
How open source platform Ghost solves security and productivity for bloggers

Ghost, a blogging platform designed for writers, shows a great deal of promise for being a secure alternative to other platforms with frequent security issues.

[Image: The Ghost interface. Image: Ghost]

Finding a blogging platform that suits your needs can be a difficult endeavor. The incumbent favorite, WordPress, is a frequent victim of hacks, either through vulnerabilities in the core WordPress code itself or through insecure plugins. Hosted options such as Blogger are problematic, due to incidents of blogs being unilaterally deleted without recourse.

Ghost, a blog platform that leverages node.js and ember.js, is not just a more secure option, but one that eases the process of composition by offering a more tightly focused product.

The problem with WordPress

Calling WordPress a security nightmare is a moderate overstatement; in truth, the project is a victim of its own success. Because of the sheer number of WordPress installations across the web, more hackers endeavor to find security vulnerabilities, as any vulnerability can be widely exploited fairly quickly. In essence, the issue is a result of a monoculture. That said, the plugin model of WordPress has been the source of a disproportionate number of issues, such as a third-party Google Analytics plugin allowing for cross-site request forgery, or WP-SlimStat allowing an SQL injection.


WordPress has been the vulnerable component in a variety of high profile hacks, including the Panama Papers leak, the Linux Mint website hack, the hack of Microsoft's anti-surveillance website, and various other websites, prompting the FBI to warn users to update WordPress plugins to avoid having their websites defaced by ISIS. Deployments with poor to nonexistent management are not themselves arguments against using a particular piece of software, and it will come as no surprise to astute readers that unpatched software tends to be targeted.

There are a few common threads here. WordPress started life as a blogging platform, yet morphed into a CMS as the project grew. On a vanilla installation, it is not as robust as Joomla or Drupal (both of which have their own security issues), but the reliance on extensions with questionable coding quality greatly increases the attack surface. This can be attributed in part to the use of PHP, whereas Ghost uses node.js.

If you are not moved by the security argument—in fairness, WordPress is about as secure as anything else if you keep it updated—the benefit of Ghost is in the design. Ghost is designed foremost for composition, in the same way that the command line is designed for productivity.

Markdown makes composition easier

Ghost uses Markdown for formatting, as opposed to the WYSIWYG editors found in WordPress (or, for that matter, Microsoft Word). While there is a small learning curve to text formatting, the overall process is much simpler—and allows writers to keep their hands on the keyboard, rather than alternate between the keyboard and mouse to click on formatting widgets. This provides the benefit of a continuous stream of typing—allowing an idea to reach completion without the flow being interrupted by the formatting process—and formatting with Markdown is also more gratifying than manually typing HTML tags.

For example, rather than having to explicitly open and close tags, like <h1>Heading</h1>, a heading is marked with a pound sign (the # symbol, the thing found at the beginning of a hashtag). Similarly, <h2> is two pound signs (##) and <h3> is three pound signs (###). Additionally, text can be italicized by putting it between single asterisks, bolded by putting it between double asterisks, and both bold and italicized with triple asterisks. Other text styling in Markdown is possible, including strikethrough, highlighting, lists, quotes, and inline code. If all else fails, you can rely on standard HTML as well.
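To make the mapping above concrete, here is a minimal converter for exactly the constructs just described; it is an added example written for this article, not Ghost's own Markdown renderer, and the `renderInline` and `markdownToHtml` functions and the sample post are constructed for the illustration.

```javascript
// Inline emphasis. The triple-asterisk form must be handled before the
// double and single forms, otherwise "***x***" would be consumed as
// three separate single-asterisk markers.
function renderInline(text) {
  return text
    .replace(/\*\*\*(.+?)\*\*\*/g, '<strong><em>$1</em></strong>')
    .replace(/\*\*(.+?)\*\*/g, '<strong>$1</strong>')
    .replace(/\*(.+?)\*/g, '<em>$1</em>');
}

// Block level, one line at a time:
//  - one to three pound signs followed by a space -> <h1>..<h3>
//  - a line that starts with "<" is treated as raw HTML and left as
//    written, matching the article's "standard HTML still works" fallback
//  - any other non-empty line becomes a paragraph
function markdownToHtml(source) {
  const out = [];
  for (const line of source.split('\n')) {
    const heading = /^(#{1,3})\s+(.*)$/.exec(line);
    if (heading) {
      const level = heading[1].length;
      out.push(`<h${level}>${renderInline(heading[2])}</h${level}>`);
    } else if (line.startsWith('<')) {
      out.push(line);
    } else if (line.trim() !== '') {
      out.push(`<p>${renderInline(line)}</p>`);
    }
  }
  return out.join('\n');
}

// Constructed sample post exercising every construct the article lists.
const samplePost = [
  '# Heading',
  '## Subheading',
  'Some *italic*, some **bold**, and ***both***.',
  '',
  '<h3>Fallback heading written in plain HTML</h3>',
].join('\n');

console.log(markdownToHtml(samplePost));
```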

Deploying Ghost for your website

A managed Ghost blog is available from the developers, but the pricing is nonsensical—the $19 per month personal plan simultaneously claims "unlimited transfer and storage" while having a "soft cap" of 25,000 views. The pricing of $19 per month is also quite high, an issue compounded by the fact that this is the price billed annually, as the plan is $29 when billed month-to-month. As Ghost is open source, it is definitely worth the time and savings to deploy it yourself on a VPS.


DigitalOcean and Scaleway both offer one-click deployable Ghost images, and the Ghost project team also provides an official Docker image for quick deployment. For manual deployments, the Ghost documentation provides instructions for Linux or Windows installation.

What's your view?

Do you use Ghost, WordPress, or some alternative package for your blog? Have you been the victim of a hacked WordPress installation? Share your experiences in the comments.


About James Sanders

James Sanders is a Java programmer specializing in software as a service and thin client design, and virtualizing legacy programs for modern hardware.
