Creating a Website for Your Small Business or Organization

Creating a website for a small business is quite manageable for moderately technical business owners, but many will want to contract out many or all of the set-up tasks. The article that follows provides instructions on how to set up a site; you can use this to develop your site or as the template for a statement of work with your website development firm.

The article discusses the following steps:

  1. Choosing a Domain Name
  2. Purchasing Your Domain Name and Choosing a Web Hosting Provider
  3. Defining Requirements and Choosing a Content Management System (CMS)
  4. Choosing a Web Hosting Provider and Plan
  5. Installing Plugins
  6. Creating Content
  7. Setting Up Domain Name Services (DNS)
  8. Obtaining a Secure Sockets Layer (SSL) Certificate
  9. Installing an SSL Certificate
  10. Setting up Search Engine Optimization
  11. Installing a Favicon
  12. Installing Apple-specific Icons

Choosing a Domain Name

Selecting a domain name can be one of the most time consuming steps in the process; most of the good short domain names in the .com and .org namespaces are already taken. In many cases, the choice of a domain name is inextricably tied to the name of the company. There are many web sites that allow you to search for available domain names, but some of them will register an available domain name while you are searching, and will then charge you to purchase it, so first do a search on the reputation on the various web sites available for choosing a domain name.

Purchasing Your Domain Name and Choosing a Web Hosting Provider

Once you have decided upon a domain name, you must purchase it from a domain name registrar. Most registrars also offer web hosting services and most web hosting firms will handle the domain registration for you. Using the same firm as the registrar and hosting firm offers convenience, but if you have problems with the hosting aspect of the relationship, it may be more difficult to move your site to another hosting firm.

Although it is cheaper to sign up for a one year contract, for a first site, it is better to go month-to-month so that you can change hosting firms easily in the event that you encounter support problems with the vendor.

Talk to friends that host web services and find out what their experience has been with their domain name registrar. If you want to see what registrar is used for a site that you respect, Domain Tools will do basic lookup of domain registration information.

There are dozens of registrars/hosting firms. I spoke to a number of colleagues who manage various commercial and organizational web sites and came up with the following list. There are many hosting firms and prices vary widely, so shop around and look for promotions.

  • Network Solutions provides one-stop-shopping for registrar and hosting.
  • GoDaddy provides one stop shopping for registrar and hosting.
  • iPage is a smaller and less expensive provider with somewhat less extensive services than Network Solutions and GoDaddy.
  • Firehost is oriented to high security environments and is relatively expensive.
  • Host Gator is a large hosting firm similar to iPage.
  • Verio is a large hosting firm similar to Go Daddy and Network Solutions.
  • Zyon is a small and less expensive hosting firm similar to iPage.
  • Sprocket Networks is a medium sized firm that is oriented to unusual and highly customized needs.

If you are setting up a web site for a volunteer organization that is part of an "umbrella" organization, you may be able to get hosting services through the umbrella organization. Toastmasters International clubs can host sites on Freetoast Host free of charge, although the club will have to purchase a domain name separately if the club does not want to use the default club number domain (eg 2364.toastmastersclubs.org) provided by Freetoast.

Defining Requirements and Choosing a Content Management System (CMS)

The vast majority of small websites and most large web sites are built upon a content management system (CMS). Although there are many, the most popular are Wordpress, Joomla, and Drupal, in order of decreasing popularity and increasing capability and complexity. All three are open source, are written in PHP and use cascading style sheets (CSS).

Before choosing a CMS, make a list of your major requirements and look for plugins for each CMS to accomplish the goals for your site. Table 1 provides a template that you might use as a starting place for gathering requirements for your web site and choosing the content management system.

Wordpress

Wordpress is the CMS used by the wordpress.com blog hosting site. It was developed primarily as a blog hosting CMS, but has a number of e-commerce plugins that allow it to be used in more business oriented environments.

Joomla

Joomla has a reputation as being somewhat more complex than Wordpress but for having a wider variety of plug-ins to allow a more complex web site. That may or may not be true at this point.

This site was implemented in Joomla.

Drupal

Drupal has a reputation as being somewhat more complex and somewhat more capable than Wordpress and Joomla. It may have the most robust version control capability. It is oriented to larger web sites with custom development projects.

Table 1: Requirements for selecting a content management system.
  Wordpress Joomla Drupal
Easy implementation of SSL (HTTPS) Builtin Builtin  
Structured Data/microdata Several extensions Some capability built in 3.3. Several extensions  
Google Author structured data Several extensions Several extensions.  
Multiple domains with different look and feel on one web site Builtin, but non-trivial configuration. Several extensions.  
Language support and translations      
Version control Several extensions Several extensions. Not a strong point.  
Authentication
  • Password
  • Google
  • Facebook
  • LinkedIn
  • Twitter
  • SSL certificate
  • Two factor
Several extensions Password and Google, and Google two-factor built in. Several extensions  
User management
  • Groups
  • Different menus or templates depending upon group
Several extensions Users and groups built in. Different menus based upon logged in user. Several extensions.  
Web application firewall
  • Geographic IP blocking
  • Log template switching, SQL injection and other security exceptions
  • Securing file permissions
  • Generating an .htaccess file with secure settings
NinjaFirewall Akeeba Admin Tools  
Backup and Recovery Google "wordpress backup" for instructions and extensions. Akeeba Backup  
Photo albums Several extensions Several extensions  
Contact Management      
Mapping Several extensions Several extensions  
Calendar capability
  • Integration with Google Calendar
  • Generate .ics files
Several extensions Several extensions  
Suitability for mobile browsers Extensive capabilities. Some capability built in. Several extensions.  
Template or theme with attractive design for your needs Many developers. Google/Bing "wordpress themes" Many developers. Google/Bing "joomla templates" Many developers. Google/Bing "drupal templates themes"
Performance
  • Page caching
  • HTML compression
  • Combine JavaScript
  • Combine CSS
  • Minify JavaScript
  • Minify CSS
  • Compress .png files
Several extensions Several extenstions  
Shopping cart Several extensions Several extenstions  
Reservations Several extensions Several extensions  
Sports Scoring Several extensions Several extensions  

Choosing a Web Hosting Provider and Plan

Many small businesses purchase the domain name from the same firm that hosts their web site. It makes sense to see what promotions for either web hosting or domain name rental are running at any particular time. Most hosting firms use one of the major CMS offerings by default. It will be easier if the hosting firm that you use offers the CMS that you plan to use. There are three major types of hosting plans from least expensive to most expensive:

  • Web server only (about $10/month)
  • Virtual private server (VPS, about $30/month)
  • Physical server (about $50/month)

Unless you have unusual software needs or high traffic, the domain only service is probably sufficient in all ways but may present some problems for email. A hosting service may operate a hundred domains on a single server; if one of those domains is used for spam, the spam email blacklisting services will blacklist the IP address–not the domain, and email from your domain will be blocked as well as the spam originating domain. This can present a problem even for forwarding email; a volunteer group where I’m an officer has forwarding addresses for officers that won’t forward to Verizon email accounts because the server where our domain is hosted has been blacklisted for another domain that is hosted there.

VPS and physical servers can encounter some email blocking problems as well. Many email systems do reverse domain name service (rDNS) on email, expecting something like mail.domain.com. If the rDNS returns cpanel.domain.com the email that you send may be blocked. In this case you can probably get it unblocked with an email to the receiver’s email administration.

For VPS and physical server installations, most services will offer Web Hosting Manager/Cpanel for an additional fee. These provide a web-based administration interface that simplifies many administration tasks and are well worth it.

Installing Plugins

Once you have the credentials to log in to your web hosting account and the CMS is installed it is time to install plugins to provide the capabilities that you identified in the Defining Requirements and Choosing a Content Management System (CMS) section.

Because this site was developed with Joomla, the discussion about plugins that follows is done in Joomla, but the general approach will apply to all three CMS offerings. Generally speaking, each of the tools will offer these basic capabilities.

Templates and Themes

The template determines how the site looks, menu placement and provides some capabilities. It is possible to change the template or theme after building the site, but it is best to start out with a template that you like.

Administrative Tools

Although administrator tools are not required, the free and low-cost administrative and backup tools from Akeeba are well worth the money. The most important functions are the

  • Web application firewall which traps a number of different types of attacks
  • Generator for .htaccess
  • Secure file permissions

Google Authorship Tools

If you blog on other sites or have users or employees who blog on other sites, you should investigate setting up Google Author linking as a way to improve your ranking in web searches. In setting up authorship tools, it may be necessary to change the loading order so that the authorship tools appear before any tools that implement performance measures like combining, minifying and compressing JavaScript and CSS. Authorship Markup is one of the tools that implements Google Authorship.

Structured Data

Structured data tells search engines like Google and Bing how to identify things like your business hours, location and name. In some cases this is built into the CMS, and in other cases it requires a plugin.

Site Analytics

Site analytics are important for figuring out how your site is being used. Your CMS will give you hit counts for each article, but it won't tell you what geographic location the hits are coming from, or which search terms are being used to access the site. For these capabilities, you will need to use a site analytics provider. There are many, but Google Analytics is probably the largest, since it is free. Some options will require specific clauses in a privacy policy on your web site.

Caching and Performance

With the basic features available in Joomla, this website gets about a 50 (red) out of 100 rating from the Google pagespeed analyzer. By turning on the the JavaScript combining capability in Akeeba admin tools, the page speed rises to about 75 (yellow). With the additional performance capabilities in the Jbetolo plug-in, the page speed rises to about 85 (green). Configuring Jbetolo is not simple, as the order of the Google Authorship and site analytics plugins must be changed in order for everything to work. Generally, they have to load ahead of the performance plugin.

Adding Features

If you need reservations, sports scoring or other capabilities, install the plug-ins for those capabilities as well.

Creating Content

All of the previous steps sound long and complicated, but implementing these steps is relatively quick. While the write-up for this step is short, it is by far the most time-consuming part of the site development process. You will need to write articles about the people in your company, directions, maps, and appropriate subject matter. You should create graphics or photos as appropriate.

In all cases, make sure to give each article a good description and good keyword values. The search engines will probably use the description as the synopsis for the page in search results, so spend some time writing good descriptions. Similarly, make sure to provide a good description of each image in the alt tag for the image, as the search engines will use this to index the image.

Setting Up Domain Name Services (DNS)

When you are ready for your site to go live, it is time to set up the domain name services (DNS). If you purchased domain registration and web hosting from the same firm, this is probably already done, and you can skip to the next step. If you used different firms, you will need to log on to your account at the domain registrar's web site and enter the name of the domain name server at your hosting firm. If you are parking additional domains on your web site, you will need to log on to the Web Hosting Manager software at your web site or have technical support do this for you. In WHM, use the DNS Functions->Park a Domain dialog as shown in Figure 1.

Figure 1: Screen capture of DNS park a domain dialog in Web Hosting Manager (WHM)
Screen capture of DNS park a domain dialog in Web Hosting Manager (WHM)

Obtaining a Secure Sockets Layer (SSL) Certificate

Although most web sites still run un-encrypted HTTP, most large firms are forcing all of their traffic to use the encrypted HTTPS protocol--Google is probably the most conspicuous firm to do this. You should go to the trouble to do this, as it makes it much harder for criminals to implement a man-in-the-middle attack on your customers. If you expect mobile users and especially users who will access your site using public Wifi, you really, really should go to the trouble to implement HTTPS. There are Certificate Authorities (CA) that will issue a free low-verification certificate that is sufficient for the needs of volunteer organizations.

Certificate Types

SSL certificates are used for both encryption to secure communications and trust to verify that you are looking at the website of the real business and not an imposter. Originally, certificates were issued as Class 1 and Class 2, but that has been superceded by Domain Validation (old Class 1), Organizational Validation (old Class 2), and Extended Validation (more rigorous than old Class 2).

If you are running a web site that does not do transactions, a Domain Validation certificate is probably sufficient for your needs.

If you are doing E-commerce or allowing logins, you should get an Organizational or Extended Validation certificate. In these certificates, the CA will check drivers licenses, passports, company incorporation documents, banking records and other items to verify that you are who you say you are and that you are not a cybercriminal. Make sure that the addresses and phone numbers on your domain registration match the incorporation and drivers license/passport documents; you pay for the application for the certificate, not for the issuance of a certificate. If your doc is not in order, they won't give you the certificate and you may have to pay for a new verification of documents.

The certificate authorities offer a variety of features and packages, so if you have multiple domain names, multiple servers and multiple applications like web, email, and a web application server, it makes sense to carefully analyze your requirements and shop around. Some extended valuation certifications may have free features that justify the cost even though you might not otherwise want to pay for an EV certificate. Table 2 below gives a summary of the validation levels and some of the common features that are included in the different offerings from certificate authorities. Generally speaking, certificates in the upper left corner of the table are the least expensive, and certificates get more expensive as you move down and to the right in the table; certificates in the lower right of the table are the most expensive.

Table 2: Types of validation and common features for SSL certificates issued by Certificate Authorities.
Validation Single Domain Multiple Domain Multiple Domain Wildcard Unified Communications
Only valid for one domain name, i.e. www.domain.com. If used to secure both website and email as handled in a typical web hosting package, will have to point email to "www.domain.com" instead of "mail.email.com" and set up appropriate aliases in configuration. Would allow same certificate for www.domain.com and mail.domain.com. All domains must be known and listed at time of issuance. Would allow same certificate for www.domain.com and mail.domain.com. Could add a domain after issuance of certificate.

Will not support multiple levels like mail.division.domain.com.

Would allow same certificate for www.domain.com, mail.domain.com, and in addition multiple levels like mail.division.domain.com.
Domain Validation (Old Class 1) Low cost or free. Verification limited to determining if applicant is the webmaster for the domain.

Appropriate for small business and organization web sites that don't do transactions. Gives lock icon shown in Figure 2.

Commonly offered. Inexpensive choice for organizations that don't do transactions. StartSSL offers free one year certificate. Technically possible, but not commonly offered. Technically possible, but not commonly offered. Technically possible, but not commonly offered.
Organizational Validation (Old Class 2) Moderate cost, significant documentation required.

Appropriate for small businesses that do transactions, but lower value and volume. Gives lock icon shown in Figure 2.

Commonly issued. Commonly issued. May be a free feature with some certificate authorities. Commonly issued. Usually an additional cost. Not commonly offered.
Extended Validation (more rigorous than Old Class 2) High cost. Extensive documentation required.

Appropriate for businesses that do transactions of high value or high volume. Gives lock and green bar icon shown in Figure 3.

Commonly a free feature of Extended Validation certificate. Commonly a free feature of Extended Validation certificate. Sometimes a free feature of Extended Validation certificate. Usually used by enterprises that are using Microsoft Exchange for email.
Figure 2: Screen capture of www.google.com showing the lock icon in the browser bar that indicates an SSL connection but not an Extended Validation certificate.
Screen capture of www.google.com showing the lock icon in the browser bar that indicates an SSL connection but not an Extended Validation certificate.
Figure 3: Screen capture of www.frostbank.com showing the green lock indicating an Extended Validation certificate. Also shows the icon indicating that the Adobe Flash plugin is being used.
Screen capture of www.frostbank.com showing the green lock indicating an Extended Validation certificate. Also shows the icon indicating that the Adobe Flash plugin is being used.

Certificate Authorities

There are numerous Certificate Authorities. The Table 3 below is not a complete list, but includes some of the major CAs

Table 2: Selected certificate authorities.
Certificate Authority Web Address Comments
StartSSL https://www.startssl.com/ Offers free 1-year Class 1 Certificate. This is good for encryption and is reasonable for a web site that does not do the payment transactions. They also offer Class 2 Extended Validation Certificates.
Comodo http://www.comodo.com/ Offers free 90-day certificate; paid after 90 days.
Go Daddy http://www.godaddy.com/ssl/ssl-certificates.aspx Go Daddy offers one stop shopping for domain registration, web hosting and SSL certificates.
Symantec (Thawte, Verisign, Geotrust) http://www.symantec.com/verisign/ssl-certificates Offers features necessary for large institutions, but not necessarily useful for small businesses.

Installing an SSL Certificate

The following tutorial is for using Web Host Manager assuming that you are not using the certificate vendor associated with your hosting company. For other environments the procedure will be different.

  1. Generate a certificate signing request (CSR) via SSL/TLS->Generate a Certificate Signing Request as shown in Figure 4.
  2. You will need a CSR for your web domain and potentially for email and FTP servers.

    • www.yourdomain.com
    • Optionally, mail.yourdomain.com
    • Optionally, imap.yourdomain.com
    • Optionally, ftp.yourdomain.com
    Figure 4. Screen capture of the Certificate Signing Request screen in Web Hosting Manager.
    Screen capture of the Certificate Signing Request screen in Web Hosting Manager
  3. Send the certificate signing request to the certificate authority.
  4. Install the web site certificate via SSL/TLS->Install an SSL Certificate on a domain as shown in Figure 5.
  5. Figure 5. Screen capture of the certificate installation screen in Web Hosting Manager.
    Screen capture of the certificate installation screen in Web Hosting Manager
  6. Install mail server and other certificates via Service Configuration->Manage Server SSL Certificates as shown in Figure 6.
  7. Figure 6. Screen capture of email and FTP SSL certificate installation screen in Web Hosting Manager (WHM).
    Screen capture of email and FTP SSL certificate installation screen in Web Hosting Manager (WHM)

Setting up Search Engine Optimization

The final step in creating your web site is to register with the various search engines and work on the search engine optimization (SEO) for your web site. SEO is a complex topic by itself, and is discussed in a different article. See Search Engine Optimization and Analysis for Small Banks and Small Businesses.

Write Your Web Site’s Privacy Policy

Virtually all websites need a privacy policy, and a website absolutely needs one to stay compliant with the terms for ad display software and most if not all analytics software.

For instructions on what to include and how to write a policy, How to Create a Website Privacy Policy and Win Your Readers’ Trust with a Custom Privacy Policy for Your Blog both provide a good discussion of what to include--or perhaps what to tell your attorney what to include. Local Better Business Bureau organizations require a privacy policy and require one for accreditation--the Dallas BBB Sample Privacy Policy is a good example.

Unfortunately, even these samples are intimidating for someone who isn't an attorney.

  • GeneratePrivacyPolicy.com is fairly comprehensive, but doesn't have check boxes for Google Analytics compatibility.
  • (sic) iubenda is geared to Google Analytics, but it is accessed through a link to their site (it resides on their server) and contains their logo in the policy. It costs $27 per year if you want to remove the iubenda logo from the policy.

Installing a Favicon

A “favicon” is the little icon that appears on the left side of each tab in Firefox, Chrome, Internet Explorer and until recently, Safari browsers (I'm sure Apple is getting a firestorm of criticism for this change in Mavericks). A favicon makes it much easier for users to identify which tab they want to select. Favicons must be square, so when you get a graphic designer to do a logo, make sure that the designer provides at least one version that is square. To create the favicon file, the easiest thing to do is to use one of many web sites that will convert an image file to a favicon-format file. Google “favicon convert image” and you will find a number of sites that will do the conversion. Favicon.htmlkit.com is one example of many. If you have graphics editing software, that software may have built-in capabilities as well.

If you don’t have the funds for a logo designed by a graphic artist and don’t have any skills in this area, there are some inexpensive apps that will help you to create a basic but useful favicon. Art Text 2 Lite is a free app for OS X that will generate a simple icon with letters and background–see the Intentional Genealogist web site for an example of the output from this tool.

Once you have the favicon.ico file, you will need to upload it to a particular location on you web server. For Joomla this is templates/yourtemplate/favicon.ico, where yourtemplate is the directory for all of the active template on your site. If you use multiple templates, you will need to install the favicon in each template.

To test this, you should bring up your web site in a browser that you don't normally use--it can take a while for the browser cache to expire and for default favicon for your CMS to be replaced by the custom favicon.

Installing Apple-specific Icons

Apple iOS devices allow users to add a web site to the home screen of an iPhone or iPad–making this feature work well requires some specialized files and HTML markup on your web site. The article Configuring Web Applications in the Apple iOS Developer Library gives a description of what iOS devices look for when a user adds a web site to the home screen on the user’s iPhone or iPad. Some websites, indicate that some Android devices take advantage of this support as well. Mathias Bynens somewhat dated article Everything you always wanted to know about touch icons gives a good description of how this works.

Since iPhones and iPads come in a variety of resolutions, you will need to make serveral versions of this icon. The easiest way to do this is to use the convert command from the ImageMagick package to generate the various files from your square icon file. For Windows, ImageMagick is available in the Cygwin set of Linux/Unix utilities. On OS X, it is available through MacPorts, a port of a number of utilties that do not come in OS X.


#!/bin/bash
echo "$@"
convert "$1" -background white -alpha off -resize 60x60! touch-icon-iphone.png
convert "$1" -background white -alpha off -resize 76x76! touch-icon-ipad.png
convert "$1" -background white -alpha off -resize 120x120! touch-icon-iphone-retina.png
convert "$1" -background white -alpha off -resize 152x152! touch-icon-ipad-retina.png
convert "$1" -background white -alpha off -resize 60x60! apple-touch-icon.png
convert "$1" -background white -alpha off -resize 76x76! apple-touch-icon-precomposed.png
convert "$1" -background white -alpha off -resize 76x76! apple-touch-icon-76x76.png
convert "$1" -background white -alpha off -resize 120x120! apple-touch-icon-120x120.png
convert "$1" -background white -alpha off -resize 144x144! apple-touch-icon-144x144.png
convert "$1" -background white -alpha off -resize 152x152! apple-touch-icon-152x152.png
convert "$1" -background white -alpha off -resize 180x180! apple-touch-icon-180x180.png
convert "$1" -background white -alpha off -resize 57x57! apple-touch-icon-57x57-precomposed.png
convert "$1" -background white -alpha off -resize 76x76! apple-touch-icon-76x76-precomposed.png
convert "$1" -background white -alpha off -resize 120x120! apple-touch-icon-120x120-precomposed.png
convert "$1" -background white -alpha off -resize 152x152! apple-touch-icon-152x152-precomposed.png
convert "$1" -background white -alpha off -resize 180x180! apple-touch-icon-180x180-precomposed.png

The script above will run on Linux, OS X, or under Cygwin on Windows. The -background white -alpha off parameters deal with the transparent background of a PNG file. Apple converts a transparent background to black, which may not work well for your particular icon. You can substitute whatever color you wish. The exclamation mark after the size forces the image to a square output file, so if your logo is not square, it will look a little strange. The above resolutions and file name conventions are perhaps overkill, but these are all of the ones that I’ve found in web searches and in the 404 errors on my web site; hopefully these will cover all current and older devices.

Once you have generated all of the icons you will need to upload them to your web site in the location(s) referenced in the link statements in your web pages, or to the root directory of your web site, which is much more likely for a personal or small business web site. You probably will not be able to use the graphical user interface for your CMS to upload files to the root directory of the site (not the root directory of the server), so the scp secure copy file program will be the easiest way to do this:


scp touch*.png This email address is being protected from spambots. You need JavaScript enabled to view it.:/home/yourid/www/
scp apple*.png This email address is being protected from spambots. You need JavaScript enabled to view it.:/home/yourid/www/

Once you’ve set this up, monitor the 404 redirect portion of your CMS to see if there are any 404 errors for the any of the touch icon files, and address the problem as necessary.