Some readers have emailed asking me for more specifics about how to run WordPress offline, like I suggested in my last post. So I spent a couple of hours struggling with it last night to get a sense of what it would take.

This is an almost useless and jargon-packed summary, but my hope is that some intrepid WP user may try following these steps and use them as a starting point for a proper HOWTO.

1. If you want comments, you'll need to switch from whatever is built in to WordPress to an outside JavaScript-based service like disqus. Disqus can import your existing comments when you set it up. Disclaimer: I have never used this service and know nothing about it - there may be better alternatives.


2. Set up WordPress on the machine where you want to do your writing and editing. The WP site has copious instructions for all kinds of installation scenarios.


3. Configure WP to use 'fancy' permalinks - not the default, which uses query string parameters. Basically, if there's a question mark in the URL, you can't mirror the site. If you're on OS X, you will now have to struggle with mod_rewrite and .htaccess permissions for a while.


4. Configure WP to allow robots access (otherwise wget will not work in the next step).


5. Use wget to crawl your new blog and turn it into a bunch of static files:
   wget --mirror -p --html-extension --convert-links http://your.local.url/
   What this does is explained in detail here. I've left off some unnecessary flags.


6. Set up apache on your blog server to serve static content from wherever you want your blog files to live.


7. Now copy over the static files you created with wget to their new home on the remote machine using a secure transfer method like rsync or sftp.


8. Laugh in the face of mankind / email me about why this didn't work.

Good luck, and please let me know if you are able to follow these steps and produce a more helpful HOWTO that I can link to.

I am going to break with seven years of precedent and indulge in a little bit of blog software wank.

Recently an exploit has surfaced in WordPress, a popular kind of blog software. If you run WordPress on a public server, an attacker can get full access to your site and do nasty things, up to and including deleting all your data. If you listen to the WordPress people, the answer to this is 'be extremely zealous about updating your software', which is the same as saying, devote half your life to learning and understanding WordPress administration.

If you listen to me, the answer is much simpler. Do not run this kind of software on a public server. Either host your blog with a competent centralized site (like LiveJournal or Blogger) that takes the burden of upgrading, backing up and patching off your hands, or use whatever personal publishing software you like (WordPress, Movable Type, and so on), but keep it on a local machine.

You can use a program like wget or curl to generate a flat HTML version of your website from this local version, and then upload these files to your public server to share them with the world. Now there is no way you can get hacked, because your server is just serving static files. As a bonus, you don't have to worry about your site ever going down because of database problems or excessive load. And as another bonus, you now have a remote backup of your blog.

If you want comments or other fanciness (why??), you might need a little more complicated setup than this. But the basic idea of keeping your administrative interface off the internet will save you endless angst as these exploits keep coming. WordPress has an especially terrible track record with security, but all these programs are just accidents waiting to happen.

If you have a blog setup that you think is insecure but don't know how to begin fixing it, feel free to email me and I will do my best to point you at an answer.