Getting to Grav and Gantry was a long and winding road...

My Requirements

Since lots had changed in the time between my last run at websites and my decision to try again, none of these were hard requirements. I knew I had to be ready to zig when I would prefer to zag.

  • Offline editing: I went a decade with no internet, so I really wanted a way to do my work offline and then upload it when ready. Yes, I know. The world has gone remote. I don't care. This is the closest thing I have to a drop-dead requirement.
  • Web Processing: I've been using word processors for decades, all the way back to Apple //. I've run expert-level classes in word processing. I spent 30 years as a programmer. I just didn't see any reason why building a website should be harder than putting out a newsletter or producing training documents. Not a real drop-dead requirement, but close. I've got a bit of flexibility here, but getting into raw HTML should be extremely rare.
  • Pure HTML: Okay, I knew right off the bat this was a pipe dream. Still, if I could avoid JavaScript, PHP, etc. I'd sure like to. At the very least, I'd like my hosting provider to be doing a great job of PHP (or whatever) configuration and security. JavaScript can be a cesspool of external dependencies with all the security risks that entails, but I was pretty sure that there was no way to avoid it.
  • No Database: Again, I suspected that this was a pipe dream. I know that it's just one of a million different attack vectors, but I have a possibly irrational fear of SQL Injection attacks.
  • Open Source: I have gladly spent untold thousands on high quality (and garbage!) software over many decades. I have no problem continuing to do so, but I now act alone and for myself, so I can choose more freely than I once could. If I'm paying for software, I like knowing that I can tinker with the code if I feel like it. I rarely do, but I have. Others do, and they extend the software beyond what the original creators could envision or can afford to do. Likewise, open source software means that it is generally easier to find bugs. Closed source software requires a lot of funky tools and processes to go bug hunting. Finally, open source software creators are almost without fail far more open to accepting and dealing with bugs that affect security.
  • Community Support and Development: Everyone needs help sometimes. My experience is that community support is often more important than corporate support. Having lots of people producing templates, plug-ins, and enhancements is great. I have some other things I'd like to eventually do with this website, and having a strong and active community will be crucial in the months and years down the road.

First Steps

I looked for standalone software that let me build my website offline for uploading to my website. Such software might exist, but I couldn't find anything I would pay for. Even if it's free, I just don't have much patience for software that is free because nobody in their right mind would pay for it. The promising stuff was priced well out of reach to the hobbyist. I didn't find any solid open source projects.

My original version of this site was built using CityDesk by Fog Creek, now Glitch. That seemed like something worth a look. As great as it looks, and it does seem like a masterpiece in the making, it's all online, there is no obvious plan for letting people self-host or use the output on their own site, and there is too much exposure to the raw HTML for my tastes. Too bad, but I heartily recommend taking a look at it. Anyway, I also excluded SquareSpace and other comparable offerings for similar reasons. WordPress offers both hosted and self-hosted solutions, and my provider, HostPapa is a WordPress hosting provider. So let's check out that as part of looking at everything that HostPapa offers.

Host Papa Offerings

In addition to WordPress, HostPapa offers three other Content Management Systems (CMS): Concrete5, Drupal, Joomla, and Typo3.

  • WordPress: WordPress seems to be the most popular CMS on the planet. Of course, that doesn't mean it's actually the right choice for me. It is database-backed, something I didn't want but which I came to terms with, because there didn't seem to be a choice. It comes under frequent attack by bad actors, but that's not surprising given its popularity; it doesn't mean it's actually less secure than anything else.. It has a lot of plug-ins and themes developed by a huge and active user community. I wasn't happy with the workflow, possibly because I just didn't really understand how to do what I wanted, but more likely because it represented my first foray into CMS.
  • Typo3: At first glance, I thought this would do the trick. Unfortunately, HostPapa does not offer the latest version by default, and I wan't interested in going through the hassle of getting them to offer a new version. HostPapa is the only place I've ever heard of Typo3, so I'm guessing it would make more sense for them to stop offering it than to fiddle with getting new versions to work.
  • Concrete5: I was underwhelmed at first glance. Given the size of companies that use it, I felt I should at least give it a chance. In the end, I didn't even bother to install it.
  • Drupal: I know it's pretty popular and it looks like a decent offering, but I just didn't think it was my cup of tea. It looked like something requiring a huge investment of time, rather than something that I could use to hit the ground running.
  • Joomla: This one actually looked great. Everything made sense to me. I tinkered with it a bit, built a couple of pages, and was on my way. Except...

Left Turn

I started hunting for Joomla templates to ease the burden of creating a nice looking site that worked across all platforms. Enter RocketTheme. This was not the first Joomla theme site I found, but they seemed to have a large collection of themes at fair prices and with reasonable terms of use. But there was this menu item "Grav". What was that? And the rest is history. Grav uses PHP and JavaScript, but so it seems does anything worth looking at. What Grav doesn't have is a database back end. Just files. Even though I like databases --- I made my living with databases for years --- I think they are overkill for the kind of site I'm interested in building and maintaining. Just plain files means I can create a working installation on my laptop, then copy the files up to my site when I'm ready. Remember those requirements? Offline. Upload to publish.


So, I did a local install. Easy peasy. No scripts, just copying a bunch of files. Which means that I can also install it to my web host with minimal or no support. The system requirements are clear and easily met by HostPapa and my own system. Right away I discovered that the minimal install I chose required that I learn about directory structures and something called YAML. (Did you follow that link? Looks like fun, eh?) YAML looks great, especially to a programmer. And I'm a programmer. But this programmer knows better than to edit things like YAML by hand, except in emergencies. Fortunately, it was easy to find the tools I needed to mostly forget about YAML and directory structures. Really, the admin tool plug in was enough and it's such an obvious choice that only an oddball would choose an install that didn't include the admin plugin by default.

Naturally, that still leaves me with the task of understanding the directory structure. That is something I'd need to do for any product, even my own, that is used for offline development with uploads for deployment. Using and understanding directory structures comes second nature to me after over 40 years of computer use. Grav's directory structure is also very well documented. On the other hand, the admin plugin does a good job of keeping this user on the straight and narrow, so the only real understanding I need is "which files and/or directories do I need to upload?" That's easy: everything to start with, the "user/pages" and "user/images" folders after that. For minor changes, it's easy to cherry-pick the specific files necessary. For a large site, a better plan making use of metadata like "modified date", etc. will limit the size of the upload. That will be necessary for any site like mine that will eventually have lots of images, but I'll cross that bridge when I come to it. Also, once everything was uploaded to my site, I got rid of the admin and admin-power-tools folders in "users/plugins" because I won't be doing any editing while online. Although minor, it's still a reduction in the attack surface.


My template search led me to Gantry. Which, of course, led me back to RocketTheme. RocketTheme is the developer of both Grav and Gantry. Now don't get me wrong. Once I learned of flat file systems and templating systems, I did research other offerings. But I kept coming back to Gantry. That both Grav and Gantry are developed by the same people is, for me, a huge bonus. One stop shopping, and all that.

Gantry templates are easy to work with. I haven't found any templating system that works the way I would prefer to work (like a word processor), but Gantry is simple, clear, and easy to use with a good workflow. After a few weeks of casual tinkering and my decision was final: Grav + Gantry.

Final Words

I have no doubt that Joomla with Gantry templates would be a great solution,but there was something compelling about Grav. Installing to HostPapa was as simple as uploading everything from my local install to the web root of my website. The site was live as soon as the copying was done. There was one minor glitch requiring me to change a PHP configuration parameter, but HostPapa makes some settings available for site administrators to change and that one of them.

Once the upload was completed and tested, I removed the admin stuff from the website. Everything still worked. In the end, I didn't get my plain HTML, but I don't have a database and I can do all my work offline, uploading changes when ready.

I've found a bug in Grav and reported it. It doesn't seem like a security issue, but it could sure confuse someone because it results in unexpected directory and file structures. In my case, with all development taking place offline, there is definitely no security risk. Based on what I've seen when looking through their bug tracker, I expect it will get the attention it deserves.