Michael Rash, Security Researcher

Site Update - WordPress Theme without Running WordPress

WordPress has a loyal following in the blogosphere and is used to power thousands of websites and blogs, and several books have been written about it. A compelling measure of WordPress's popularity is the number of downloadable themes that can provide an easily deployed and consistent look and feel to WordPress sites. So, when I was looking to update the presentation of the site, it seemed a natural step to consider a WordPress theme.
I've updated to use a slightly modified version of the Daleri Selection (v1.0) Theme by Andreas Viklund, but with a twist: I don't actually run WordPress. All of that PHP code and MySQL database backend is throwing a lot of complex code (and associated potential security vulnerabilities) at a problem that (in my case) can be solved in a simpler way. That is, I just want to provide an outlet for my software and publications, and maintain a blog for my corner of the security technology landscape. For this, I just need a themed website in plain HTML and CSS along with RSS and Atom feeds, and I need an effective way to manage all of the pages and create new blog posts. This is where Perl, rsync, and Subversion come in.
The website and blog are managed by a set of custom Perl scripts that perform each of the following tasks:
  • Provide a way to create new blog posts and link them into the blog hierarchy. For example, the forward and backward links at the end of each post (such as this one) are auto-generated based on the posting date, and the permanent blog links are created from each post by the blog post title. The number of blog posts is summarized by date and organized into categories that can be browsed via the blog archives, and updates to the RSS and Atom feeds are automatically generated.
  • Validate HTML and XML page structure. This is exceedingly easy through the use of the Perl XML::Simple module. But, using the W3C HTML validator is more thorough, so I periodically use it as well to spot-check various pages on
  • Validate software release MD5 digests and GnuPG signatures (see the fwknop download page for example), and automatically correct if any digest is invalid.
  • Search through the entire website and flag any broken links (parsing the output of a recursive wget against the staging server makes this easy).
  • Send blog pings out via the XMLRPC::Lite module to various blog aggregation services such as FeedBurner and Technorati.
  • Drive the entire site via Subversion for source control, and deploy with rsync to separate staging and production servers. When it comes to deploying a more complex piece of software for visualizing changes to the source code for any of the projects, my first choice is Trac, but when it comes to the main site, a set of HTML pages maintained by a consistent WordPress theme is sufficient.
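
The broken-link check in the list above can be sketched as follows. This is an added example in Python, not one of the Perl scripts that run the site; it assumes the log comes from `wget --spider -r -o wget.log` against a staging host, and the host names and log lines are constructed.

```python
import re

# Constructed sample in the shape wget writes with `--spider -r -o wget.log`.
SAMPLE_LOG = """\
--2009-05-01 10:00:00--  http://staging.example/
Connecting to staging.example (staging.example)|192.0.2.10|:80... connected.
HTTP request sent, awaiting response... 200 OK
Remote file exists and could contain links to other resources -- retrieving.

--2009-05-01 10:00:01--  http://staging.example/blog/old-post.html
Reusing existing connection to staging.example:80.
HTTP request sent, awaiting response... 404 Not Found
Remote file does not exist -- broken link!!!

--2009-05-01 10:00:01--  http://staging.example/feeds/atom.xml
Reusing existing connection to staging.example:80.
HTTP request sent, awaiting response... 200 OK

--2009-05-01 10:00:02--  http://downloads.example/release.tar.gz
Connecting to downloads.example (downloads.example)|192.0.2.20|:80... failed: Connection refused.
"""

# "--<timestamp>--  <url>" opens the log entry for one request.
REQUEST = re.compile(r"^--\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}--\s+(\S+)$")
STATUS = re.compile(r"awaiting response\.\.\. (\d{3})\b")
CONNECT_FAIL = re.compile(r"\.\.\. failed: (.+?)\.?$")

def broken_links(log_text):
    """Return {url: reason} for each request that ended in an error."""
    results = {}
    current = None
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if m:
            current = m.group(1)
            continue
        if current is None:
            continue
        m = STATUS.search(line)
        if m:
            code = int(m.group(1))
            if code >= 400:
                results[current] = "HTTP %d" % code
            else:
                # A later attempt for the same URL got a non-error response.
                results.pop(current, None)
            continue
        m = CONNECT_FAIL.search(line)
        if m:
            results[current] = m.group(1)  # DNS or TCP failure, no HTTP status
    return results

if __name__ == "__main__":
    for url, reason in sorted(broken_links(SAMPLE_LOG).items()):
        print("%-12s %s" % (reason, url))
```

Running the check against staging before the rsync to production keeps dead links and unreachable download hosts from being published.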