Hexo was awesome, an origin story

Imagine running a blog on Drupal… then imagine running that blog on May 21st, 2018. Around that time an automated cryptomining zero-day exploit ran wild across millions of Drupal sites. There is no automated way to upgrade Drupal, so any security patches need to be applied manually. To make matters worse, many of the patches available would not work on versions less than a year old. On top of that, even if you patched Drupal, you could not ascertain the state of your blog without rebuilding it… something I suspect most independent installations are not capable of doing quickly.

Contrast that to this statically rendered node based Hexo page whose security relies entirely on Gitlab’s management of docker, their nginx proxy servers and Cloudflare. At the core of what I manage, there lie only markdown, html and javascript files, which can be rebuilt with the latest dependencies with the click of a button.

I’ve run this blog for over 2 years without ANY changes to the code. It works. It has practically no security concerns of any kind. It’s fast because it’s simple. It’s responsive and supported well by everything from an 8k display to a smartwatch. This is a better starting ground than “smart” dynamic websites. To be clear, I can still do analytics, comments and send things to a database.

That said, Hexo is not the future… real web apps are… and in that front vuepress is leading the charge. Once it matures to the point where adding comments and theming is easy… I’ll consider migrating. I reckon that will take 2 years. This code base will be about 4 years old then, and 5 years is the industry standard for “maintainable” code.

Until then, this site will still be up, for a total expense of $12 a year, including exclusively, the cost of the domain.