Author: DocumentDesign.net
The purpose of this article is to help users evaluate optimal methods of web development based on different types of content and retrieval systems in order to improve performance, search engine optimization (SEO) and security. This article discusses the advantages and disadvantages of static sites versus dynamic sites. General information about static and dynamic sites is provided.
Static sites (HTML and CSS) are recommended for service oriented businesses (with no inventory), blogs, portfolios, informational content and other content that remains the same for every site visitor. HTML and CSS are open source and free to use, but require significant coding knowledge along with time and energy expenditures. Static sites are cost effective and can be published on both free and paid hosting domains depending on memory and functionality requirements.
Dynamic sites (content management systems, CMS)are recommended for retail oriented businesses with large product databases where search results change for every site visitor. Wix and WordPress are hosting domains with content management systems and templates that make building websites easy for users with no coding experience. However, content management systems can be expensive and are vulnerable to hacking through Java, JavaScript and SQL. Plugins, extensions and themes are also targets of malicious code injection. Therefore, the most effective method to build websites is based on variables such as content, goals, values, resources and skillsets.
A static site means that every page is already built and hosted on a web server as an individual file (Large, 2022). If a developer’s goal is to build a static site to host a blog, portfolio, service oriented business, or other unchangeable information, the developer should build a static site. Skillset requirements for building static sites are HTML, CSS and JavaScript. HTML, CSS and JavaScript are open source and free for everyone willing to learn. Static sites can be published on both free and paid hosting domains depending on memory and functionality requirements.
Static sites offer speed, security, affordability, and efficiency. Static sites are easier to host than dynamic sites. They load faster and can rank higher in search engine results depending on other search engine optimization enhancements. Static sites are hosted on content delivery networks (CDNs) that distribute content globally. Users in any part of the world will have a fast loading experience when visiting a static site. With CDNs, static sites are protected on the server end, which is more secure, whereas application servers used for dynamic sites are vulnerable to hacking and code injection. Static sites do not need a database to function. Pages are not assembled on demand. Entry points exploited by hackers like JavaScript and MySQL requests are nonexistent. If anything does happen to a static site, files can be restored from the original HTML and CSS or easily migrated to a different hosting platform. However, building static sites with HTML and CSS requires significant coding knowledge as well as time and energy investments. These are the major drawbacks of building static sites.
In contrast, dynamic sites are graphical user interface (GUI) environments that assemble page elements including content, themes, databases, and plugins on demand using a content management system (CMS). Assembling pages on demand can take several seconds and significantly affect SEO. Dynamic sites personalize content for every user meaning that content changes based on user searches and preferences (Large, 2022). Businesses with large inventories like Ebay.com or Amazon.com use a CMS.
Dynamic sites are slower, less secure and less affordable, but user-centric. Dynamic sites require a lot of maintenance. The more complex a dynamic site, the slower it renders, especially on mobile devices. Also, if one part of a dynamic site fails, the entire site fails. Dynamic sites have many moving parts and every moving part has a potential weakness that can be exploited by hackers. For example, in April 2022 over 6,000 websites hosted on WordPress were infected with malicious JavaScript code that was injected into more than two dozen themes and plugins including Google Code Inserter, Facebook widgets, and site metrics reporting plugins (Cawley, 2022). Wordpress is a content management system that hosts over 455 million websites due to its large catalog of plugins that simplify website building for users who do not know how to code. Because of its popularity with customers it also attracts hackers. The plugins, themes, JavaScript, and SQL all provide entry points for cyber criminals. Botnet attacks are also very common on WordPress (Goodin, 2023).
Plugins are code used to embed features like e-commerce payments and logins. Plugins are page specific. Extensions are code used to create additional features and functions for browsers like ad blockers. Extensions are browser specific. Those are the differences between plugins and extensions. While extensions are exclusive to browsers and not relevant to websites, web developers interface with the websites they are building through browsers. That is why this information is important to know. It is also why two antivirus software companies are referenced in the body of this report and in the "References" section. It is recommended that web developers obtain good antivirus software and firewalls to detect and remove malicious code. Malwarebytes.com and Pandasecurity.com both offer free and paid antivirus software. Additionally, a good firewall and VPN is recommended. ZoneAlarm offers both free and paid versions of firewalls. Proton VPN offers both free and paid versions of VPNs. (ExpressVPN and NordVPN, register outside of countries that are Five Eyes, Nine Eyes, and Fourteen Eyes Alliances jurisdictions if that’s a concern, but they’re expensive.) Users should perform research regarding antivirus, firewall and VPN services and utilize the best for their situation.
All third-party plugins have the potential to compromise user security through malicious code or backdoors (pandasecurity.com). Plus, malicious code can be spread from user to user. Loss of control of user devices or websites is the first sign of infection. This can result in a data breech of user information (pandasecurity.com). For example, compromised company plugins like payment processors provide an avenue for massive data grabs to occur (Boyd, 2018). Plugins require Java to run and Java is the most vulnerable to hacking (Boyd, 2018).
For this reason, Google, Microsoft and Firefox browsers do not allow third party browser plugins like Flash and JavaScript updates anymore because hackers were sending fake update files (Boyd, 2018). Hackers injected plugins on company sites with malicious code infecting browsers, files, and websites intending for that infection to be surreptitiously passed on to others (Boyd, 2018). These are called supply chain or pipeline attacks (Boyd, 2018). Static sites that do not utilize CMS or plugins are safest from these types of attacks (pandasecurity.com).
Third-party extensions are as vulnerable to malicious code as third-party plugins. In 2020, more than two dozen Chrome and Microsoft browser extensions were compromised by third-party extensions (Goodin, 2021). This resulted in 3 million users’ browsers being infected with malware (Goodin, 2021). These extensions stole personal data and hijacked browsers. This breech was not initially detected because it masqueraded as a Google analytics feature (Goodin, 2021). Google analytics software is free to use and provides invaluable information to web developers regarding website performance. Many websites use Google analytics.
Third-party extensions can be updated with malicious code or contain dormant tracking code and malware to be activated later. Some of these extensions are purchased and some are free. If they are free to users it is because users’ data is the product (Knight, 2019). Besides tracking users and harvesting data, users never know when the ownership of these extensions and plugins has been transferred because there is no legal disclosure requirement. Sometimes developers are offered big money to sell their extensions to third parties. Once extensions change hands, new permissions and disclosures are not required. New owners can update extensions with malware that spies on or inundates users with adware while capturing data and selling it (Amadeo, 2014). In fact, a few third-party extensions have been caught capturing credit card form data (Heddings, 2014). If an extension is constantly asking for permissions, block it or uninstall it because it is probably sending user data to a third party (Amadeo, 2014). The same goes for extensions that aggressively push bogus security warning pop-ups (Nield, 2019).
Static sites are recommended for service oriented businesses, blogs, portfolios, and informational content that stays the same for every website visitor. Static sites can improve SEO by loading faster. Static sites are more secure because they do not integrate CMS vulnerabilities exploited by hackers. Dynamic sites are recommended for sites with large product databases. Dynamic sites change content for every user by assembling pages on demand based on search parameters and preferences in order to personalize content. Dynamic sites load slower, which affects SEO. Dynamic sites provide avenues for hackers to exploit through Java, JavaScript and SQL. It is recommended that web developers use good antivirus software to detect malicious code and remove it.
Amadeo, Ron. "Adware vendors buy Chrome Extensions to send ad- and malware-filled updates."ars Technica. 17 Jan. 2014. https://arstechnica.com/information-technology/2014/01/malware-vendors-buy-chrome-extensions-to-send-adware-filled-updates/.
Boyd, Christopher. "The Danger of Third Parties: Ads, Pipelines, and Plugins."Malwarebytes.com. 20 Jul. 2018. https://www.malwarebytes.com/blog/news/2018/07/third-party-dangers-ads-pipelines-and-plugins.
Cawley, Conor. "A Bunch of WordPress Sites Have Been Injected with Malicious JavaScript."Tech.co. 13 May 2022. https://tech.co/news/wordpress-sites-malicious-javascript.
Goodin, Dan. "28 Malicious Extensions Disguised Traffic as Google Analytics Data."ars Technica. 3 Feb. 2021. https://arstechnica.com/information-technology/2021/02/malicious-chrome-and-edge-add-ons-had-a-novel-way-to-hide-on-3-million-devices/.
Goodwin, Dan. "Hundreds of WordPress sites infected by recently discovered backdoor."ars Technica. 4 Jan. 2023. https://arstechnica.com/information-technology/2023/01/hundreds-of-wordpress-sites-infected-by-recently-discovered-backdoor/.
Heddings, Anthony. "What Is Static Content, and How Does it Affect Your Website?"How-To Geek. 16 Jul. 2022. https://www.howtogeek.com/devops/what-is-static-content-and-how-does-it-affect-your-website/.
Heddings, Lowell. "Warning: Your Browser Extensions Are Spying On You."How-To Geek. 20 Jan. 2014. https://www.howtogeek.com/180175/warning-your-browser-extensions-are-spying-on-you/.
"How secure are static sites?" Accessed 19 Mar. 2023. Flatsite.com. https://flatsite.com/faq/security/how-secure-are-static-sites/.
Knight, Jon. "5 Ways to Keep Google from Collecting Data on Your Android Phone."Gadget Hacks 25 Feb. 2019. https://android.gadgethacks.com/how-to/5-ways-keep-google-from-collecting-data-your-android-phone-0181002/.
Large, David. "Static vs Dynamic Websites: The Definitive Guide."Cloudcannon.com. 24 Aug. 2022. https://cloudcannon.com/blog/static-vs-dynamic-websites-the-definitive-guide/.
Nield, David. "All the Ways Google Tracks You: And How to Stop It."Wired. 27 May 2019. https://www.wired.com/story/google-tracks-you-privacy/.
Ong, Si Quan. "How to Improve SEO: 9 Tactics That Don’t Require New Content."ahrefs.com. 22 Aug. 2022. https://ahrefs.com/blog/how-to-improve-seo/.
"The Dangers of Plug-ins." 20 Mar. 2018.Pandasecurity.com. https://www.pandasecurity.com/en/mediacenter/security/dangers-of-plug-ins/.
Tuvikene, Kristina. "30+ Ways to Increase Website Traffic."Websitesetup.org. 20 Dec. 2021. https://websitesetup.org/increase-website-traffic/.