
They can certainly be hacked, just like any static site. Web servers have vulnerabilities.

And the files can certainly be edited as they aren’t immutable.

They are less resource intensive and easier to maintain, but aren’t immune.

(Running mostly static sites converted from WordPress sites, but also running 10 year old+ WordPress sites that haven’t been changed in forever)




You aren't wrong, but if you use Cloudflare Pages with a static site the only job you have to do for a static site is make sure your Cloudflare account is secure with 2FA etc. Cloudflare will handle the security of everything else.

If you have WordPress exposed to the internet, there's a lot more security stuff to deal with.


You're not wrong, but compromising a server that exposes nginx configured for static files, sshd, and nothing else is at least an order of mag or two harder. Probably no one is going to drop an nginx 0day on your blog.


And you can run one written in a memory-safe language, like Caddy.


The web server can be hacked so it serves something other than the static HTML you uploaded but there is no 'app' to hack, there's a whole class of problems that can happen on WordPress that can not happen with static sites.

What would hacking an HTML file even mean?


I had a website get hacked when the FTP server running on the shared host got exploited. They added some malware injection code to the index.html file.

After that I added a cron job that compared the hash of the index.html with a precomputed value. Didn't change often enough to be a hassle.
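
The cron check described in the comment above, as an added example that is not part of the original thread. It generalizes from a single index.html hash to a manifest of the whole web root, so it also reports files that were added; the function names and paths are hypothetical, and GNU coreutils `sha256sum` is assumed.

```shell
#!/bin/sh
# Added example: file-integrity check for a static web root, intended for cron.
# Function names and paths are hypothetical. Requires GNU coreutils sha256sum.

# make_manifest ROOT MANIFEST
# Record the SHA-256 of every file under ROOT. Run after each deploy and keep
# MANIFEST somewhere the web or FTP user cannot write to.
make_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2 ) > "$2"
}

# check_site ROOT MANIFEST
# Returns 0 if the tree matches the manifest, 1 if any file was modified,
# removed, or added. Findings go to stdout so cron can mail them.
check_site() {
    root=$1; manifest=$2; status=0
    known=$(mktemp) && present=$(mktemp) || return 2

    # Modified or missing files: re-hash every entry listed in the manifest.
    if ! ( cd "$root" && sha256sum --check --quiet - ) < "$manifest" 2>&1; then
        status=1
    fi

    # Added files: paths present on disk that the manifest has never seen.
    sed 's/^[0-9a-f]* [ *]//' "$manifest" | sort > "$known"
    ( cd "$root" && find . -type f | sort ) > "$present"
    extra=$(comm -13 "$known" "$present")
    if [ -n "$extra" ]; then
        printf '%s\n' "$extra" | sed 's/^/UNEXPECTED FILE: /'
        status=1
    fi

    rm -f "$known" "$present"
    return "$status"
}

# Cron usage (hypothetical paths):
#   */15 * * * * /usr/local/bin/sitecheck.sh /var/www/site /root/site.sha256
if [ "$#" -eq 2 ]; then check_site "$1" "$2"; fi
```

The manifest is only as trustworthy as its storage: if it sits in a location the compromised service can write to, an intruder can regenerate it along with the modified pages.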


Even if it's remotely possible to hack Nginx... what's the motivation to hack a static site?

There's no DB with juicy data and no compute to abuse for mining crypto or running DDoS attacks.


Similar motivation as hacking a WordPress site, putting SEO spam out there.

There’s less payoff, but people still do it.


Yeah, but the difficulty in hacking Nginx vs WordPress must be orders of magnitude more difficult though.


Trick users into clicking malicious links, host ads, SEO link farm, host other questionable content, or some people just like to deface websites.


Usually SEO spam link insertion and generic Viagra spam redirects...


You can change the payload sent to users, static or not. If you serve JavaScript you're serving dynamic, runtime dependency injecting code.


Other siblings have piled on this, but let me just add:

Your source of truth for a static site will never be the deployed contents of the server (even if you do go that route). It will be your local Git repo or possibly your upstream Git forge.

Even in the rare case that such a simple case gets you hacked, you can throw away your entire setup and start over quite easily. Whereas all of the WordPress/Drupal/etc/etc. options I'm aware of will require you to do your own database backups, if you are self-hosting, or else you are simply hosed (as the attacker could corrupt or erase the source of truth).

If you are with a hosted solution then obviously your security (and backups) will be as good as their security/backups, and all of this will be moot except for pricing.


I understand all this. I didn’t say that static sites are easy to hack or valuable, I responded to GP’s claim “They cannot be hacked”

I think static sites are a good technique that has vastly improved security over dynamic sites, but thinking that using them makes you invincible is faulty.


If it makes you as vulnerable as S3, that's as close to invincible as you're going to get.


Depends on where you host.


The whole website is on Amazon S3, that's where you host it!


I host dozens of static sites, none of them run on s3.


The beauty of a static site is you can then put it on something like GitHub Pages or S3 to give the responsibility of the server to someone else.


Or you can just pay someone to host it and maintain and support the web server for you, for a lot cheaper (often free, like GitHub Pages).


Good luck hacking an html file served through nginx.



