in the comments, or if you’re looking to set up your own blog, maybe this can be some inspiration even if you do things differently than me!