Strattic’s static and headless approach to hosting and deploying WordPress eliminates virtually the entire attack surface typically used to attack WordPress sites.
Static websites deployed by Strattic offer the highest level of security by separating the live static website from the WordPress backend. This is achieved because the common web application attack vectors simply don’t exist in a strictly static site.
A traditional WordPress website has multiple layers where vulnerabilities can occur: the operating system, the MySQL database and PHP, the dozens of WordPress plugins installed on the average site, and the WordPress core itself. More than 70% of WordPress sites are vulnerable to attack at any given time, and because WordPress is open source, every vulnerability is publicized and known not only to site owners but also to malicious actors, who use this information to target and breach WordPress sites.
Securing all of these layers of potential vulnerabilities is an ongoing defensive battle. Vulnerabilities are constantly being discovered, and it’s just a matter of time before something malicious slips through. Even a tightly patched and hardened CMS can be penetrated.
In addition, companies may implement security tooling like Web Application Firewalls (WAFs), brute-force protection, and anti-DoS solutions. These defensive tools must constantly be updated with protections for the ever-changing threats and attack vectors, so they demand ongoing attention and maintenance, and they can even conflict with each other.
Finding and repairing the damage done by a breach can be extremely time consuming, difficult and costly.
On Strattic, the original WordPress website is not available to the internet at large. It is securely stored in a containerized environment, where only authorized users can access it. Visitors see a static replica of the site that looks and acts the same, with one major difference: the underlying processing server and the layers of potential vulnerabilities that live in the WordPress backend are completely inaccessible to unauthorized users.
On Strattic, this static version is generated in one click and is completely separated from the WordPress source. By virtue of its pure static architecture (i.e. it is nothing more than a collection of HTML, CSS, and JS files), hackers and malicious actors have nothing to breach. Your site continues to function as is, your business team can continue to do their work as needed, and the IT resources tasked with maintaining and protecting your website gain peace of mind.
Visitors to your live site can only view a statically generated replica of it. This replica is then served via a CDN, which makes it virtually impossible to hack or degrade using a DDoS attack.
Typically, the goal of a DDoS attack is to bring down a site by hammering it with so much traffic that it can't keep up and ultimately crashes. On Strattic, since the static replica is served by a CDN, a DDoS attack won't take your site down, and (believe it or not) will actually make your site faster.
As an added security layer for your site, the default state for your WordPress admin is offline. This is because the WordPress site is in a container that needs to be spun up by an authorized user before it can be accessed. When you want to make changes in WordPress you can easily launch the container via your Strattic dashboard.
| Vulnerability | Standard WordPress security measures | Strattic security measures |
|---|---|---|
| XSS (Cross-site scripting) | | Static site disconnected from WP database |
| | | Static site disconnected from WP database |
| Man-in-the-middle | Manual HSTS creation | Automated eligibility for HSTS |
When running a standard WordPress site, security is always something to keep in mind. The amount of tooling needed to ward off malicious actors is time consuming, and the battle against hackers is unending: one slip or one missed security patch can spell disaster.
But when visitors are accessing a static replica of the site, hackers have nothing to breach. All the layers of vulnerabilities found in a standard WordPress installation are nonexistent in its static counterpart. Attackers can try to brute-force their way in, but on a static architecture even that won't impact the site's performance, and it will hum along as usual.
With static WordPress, security concerns become a thing of the past, and instead of constantly worrying about updating plugins and software, you can focus on doing your job.