A Legacy Site with Hidden Risks
michaelpierce.com had been running for years on aging PHP scripts with no security hardening. What looked like a functioning personal site was actually a collection of vulnerabilities waiting to be exploited.
The legacy codebase had zero HTTP security headers — no Content-Security-Policy, no HSTS, no X-Frame-Options. Directory listing was enabled, exposing the full file structure to anyone who knew where to look. Sensitive backup files (.old, .bak, .sql) were publicly accessible. Private photo content was protected by nothing more than obscure URLs — no authentication, no session management, no access control of any kind.
PHP scripts lacked input validation and output encoding, opening the door to injection attacks. There was no CSRF protection on forms, no rate limiting on login attempts, and server information was freely disclosed in response headers. The site had no sitemap, no structured metadata, and no SEO optimization. It needed more than a refresh — it needed a complete rebuild from the ground up.
Vibe-Coding: Complete Rebuild in a Single Day
MDPSync's vibe-coding methodology turned a security liability into a hardened, modern portfolio — every file replaced, every vulnerability eliminated — in one day.
This wasn't a patch job. A senior architect directed Claude AI through a systematic, phased rebuild: first a clean dark sci-fi landing page with animated hero, then a complete security audit that stripped every insecure script, followed by a full gallery system with public and private tiers, authentication with bcrypt and rate limiting, SEO-friendly URLs, and finally a comprehensive hardening pass that added 8 HTTP security headers and locked down the entire Apache configuration.
Twelve commits tell the story — each one a distinct phase of work, from the initial landing page through the final SEO improvements. Every line was architected by a human who understands what production-grade security means, then executed at AI velocity.
✕ Issues Found
- ✕Plain-text database passwords in PHP files
- ✕Unrestricted shell command execution
- ✕phpinfo() exposed with no authentication
- ✕Google Analytics tracking with no privacy policy
- ✕Table-based layout, Comic Sans typography
- ✕No responsive design (broken on mobile)
- ✕No HTTPS enforcement
- ✕No SEO metadata, sitemap, or structured data
- ✕Scattered legacy files across 20+ directories
- ✕No security headers (CSP, HSTS, X-Frame)
✓ Improvements
- ✓Dark sci-fi theme with animated RV landing
- ✓All insecure scripts and credentials removed
- ✓7 public photo galleries with lightbox viewer
- ✓Password-protected private family gallery
- ✓Full SEO: sitemap, llms.txt, canonical URLs
- ✓Security headers (CSP, HSTS, X-Frame-Options)
- ✓Responsive design — mobile, tablet, desktop
- ✓PHP login rate limiting (brute-force protection)
- ✓3 legacy articles converted to modern HTML
- ✓Clean codebase — zero exposed credentials
A Secure, Modern Portfolio
Photo Gallery System
7 public galleries with cover photos, masonry grid layout, vanilla JavaScript lightbox, keyboard navigation, and dynamic photo counts
Private Galleries
Bcrypt-authenticated private galleries for personal and family content with separate login flows, file-based sessions, and rate-limited access
Security Hardening
8 HTTP security headers including CSP, HSTS, and X-Frame-Options. Blocked sensitive file types, disabled directory listing, and locked down Apache
SEO Foundation
Canonical URLs, XML sitemap, robots.txt, llms.txt for AI crawlers, structured metadata, and SEO-friendly gallery slugs via mod_rewrite
Dark Sci-Fi Design
Animated star field hero, typing effect subtitle, RV animation strip, glowing dividers, and a fully responsive dark theme — 1,970 lines of hand-crafted CSS
Authenticated Image Serving
PHP image proxy that serves private gallery photos exclusively through validated sessions — no direct URL access, no hotlinking, no bypassing auth
See It in Action
Photo Galleries
Seven public galleries spanning historical photography, automotive collections, and behind-the-scenes moments. Each gallery card shows a real cover photo, title, description, and dynamic photo count pulled from the server at render time. The gallery index is built with PHP and styled with a responsive grid that adapts from a 3-column desktop layout to a single-column mobile view.
Gallery Viewer
Each gallery opens with its original story text — the context behind the photos, written by the photographer. Below, a masonry-style thumbnail grid displays every photo in the collection. Clicking any thumbnail opens a full-screen lightbox built in vanilla JavaScript with keyboard navigation, swipe support, and smooth transitions. SEO-friendly URLs like /gallery/nyc/ are powered by Apache mod_rewrite rules.
Personal Landing Page
The homepage opens with an animated star field and a bold title rendered in a custom monospace font with glowing brackets. A typing effect cycles through roles — Father, Tech Entrepreneur, Photographer, World Traveler — while an SVG RV animation drives across the bottom of the viewport. Below the fold, the bio section and gallery grid preview invite exploration. The entire landing experience is built with vanilla JavaScript — zero dependencies, zero frameworks.
Security Hardening
Every security vulnerability in the legacy site was identified and eliminated. Here's what changed.
| Area | Before | After |
|---|---|---|
| HTTP Security Headers | 0 headers | 8 headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options, XSS-Protection, Referrer-Policy, Permissions-Policy, X-Permitted-Cross-Domain-Policies) |
| Authentication | None | Bcrypt hashes + file-based sessions |
| Login Protection | None | Rate limiting — 5 attempts per 5 minutes per IP |
| Directory Listing | Enabled | Disabled (Options -Indexes) |
| Sensitive Files | Publicly accessible | Blocked (.old, .bak, .sql, .cfg, .ini, .log) |
| Private Content | URL-guessable | Session-authenticated image proxy |
| Output Encoding | None | htmlspecialchars() on all output |
| CSRF Protection | None | Token-based form validation |
Technology Stack
Frontend
Backend & Security
Zero Dependencies, Zero Frameworks
Every line of JavaScript on michaelpierce.com is vanilla — no jQuery, no React, no build tools. The star field animation, typing effect, lightbox viewer, and keyboard navigation are all hand-written. The CSS is 1,970 lines of custom styles with no framework underneath. The PHP backend uses no Composer packages, no ORM, no routing library. The result is a site that loads instantly, has zero supply-chain risk, and can be understood by reading the source files directly.
The Vibe-Coding Advantage
A complete site rebuild — new design, new codebase, full security hardening, gallery system with 400+ photos, and SEO foundation — delivered in a single day. No compromises on quality, security, or craftsmanship.
Complete Rewrite
Every file replaced, every vulnerability eliminated. Not patching old code — building new from the ground up with security as a first-class requirement.
Security-First
8 HTTP security headers, authenticated image serving, rate-limited login, CSRF tokens, and blocked file types — all built in from day one, not bolted on later.
One Day, One Team
Senior architect + AI. No coordination overhead, no handoffs, no waiting. Twelve commits from first line to final deployment — all in a single working session.
What This Would Cost the Traditional Way
Rebuilding a personal portfolio site with this level of security hardening, gallery functionality, and custom design would typically require a freelance developer or small agency working over 2–4 weeks. Between the security audit, custom PHP development, gallery system, authentication flows, SEO setup, and design work, you'd be looking at separate specialists or a full-stack developer billing for significant hours.
At market rates for security-conscious PHP development, that's $5,000 to $15,000 — and that's before factoring in the back-and-forth on design iterations, scope changes, and the inevitable delays that come with traditional project timelines.
Vibe-coding delivered the same result — one architect, one AI, one day. This is the future of software development.
Ready to Build Something Extraordinary?
Let MDPSync bring your vision to life with vibe-coding. From concept to production in record time.