How come a Platypus is made up of so many different bits?

Russ Winter knows how to properly install, configure, and secure Web sites. After all, that's what he does and he's good at it. Russ also knows people and he's pretty good at working with us, too. Russ combines humorous analogies with lessons in technology, making it easier and far more enjoyable to learn. If you follow this series, you are guaranteed to learn proper Web site administration, or all about Australia. Either way, it'll be worth your time.

How come a Platypus is made up of so many different bits?
(for those non-Australian's out there, translate to:“What else do I need to know to run a successful Joomla! web site?”)

WOW! Now this is a huuuuuge topic, is it going to be possible to cover all topics, from all perspectives and answer all your questions? Unfortunately, the answer is going to be “no”, sorry to disappoint anyone.  Will it be possible to cover a large number of topics in broad enough terms, that with a little bit of self-research across the web or most likely through the Joomla! sites we will be able to point you in the right direction and give you a head start? “Yes”, absolutely!

With a few notable exceptions, the Joomla! framework itself has in fact been one of the most secure and consistently functional Open Source applications in recent times, also amongst some of the most active and comprehensive support systems backing it. On the whole though, most of the difficulties observed by the majority of the community have proven to surround the many and varied hosting configurations and differing methods of using Joomla!, hence the Platypus pun.

There is an argument to be had that follows the lines of; “but for me to make use of Joomla! I need to  <enter your problem>  which may expose my site or server to exploits”.  This statement is always high on the list of forum posts and covers many aspects of web serving, from permissions, PHP settings, web server configurations and even operating system choice, so it is hardly surprising that even for many seasoned site owners, security and site integrity can be a bit of a mine-field.  Let's see if we can at least clear up many of the mis-understandings or urban myths surrounding this statement and more importantly it's underlying components and the many variables effecting it's outcome.

As a few folks that have been on the end of one of my forum rants, I am a great advocate of planning and preparation, if you have seen many of my posts in the forums you will notice that problem resolution is not always at the top of my agenda, but ensuring it doesn't happen again tends to be, along with learning from the experience, so by this I mean two things,
 
    1. Plan before you do something
    2. Prepare for events after you have done something
    3. Plan for if it doesn't go as expected
    4. Prepare recovery for the unexpected effects in the future

Lets start at the beginning, having a plan in place for an installation, although made very simple by the Joomla! installer, it is still important to fully understand the requirements and implications of the choices made during installation. This plan doesn't need to be the size of “War and Peace” or and epic like “Ben Hur” but should cover the essentials and can be used again and again if you plan to run multiple instances of Joomla! or several sites.

First and foremost, decide what exactly needs to be done, by who and when, a checklist of sorts.


    1. Do you have the latest 1.5 release from JoomlaCode or have you migrated from 1.0?

    2. Do you know and understand the basic Joomla! requirements
        - for Joomla! 1.5

    3. What extensions are you planning to use and do you know their requirements
        - these choices may also determine which version of Joomla! you use

    4. Does your server impose any limitations?
        - have you spoken to your Hosting provider regarding these? PHP, MySQL, permissions etc

    5. Do you know where to find common information and help if required
        - Joomla! Help and FAQ's, Installation Guides for v1.5 and Joomla! Forums

    6. Got a question?
        - Have you searched the forums? Many common questions and issues are resolved by a simple search, you're not on your own out there.

This plan will highlight any potential obstacles, if any, that may need to be overcome for success. It will also ensure that some basics are either in place or at least on the list to be completed, such as, what external requirements you might have;

• Hosting environment requirements
• MySQL Database name to be used
• Account and Database passwords
• 3rd Party Extensions requirements
• Joomla! Admin account access and protection
• Account and Password conventions

Following the installation and before going production, prepare for certain possible events, these might include, if your site gets damaged through server problems or hardware failures, defaced via exploits. Is your host taking reliable backups?  Do you know where the backups are? How to recover them? Do they work even? How often are backups taken? What is backed up? Where are they stored? How do you access them in emergencies? In the event of a complete disaster, site or server failure, how do you recover? In addition to the basic backup strategy, how do you monitor for problems or potential issues. Does the host have intrusion detection or protection in place? Do you have access to site logs?

Testbeds and Sandboxes
If you have never installed Joomla! before, it may pay dividends later to spend a little more time now to test and prepare an installation or setup a test environment on your own computer.  There are several options available that offer a single installation or one-stop setup of a basic testing environment, also called a sandbox in some cases.

For Apple Mac there is MAMP, or for Linux you can use LAMP and for Windows there is WAMP, all of which are reasonably simple to install and use, as you become more familiar or experienced you might like to install each application required for web hosting separately, allowing more control over the configuration and setup, but in general each of the self-contained packages offer a lot of configuration options so you may be able to recreate your live site environment pretty accurately.

These type of packages include most of what you need to get started with basic web hosting style environments and provide you with a local test bed that you can install multiple copies of Joomla! in to, test and develop without fear of damaging a live site. These sandbox environments also have the added benefit of offering the opportunity to use backups of the live site, test new extensions or templates and generally get use to Joomla! without effecting your live sites.

To some degree, a local sandbox may also be used as a local backup of the production site, if you ensure that you keep the local copy in sync with any changes made on the production site.


When is a possum not a possum? 
(for those non-Australian's out there, translate to; “When is a duck, not a duck?”)

OK, lets continue at the top, this point of discussion is always a very contentious topic and is covered infinitum throughout the forums, with much confusion still. Lets see if we can clear a few things up here; 


What is the meaning of “writable” in the Joomla! installer?
During the installation process the Joomla! installer checks for a number of conditions within the hosting environment, the most contentious of these is, certain directories, for full operation,  needing to be “writable”.

This is the possum we are talking about, the term “writable”.  Over time, unfortunately, this term has commonly become understood to mean that the permissions have to be “777” or “world writable”.  This in fact is not necessarily always correct or required and in most cases certainly creates a security exposure on your site and maybe even the whole server.

As with any web application, including Joomla!, most only truly require a directory to be readable to function adequately and be able to deliver content through a web browser to the end-user, however if it is required for the webpage or application to be able to write any data back though the webserver to the disk, then “writable” will be required.  As ever there is a “but” to this statement....  (now you see where the confusion creeps in) this depends heavily on the webserver configuration. There are many, many differing configurations out in the world, we all setup machines slightly differently and to our own tastes and experience, but the main three configurations that hosting firms use are generally as follows:

If options 2 or 3 are your only choices, to reduce the risk of elevated permissions, you might consider using Joomla! new FTP Layer in 1.5. (We will discuss and try to clear up the permissions and ownership queries in later articles.)

So what can be learned from this exercise? Firstly, and most importantly, not all servers are built equal, not all administrators are as experienced as others and some possums can be good and bad at the same time. So, when looking around for a web host, a few pre-purchase questions to ask could be: