Considering starting a site, some questions on the basics, security, etc.

• RebeccaBlack wrote on 2012-05-31 16:29
  Let me start off by saying I have absolutely no idea what I'm doing. I apologize in advance if I say something that seems really dumb.
  
  So I've been thinking about starting a site, but I've got a few questions.
  
  1. Does it matter where I get my domain name? Are there any tricks to the "cheap" hosts that sell you domains for a dollar or two a year for a .com compared to a site like Godaddy that might charge quite a lot more? Or is it all related to the hosting tools/services they give you? Is there anywhere/anything you'd recommend? I'm going to be looking for a standard .com domain name and I suppose pretty basic hosting tools. I'll look into the hosting part myself.
  
  2. I want to make my site as secure as possible. The goal would be to end up with a site that cannot be taken down or messed with by someone who knows what they're doing. I'm not counting denial of service attacks in this because I doubt much can be done about those. What kinda things do I need to look out for? I've heard a bit about SQL injection, but I hardly even know what it is. Besides that, is there anything I really need to worry about? Where can I learn about how to build a very strong and secure site?
  
  3. This is kinda relevant to the second question, but are the emails often provided with these services safe and secure? If the site gets hacked, can the email get compromised along with it?
  
  4. I already know how to embed a Youtube video and get it the way I like it, make sure it autoplays in HD, etc. How would I make a different one load randomly from a playlist (or selected URLs I enter) every time the user refreshes the page? It can't be too difficult.
  
  5. This next one is a little tricky. Is there a way I could have a box pop up only on certain pages (such as after "entering" the site) where a user would get to choose the background of the site with one option and the music that plays with another? It's a little hard to explain, but kinda like how Nexon did this except replace it with options that, when clicked, stores a cookie (like the 'don't show again' button) and change how the site looks. The goal is to provide a more customizable, personalized experience.
  
  6. Can I prevent people from seeing all my directories and stuff? Will a simple redirect stop this? I just don't want all of the content of my site to be easily located. The way I stopped it before was just by making a blank index.html page for every directory.
  
  I am probably going to be making the website 100% from scratch with the exception of possibly installing Wordpress on it to use as a blog, so I'll have a great deal of control over everything that goes into it and the vulnerabilities of foreign code won't be as much of a problem.
  
  I know this is a lot, but I'm having trouble wrapping my head around everything and I just want to turn all these ideas into a reality. If I know what to look for and what to read, it'll all be so much easier for me and will give me peace of mind. The biggest problem is I just don't know where to start.
• Taycat wrote on 2012-05-31 16:33
  I'm kinda curious, what kind of website?
• Yoorah wrote on 2012-05-31 16:36

  Quote from RebeccaBlack;876934:

  I know this is a lot, but I'm having trouble wrapping my head around everything and I just want to turn all these ideas into a reality. If I know what to look for and what to read, it'll all be so much easier for me and will give me peace of mind. The biggest problem is I just don't know where to start.

  
  
  You need to start from the basics and work your way up, first. Answering those questions would be pointless right now. :P
  Here's a decent into: http://code.google.com/edu/submissions/html-css-javascript/
  You'll want to learn PHP and SQL after.
  
  There's also http://www.w3schools.com/, although some purists don't like it.
  
  Also take a look at this: https://developer.mozilla.org/en/Web_Development
• RebeccaBlack wrote on 2012-05-31 16:42

  Quote from Mythical Detective Loki;876938:

  I'm kinda curious, what kind of website?

  
  A general purpose, "do whatever I want" kinda site. It's slightly aimless, but it's primarily going to host videos (well, host as in embedded from Youtube), pictures, store controversial writings that would almost certainly be taken off of blogging services, .swf files, and generally act as a neat little place for me to do my thing freely.
  
  I mean, to be honest, I already did do this in the past, but I had even less of my nonexistent experience and my shitty free host lolselfdestructed after about a year and a half. In search of something a little more proper and official, I'm remaking it (for the third damn time!) and taking it a bit more seriously.
  

  Quote from Yoorah;876942:

  You need to start from the basics and work your way up, first. Answering those questions would be pointless right now. :P
  Here's a decent into: http://code.google.com/edu/submissions/html-css-javascript/
  You'll want to learn PHP and SQL after.
  
  There's also http://www.w3schools.com/, although some purists don't like it.
  
  Also take a look at this: https://developer.mozilla.org/en/Web_Development

  
  Is this absolutely necessarily for security, as in I can't just look things up as I need them? ;__; I'm not going to be doing heavy design or making particularly complex things, really.
• Taycat wrote on 2012-05-31 16:46

  Quote from RebeccaBlack;876948:

  A general purpose, "do whatever I want" kinda site. It's slightly aimless, but it's primarily going to host videos (well, host as in embedded from Youtube), pictures, store controversial writings that would almost certainly be taken off of blogging services, .swf files, and generally act as a neat little place for me to do my thing freely.
  
  I mean, to be honest, I already did do this in the past, but I had even less of my nonexistent experience and my shitty free host lolselfdestructed after about a year and a half. In search of something a little more proper and official, I'm remaking it (for the third damn time!) and taking it a bit more seriously.
  
  Is this absolutely necessarily for security, as in I can't just look things up as I need them? ;__; I'm not going to be doing heavy design or making particularly complex things, really.

  
  
  Wow it sounds pretty interesting. I'd be sure to visit it. I wish you luck in your endeavors.
• RebeccaBlack wrote on 2012-05-31 16:51

  Quote from Mythical Detective Loki;876954:

  Wow it sounds pretty interesting. I'd be sure to visit it. I wish you luck in your endeavors.

  
  Ah, nah, it's just me messing around. It isn't meant to be a serious thing, but rather something enjoyable that acts partly as a miniature storage system and partly as a small, all-in-one area for me to share... well, whatever comes along. It's an experiment, if anything.
  
  And thank you~
• Yoorah wrote on 2012-05-31 17:01
  Those things are just introductory articles and video guides, lol. :( Security problems in sites are caused exactly by the type of web developer who tries to make something just work. If you want to build a secure web application, you need to have a strong base knowledge of web development, at the very least.
  
  And paid hosts will take down "controversial content" the same way blogs will. Unless you host it from some criminal east european company or something.
• Bakuryu wrote on 2012-05-31 17:16
  Use a good CMS if you don't want to be learn too much stuff, you'll still have to learn the CMS, but that's easier.
  
  Also, if you are going to use w3schools, read through this first.
• RebeccaBlack wrote on 2012-05-31 17:50

  Quote from Yoorah;876967:

  Those things are just introductory articles and video guides, lol. :( Security problems in sites are caused exactly by the type of web developer who tries to make something just work. If you want to build a secure web application, you need to have a strong base knowledge of web development, at the very least.
  
  And paid hosts will take down "controversial content" the same way blogs will. Unless you host it from some criminal east european company or something.

  
  I don't mind going through some introductory articles/video guides :P The problem is I thought you meant I had to have a strong understanding of all of them, which obviously extends beyond that starting stuff.
  
  I'm not looking to do anything illegal. Really, I'm not. No piracy, no copyright, nothing that is against the law for me to say, etc.
  
  The problem arose years ago. I knew I was going to have to say things people didn't like, so I carefully picked a major blogging site to basically make sure they'd be cool with it and woke up to see my post disappear. Twice. Without warning, notification or email. It was just gone as if I had deleted it myself and signed off. I got fed up and thought, you know, it's time for me to just take it back to my own place where I don't have to fear things like this. Since, I've grown to quite like the idea of a site.
  
  I'm not even pointlessly being a jerk, I just feel there should be somewhere that I can call people out and give honest opinions on things, you know? But that's only a small part of it all at this point. It might get one tiny section of the site, if that.
  

  Quote from Bakuryu;876983:

  Use a good CMS if you don't want to be learn too much stuff, you'll still have to learn the CMS, but that's easier.
  
  Also, if you are going to use w3schools, read through this first.

  
  Will look into it after I'm done checking out the introductory stuff Yoorah posted.
• Osayidan wrote on 2012-05-31 22:06
  In your situation if what you want is the website and not the whole making it from scratch part, look into wordpress or something like that.
  
  For the domain, the average price for a .com where all you're buying is the .com is around 7 - 10$ per year depending on any specials the registrar might be doing. Might go up to 11 or 12$ if you add something called "whois privacy" which stops people from finding out your personal info by looking up the domain name. I use http://name.com for my domains and have never had an issue.
  
  Usually the only way you'll get a .com for less than the actual value of a .com (verisign is in charge of their pricing and you can't really get one for less than 7$ last I checked, and the registrars need t profit off them so they charge more than the base cost). is by having it bundled with other garbage that you don't want or need.
  
  The domain and wordpress is the easy part.
  
  Finding a web host that doesn't suck huge donkey dick is another issue. Don't bother using their email either, and don't buy your domain with your web host.
  
  Use something like google apps for email this way your email stays away from your web host, is more secure, gets practically zero downtime, and it's free and offers more than 99.99% of webhosts are able to offer for a paid service. It's basically a google account but @ your domain.
  
  I can't really suggest a host though. What you'll want to start with is very cheap, shared hosting (meaning hundreds if not thousands of customers on one server or cluster of servers). I've been using dedicated/virtual servers for too long so I don't know whose good or not anymore. I suggest you use a host that allows you to manage DNS records once you've pointed your domain to them. Any host that doesn't allow you that freedom should go fuck themselves.
• RebeccaBlack wrote on 2012-06-01 08:53
  I had Wordpress on the original site I used in some sections of it, but prefer to keep other pages "normal" and made from scratch. So basically, I'll probably end up with a mixture of both depending on how suitable it is for the situation.
  
  I really appreciate all this help. Will definitely be using name.com. I'm messing around on the site and I like it already. It's cheaper to register some stuff on here than on Godaddy. Thanks for the Google Apps tip as well, I didn't know that kinda stuff existed. The hosting part probably does come down to personal preference/needs <.< I'll do my research on that.
  
  For now, I just woke up and I'm busy reading stuff/playing around with what Yoorah gave me. It's really quite a bit of fun.
• Odin wrote on 2012-06-01 22:53

  Quote from RebeccaBlack;876934:

  1. Does it matter where I get my domain name? Are there any tricks to the "cheap" hosts that sell you domains for a dollar or two a year for a .com compared to a site like Godaddy that might charge quite a lot more? Or is it all related to the hosting tools/services they give you? Is there anywhere/anything you'd recommend? I'm going to be looking for a standard .com domain name and I suppose pretty basic hosting tools. I'll look into the hosting part myself.
  

  
  Not really. Many hosting providers even include a subdomain off of one of theirs free of charge.
  
  Though it is considered a more established or more serious project if you do buy a domain name for it, which shows that you're investing not only your time into building it.
  
  Biggest thing to remember with hosting though is that bigger/cheaper does not imply better, in fact in most cases you will find that cheaper hosting or larger plans for the price are in fact inferior because of higher server loads leading to reliability problems.
  
  

  Quote from RebeccaBlack;876934:

  
  2. I want to make my site as secure as possible. The goal would be to end up with a site that cannot be taken down or messed with by someone who knows what they're doing. I'm not counting denial of service attacks in this because I doubt much can be done about those. What kinda things do I need to look out for? I've heard a bit about SQL injection, but I hardly even know what it is. Besides that, is there anything I really need to worry about? Where can I learn about how to build a very strong and secure site?

  
  SQL injection is nasty. It lets a hacker insert a specifically formed command into a normal user input, causing the server to execute that command to do whatever they like to your site's data. Incidentally such a hack is being used by Mabinogi and Maplestory gold botters now to steal gold and rare items to sell. The solution is to sanitize any and all user input. Most tools automate this by commenting out special characters, effectively breaking SQL injection attacks by invalidating the commands they insert.
  
  Another common attack to beware of is the XSS attack. This takes advantage of certain site structures and insecure file permissions to inject javascript into the site, usually making clients viewing the site do something destructive. Taking care to set the file permissions usually blocks it.
  
  For the most part individual site owners need only worry about those two, and any exploits in any software packages they are using- such as Wordpress and it's regular (but fortunately short-lived) known exploits.
  
  

  Quote from RebeccaBlack;876934:

  
  3. This is kinda relevant to the second question, but are the emails often provided with these services safe and secure? If the site gets hacked, can the email get compromised along with it?

  
  Many hosts don't even offer incoming email with web hosting on free accounts, because of the risk of those same accounts being used for spam generation or illegal activity. Though some do indeed. For the most part if the site gets hacked the email should still be okay, but if the site goes down because the server got hacked you just lost everything.
  
  Make regular backups, although some hosts do generate internal backups you are still responsible for your own data.
  

  Quote from RebeccaBlack;876934:

  
  4. I already know how to embed a Youtube video and get it the way I like it, make sure it autoplays in HD, etc. How would I make a different one load randomly from a playlist (or selected URLs I enter) every time the user refreshes the page? It can't be too difficult.
  
  5. This next one is a little tricky. Is there a way I could have a box pop up only on certain pages (such as after "entering" the site) where a user would get to choose the background of the site with one option and the music that plays with another? It's a little hard to explain, but kinda like how Nexon did this except replace it with options that, when clicked, stores a cookie (like the 'don't show again' button) and change how the site looks. The goal is to provide a more customizable, personalized experience.
  

  
  I would have to look this up, but if it's been done once it surely can be done again.
  
  

  Quote from RebeccaBlack;876934:

  
  6. Can I prevent people from seeing all my directories and stuff? Will a simple redirect stop this? I just don't want all of the content of my site to be easily located. The way I stopped it before was just by making a blank index.html page for every directory.
  

  
  Usually .htaccess can help with this. You also want to properly configure your robots.txt file so that google and the like only sees what you want them to see. It also is sometimes possible to disable the directory index that appears when an empty folder is accessed. I would have to look up how to do that, as it normally is not necessary.
  
  

  Quote from RebeccaBlack;876934:

  
  I am probably going to be making the website 100% from scratch with the exception of possibly installing Wordpress on it to use as a blog, so I'll have a great deal of control over everything that goes into it and the vulnerabilities of foreign code won't be as much of a problem.
  
  I know this is a lot, but I'm having trouble wrapping my head around everything and I just want to turn all these ideas into a reality. If I know what to look for and what to read, it'll all be so much easier for me and will give me peace of mind. The biggest problem is I just don't know where to start.

  
  
  Easiest way to start is jump in. Find a host that offers a small package either for free or for an amount you are comfortable with, upload wordpress, and see what you can do. It's perfectly fine to look things up as you go, although you do take a little more risk security-wise that way you can also avoid that same risk by paying attention to the notes in the documentation. Commands that are know to have security risks usually have notes saying so in the articles about them, along with best practices for use.
  
  Or you could do exactly what you are doing now and talk to people that know a thing or two about it to find out what works and what doesn't. I recommend getting on the IRC, I can answer most of the questions you might have about making websites.
  
  The IRC itself runs on my web hosting servers, I've been in the business for over two years and coding sites even longer than that.
  
  

  Quote from Osayidan;877267:

  I can't really suggest a host though. What you'll want to start with is very cheap, shared hosting (meaning hundreds if not thousands of customers on one server or cluster of servers). I've been using dedicated/virtual servers for too long so I don't know whose good or not anymore. I suggest you use a host that allows you to manage DNS records once you've pointed your domain to them. Any host that doesn't allow you that freedom should go fuck themselves.

  
  
  Hundreds and thousands? I've honestly yet to see a typical small server run stable with more than 100 or so on it. Most I've ever put on a server is like 20, though I am also using rather small servers.
  
  And definately. It's nice to be able to modify the DNS info as needed rather than being chained to their restrictions. Many hosts even let you use an external DNS for your site, though the configuration becomes slightly more complex this way because you have to manually update it should the host's IP change.
• Osayidan wrote on 2012-06-01 23:04

  Quote from Odin;878164:

  It also is sometimes possible to disable the directory index that appears when an empty folder is accessed. I would have to look up how to do that, as it normally is not necessary.
  

  
  
  I think it's Options -Index on the directory for apache.
  or Indexes, one of the two.