Moveable Type is the first one that comes to mind. It's a feature they push heavily.

Also, if you install the boost module on drupal, it will cache static pages, but it only caches them on first request by default, so you would have to set it to cache on creation and have it check regularly. So if you ran cron just before rsync and verified that the cache was up to date, I think that would work too.

Typos3 can also export static pages.People who like it seem to love it, but I could never wrap my head around it.

Hey everyone, any others come to mind?

Thanks for your answer, ergophobe.

MT is definitely worth a second look.

Drupal is out for security reasons and Typo3 is way too complex for my customer ;-)

Anyone with some more ideas?

You can probably do this with MODx CMS too. It gives you the ability to export a static html version of your site.

Thanks einsteinsboi - I've played with ModX and liked it, but have never really used it. I didn't realize it had that built in.

It's one of those CMS I'm always thinking I should check out again. Last I looked, it was still in a pre-version 1.0 and was missing some stuff I really wanted, but that was at least a couple of years ago.

>>Drupal is out for security reasons

I let this slide before because I don't want to sound like a shill for Drupal. There are many reasons to avoid Drupal (*complexity* being number one and usability being another). I see Drupal as being more secure than most other options.

One thing to keep in mind with Drupal: since they take security very seriously, they report all known exploits including exploits in all modules, including any third-party modules. That makes it look like there are a high number of alerts, which there are, but that's because they report and monitor things that nobody else does. Wordpress certainly doesn't. You could have an insecure plugin installed for years and have no idea.

Also, you can sign up for their security mailing list, which means you get notified of exploits by email. Again, if WP has such a mailing list, they don't push you to join it like Drupal does.

As for the alerts, 90% of these are for third party modules that I never have and never will use, especially ones that allow complex users to create their own complex relations.

Many of the alerts for modules I do use only apply if you are doing things like giving anonymous users advanced permissions. So in most of the cases where there are known exploits to modules I actually use, my sites are still not subject to the risk in the exploit.

Finally, many of the alerts are zero-day exploits. Because the Drupal community is large and has its roots in a programmer/hacker tradition (in the whitehat sense of hacker), many of the security exploits are patched before they get used in the wild.

In terms of maintenance, it would be nice if Drupal had auto-upgrade capabilities like WP, but one thing I like about Drupal is that you can go to the Available Updates report and it tells you whether or not there is an update to any particular component, and whether or not that update is security related (highlighted in bright pink).

So when you're pressed for time, you can focus just on those updates. Again, you can't say the same of the Wordpress Plugins page or the update notification - it just says update, but doesn't give any indication of whether or not failing to update poses some risk to your site.