I think Carpetsmoker is right where he said that you should not use a piece of software your administrators aren't familiar with. However, your administrators not being familiar with a piece of software should not be the reason for not using a piece of software if it's the best choice for you. Of course, you should give your administrators the time to learn to maintain the software before actually using it. With Hiawatha, I'm very sure that I've made a piece of software that's easy to learn and easy to maintain. I get a lot of positive feedback from many people saying how easy it was for them to learn how to use the software.
Yes, Hiawatha is completely written by me. That could be a bad thing but it can also be a good thing. Give me any two developers and you'll have two different opinions about how to write software. Because Hiawatha is written by one person, its entire code is written in a consistent way. And it's not true that Hiawatha hasn't been audited. Not by a professional company, but in the years that I've been developing Hiawatha, I've had many e-mails from people who claim to be security professionals or software development professionals and who have taken a look at the code. Many came up with only minor findings or change suggestions. Only once, someone found an actual exploitable bug. In the past I've done a lot of pentesting, security auditing and code reviewing myself, so I know what I'm doing. Of course, that's no 100% guarantee for bug-free code, but 14 years of development and only 1 found exploitable bug shows at least that I'm doing things right. Because I claim to have a secure webserver at the Hiawatha website, it receives a lot of hack attempts. 14 years of development and not a single hack or defacement. Of course, my secure PHP framework (http://www.banshee-php.org/) is also responsible for that. But while the whole world was panicking with Heartbleed and Shellshock, Hiawatha users could simply sit back and relax.
With Hiawatha, I don't aim at having a 100% Apache replacement. Hiawatha does not and will never have all the functionality that Apache has. For the main reason that I believe many of Apache's features should not be inside a webserver. I often receive questions from people who want to try Hiawatha and have trouble with converting their Apache configuration to Hiawatha. The amount of shit people have in their Apache configuration. omg... Of course, they are not to blame. It's developers who don't know how to write a proper web application. With Hiawatha I always keep KISS in mind. Keep it Short and Simple. No fancy and complex shit, just be a webserver. Less complexity means less code, less chance for bugs, so less chance for security issues.
If you wonder about Hiawatha's performance capabilities, you are free to test http://www.ikhebniksteverbergen.nl/. It's a Dutch website about privacy I made. It's built with the Banshee framework and has all the speed functionalities in both Hiawatha and Banshee enabled. I'm sure its speed will be more than what you're looking for. And yes, it also has been tested with heavy-load websites (http://www.followgrubby.com/). With several thousand simultaneous connections, the load on the server was low. Mainly due to smart caching by Hiawatha.
NewGuy: "WordPress isn't insecure on its own." I seriously think that's not correct. There have been many vulnerabilities in WordPress itself. But even if there weren't, its code is a complete mess. It has no readable structure inside the code (no MVC) or its directories and files. I've used WordPress before. In my secure web development course that is. To show students how NOT to write code. Look at its code and then look at how I did things in Banshee. I'm not trying to say that Banshee is perfect, but at least it has structure. And with Banshee, I do not only focus on secure code, but also on provably secure code. Not only does Banshee prevent SQL injection attacks, with a few simple steps I can also simply prove that it does prevent SQL injection. The same cannot, and with its current code structure can never, be said for WordPress.