Best Practices in Web Development: Part 2

August 27, 2008

Topics: Web Development.

  • Part 1 (Contracts, Site Requirements, Information Architecture)
  • Part 2 (Hosting and Security)
  • Part 3 (Navigation, Scent)
  • Part 4 (Semantics, Structure vs. Design, Universal design)
  • Part 5 (Interaction, Errors, and Administration)

Once you’ve established your needs document, you should take the time to pick the right server set-up. Different sites need different services — but the right hosting package should always offer certain key elements. Hosting is an integral part of good web site performance, so you should pay close attention to what’s offered.

Hosting and Web Serving Expectations

Although a lot of what I discuss here primarily affects you as a developer, there are always corollary issues: the more time you spend dealing with problems, the less time you’re spending making sure everything else is done right. A slow server is frustrating to your users. Catching these problems in advance can save a lot of everybody’s time.

Big hint: the most important issues aren’t bandwidth, disk space, or cost.

Although making sure that your hosting offers sufficient bandwidth, disk space, and doesn’t break the bank is obviously important, it’s more important that you can do everything you need to with your hosting.

  1. Is your web hosting adaptable? Can you easily change your services as your needs change? It’s not uncommon for a hosting company to only offer a couple of plans — if your site grows, this means you’ll need to change hosts. While this isn’t exactly the end of the world, it’s an inconvenience you shouldn’t need to deal with. If you pick the right host to begin with, you’ll be able to move up the scale as you grow. Give some thought to your need to scale, however – if you’re creating a small website for your local restaurant, it’s unlikely that your site will grow significantly.
  2. Are there “invisible constraints” imposed on your hosting? This is a nasty one, and can be very difficult to avoid — but if you know a few key questions to ask, it can help. Among the problems I’ve seen are limitations on the number of emails sent per hour (50 — impossible for the company of 12 who used this hosting), server process constraints which caused sites to be abruptly shut off because they exceeded a maximum percentage of processor use, and restrictions on use of server-side programming such as not permitting scripts to send e-mail.
  3. Do they have current versions of scripting languages and database engines? Is your hosting using older versions of PHP (Hypertext Preprocessor), Perl, or other server-side scripting languages? Yes, this may not affect you most of the time. However, when it does you’ll be very frustrated.
  4. Do they offer URL (Uniform Resource Locator) Rewriting support? One of the main reasons I frequently recommend that my clients use Linux/Apache based hosting is in one word: .htaccess. Admittedly, there’s a lot more to .htaccess than a few redirects and some URL rewriting, but that is an extremely key functionality. With Windows hosting, URL rewriting can be available through ISAPI Rewrite…but it’s along the lines of “pretty much always” with LAMP hosting and “maybe sometimes” with Windows.
  5. Are databases readily available? Whether it’s MySQL, PostgreSQL, or anything else, databases are a key element of modern web development practices. If databases aren’t readily available from a hosting company, they shouldn’t be in the running.
  6. Are their servers snappy? It’s nothing special to offer vast tracts of storage space or gobs of bandwidth. Most of the time, hosting services are gambling that the majority of the 400 sites on a server will only use 10-50 Mb of the 100 Gb of storage they’ve been allowed. Realistically speaking, most sites are very small — hosting companies can easily get away with this. However, no hosting company can get away with slow servers. If you can check the server statistics, that’ll help you know what you’re getting into.
  7. What’s their backup policy? Does the company offer backup service on your files and databases? How easily available are the backups? How frequent are they? In case of an emergency, how long would it take to restore your website?
  8. How’s their support? The single most important element from your hosting company. Period. Quick response times, professional attitude from the support team — written messages using full sentences, spoken interactions easy to understand, etc. Good support should completely read your request and respond to what you’ve said, rather than guessing at the problem from the subject line.

If you don’t have a strong foundation for your web site, you’re going to run into some trouble later on. Of course, it’s a regular event to have to work on sites where you had no say in the hosting. Sometimes, that won’t be a problem. You may need to work with an unfamiliar set up, but the hosting itself will be entirely adequate.

Sometimes, it’ll be incredibly frustrating.

Be prepared to discuss changing hosting with your clients — prepare your arguments and know the issues. With truly inadequate hosting services, you might be prevented from doing your job well.

Introducing Web Security

I didn’t mention looking at your host’s security policies and background above. That’s largely because this is an issue that goes well beyond being one of a checklist — this is a core issue for web site best practices.

I also didn’t mention it because there’s little point in asking. No host is going to tell you that they don’t really pay attention to security and have regular problems! Similarly, many hosts won’t tell you any serious details about what they’re doing to protect your security — this is, itself, protection against social hacking; but it could also mean that they don’t know what you’re talking about.

Ultimately, you can’t expect any shared server environment to offer perfect security by default. When a hosting company needs to make a generalized environment available which will support a wide variety of software and scripting languages simultaneously, they’re unlikely to be able to lock things down the way you might prefer.

This isn’t to say that you should ignore issues of security when you’re selecting a web hosting company — by all means, find out whatever you can! Look for reports of security violations; complaints from customers who’ve been hacked, etc. It’s good to know. However, more important is knowing what you can do to increase the security of the server for your own use.

  1. Can you use php.ini (or equivalent) to customize settings? If a host doesn’t permit you to change their default settings on an account-specific basis, that’s not a particularly good sign. You should check and make sure that their reason isn’t because they’ve already maxed the security and they don’t want anybody weakening their protection; but it’s always helpful to be able to customize settings to your needs.
  2. Can you restrict access to administrative pages? It’s frequently a good idea to restrict access to admin areas fairly stringently. Personally, I usually restrict by IP (Internet Protocol) — only people at the client’s office or home (whatever’s relevant) have access to the administrative areas at all. This can help crack down on problems.
  3. Can you see other users’ accounts? This is an ugly one. Logging into an account and seeing other user accounts means just one thing: they can see yours. This hosting service is obviously not separating accounts appropriately.
  4. Is SSL (Secure Sockets Layer, a security protocol) encryption available? Not every hosting service supports SSL. If you don’t have the option for SSL, e-commerce is out of the question right away. Even if you don’t think you’ll need it, you might want to avoid any service where it’s not even an option.
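
As an added illustration of items 2 and 4 (not part of the original post), this is what restricting an admin area by IP and forcing it onto SSL can look like in .htaccess. The /admin/ location, the addresses (documentation ranges) and www.example.com are placeholders, and it assumes the host lets .htaccess override access control and rewriting.

```apache
# .htaccess for the admin directory (assumed location: /admin/.htaccess).
# Constructed values: 203.0.113.0/24 stands in for the client's office range,
# 198.51.100.7 for a home address, www.example.com for the site's hostname.

# Weak starting point: no rules here at all, so the admin login form is
# reachable from any address and the application password is the only barrier.

# Apache 2.4: allow only the listed addresses; everyone else gets 403.
<IfModule mod_authz_core.c>
    <RequireAny>
        Require ip 203.0.113.0/24
        Require ip 198.51.100.7
    </RequireAny>
</IfModule>

# Apache 2.2 (no mod_authz_core): the same allowlist in the older syntax.
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    Allow from 203.0.113.0/24
    Allow from 198.51.100.7
</IfModule>

# Send any plain-HTTP request for the admin area to HTTPS, so credentials
# and session cookies are not sent in the clear. The hostname is written out
# rather than taken from the request's Host header.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://www.example.com%{REQUEST_URI} [R=301,L]
</IfModule>
```

If the site sits behind a reverse proxy or CDN, Apache sees the proxy's address rather than the visitor's, so the allowlist only works once the real client address is restored (for example with mod_remoteip). A request from an unlisted address should return 403 for every URL under the admin directory, which is worth confirming from an outside connection after deploying.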

A significant part of web site security is related to the scripts and software you install on your site (which will be addressed later); but even before you’ve put a file on the server, there’s potential for security problems. It’s worthwhile to take a close look at potential security problems before getting too far into a project. Hardening your security may not be a priority now, but if you don’t even have these basic options you’re walking into trouble.

Web Development Best Practices: Part 3 (published on Friday, August 29th) covers navigation design, scent of information, and canonicalization.

7 Comments on “Best Practices in Web Development: Part 2”

  1. Great article you have here. I want to agree with everything you stated especially the support part. This can make or mar one’s site. Personally I don’t go for hosts without live support. That’s just me.

  2. I have been reading your articles and find them very informative, even after 14 years of developing websites myself and running a full service hosting company. Many of the clients do not realize what a good level of support is and how good reliability translates into their websites being successful.

    Being developers ourselves gives us the ability to understand and aid in trouble shooting with other developers, which is the bulk of our customer base. But it is a challenge to compete with less forward thinking hosting companies which offer 3.95 hosting and no phone contact at all.

    In regards to uptime, although it can be addressed by reliable hardware, it is much more important to look at the carriers used and redundancy. It should almost be a given that a responsible hosting company would have the users setup properly and be paying attention to security in these times. Keep up the good work with the articles, I think our entire industry can benefit from articles like these.

    Carmen Santora

  3. Thanks, Chi! Uptime is something I didn’t really touch on — although it’s probably fairly closely related to having generally robust servers!

    I’ve been in situations where I could see others’ accounts as well — that’s just wrong!

  4. Good solid post on hosting. I have to admit, the only things I’ve worried about was mostly bandwidth and uptime and I’ve been creating sites for over 10 years. After finding my current host, you touch on a lot of topics I’ve learned about a good host. Updated mysql and patches for php programs, quick response to hacks, attentive support, etc… One time I was able to see other people’s accounts – scary.

  5. It’s a major issue — one of those points where you can’t fix the problem without changing servers, no matter how hard you work. Scripts will be slow, downloads will be slow, page loads will be slow…even with lean and refined file sizes. Good thing to avoid!

    Dedicated hosting is definitely a good way to provide more control over issues.

  6. Are their servers snappy?
    {Realistically speaking, most sites are very small — hosting companies can easily get away with this. However, no hosting company can get away with slow servers. If you can check the server statistics, that’ll help you know what you’re getting into.}

    This was one of my biggest concerns when I would recommend clients who I’ve recently developed a website. While we optimize pages for load efficiency a slow loading server is a slow loading server there’s nothing to do about that besides change hosting providers. To circumvent this issue I now have my own dedicated hosting for my clients : ).. All in all make sure you check up on the server stats.