When the World Wide Web was created it was envisioned as a repository for documents. Lots of little book chapter sized articles connected together with hyperlinks. And it was static. It didn't take long before people realised there was a problem. Whenever we added new articles to our sites we'd have to go back to every other page and update it with links to the new article.
HTML was already a standard by that point but it didn't have anything built in to support showing recent lists of posts or dynamic content. However the server didn't technically have to load content from a static file and so servers started to support different programming languages to produce live updating HTML content.
Big companies had access to a wide array of languages from C to ASP to Lisp; the possibilities were almost endless. The small folk who form the majority of the web had fewer options in a time when hosting was expensive. The problem is that allowing a number of unknown people to run complicated C projects on a server shared by other people is a huge security risk. Instead, massively stripped-down and secured languages such as Perl and PHP were offered to the public. PHP quickly won because you just upload some files and, click, your site works. There was very little configuration, or if there was, it could be pre-configured by the hosting company.
So here we get to the part where Wordpress steps in. Movable Type had made a blogging platform for Perl, but configuring Perl wasn't the easiest. Wordpress put together a simple package with a built-in installer. Suddenly PHP & Wordpress were launched into the ranks of the most popular platforms online, eventually running everything from blogs to business sites to full-blown ecommerce sites.
But it shouldn't have been this way. At least if we cared about security. PHP and Wordpress both objectively have flaws, many of which have been overcome by hours and hours of work. Today they are both very well built packages and I'd be happy to build with both. But given the choice we can work with platforms that build from a solid theoretical foundation and have security firmly in mind.
Back to where we started
So, ironically, we find ourselves moving back to fully static sites. Wordpress gets hacked because too much of the code is public facing. If you aren't careful about which plugins you install or about preventing access to certain files, it's almost a matter of time until someone finds a hack. However, if I install an insecure plugin onto Gatsby or Next.js and then switch them to fully static site generation mode, the plugin still does its job, but by the time the site is uploaded the plugin isn't there anymore in code form. There's nothing to hack as only HTML content is produced.
Obviously if your site absolutely needs ecommerce, or comments, or forum posts, or something that changes hour to hour static site generation just won't work. But lots of sites don't need that, and blog comments can actually be loaded over a secure API if really necessary after the main site has loaded. Static sites are fast too. Much, much faster in some cases. Especially if you tell your CDN to serve the content instead of your own server.
For sites that have daily or weekly new posts? Just rebuild them automatically. We may not have had the resources to rebuild an entire site with hundreds of pages years ago, but now we definitely do. And it's much more secure to do that, it's much faster, and it's easier to test that a new update doesn't break user functionality. If a site automatically updates on its own there's a chance that you wake up one day to a broken site and a massive scramble to fix it. Static generation lets you test any big changes before they ever go live, and sleep a little easier.
How does it actually work
Most of the static site generators rely on dynamic JavaScript frameworks to build the content, the most common being React or Vue.js. A server runs your JavaScript project to see what HTML it produces and saves that snapshot in either its cache or a distribution directory with all the HTML, CSS & JS that your site needs to run.
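To make the snapshot step concrete, here is a miniature build written for this article as an added example; it is not Gatsby's or Next.js's code, and every name and sample post in it is constructed. It turns post data into a map of file paths to finished HTML, escapes the data on the way in, and refuses slugs that could write outside the output directory.

```javascript
// Added example: a build-time snapshot step in miniature.
// All function names and the sample posts are constructed for illustration.

// Escape text before it is placed into HTML, so post data cannot inject markup.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Accept only slugs that are safe as a single path segment (no "..", "/" or dots).
function safeSlug(slug) {
  if (!/^[a-z0-9]+(?:-[a-z0-9]+)*$/.test(slug)) {
    throw new Error(`unsafe slug: ${JSON.stringify(slug)}`);
  }
  return slug;
}

function page(title, body) {
  return `<!doctype html><html><head><meta charset="utf-8"><title>${escapeHtml(title)}</title></head><body>${body}</body></html>`;
}

// Returns { path: html } for every file the site needs. The output is plain text files only.
function buildSite(posts) {
  const sorted = [...posts].sort((a, b) => b.date.localeCompare(a.date));
  const files = {};
  for (const post of sorted) {
    const slug = safeSlug(post.slug);
    files[`posts/${slug}/index.html`] = page(
      post.title,
      `<h1>${escapeHtml(post.title)}</h1><p>${escapeHtml(post.body)}</p>`
    );
  }
  // The index is regenerated on every build, so new posts are linked automatically.
  // Slugs were validated in the loop above, so they are safe to place in the href.
  const links = sorted
    .map((p) => `<li><a href="/posts/${p.slug}/">${escapeHtml(p.title)}</a></li>`)
    .join('');
  files['index.html'] = page('Recent posts', `<ul>${links}</ul>`);
  return files;
}

// Constructed sample input, including a post that tries to smuggle in markup.
const samplePosts = [
  { slug: 'hello-world', date: '2023-01-05', title: 'Hello world', body: 'First post.' },
  { slug: 'static-sites', date: '2023-02-10', title: 'Why <static> sites', body: 'Tom & Jerry "quoted" <script>alert(1)</script>' },
];
const siteFiles = buildSite(samplePosts);
```

A real generator writes each entry of the returned map to the distribution directory; whatever produced the data never leaves the build machine.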
Probably the two biggest static site builders today are Gatsby and Next.js, and although Next.js is becoming the most popular because it can easily create more than just static sites, for purely static sites I prefer just how explicit and obvious Gatsby is with the optimizations it makes.
How difficult is it to move
It could be easier, honestly. A website builds up a large amount of inertia wherein it becomes difficult to make large changes. It's much easier to set out to use a certain style at the start, although the set up costs will be higher with a static site simply because it's slightly more specialist and the developers cost a little more. Site security improvements alone quickly pay for that.
So if you absolutely had to move away from Wordpress, how would you? Well, you don't need to get rid of Wordpress completely; you can just close it off from public access and access it from a React site. To do this from Gatsby you would install a GraphQL plugin inside Wordpress and then access the posts from a GraphQL query. The majority of your time after that will be spent converting a Wordpress theme to its equivalent React components. It will be much cleaner and easier to maintain and update after you're done, but it can be quite a bit of work upfront.
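Closing Wordpress off only helps if the published build really contains nothing but static files and no pointers back to the private back end. The following pre-deploy check is an added example written for this article, not part of Gatsby or Wordpress; the allowlist, the function name and the hostname `cms.internal.example` are assumptions made for illustration.

```javascript
// Added example: audit a static build before it is uploaded. Hypothetical names throughout.

// File types a purely static site is expected to ship (assumed allowlist; adjust per project).
const STATIC_EXTENSIONS = new Set([
  'html', 'css', 'js', 'json', 'xml', 'txt', 'svg', 'png', 'jpg', 'webp', 'ico', 'woff2',
]);

// Markers of PHP source that should never appear in published files.
const SERVER_CODE_MARKERS = ['<?php', '<?='];

// files: { relativePath: textContent }
// privateOrigins: hostnames of back ends that must stay private.
function auditBuild(files, privateOrigins) {
  const findings = [];
  for (const [path, content] of Object.entries(files)) {
    const segments = path.split('/');
    const name = segments[segments.length - 1];
    const ext = name.includes('.') ? name.split('.').pop().toLowerCase() : '';

    if (segments.some((s) => s.startsWith('.'))) {
      findings.push({ path, issue: 'hidden file or directory' });
    }
    if (!STATIC_EXTENSIONS.has(ext)) {
      findings.push({ path, issue: `unexpected file type: ${ext || '(none)'}` });
    }
    for (const marker of SERVER_CODE_MARKERS) {
      if (content.includes(marker)) findings.push({ path, issue: `server-side code marker: ${marker}` });
    }
    for (const host of privateOrigins) {
      if (content.toLowerCase().includes(host.toLowerCase())) {
        findings.push({ path, issue: `references private origin: ${host}` });
      }
    }
  }
  return findings;
}

// Constructed sample build with three deliberate problems.
const sampleBuild = {
  'index.html': '<!doctype html><a href="/posts/hello/">Hello</a>',
  'posts/hello/index.html': '<img src="https://cms.internal.example/wp-content/uploads/a.png">',
  'wp-config.php': "<?php define('DB_PASSWORD', 'placeholder');",
  '.env': 'API_TOKEN=placeholder',
  'app.js': 'console.log("ok")',
};
const findings = auditBuild(sampleBuild, ['cms.internal.example']);
```

In a deploy script, a non-empty `findings` list should stop the upload; in practice the `files` map would be read from the generator's output directory.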
Drawbacks
The number 1 drawback is that a static site only has static content. You cannot by definition have a forum community without installing extra software. Blog comments have to be loaded on the client's browser and will not be available for Google to add into their SEO score. But honestly that could be a good thing if most of your blog comments are spam.
The second biggest drawback is the lack of support from most hosting companies. What this means is that there isn't often a quick one button site rebuild option. You have to manually upload new content either by SSH/FTP or with a script on the VPS. You can use empty git commits to trigger a CI/CD site rebuild but it's more complex. Whether this is a problem depends entirely on the type of staff currently working in your business. It's out of the reach of anyone without a technical background of some sort.
Further Reading
Below I've included some links if you're looking to get started yourself:
Gatsby Documentation
Next.js Documentation
Conclusion
I have experience working with the most common static site generation platforms and can get you switched over to a more secure way of working. Feel free to contact us and let us know what you need.