Once you’ve established your needs document, you should take the time to pick the right server set-up. Different sites need different services — but the right hosting package should always offer certain key elements. Hosting is an integral part of good web site performance, so you should pay close attention to what’s offered.
Hosting and Web Serving Expectations
Although a lot of what I discuss here primarily effects you as a developer, there are always corollary issues: the more time you spend dealing with problems, the less time you’re spending making sure everything else is done right. A slow server is frustrating to your users. Catching these problems in advance can save a lot of everybody’s time.
Big hint: the most important issues aren’t bandwidth, disk space, or cost.
Although making sure that your hosting offers sufficient bandwidth, disk space, and doesn’t break the bank is obviously important, it’s more important that you can do everything you need to with your hosting.
- Is your web hosting adaptable? Can you easily change your services as your needs change? It’s not uncommon for a hosting company to only offer a couple of plans — if your site grows, this means you’ll need to change hosts. While this isn’t exactly the end of the world, it’s an inconvenience you shouldn’t need to deal with. If you pick the right host to begin with, you’ll be able to move up the scale as you grow. Give some thought to your need to scale, however – if you’re creating a small website for your local restaurant, it’s unlikely that your site will grow significantly.
- Are there “invisible constraints” imposed on your hosting? This is a nasty one, and can be very difficult avoid — but if you know a few key questions to ask, it can help. Among the problems I’ve seen are limitations on the number of emails sent per hour (50 — impossible for the company of 12 who used this hosting,) server process constraints which caused sites to be abruptly shut off because they exceeded a maximum percentage of processor use, and restrictions on use of server-side programming such as not permitting scripts to send e-mail.
- Do they have current version script or database engines? Is your hosting using older versions of PHP, Perl, or other server side scripting languages? Yes, this may not effect you most of the time. However, when it does you’ll be very frustrated.
- Do they offer URL Rewriting support? One of the main reasons I frequently recommend that my clients use Linux/Apache based hosting is in one word:
.htaccess. Admittedly, there’s a lot more to
.htaccessthan a few redirects and some URL rewriting, but that is an extremely key functionality. With Windows hosting, URL rewriting can be available through ISAPI Rewrite…but it’s along the lines of “pretty much always” with LAMP hosting and “maybe sometimes” with Windows.
- Are databases readily available? Whether it’s MySQL, Posgresql, or anything else, databases are a key element of modern web development practices. If databases aren’t readily available from a hosting company, they shouldn’t be in the running.
- Are their servers snappy? It’s nothing special to offer vast tracts of storage space or gobs of bandwidth. Most of the time, hosting services are gambling that the majority of the 400 sites on a server will only use 10-50 Mb of the 100 Gb of storage they’ve been allowed. Realistically speaking, most sites are very small — hosting companies can easily get away with this. However, no hosting company can get away with slow servers. If you can check the server statistics, that’ll help you know what you’re getting into.
- What’s their backup policy? Does the company offer backup service on your files and databases? How easily available are the backups? How frequent are they? In case of an emergency, how long would it take to restore your website?
- How’s their support? The single most important element from your hosting company. Period. Quick response times, professional attitude from the support team — written messages using full sentences, spoken interactions easy to understand, etc. Good support should completely read your request and respond to what you’ve said, rather than guessing at the problem from the subject line.
If you don’t have a strong foundation for your web site, you’re going to run into some trouble later on. Of course, it’s a regular event to have to work on sites where you had no say in the hosting. Sometimes, that won’t be a problem. You may need to work with an unfamiliar set up, but the hosting itself will be entirely adequate.
Sometimes, it’ll be incredibly frustrating.
Be prepared to discuss changing hosting with your clients — prepare your arguments and know the issues. With truly inadequate hosting services, you might be prevented from doing your job well.
Introducing Web Security
I didn’t mention looking at your host’s security policies and background above. That’s largely because this is an issue that goes well beyond being one of a checklist — this is a core issue for web site best practices.
I also didn’t mention it because there’s little point in asking. No host is going to tell you that they don’t really pay attention to security and have regular problems! Similarly, many hosts won’t tell you any serious details about what they’re doing to protect your security — this is, itself, protection against social hacking; but it could also mean that they don’t know what you’re talking about.
Ultimately, you can’t expect perfect security on any shared server environment to be made available by default. When a hosting company needs to make a generalized environment available which will support a wide variety of software and scripting languages simultaneously, they’re unlikely to be able to lock things down the way you might prefer.
This isn’t to say that you should ignore issues of security when you’re selecting a web hosting company — by all means, find out whatever you can! Look for reports of security violations; complaints from customers who’ve been hacked, etc. It’s good to know. However, more important is knowing what you can do to increase the security of the server for your own use.
- Can you use
php.ini(or equivalent) to customize settings? If a host doesn’t permit you to change their default settings on an account specific basis, that’s not a particularly good sign. You should check and make sure that their reason isn’t because they’ve already maxed the security and they don’t want anybody weakening their protection; but it’s always helpful to be able to customize your needs.
- Can you restrict access to administrative pages? It’s frequently a good idea to restrict access to admin areas fairly stringently. Personally, I usually restrict by IP — only people at the client’s office or home (whatever’s relevant) have access to the administrative areas at all. This can help crack down on problems.
- Can you see other user’s accounts? This is an ugly one. Logging into an account and seeing other user accounts means just one thing: they can see yours. This hosting service is obviously not separating accounts appropriately.
- Is SSL encryption available? Not every hosting service supports SSL. If you don’t have the option for secure sockets layers, e-commerce is out of the question right away. Even if you don’t think you’ll need it, you might want to avoid any service where it’s not even an option.
A significant part of web site security is related to the scripts and software you install on your site (which will be addressed later); but even before you’ve put a file on the server, there’s potential for security problems. It’s worthwhile to take a close look at potential security problems before getting too far into a project. Hardening your security may not be a priority now, but if you don’t even have these basic options you’re walking into trouble.