
Ultimate Static WordPress Security

Strattic’s static and headless approach to hosting and deploying WordPress eliminates virtually the entire attack surface that attackers typically use against WordPress sites.

Static, headless security for WordPress makes WordPress vulnerabilities irrelevant

Static websites deployed by Strattic offer the highest level of security by separating the live static website from the WordPress backend. This works because the common web application attack vectors simply don’t exist in a strictly static site.

The many layers of WordPress vulnerabilities

A traditional WordPress website has multiple layers where vulnerabilities can occur: the operating system, the MySQL database and PHP, the dozens of WordPress plugins installed on the average site, and WordPress core itself. More than 70% of WordPress sites are vulnerable to attack at any given time, and because WordPress is Open Source, every vulnerability is publicized and known not only to site owners, but also to malicious actors who use this information to target and breach WordPress sites.

Securing Open Source CMSs is an ongoing complicated battle

Securing all of these layers of potential vulnerabilities is an ongoing defensive battle. Vulnerabilities are constantly being discovered, and it’s just a matter of time before something malicious slips through. Even a tightly patched and hardened CMS can be penetrated.

In addition, companies may implement security tooling like Web Application Firewalls (WAFs), brute-force protection, and anti-DoS solutions. These defensive tools must constantly be updated with protections for the ever-changing threats and attack vectors, so they demand ongoing attention and maintenance, and they can even conflict with each other.

Finding and repairing the damage done by a breach can be extremely time consuming, difficult and costly.

Authenticated users only

On Strattic, the original WordPress website is not available to the internet at large. It is securely stored in a containerized environment, where only authorized users can access it. Visitors see a static replica of the site that looks and acts the same, with one major difference: the underlying processing server and the layers of potential vulnerabilities in the WordPress backend are completely inaccessible to unauthorized users.

Isolating WordPress from the front-end

On Strattic, this static version is generated in one click, and is completely separated from the WordPress source. By virtue of its pure static architecture (i.e. it’s nothing more than a collection of HTML, CSS, and JS files), hackers and malicious actors have nothing to breach. Your site continues to function as is, your business team can continue to do their work as needed, and the IT staff tasked with maintaining and protecting your website gain static peace of mind.
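A static replica is only as isolated as its contents: an export that still links to the WordPress login, admin, REST or AJAX endpoints, posts forms back to itself, or carries stray PHP files would either break or point visitors at a backend that is supposed to be unreachable. The following audit script is an added example, not Strattic’s own tooling, that walks an exported site and reports such leftovers. The WordPress paths it looks for (wp-admin/, wp-login.php, admin-ajax.php, wp-json/, xmlrpc.php, wp-cron.php) are real; the sample export embedded at the bottom is constructed for the stand-alone run.

```python
import re
from pathlib import Path

# Endpoints that exist only on a live WordPress backend. A static replica has
# no server behind it, so any link to these either breaks or advertises an
# admin surface that should not be reachable from the public site.
# (These are real WordPress paths; the audit script itself is an added example.)
BACKEND_PATHS = (
    "wp-admin/", "wp-login.php", "admin-ajax.php", "wp-json/",
    "xmlrpc.php", "wp-cron.php",
)
# Files that need a server-side interpreter and have no place in a pure
# HTML/CSS/JS export.
SERVER_SIDE_SUFFIXES = (".php", ".phtml", ".php5")
TEXT_SUFFIXES = (".html", ".htm", ".js", ".css")

# Any quoted string (HTML attribute value or JS literal) containing a backend path.
BACKEND_REF_RE = re.compile(
    r"""["']([^"']*?(?:%s)[^"']*)["']""" % "|".join(map(re.escape, BACKEND_PATHS))
)
POST_FORM_RE = re.compile(r"""<form\b[^>]*\bmethod\s*=\s*["']post["'][^>]*>""", re.I)
ACTION_RE = re.compile(r"""\baction\s*=\s*["']([^"']*)["']""", re.I)


def audit_files(files):
    """Audit a {relative_path: text} mapping; return a sorted list of (path, issue)."""
    findings = []
    for rel, text in files.items():
        suffix = Path(rel).suffix.lower()
        if suffix in SERVER_SIDE_SUFFIXES:
            findings.append((rel, "server-side script present in static export"))
            continue
        if suffix not in TEXT_SUFFIXES:
            continue
        for url in BACKEND_REF_RE.findall(text):
            findings.append((rel, f"links to backend endpoint: {url}"))
        for form_tag in POST_FORM_RE.findall(text):
            m = ACTION_RE.search(form_tag)
            action = m.group(1) if m else ""
            # A POST aimed at the static host itself has nothing to handle it;
            # forms must submit to an external form service instead.
            if not re.match(r"(https?:)?//", action):
                findings.append((rel, f"POST form without external handler: {action or '(self)'}"))
    return sorted(findings)


def audit_static_export(root):
    """Read an exported site directory from disk and audit it."""
    root = Path(root)
    files = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() in SERVER_SIDE_SUFFIXES:
            files[rel] = ""  # presence alone is the finding
        elif path.suffix.lower() in TEXT_SUFFIXES:
            files[rel] = path.read_text(encoding="utf-8", errors="replace")
    return audit_files(files)


# Constructed sample export (not a real site) so the script runs stand-alone.
SAMPLE_EXPORT = {
    "index.html": '<a href="/about/">About</a><script src="/assets/app.js"></script>',
    "about/index.html": '<p>Team page</p><a href="/wp-admin/">Edit this page</a>',
    "contact/index.html": '<form method="post" action="/contact/"><input name="email"></form>',
    "signup/index.html": '<form method="POST" action="https://forms.example.com/s/abc"><input name="email"></form>',
    "assets/app.js": 'fetch("/wp-json/wp/v2/posts").then(r => r.json());',
    "wp-content/plugins/leftover.php": "",
}

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = audit_static_export(target) if target else audit_files(SAMPLE_EXPORT)
    for path, issue in results:
        print(f"{path}: {issue}")
```

Run it with the path of an exported site as the only argument to audit a real export; with no argument it audits the constructed sample. The check is deliberately string-based rather than a full HTML parse so it also catches endpoint references inside JavaScript bundles, which is where a leftover admin-ajax.php or wp-json call usually hides.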

DDoS mitigation

Visitors to your live site can only view a statically generated replica of it. This replica is then served via a CDN, which makes it virtually impossible to hack or to degrade with a DDoS attack.

No downtime. Plus, plot twist! Your site actually gets faster!

Typically, the goal of a DDoS attack is to bring down a site by hammering it with so much traffic that it can’t keep up and ultimately crashes. On Strattic, since the static replica is served by a CDN, a DDoS attack won’t take your site down, and (believe it or not) will actually make your site faster.

Taking your WordPress offline when not in use

As an added security layer for your site, the default state for your WordPress admin is offline. This is because the WordPress site is in a container that needs to be spun up by an authorized user before it can be accessed. When you want to make changes in WordPress you can easily launch the container via your Strattic dashboard.

Vulnerability: XSS (Cross-site scripting)
  Standard WordPress security measures:
    • Sanitize data
    • Update WP themes and plugins
    • Manual CSP creation
  Strattic security measures:
    • Static site disconnected from WP database
    • Manual CSP creation

Vulnerability: DDoS
  Standard WordPress security measures:
    • Anti-DDoS solutions
  Strattic security measures:
    • Static files
    • Static, headless architecture

Vulnerability: SQL injection
  Standard WordPress security measures:
    • Security scans via WP security plugins
    • Update WP themes and plugins
    • Update PHP version
    • Use external form systems
  Strattic security measures:
    • Static site disconnected from WP database

Vulnerability: Brute-force
  Standard WordPress security measures:
    • WP security plugins to limit login attempts
    • Two-factor authentication
    • Change Admin login URL
    • Use secure passwords
    • Remove username “admin”
    • Password protect directories
  Strattic security measures:
    • Static site disconnected from WP database

Vulnerability: Man-in-the-middle
  Standard WordPress security measures:
    • Manual HSTS creation
  Strattic security measures:
    • Automated eligibility for HSTS
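Two rows of the table, XSS and man-in-the-middle, still depend on response headers that the static host must send: a Content-Security-Policy and a Strict-Transport-Security header that qualifies for the HSTS preload list. The script below is an added example, not part of Strattic’s platform, that checks a set of response headers against those requirements. For HSTS it verifies the directive rules the preload list publishes (max-age of at least 31536000 seconds, includeSubDomains, preload) but not the TLS and HTTP-to-HTTPS redirect requirements; for CSP it flags a script-src that allows 'unsafe-inline', 'unsafe-eval', * or data:, and an unrestricted object-src. The weak and hardened header sets at the bottom are constructed, not captured from any real site.

```python
import urllib.request

HSTS_MIN_MAX_AGE = 31536000  # one year, the minimum the HSTS preload list requires


def parse_hsts(value):
    """Split a Strict-Transport-Security value into {directive: value-or-None}."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"') or None
    return directives


def check_hsts(value):
    """Return problems with the HSTS header; an empty list means the directives are preload-eligible."""
    if value is None:
        return ["Strict-Transport-Security header missing"]
    d = parse_hsts(value)
    problems = []
    try:
        max_age = int(d.get("max-age") or -1)
    except ValueError:
        max_age = -1
    if max_age < HSTS_MIN_MAX_AGE:
        problems.append(f"max-age must be at least {HSTS_MIN_MAX_AGE} (got {d.get('max-age')})")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [source tokens]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def check_csp(value):
    """Return problems with the CSP; covers the script-src and object-src directives."""
    if value is None:
        return ["Content-Security-Policy header missing"]
    policy = parse_csp(value)
    problems = []
    # script-src falls back to default-src when it is not set explicitly.
    script_src = policy.get("script-src", policy.get("default-src"))
    if script_src is None:
        problems.append("neither script-src nor default-src set: scripts unrestricted")
    else:
        lowered = [t.lower() for t in script_src]
        has_nonce_or_hash = any(
            t.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for t in lowered
        )
        for bad in ("'unsafe-inline'", "'unsafe-eval'", "*", "data:"):
            # Browsers ignore 'unsafe-inline' once a nonce or hash is present, so
            # that combination is a fallback for old browsers, not a weakness.
            if bad == "'unsafe-inline'" and has_nonce_or_hash:
                continue
            if bad in lowered:
                problems.append(f"script-src allows {bad}")
    if "object-src" not in policy and "default-src" not in policy:
        problems.append("object-src not restricted (set object-src 'none')")
    return problems


def check_headers(headers):
    """Check a response-header mapping (any name case); returns {'hsts': [...], 'csp': [...]}."""
    h = {k.lower(): v for k, v in headers.items()}
    return {
        "hsts": check_hsts(h.get("strict-transport-security")),
        "csp": check_csp(h.get("content-security-policy")),
    }


def fetch_headers(url):
    """Fetch the response headers of a live URL (HEAD request, redirects followed)."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers.items())


# Constructed examples (not captured from any real site): a weak configuration
# beside a hardened one.
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=86400",
    "Content-Security-Policy": "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'",
}
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self' https://cdn.example.com; "
        "object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
    ),
}

if __name__ == "__main__":
    import sys
    headers = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else WEAK_HEADERS
    for name, problems in check_headers(headers).items():
        print(name, "OK" if not problems else problems)
```

Pass the URL of your own live site as the only argument to check its real headers; with no argument the script reports on the constructed weak set. A static site has no server-side templating to inject nonces per response, so in practice its CSP is an allow-list of 'self' and the exact CDN origins it loads from, which is why the hardened example avoids 'unsafe-inline' rather than relying on nonces.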

Static WordPress security: the most comprehensive type of security for your site

When running a standard WordPress site, security is always something to keep in mind. Maintaining the tooling needed to ward off malicious actors is time consuming, and the battle against hackers is unending: one slip or missed security patch can spell disaster.

But when visitors are accessing a static replica of the site, hackers have nothing to breach. All the layers of vulnerabilities found in a standard WordPress installation are nonexistent in its static counterpart. They can try to brute force their way in, but on a static architecture even that won’t impact the site’s performance, and it will hum along as usual.

With static WordPress, security concerns become a thing of the past, and instead of constantly worrying about updating plugins and software, you can focus on doing your job.

Experience the security of static WordPress