
Static Sites vs WordPress: Rebuilding My Personal Blog After a Hack - Part 1

Part 1: After getting hacked twice, I rebuilt my personal blog as a static site. Here's why I moved away from WordPress and what I learned about static site generators.

I’ve had a personal blog for years, but it’s been a rocky journey. Twice now, I’ve had to start over because of security incidents. Those experiences are part of the reason why I’ve recently rebooted my blog as a static site rather than going back to WordPress.

Let me share the story, the lessons I learned, and why I believe static site generators are a serious alternative to WordPress if you’re rebuilding or starting fresh.

Getting Hacked (Twice)

The first time I was hacked was almost a decade ago, when my AWS account was compromised. I was running my WordPress site on an EC2 instance (yes, I was that person who thought “I’ll just host it myself, what could go wrong?”).

The attackers didn’t deface the site or steal data. They simply maxed out my compute resources. My monthly AWS bill jumped to somewhere around $18,000. Amazon couldn’t waive the bill, but they were surprisingly accommodating: they transferred the same amount to my bank account and immediately charged it back. In the end, it was a zero-sum game financially, but a huge wake-up call technically.

The second time was a few years ago, and this one stung more personally: my WordPress installation itself got hacked. Attackers filled it with scripts until it completely collapsed, essentially trying to use it as part of a spam network. The site wasn’t salvageable.

At that point, the idea of setting everything up again felt so unappealing that I left it offline. That hiatus lasted at least two years.

Why I Moved Away from WordPress

Don’t get me wrong. WordPress is an incredible piece of software. It powers something like 40% of the web, and it has a huge ecosystem of plugins and themes. But it comes with trade-offs, especially if you’re running it on your own infrastructure:

It’s bulky: Even a simple blog often feels overloaded with features.

It’s a target: Because of its popularity, WordPress is constantly under attack, from brute-force login attempts to exploits against vulnerabilities in plugins and even comment forms.

It’s slow: Out of the box, WordPress is heavier than a static site. Caching, CDNs, and plugins help, but they add complexity.

It’s finicky to configure: Getting everything to look and behave exactly the way I wanted always felt hacky.

WordPress solves a lot of problems, but in my case it created just as many.

Why I Rebuilt as a Static Site

This time, at the suggestion of my AI “colleagues” (mostly ChatGPT and Cursor), I’ve gone with a static site generator (SSG). Specifically, I chose Hugo, though there are others like Jekyll, Astro, and Eleventy.

Here’s why this approach makes sense for me:

Performance: The site is lightning fast. Static HTML files are served directly from a CDN, no database queries required.

Security: There’s no backend to attack. No WordPress admin panel, no database, no PHP scripts. Just static files. That alone eliminates an entire class of headaches.

Cost: Hosting a static site is practically free. I’m currently hosting mine at no cost, and I’ll only start paying if (hopefully) you like it so much, and share it so much, that it goes viral.

Workflow: I was worried about writing posts in Markdown, but it’s actually refreshing. It forces a focus on content, not fiddling with formatting.

Simplicity: No endless plugin updates, no surprise “white screens of death.” Just text, templates, and a deployment pipeline.

WordPress vs Static Site Generators: Quick Comparison

For anyone weighing these options:

| Feature | WordPress | Static Site Generators (e.g., Hugo) |
| --- | --- | --- |
| Ease of Use | Friendly UI, WYSIWYG editor | Requires Markdown & Git |
| Ecosystem | Massive plugin & theme library | Growing but smaller ecosystem |
| Security | Frequent target, requires maintenance | Minimal attack surface |
| Performance | Dynamic, often needs caching/CDN | Static files = blazing fast |
| Customization | Drag-and-drop, plugins | Code/configuration driven |
| Hosting Costs | Can add up (servers, DB, plugins) | Often free or very cheap |

The Bottom Line

Static site generators aren’t for everyone. If you need complex user interactions, e-commerce functionality, or a content management system for non-technical users, WordPress might still be your best bet.

But if you’re building a personal blog, portfolio, or documentation site, and you’re comfortable with Markdown and basic web technologies, static sites offer compelling advantages: better security, faster performance, and lower costs.

For me, the peace of mind alone makes it worth the switch. No more 3 AM emails about security breaches or surprise hosting bills. Just fast, secure, and simple publishing.

What’s your experience with WordPress vs static sites? Have you made the switch, or are you considering it? I’d love to hear your thoughts.


Next up: In Part 2: Choosing the Right Static Site Generator (Why I Picked Hugo), I dive into comparing different static site generators and explain why I chose Hugo over Jekyll, Eleventy, Astro, and Next.js.

Irhad Babic

Practical insights on engineering management, AI applications, and product building from a hands-on engineering leader and manager.