Configure Security Settings
Despite its performance benefits, Simply Static is often used by people who care about security, and that's great!
The problem is that people often throw all kinds of "security" features into their websites without questioning or configuring them.
That's why we created a small guide to help you navigate using Static WordPress with Simply Static.
Disable Security Plugins
Most security plugins just don't work in a static WordPress environment.
They will literally have zero effect as your entire WordPress website is locked down behind Basic Authentification, and no one besides yourself will ever be able to access WordPress.
Here are some plugins that should be disabled when using Simply Static:
- WordFence
- Ninja Firewall
- Sucuri Security
- Hide My WP (these features are already included in Simply Static Pro)
As mentioned, these plugins have zero effect in a static WordPress environment and often cause issues by altering false positives (especially true for WordFence).
We highly recommend disabling the plugins mentioned above when using Simply Static.
Cloudflare Firewall
We are fans of Cloudflare and its services. We almost always recommend them for DNS and even static site hosting. The problem is that people almost always activate the firewall without spending a second configuring it.
If you know what you are doing, feel free to use the Cloudflare Firewall and make sure requests coming from your own server don't get blocked.
If you don't, it might be better to disable the Firewall entirely—your static WordPress website is already a vast security improvement in itself.
Challenge mechanisms
Always ensure you are not blocking your server from making requests. Simply Static works a lot like the Google Bot. If we hit a challenge page (like the one from Cloudflare), we will download that page instead of the actual page from WordPress.
Because of that, it's critical to exclude requests coming from your own server from the challenge solution within your Firewall.