Since December 2015, we have had numerous hacking attempts on Lookuga.com, from SQL Injection to XSS attacks.
While we were kind of happy to see that the blog must be popular enough for people to try and hack it, we were also annoyed by the alerts that were triggered every time it happened.
What a lot of people may not be aware of is that we were running a highly customized version of BlogEngine.NET, with a lot of auditing, reverse tracking and better integration with other platforms, both for security reasons and to measure the metrics of the content.
While we were implementing these changes we discovered a number of major security issues, one of which we even made public (http://lookuga.com/2014/11/16/blogengine-net-security-directory-traversal-attack/). We were not officially credited for it, but we had created the bug report. Along with these security issues, we also had numerous performance problems whenever we received large amounts of concurrent hits.
Once we finally had enough of the alerts and issues, we decided to move away from BlogEngine.NET to another solution.
We looked at quite a few alternatives, but in the end we chose a static site generator instead of another dynamic content backend.
We decided to go with a static site generator because of the following reasons:
- Quicker load times
- We can fully use CloudFlare's static edge cache for the entire site
- No backend processing – it is simply HTML files
- No backend, so no way to exploit it directly, unless you get access to GitHub :-)
- Less memory usage
- More scalable if used for larger frontend projects
The static site generator we decided to use was Jekyll. We chose Jekyll, first because it has a cool name, secondly because it is directly supported by GitHub (it was created by the same guy who founded GitHub) and thirdly because it has some pretty amazing stuff included which we decided to use:
- Jekyll-paginate – Enables paging
- Jekyll-sitemap – Automatic sitemap generation
- Jekyll-redirect-from – Allows us to redirect the old BlogEngine.NET URLs to Jekyll's preferred URL format
- Minification of both CSS and HTML (HTML via a Liquid add-on)
The entire switch took around a week and a half to do for the following:
- Learn everything about Jekyll
- Create a new, simplistic and improved theme
- Full migration of content and images
- Create all the required redirects (pretty easy with the plugin)
- Configure GitHub (domain migration/CloudFlare)
Now, with Jekyll there was a bit of a learning curve, but once you go through the docs provided by both Jekyll and GitHub it becomes a lot easier. I have committed the source of the blog and the required configuration to GitHub, so if anyone is interested in looking through it and learning a thing or two, please go ahead.