Hacker News | zener79's comments

Hi HN,

I built LastSignal because I was uncomfortable trusting a third party with extremely sensitive information (final messages, recovery instructions, etc.).

LastSignal is a self-hosted dead man's switch: you prepare encrypted messages that are automatically delivered to chosen recipients if you stop responding to periodic check-ins.

Security-wise, the server is treated as untrusted by design:

- messages are encrypted client-side

- the server never sees plaintext

- the operator cannot decrypt stored data

I've documented the security model, threat assumptions, and known limitations here:

https://lastsignal.app/security/

Source code:

https://github.com/giovantenne/lastsignal

This is an early but usable version. I'm especially interested in feedback on the threat model, edge cases, and assumptions around liveness and delivery.

Happy to answer questions.


Hi, and many thanks for your comment :-)

Currently the search engine we offer with HardyPress is very simple: we index the site content during the deploy process and we provide APIs to retrieve results (or you can use our native modal box with no additional coding).

You can read more about this here: https://www.hardypress.com/guides/hardypress-site-search/

Regarding plugins, currently about 90% of the plugins we reviewed are fully compatible, because they do not have any dynamic behavior on the frontend. If your site uses some plugins marked as "incompatible", our system suggests an alternative to replace the plugin's behavior.

I perfectly understand your concern about HardyPress being a new "hosting provider", but HardyPress infrastructure is entirely built on the cloud, currently on Amazon AWS and the static generated sites are hosted on Amazon S3 Buckets that we use as pull-zones for the CDN, so your websites are really unbreakable and they'll stay up, no matter what!

You don’t need to trust us to feel safe!

If you want to have full control of your data you can always download your static generated site and host it somewhere else as you wish. In this way you will use HardyPress only as a Static Site Generator, plus the benefits that we will proxy your contact forms, and we'll make the search work!


Yep, you get the point.

Plugin support is a real challenge... anyway we are seriously building a white list of compatible plugins, and so far they are about 90% of the total. For the remaining 10% it is usually always possible to replace them with some external service (facebook-comments or disqus for comments, our Zapier app for mailchimp/drive/dropbox integration, beds24 as booking system, etc)

We also thought about something like your idea (keep a second installation live somewhere to submit the data), but, as you will have to host your real WP somewhere, you will lose one of the main benefits of HardyPress, namely to have your site unbreakable.


What about custom plugins (developed in house by your customer)?

For your point about security, that could be solved by asking them to whitelist your resolver IPs at the origin. Or you could even host the “origin” for them, in a closed network.


Many thanks Jason for your effort on posting it on ProductHunt.

We were thinking of postponing the launch on PH when the new version of the site is ready, but that's okay :-)

You don't need to transfer the domain to us (we are not a registrar), you just need to set a CNAME when your site on HardyPress is production ready.


You can use some external service like Disqus, Discourse or similar.


What about Wordpress.com/Jetpack comments? Live commenting the Wordpress way would be wonderful.


Actually, with those plugins you still have some drawbacks: first, you still need to have and keep secure the live WordPress installation somewhere; second, you have to download the static version and upload it somewhere else; last but not least, your contact forms and search will stop working.


The link is not working


Which link? They both work for me.


404 for me. Maybe it is a private repo and you are logged in


I suspect the github repo is private.


You suspect correctly :-| Doh


There are huge differences between running a live WordPress site in a Docker container (where you still have PHP, MySQL, etc.) and running it as a static site in a serverless environment.


Many thanks for your thoughts :-)

Actually yes, we are a new hosting company, but the live site is hosted on an AWS S3 bucket with a CDN in front of it, so, even if you don't trust us, I could feel quite safe with it.

In my personal experience, I used to have a web agency with dozens of WordPress installations to keep alive; most of them were simple “brochure” sites. I used auto-update mechanisms and caching layers provided by the hosting service, but it happened more than once to have security/performance/technical problems and headaches.

Only after I put the static copy of these sites online I started sleeping well at night. There was no way that things could go wrong.

Of course it is easier if you build them with the "static solution" in mind. Anyway, you will find a compatibility list of the plugins you are using on the site dashboard once your site is on HardyPress.


I too have self-hosted dozens of Wordpress sites over the years, including reverse proxy servers to terminate SSL and cache pages, and CDNs to mitigate DDOS and reduce roundtrip times.

I don't bother anymore. I think your biggest competition today isn't self-hosted Wordpress sites, it's Wordpress.com, WP Engine, Pantheon, GoDaddy Managed Wordpress, etc.

I don't want to seem negative, but I'm having a hard time seeing why I would prefer your system to those. From my perspective the static site generation + services adds complexity, it doesn't remove it. And I'd still have to maintain the Wordpress instance since it provides the backend.

If Wordpress is the backend, then a static copy, to me, just seems like one particular implementation of a caching strategy. I would not expect S3 to serve HTML pages any faster than Varnish, for instance.


Actually there are a couple of things that I'd like to clarify:

1) There is no WordPress backend to maintain, as it doesn't exist unless you turn it on in a temporary/hidden/virtual environment to make your changes. For the rest of the time it simply doesn't exist. No PHP, no MySQL, nothing that can break. You don't even need to keep your installation updated if you don't want to.

2) The pages are not served from an S3 bucket but from a CDN with 20 edge servers around the world. The bucket is only a "source of truth" from which the CDN loads the files when the "cache" is invalidated. This reduces the TTFB (time to first byte) by up to 10x from any location compared with a traditional hosting service.


I think you've identified the right problems--security, pain of maintenance, performance. I don't think you're solving them in the best way, but don't let that stop you! Hope your business is successful.


Why can't you export the static site and let me host it myself?


There are already some plugins that "staticize" your website, but

1) you still need to have the WordPress installation somewhere and keep it secure. With HardyPress, WP can be paused and restored when needed with a click.

2) you have to download the static version and upload it somewhere else manually (your client certainly can't do it on their own). HardyPress does it with a click.

3) contact forms and search will stop working. With HardyPress, if you use CF7, everything will work seamlessly.

To solve the problems above, HardyPress needs to host your WP installation.


Honestly think your business model would be improved by ditching the hosting, and have the static output just get git-synced, and working to incorporate the forms and such with something like Netlify which should support that, and Netlify has great workflows and integrations that you should be able to work with; or at least add the option of just pushing the static to Git/Netlify. Most of the value in what you are offering here is just in the headless (or WP front-end as a service shall we say) Wordpress component. I think a significant potential user base would much rather plunk down $5/mo to use the nice WP FE you've created, in conjunction with some type of Git/Netlify (or similar) integration, vs being locked in to having to host with you. Just my two cents. Believe others have weighed in similarly as well.


I see your point, but I also think that most of the value in what we are offering here is the ability to turn WordPress on/off on demand, so you can forget about it after the changes.

How could this be achieved without hosting files and DB?


Sure, that's the front-end and the service you are providing, just the ability to use WP. Sure it's great that it's not "on" unless I'm editing or using it, but why not add an option to build/output the static to a user's Git account? I understand that may not be the market you are going after, however I don't think it will lose you any of the customers who just want a WP/hosting easy-button; it will just add the customers who know what they are doing a little bit, can work with Git, and want to host it where they want. I think you can only win by adding this as an option/feature.


Ok, about this we will release soon a new feature where users will be able to deploy their static site on a custom ftp/sftp server. Adding a git repo as destination won't be a problem :-)


Yes, there are some plugins that "staticize" your website, but

1) you still need to have the WordPress installation somewhere and keep it secure. With HardyPress, WP can be paused and restored when needed with a click.

2) you have to download the static version and upload it somewhere else manually (your client certainly can't do it on their own). HardyPress does it with a click.

3) contact forms and search will stop working. With HardyPress, if you use CF7, everything will work seamlessly.

To solve the problems above, HardyPress needs to host your WP installation.


And pay you money :)


Yep, like for every hosting solution ;-)

