Sometimes simplicity isn't worth it.

A little while ago I rebooted this site using WordPress. It was easy. Click one button to install, and I'm up and writing. I know it's had some security issues, but I figured it'd be more stable/secure by now... Right? Care to guess what happened?

Yeah, my entire hosting account got hacked. What a mess that was to clean up. Needless to say, I removed WordPress. I'm not using any PHP at all in fact. The site is now built using a static blog generator called Publii. Fortunately it has an importer that made moving all the content over to it pretty simple.

So what's the lesson to learn here? WordPress is crap? One-click installers are a trap? PHP isn't a solid choice for server software?

Kind of yes to all. But really you just have to understand that it's a non-stop battle with WP/PHP. It's such a pervasive technology stack that there are new vectors of attack exploited every day. Basically, if you can avoid it, then you should. If you can't, then be sure to stay on top of everything: WordPress and its plugins, and the version of PHP you're using on your server.

Constant vigilance!