Making a website that doesn't need maintenance
I don't want to have to update dependencies, or deal with an image gallery that has a security vulnerability or a privacy policy that is no longer compliant with the latest EU laws.
Is it even possible to have a website like this? Can modern content management systems offer fully featured websites that will work for 5 years straight without needing an update and without leaking sensitive data?
My experience with CMS
I mainly used WordPress as a content management system for websites, but also tried Drupal and Joomla!. When I was a kid, I made a couple of simple phpBB forums. It was so nice to just install scripts on a server and have a website already!
I poured hours and hours into creating content for the websites, checked on the analytics and saw them grow. And that was the coolest thing ever.
Inevitable disaster
However, installing a CMS and calling it done was just waiting for something to go wrong, eventually. I wasn't on top of the latest hacker news and vulnerabilities, nor was I updating to the latest versions of any dependencies and frameworks.
One day I just woke up, checked on my phpBB site, and all the content had been replaced by malicious links and spam. Each post had thousands of comments with viruses, gambling and porn. There were thousands of new users created, despite my "state-of-the-art" registration form with a randomly generated string to type into a text field. I also had no backups, no database dumps, no way to revert the damage. This is one way to learn about website security.
Surely, security is better now, right? Right?
The shit is crazy I'm not gonna lie. I expected that I would need to do research to find bugs and security issues severe enough to have realistically affected any CMS recently, but what I found is concerning, to say the least.
Let's have a quick peek at the reports.
I just opened 2 NIST (National Institute of Standards and Technology, nist.gov) reports and they are both in security plugins, LOL xD. I just opened the first 2 I found that were related to a CMS. The one below was published less than a month ago.
You might be thinking you are "Bolstering WordPress Security with Two-Factor Authentication" by installing the Orion SMS OTP Verification plugin, but in reality you are just opening an attack vector (CVE-2025-9967)
vulnerable to privilege escalation via account takeover in all versions
In this vulnerability you need to know somebody's phone number to change their password and take over their account. It would be a pity if the numbers of key employees were publicly available on the "Contact" page, wouldn't it? How do we get their logins though? Well it would be another bad coincidence if the blog posts on the website had a clearly visible "Author" section...
Let's take a look at report CVE-2024-10924, that just reads like poetry:
The Really Simple Security (Free, Pro, and Pro Multisite) plugins for WordPress are vulnerable to authentication bypass
This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, when the "Two-Factor Authentication" setting is enabled
Attacks on this website
Even though this website is tiny, and I don't even know how to find it on Google without typing "tymski.pl" in there, it has already been a target of bots searching for vulnerable targets.
I checked the server stats. Among requests to various config files and install scripts, like
/wp-admin/setup-config.php
/wp-cron.php
I can see 60 requests to a very suspicious looking file path:
/wp-content/plugins/hellopress/wp_filemanager.php
A quick google search confirms that it's a file with a known vulnerability exploited in the wild.
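Checking an access log for this kind of probing can be scripted. The following is an added example, not code from the post: it parses combined-format log lines, counts hits to the paths mentioned above, and groups them by client address. The log regex, the sample lines (RFC 5737 documentation addresses) and the threshold are my assumptions.

```python
import re
from collections import Counter, defaultdict

# Combined log format as written by Apache/nginx (the regex is an assumption
# about the server's log format, not something the post shows).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Paths the post saw bots probing. On a site that runs no WordPress at all,
# any request for these is a scanner, whatever status code it got back.
PROBE_PATHS = {
    "/wp-admin/setup-config.php",
    "/wp-cron.php",
    "/wp-content/plugins/hellopress/wp_filemanager.php",
}

# Constructed sample log (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Oct/2025:03:14:01 +0000] "GET /wp-content/plugins/hellopress/wp_filemanager.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Oct/2025:03:14:02 +0000] "GET /wp-admin/setup-config.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Oct/2025:03:20:11 +0000] "POST /wp-cron.php HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.9 - - [12/Oct/2025:03:20:12 +0000] "GET /wp-content/plugins/hellopress/wp_filemanager.php?x=1 HTTP/1.1" 404 153 "-" "-"
192.0.2.44 - - [12/Oct/2025:04:00:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
not a log line at all
"""

def probe_report(lines):
    """Return (hits per probe path, hits per client IP broken down by path)."""
    per_path, per_ip = Counter(), defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # rotated-log junk, truncated writes: skip, don't crash
        path = m["path"].split("?", 1)[0]  # compare without the query string
        if path in PROBE_PATHS:
            per_path[path] += 1
            per_ip[m["ip"]][path] += 1
    return per_path, per_ip

def suspicious_ips(lines, threshold=2):
    """IPs with at least `threshold` probe hits: candidates for a firewall rule."""
    _, per_ip = probe_report(lines)
    return sorted(ip for ip, hits in per_ip.items() if sum(hits.values()) >= threshold)

if __name__ == "__main__":
    per_path, _ = probe_report(SAMPLE_LOG.splitlines())
    for path, n in per_path.most_common():
        print(f"{n:4d}  {path}")
    print("suspicious:", suspicious_ips(SAMPLE_LOG.splitlines()))
```

Run it against a real access.log by replacing SAMPLE_LOG with the file's lines; a 404 on these paths still counts, since the point is who is knocking, not whether the door was open.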
Locked version vs. Automatic updates
When you use a locked version (no updates), any security vulnerabilities discovered later may affect you.
When you use automatic updates, a secure version can be updated to an insecure, or even a broken one (insert a CrowdStrike reference).
In either case, you need to monitor, maintain, and act, and you will eventually be exposed to some bug in a bad version of the plugins or CMS you use. Of course you may just decide to ditch them, but that can make creating the website very inconvenient.