Creating a website with an open source CMS (Content Management System) like Wordpress or Joomla allows you to avoid being trapped in a subscription-based web service, which represents the lowest common denominator of all users needs without the possibility of evolution.
It is also an opportunity to be able to optimize the design, security and performances of his site, which is an advantage in a competitive market where small details can make a difference. Here are some basic rules to get started.
Choose your host wisely
Your site's host is the first line of defense when it comes to security and the power of its servers will guarantee the performance of your site. Some hosts do not offer the latest version of programming languages such as PHP, although they are more efficient and secure, or applications that they allow to install in one click. So it's better to pay a little more and choose a reputable host who really protects your site. For example, Infomaniak offers all its clients Patchman security scanner which automatically corrects vulnerabilities present on old versions of the most popular CMS such as Joomla or Wordpress.
Without making an exhaustive list, here are some important characteristics of successful hosting offers:
- automatic backups of files and database in a different data center,
- free TLS/SSL certificate like that of Let's encrypt, in order to protect the confidentiality of information transmitted between the browser and the server,
- fast technical support,
- quick access to the server log,
- SFTP access for secure file transfer and SSH for the command line,
- anti-DDOS and anti-bot protection,
- malware scanning,
- SSD drives,
- generous memory allocation,
- version 2 of the http protocol,
- recent version of PHP and MySQL/MariaDB,
- optimization of PHP (Opcache) or memory cache,
- access to cron jobs,
- CDN,
- a company that respects socio-environmental standards.
More information:
Optimize the Joomla CMS
Optimize the Wordpress CMS
Install your CMS according to the rules of the art
Open source CMS like Joomla or Wordpress offer simplified installation modes, but it is important to do your research before starting. Additional settings will allow you to optimize the security and performance of your site. For example:
- never use the default CMS username, for example 'admin' on Wordpress, which is primarily attacked by hackers,
- use strong passwords (minimum 12 characters) and do not send your employees access codes in plain text by email, really…
- control access to the frontend and backend by limiting the number of accesses, by adopting multi-factor authentication or by modifying the URL,
- block the execution of PHP in certain folders such as the image download folder,
- check file and folder permissions,
- keep the php extension by duplicating the configuration file, e.g. bak.wp-config.php and not wp-config.bak, to avoid disclosing its content,
- move php files out of the public folder (feature available with Joomla 5).
- remove FTP passwords in the CMS configuration,
- use a dedicated email address, not belonging to a current account, for SMTP configuration,
- optimize URLs using keywords rather than parameters (SEF mode),
- remove extensions that are not essential to the operation of the site,
- fine-tune HTTP headers, asset performance, image, CSS and script compression, etc.
Activating a caching system further reduces the load on the server and therefore increases the page load speed. With Joomla, a caching system is integrated into the heart of the application, but on Wordpress, you will have to choose a dedicated extension to install such as W3 Total cache or WP Rocket.
More information:
Secure your Wordpress CMS
Secure your Joomla CMS
Update your CMS and save your data
Joomla and Wordpress are developed and tested by contributors around the world. They are therefore rightly considered safe. When a flaw is discovered, it is quickly corrected. It is therefore very important to update your CMS regularly. Both CMS offer a simple update system with the click of a button from the user interface. Wordpress offers automatic or command line updating. Joomla notifies its users by email when an update is available. To be able to update the CMS without breaking the personalization of the site, you must be careful not to directly modify the files of the core of the application, but to use templates and layout overrides (Joomla), child themes (Wordpress ) and override the CSS files that define the page styles.
Years of work can be lost forever if there isn't a copy of the site in a safe place. Regular backups should be performed to avoid any risk of data loss. By having your own hosting, you are responsible for your own data, which is always better than entrusting responsibility to a third party. It is possible to use specialized services or extensions like Akeeba Backup or perform command line backup (SSH). Be careful, however, not to leave a backup file with direct access to the server; access logs show that hackers regularly scan sites looking for them. Also check that you have full access to the hosting console and the DNS zone of your domain name, if you need to carry out urgent action.
Choose your extensions wisely
Joomla integrates many features into the CMS such as SEO, caching, custom fields or multilingual. On the Wordpress side, the philosophy is different. The core of the CMS is very simple and many important features are added by plugins (extensions).
Users can use sophisticated content editors like JCE or Gutenberg to create web pages without knowledge of HTML. Installing an advanced image manager like the one shipped with JCE Pro can help users crop and resize images that severely slow down the page load speed of web pages.
The CMS and its extensions might also have security vulnerabilities. In one recent case, a Wordpress plugin was even intentionally designed with a backdoor inside to allow the developer to hack the site it was installed on. An experienced webmaster will therefore find out before installing anything and update their plugins as soon as a new version is available or use the automatic update available with Wordpress.
Install a dedicated security extension
If your site uses a .ch domain and is hacked, its Switch registry can suspend DNS resolution and not only will your site become inaccessible, but you will no longer be able to use your usual email. No software is perfect and a security extension will help you reduce the risks associated with hacking attempts. Extensions like Akeeba Admin Tools (Joomla) and Block Bad Queries/6G (Wordpress) filter the various bot attacks in search of vulnerabilities and also improve the quality of audience measurement. Limiting access to the site administration login form is an additional security measure to consider. Admin Tools allows you to hide your URL by adding a secret word which will prevent brute force attacks. WPS Hide Login is a Wordpress plugin that offers identical functionality.
To further reduce the risk of intrusion, it is possible to enable the Joomla two-factor identification system (available with a plugin for Wordpress) which will require the insertion of an additional code provided by a smartphone application. In fact, there is a large choice of security extensions that you are invited to test, in order to find those that will best suit the particularities of your site.
Monitor your website and test…
Adding your site to the Google search console and Bing webmaster tools services allows you to control pages indexation in these two search engines which still represent a preponderant share of visits. They also offer information on the keywords used, errors encountered on the site and SEO diagnostic tools, mobile compatibility, optimization of page load speed and security. Custom audience reports can be created with Google Looker Studio to analyze data from various sources: keywords from Google search console, origin and nature of visits detected by Google Analytics, results from Google Ads campaigns and conversions with contact forms .
Having a central dashboard makes it easier to make decisions based on quantitative data and not just unverifiable assumptions as long as this data is not distorted by untimely visits from malicious bots. In a complex CMS, it is also possible to mistakenly integrate several Google Analytics tracking codes in a row, which will distort the results. No diagnostic tool will ever replace common sense and the webmaster's ability to take a look at the HTML code of his site to detect anomalies.