
Publii: The secure CMS for static websites
Security expert Lazou from Secunis.de 🇩🇪 looks at the Publii desktop CMS from a security perspective.
🇬🇧 English translation by Christian Spaan.
What is Publii?
Publii is a modern, open-source content management system (CMS) that was developed specifically for users who are looking for a simple, secure and efficient way to create and manage their websites. Unlike traditional CMS such as WordPress, which generate content dynamically and rely on server-side databases, Publii generates static HTML pages. This means that all content is generated in advance and saved as simple files - without a database, without PHP, without running server processes.
This static approach has decisive advantages - particularly in terms of speed, security and freedom from maintenance. Static pages load at lightning speed, require no ongoing updates and offer attackers virtually no opportunities. Classic vulnerabilities such as SQL injections, plugin exploits or brute force attacks on login areas? They simply don't exist here.
The application runs completely locally on your computer (Windows, macOS and Linux). You work offline, create content via an intuitive user interface - and publish your finished website at the touch of a button via FTP, SFTP, Netlify, GitHub Pages or other services.
Publii is aimed at both beginners and advanced developers. You don't need any programming skills - but if you want, you can customise themes, add your own CSS or even develop your own plugins.
Whether it's a personal blog, portfolio, company website or club project - with Publii you can rely on a modern, low-maintenance and secure solution.
The brains behind Publii
Publii is backed by the Polish company TidyCustoms, which specialises in web development, theme design and performance optimisation. The project is managed by two experienced professionals: Bob Mitro and Tomasz Dziuda.
Bob Mitro is the creative mind and founder of TidyCustoms. He has more than 16 years of experience in web design - including as project manager at GavickPro, a well-known provider of themes and extensions for WordPress and Joomla! Anyone who appreciates Publii's clear, intuitive interface has him to thank for this. In addition to his technical expertise, Bob has a keen sense for user-friendliness, SEO and modern design.
Tomasz Dziuda, better known as "Dziudek", is the technical architect behind Publii. He has been passionate about programming and software architecture since his school days. Today, he is not only a sought-after speaker at developer conferences, but also responsible for Publii's clean, efficient code base. In his spare time, he enjoys tinkering with Lego, watching films or playing board games - a creative mind with technical depth.
TidyCustoms not only develops Publii, but also offers accompanying services - e.g. individual themes, plugin creation, performance optimisation and SEO consulting. This close integration between software development and real application practice makes Publii particularly user-orientated.
Security at Publii: protection through simplicity
1. No SQL database = No SQL injections
With classic CMS such as WordPress, Joomla! or Drupal, every page request turns into database work: content, comments, logins - everything is stored in a MySQL or MariaDB database and is assembled dynamically using SQL queries. It is precisely this dynamic generation that makes such systems vulnerable - because every query is a potential point of attack.
A particularly dangerous example is SQL injection. Attackers attempt to infiltrate malicious SQL code via inadequately secured input fields - such as login forms, search functions or comment areas. If this is accepted by the system, hackers can read out sensitive data, manipulate content or even take control of the entire system. According to OWASP, this method has been one of the most common vulnerabilities on the web for years - often triggered by simple validation errors or a lack of filter logic.
Publii is completely immune to such attacks - because it simply does not use a database. As a static CMS, it generates finished HTML pages when saved, which are then simply delivered to the server. There are no SQL queries that an attacker could manipulate, no user interactions that could trigger code and no dynamic backend that would have to be interpreted or could be tricked. The complete absence of a database eliminates not only SQL injections, but also other classic forms of database attack - such as dumps, where entire table contents are downloaded, or privilege escalation through poorly set database rights.
🎓 Even if someone tries to infiltrate malicious code via manipulated URLs or input, this attempt comes to nothing - because there is no instance that could analyse this code.
The result:
Publii excludes SQL injections not through elaborate defence mechanisms, but by radically dispensing with everything that makes them possible in the first place. What is not there cannot be exploited - a security gain through consistent reduction.
2. No public login = No brute force attacks
Classic CMS such as WordPress, Joomla! or TYPO3 rely on a centralised, publicly accessible login system - and thus open up one of the most common attack surfaces on the web. Brute force attacks work according to a simple principle: bots automatically test countless password combinations until the access is cracked. Weak passwords, a lack of two-factor authentication or unsecured login pages make it easy for attackers.
With Publii, this scenario is ruled out from the outset - because there is simply no public login. The entire website administration takes place locally on your computer in the Publii app. This means: no login page on the server, no password request, no attack surface. This also effectively prevents phishing attacks on login masks. As there is no login function on the published website, no deceptive fake form can be created and exploited - an important advantage for security-conscious users. Even if a bot scans your site for vulnerabilities, there is simply nothing to get.
By completely dispensing with server-side user management, Publii removes any basis for this attack method. Brute force? Doesn't work here. And that not only saves nerves - but also a lot of maintenance work for login protection measures.
3. No server-side code = No remote code execution
As soon as a website actively processes code on the server - be it for user rights, form processing or dynamic content - a dangerous gateway opens: Remote Code Execution (RCE). This type of attack is one of the most critical threats on the web, as it allows attackers to execute their own code on the server - with potentially catastrophic consequences.
Typical causes: faulty plugins, insufficiently checked file uploads or poorly configured permissions. Once a gap has been found, a manipulated request is often enough - and malicious code is already running in the system.
Publii eliminates this risk with a simple principle: it does not execute any server-side code. The pages consist of static HTML, CSS and optional JavaScript - no scripting languages, no backend logic, no execution mechanism. What is on the server is simply delivered - not interpreted, not changed.
Even if someone tries to inject a malicious file, nothing happens. The server does not "understand" this file - and therefore does not execute it.
🎓 Even more complex CMS alternatives such as headless systems often work with APIs and server-side authentication - which in turn creates attack surfaces. Publii completely dispenses with such components and thus minimises the risk.
Interfaces such as XML-RPC or REST APIs, which are often the gateway for attacks in other CMSs, do not exist in Publii either - the system works completely without open API endpoints.
The result:
Without executable code, there is no attack surface. Publii makes RCE technically impossible - without firewalls, virus scanners or complicated configurations. Publii also eliminates other server-side vulnerabilities, such as insecure deserialisation or faulty access controls at API level - all problems that regularly cause security incidents with dynamically generated pages.
4. No sessions = No session hijacking or CSRF
Modern web applications often rely on logged-in states - whether in the admin panel, for comment functions or personalised content. Sessions are created so that the server knows "who is currently active". These save login data, user rights or personal settings - and this is where two serious risks arise: session hijacking and CSRF.
In session hijacking, attackers hijack a running session - usually by intercepting session cookies in the browser. All it takes is a public hotspot or faulty code validation and strangers can act in your name.
In CSRF attacks, on the other hand, a logged-in user is deliberately tricked into unconsciously carrying out actions - for example via a manipulated link. This allows content to be changed, passwords to be changed or even admin access to be created - all without any action on your part.
Why does this not affect Publii?
Because Publii does not allow this attack scenario in the first place. There are no sessions, no logins and no cookies. Everything happens locally on your computer in the app. The published website does not recognise any users - it only delivers content.
There is therefore no logged-in state that can be taken over - and no interface that can be misused. The server saves nothing, processes nothing, reacts to nothing.
The result:
Neither session hijacking nor CSRF are possible - simply because the technical requirements for this do not exist. This not only reduces the attack surface, but also the maintenance effort. You no longer have to deal with expiring sessions, cookie runtimes or CSRF tokens - all of this is completely eliminated. This not only makes website management more secure, but also significantly leaner. No session management, no cookie guidelines, no security mechanisms - simply no attack surface.
5. No data processing = Inherently data protection-friendly
Data protection has long been mandatory for website operators - at least since the GDPR came into force. But this is where many pitfalls lurk: Do you need a cookie banner? What happens to IP addresses? What to do with personal data? Who is liable if something goes wrong?
With Publii, the answer is in many cases: These problems don't even occur.
Because: Publii does not collect any personal data by default. There are no forms, no login system, no cookies, no database - and no personalised tracking or user profiling. The generated website functions completely passively: it delivers content but does not process any information about your visitors.
Analysis functions such as Matomo - if used - are also configured in compliance with data protection regulations by default, anonymised and hosted locally. No IP addresses are stored and no user profiles are created. This means that even if web analytics is activated, you remain completely safe in terms of data protection.
Local delivery of all assets: All official Publii themes - whether free or premium - do not use external resources such as Google Fonts or CDN scripts. Instead, all fonts, scripts, stylesheets and icons are stored locally on the server. This means no unnecessary data transfer to third-party providers and maximum GDPR compliance straight from the factory.
Integrated cookie banner: If you still want to integrate third-party plugins such as Google Analytics or Disqus, Publii comes with a fully integrated cookie banner. This blocks the corresponding scripts until users give their consent - in the spirit of "privacy by default". Two variants are available: a simple info bar or an advanced configuration with cookie groups (e.g. "Functionality", "Analytics" or "Marketing"). This allows fine-grained control of which tools are allowed to do what.
⚠️ Important: As Publii works statically and does not use server processing, no automatic consent logging is carried out. If you want to provide legally secure proof that consent has been given, you should document this manually or add an external consent solution - depending on the legal situation in your own country.
Convenience without code: All data protection functions can be activated and configured in the user interface - without any intervention in the code. It is also possible to assign plugins to cookie groups at the click of a mouse. If you use your own scripts, you can use placeholders such as {{ gdprScriptBlocker "analytics" }} to integrate them specifically into groups - simply and effectively.
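To make the consent mechanism concrete, here is an added example of a script blocker. It is not Publii's own helper or banner code; the type prefix "consent-blocked/", the function names and the sample snippet are assumptions made for this example. It shows the two halves of the technique: at build time the third-party snippet gets a non-JavaScript type, so the browser keeps the tag in the document but does not execute it; at run time, after consent for a group, the blocked tags are replaced by fresh script elements.

```javascript
// Added example: a consent-gated script blocker. Not Publii's own helper or
// banner code; the type prefix "consent-blocked/" and all function names are
// assumptions made for this example.

// Build-time half. Applied to the embed snippet of one third-party service
// (e.g. an analytics tag), it changes every <script> type to a value the
// browser does not recognise as JavaScript, so the tag is parsed but not run.
function blockScripts(snippetHtml, group) {
  return snippetHtml.replace(/<script\b([^>]*)>/gi, (tag, attrs) => {
    if (/\btype\s*=\s*["']?consent-blocked\//i.test(attrs)) return tag; // already blocked
    const rest = attrs.replace(/\s*\btype\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/i, "");
    return `<script type="consent-blocked/${group}"${rest}>`;
  });
}

// Which cookie groups a page contains blocked scripts for (drives the banner UI).
function blockedGroups(html) {
  const groups = new Set();
  for (const m of html.matchAll(/type=["']consent-blocked\/([^"']+)["']/gi)) groups.add(m[1]);
  return [...groups].sort();
}

// Pure-string counterpart of the run-time half, kept here so the logic can be
// checked without a browser: only consented groups are turned back into
// JavaScript; everything else stays inert.
function activateScripts(html, consentedGroups) {
  const allowed = new Set(consentedGroups);
  return html.replace(
    /<script\b([^>]*?)\btype=["']consent-blocked\/([^"']+)["']([^>]*)>/gi,
    (tag, before, group, after) =>
      allowed.has(group) ? `<script${before}type="text/javascript"${after}>` : tag,
  );
}

// Browser half. A script element is evaluated only when it is inserted; editing
// its type attribute afterwards does nothing, so each consented tag is replaced
// by a fresh element carrying the same attributes and body.
function activateInDom(doc, consentedGroups) {
  const allowed = new Set(consentedGroups);
  for (const old of Array.from(doc.querySelectorAll('script[type^="consent-blocked/"]'))) {
    const group = old.getAttribute("type").slice("consent-blocked/".length);
    if (!allowed.has(group)) continue;
    const fresh = doc.createElement("script");
    for (const { name, value } of Array.from(old.attributes)) {
      if (name !== "type") fresh.setAttribute(name, value);
    }
    fresh.textContent = old.textContent;
    old.replaceWith(fresh);
  }
}

// Constructed sample: an analytics embed as a vendor might supply it.
const SAMPLE_SNIPPET =
  '<script async src="https://analytics.example/tag.js"></script>\n' +
  '<script>window.dataLayer = window.dataLayer || [];</script>';

// Usage in the browser after the visitor accepts the "analytics" group:
//   activateInDom(document, ["analytics"]);
```

Two practical points follow from this design. A blocked tag with a src attribute still appears in the page source, so an auditor can see which services are wired up; it just does not fetch anything until activation. And remembering the visitor's choice across page loads needs some client-side storage, which is why the article's caveat about consent logging applies: the decision lives in the browser, not on the server.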
Transparency through your own privacy policy: Even if Publii itself does not collect any personal data, it is advisable to publish a privacy policy - for example, to explain why no data is collected or how integrated third-party providers handle it. You can create this as a hidden post and link it via the menu.
Exception: Official Publii website:
Important: All of the above statements refer to your very own website created with Publii. The official Publii website (getpublii.com), through which you can purchase themes or plugins, for example, processes personal data for order processing, newsletter distribution or support purposes, just like any e-commerce platform. This processing affects you as a customer, but has no impact on the privacy of your own website visitors.
While other systems first have to be made data protection-friendly through plugins and configurations, Publii does this out of the box. You start on a 100% data-saving basis - and have all the tools at your fingertips if you need more.
A real advantage for anyone who sees the GDPR not as an obstacle, but as a design opportunity.
6. Clear separation of backend and frontend
With many CMSs, the backend - i.e. the administration interface - is directly connected to the public part of the website. A login panel is often located under /wp-admin or /administrator, publicly accessible and online around the clock. This is a welcome gateway for attackers: if the backend is accessible, a vulnerability or a guessed password is often enough to compromise the entire site.
Publii takes a completely different approach here.
The entire website is managed locally via the Publii app - offline, on your own computer. You edit content, themes and settings quietly on your own device, without a server "knowing" anything about it. Only when everything is ready do you publish the page as static HTML files and upload them.
The frontend is thus completely decoupled from the backend. Only the finished, non-modifiable version of your website is stored on the server - without access to the administration logic, without login, without API, without vulnerable background processes.
Why is it so secure?
Because attackers simply won't find anything they can manipulate. Even if someone had access to your web space, they would only see the published files - no admin access, no sensitive configurations. And even in the worst-case scenario, you can re-export and upload the site locally at any time.
Another advantage: attacks via cross-site scripting (XSS), which are often infiltrated via the backend, are also ruled out here. There is simply no admin area with input fields that could be manipulated.
The result:
The separation of backend and frontend drastically reduces the attack surface. You retain full control over your system without making it publicly vulnerable - without any additional security plugins or measures.
More autonomy, less risk. This is exactly what modern web publishing should look like.
7. Official marketplace - but with a focus on security
Plugins and themes are a double-edged sword for many CMSs: they extend functionality - but also open doors for attackers. With systems such as WordPress in particular, many security vulnerabilities stem from third-party extensions that are outdated, poorly programmed or have never been updated. The more you install, the greater the risk.
Publii solves this much more elegantly.
Although there is also an official marketplace, it is highly curated. Most of the themes and plugins come directly from the Publii development team itself. This means: tested code, regular updates and clean documentation instead of uncontrolled growth.
ℹ️ Unlike WordPress, not just any developer can publish their own extensions. There is no open vector for introducing malicious code - which significantly reduces the security risk.
The centralised control and strict quality guidelines of the development team ensure that extensions do not contain any unwanted or insecure functions - a significant advantage over open marketplaces with uncontrolled third-party code.
At the same time, you remain flexible: you can decide for yourself whether you want to integrate Disqus, Google Fonts or Analytics and others. In addition, you are not left on your own. Publii shows you transparently which external services are integrated and how you can integrate them in compliance with data protection regulations.
Important to know:
As soon as you install additional plugins or use external services, you leave the completely static security model. This is completely legitimate - as long as you are aware of what you are adding. Publii provides you with the tools, you set the rules.
Maximum control with minimum risk - instead of a proliferation of plugins, you get extensions with security filters.
8. Security comparison: Publii vs. classic CMS (e.g. WordPress)
The difference is particularly evident in terms of maintenance and upkeep: while classic CMSs require regular updates, patches and plugin checks, Publii manages completely without ongoing maintenance thanks to its static architecture. Finally, it is worth taking a direct look at the most important differences - especially with regard to the security architecture:
- No database: Content is available locally as HTML files - SQL injections are therefore technically impossible
- No server-side code: No PHP, no script processing - no risk of remote code execution
- No public login: Administration runs locally - brute force attacks on login pages are impossible
- No sessions or cookies: No session hijacking, no CSRF, no management of logged-in states
- No trackers and cookies: GDPR-compliant by default, no hidden data transfers
- No open APIs: No XML-RPC, no REST endpoints - so no attack surface via interfaces
- No forms: No contact or comment forms by default - so no spambot risk
- Admin area local only: No vulnerable admin URL on the network. Everything happens offline
- No need to update: The published website does not need any security updates - it remains at all times as secure as it was when it was published
- Maximum control: Only you decide what ends up on the server - with no automatisms in the background
What needs to be considered with classic CMS:
- MySQL databases can be attacked via insecure input (SQL injection)
- Public login pages are a popular target for brute force tools
- Server-side code harbours risks for RCE and other exploits
- Plugins and themes can introduce vulnerabilities unnoticed
- Regular maintenance is mandatory - otherwise security vulnerabilities arise
- Many CMSs track by default - which makes additional GDPR measures necessary
- Forms are often active by default - and thus also the spambot risk
- Admin areas are accessible online around the clock - often only protected by weak passwords
9. Free choice of hosting - allowing for privacy-friendly providers
Another advantage of Publii: You are completely free to choose your hosting provider. While many CMS are bound to certain server requirements (e.g. PHP version, database, memory limit), Publii only needs one thing: a place where static HTML files are delivered. Nothing more.
This means that you can easily run your website with classic web hosts such as Manitu, netcup or IONOS - or with specialised providers that focus on data protection and sustainability.
Particularly exciting for data protection-conscious projects:
Because Publii itself does not process any personal data, you can select hosters that:
- operate their servers in the EU - ideally in Germany, if you happen to live there
- use their own infrastructure without third country transfers
- offer GDPR-compliant contracts for order processing
- and communicate transparently how they handle user data
This not only keeps your website static, fast and maintenance-free - it also ensures that the hosting is on a legally sound, data protection-friendly basis.
Tip: If you want to be on the safe side, look specifically for hoster seals such as "IT security made in Germany" or check whether a data processing agreement (AV contract in accordance with Art. 28 GDPR) can be easily concluded - ideally directly online.
10. Conclusion: Security without compromise - and without headaches
Many people immediately think of firewalls, security plug-ins or complex server configurations when they think of web security. Publii takes a completely different approach - a radically simple one. Instead of plugging gaps afterwards, it prevents security problems at the root. And this is how:
- No database
- No PHP
- No public login
- No sessions
- No tracking scripts
This means: no classic vulnerabilities, no risk from outdated plugins, no stress with GDPR or cookie banners. And above all: no security concepts that need to be understood first.
Publii does not protect through technical gimmicks - but by consistently eliminating potential attack surfaces. What does not exist cannot be exploited. This makes the system particularly attractive for:
- Newcomers who want security without specialist knowledge
- Teams that don't have time for permanent maintenance
- Projects where data protection and reliability are paramount
Zero-day exploits? A real threat in dynamic systems - but a side note for Publii. Because without active code on the server, there are no points of attack that would have to react to new vulnerabilities.
🎓 Whether you want to start a blog project without IT knowledge, need a GDPR-compliant website for your club or need to fulfil the highest security standards in a corporate environment - Publii offers you the technical basis without burdening you with complex security issues.
In short:
Publii puts an end to security headaches.
And that's exactly what makes the difference - without any compromises.
An 🇩🇪 article by Lazou of secunis.de - translated by s3n🧩net