Great idea! Even though I have already started developing my site this helped with some questions I had. Great to know!

Day 19 - A Step Back

So, I've left you to begin developing the content of your site and I'm sure you've been head-down since the last post, but I want you to get up and take a break - this is supposed to be enjoyable, after all.

It is good to step back from a project once in a while and get another view of what you've been doing. When you are close up and working hard at it, you don't always see how things are falling into place. It is especially important at the beginning of the project because you are setting precedents for the remaining work to come. It is easier to make small adjustments now than to completely re-work a site with 100's of entries later.

Log out of your site - look at it from a new visitor's perspective. Can you tell what the site is about? What options do I have while I am visiting this site? What are the menu options? What is Wiwi (or pico or ...)? What do you want me to do next?

Visit some of the other areas of the site - do some of the blocks disappear? Do new ones appear? Is the look consistent? Do you know where you are? How do you get back to the home page?

OK - let's get back into webmaster mode
Log in and look at your Main Menu - based on this step-by-step, you should have Home and Wiwi (or whatever the default name of your content module is). You will want something a bit more visitor-friendly than 'Wiwi'. Go to the Administration Menu, hover over System Admin and click on Modules. In the list of installed modules (the top part of the page), notice that each installed module has a text box below the icon and the name of the module. You can change it! Type a different name and click on the Submit button at the bottom of the section. The confirmation page will load showing the changes you have made. Click on the Submit button at the bottom of that page to save your changes. After the changes are saved, click on the Back to Module Adminstration link. That name will be how that module is listed in the Main Menu.

You only have one module installed, so the order of your Main Menu is pretty simple - Home at the top, your content module below it. When you have more modules that will appear in your Main Menu, you may want to change the order of the list. The weight of the module determines its position on the list. They are listed in numeric order, lower numbers are higher on the list. If 2 modules have the same weight, I'm not exactly sure which one is listed first (I think it is the one that was installed first). If the module is given a weight of 0, it will not display in the Main Menu.

Now that you also have content, you will activate the first way people can interact with your site - Comments (if you have them allowed for the module. They usually are turned on by default). Think about how you want to handle comments. Will comments always be approved without administrator approval? Depending on your situation, this usually is not a good practice. Comment spam is big on the internet and you can get a flood of 'comments' from people only hoping to promote themselves. Will you trust your registered users? If you have chosen to automatically activate new users, or allow them to activate themselves (the default), anyone can register. At this point, you are the only registered user, so the management load isn't too high. Think about what will happen as your site traffic climbs.

Earlier, I recommended creating a test user and adding them to the different groups on your site. Test their logins and view the site with their access. Does it behave as you expected? Can they access the areas you intended? Can they use the functionality you've provided? If you have enabled posting any content for the other groups, check it out!

How many browsers can you view your site with? Look at it with at least Internet Explorer and Firefox. Look at your site with varying resolutions - if you have a widescreen flat panel and are building your site at 1440x990, things will look different to someone still using a 15" CRT at 800x600.

There still is more to do, but keep looking at how your site is progressing.

Day 20 - Did you notice?

Way back, when you edited your profile, one of the options you can set is if you want to receive notifications and how you want to receive notifications. We zipped right by that on that day, because there weren't any notifications to receive. Now, that has changed.

Notifications can help you keep track of what is happening on your site and you have the ability to set which events will trigger notices for you. Your users can also have the option to set up their own notifications, depending on your configuration settings.

First, start your web server and log into your site. On the User Menu, click on Edit Account. Scroll down the page, almost all the way to the bottom. The first notification option is the method - how will you be notified? The default is to send a message to your private message inbox. Alternate methods are to send an email to the email address in your profile, or to turn off notifications for your account. The second option is your notification mode and the default is to send all notices. As the site administrator, I would leave that setting as is.

Now, what notices can you get? That is controlled by each module you install on your site. Go to your Administration Menu, then click on the content module you installed (I installed Wiwimod). Click on the Preferences (or General Configuration) link for that module and scroll to the bottom (usually).

Depending on the module, you should have 2 options to set - enabling notifications and a selection of notifications to give your users. Look at the Enable Notification option first. Most often, the default is to Enable Notifications (both styles). The 2 styles available are block and inline. The block option is to use the system block for notifications, and you will have control over where it is on your page using the block position options, and who has access to the block through group permissions. The inline option places the notification choices at the bottom of the content page for that module, usually below the comments area. You don't have control over who can see the notifications area with this option - if the user can view the content, they will have the notification options, too.

Note: I have found the current version of Wiwimod (0.8.3) only works with inline notifications, not block notifications

Visit your content area and select to receive notices for some of the events of that module. Again, depending on the module, you may have global events, or only item events. Some modules also provide category events. Become familiar with each module you install and what notification events they provide. If you will be reviewing user submissions before making them public (required for the sites I manage, mostly because of spam), be sure to set notifications for those modules, otherwise posts by your users can go unnoticed for a long time.

Also, this feature is a benefit to your users - make them aware of it and show them how to use it!

Honestly, once you have gone through this process a few times, most of the steps for starting a new XOOPS site can be completed in a single day.

--- More Information ---
Xoops Dev Wiki - Notifications

Day 21 - Security Checkpoint

We have been building our site offline, so security has not been an issue. But, we are getting close to the point where we want to go public, so we will need to take a close look at what security we have in place to protect our site when it is online.

First, we need to be very clear of all the areas that need to be secured - the server OS, the web server, the database, PHP, XOOPS (the code), your files and folders, the modules you install and the usernames and passwords on your site.

For every aspect, make sure you are using the latest version that has been patched and 'hardened' for the best security.

Server OS (operating system)
Unless you are planning on hosting your site on your own server, you won't have much to say about this. When you find a host, make sure you understand what your host provides and if you will be on a shared server or a dedicated server.

With your hosting account, you will be given some kind of access to manage your account. Be very cautious will your account information! The administrator username will probably be determined by your host, but you can and should set a secure password for this account. Use a combination of letters (uppercase AND lowercase), numbers and symbols to create your password. Please do not use any word or combine words to create your password, either.

My accounts let me also create passwords for administering the databases, allowing FTP access to the site and the email password for the main account. Be sure you have strong passwords for all those types of access to your account.

While you are looking around the access settings for your site, look at the FTP configuration - you definitely need to disable anonymous access. If you do not, anyone can FTP to your server and gain access to your files and folders.

Web Server
The most common web server is Apache and it too needs to be secured. Unless you have a dedicated server, you will need to work with your provider for any changes to the configuration of the server. One thing to check with them is the use of mod_security for Apache (see, even Apache has an add-on for security!)

As an additional precaution, look in your host's control panel to see if you can disable directory listings and make sure it is active. This will prevent the web server from displaying a list of files in a folder if a default page cannot be found.

Most hosting providers will allow you to create a custom set of rules for your site. To put those in place, you create a text file and save it as .htaccess - no filename, just the extension. There is a limit to what you can control this way, but you can certainly improve your security and performance with .htaccess files.

MySQL and the database
The biggest part of securing your database is user security. MqSQL has a default administrator of 'root' and also an 'anonymous' user. Be sure your 'root' user has a password, and a strong one, at that. Remove the 'anonymous' user completely! I also recommend creating another user for use on your XOOPS site, giving it only enough permissions to access and use your XOOPS database. Be creative with the username and use a strong password (uppercase, lowercase, numbers and symbols)

If you have control over your database name, be creative, not obvious.

PHP
PHP is a programming language, designed to control many operations in your web environment. Knowing that, PHP can expose a lot of vulnerabilities if not properly configured and used.

Again, given your hosting situation, you may have different options, depending on how PHP was installed on your host and which version is installed. The basic, most critical, components of PHP that need attention are register_globals, safe_mode, and allow_url_fopen. The XoopsInfo module will provide you will the status of each of those settings. Green is good, red needs attention!

Some of these can be set using the same .htaccess file for configuring Apache, some will require adding a php.ini file, others will require having your host make the change for you.

XOOPS
When I was looking at which CMS to use, I was impressed by the amount of attention the XOOPS developers paid to security. They have been responsive to any vulnerabilities discovered and released fixes quickly. XOOPS was, and is still, one of the most secure CMS options available. But, you must be using the latest release on your site! And, you must install the latest version of Protector.

Now, there are some things you can do to make your site vulnerable - pick an administrator username and password that are easy to guess and your site will be compromised. You can have the greatest security system in the world for your home, but if you don't lock the door it is only a matter of time before you are broken into.

There is a good article about protecting your database username and password by moving that information out of mainfile.php and out of your web root - this is a good thing to do. There is also another article about protecting the administrator admin login by restricting access to specific IP addresses.

Other things to do:
Be sure files and folders have the correct permissions (in the FAQs)
Make sure there is an index.html in every folder (also in the FAQs)

Modules
Just like the core, make sure you are using the latest versions of the modules. The module, XoopsInfo, helps you keep track of this, too. (See why I had you install it?)

User Security
If you allow people all over your site and don't limit some activities to trusted people, you will end up with problems later. During our installation steps, I recommend you create another group for the management of the site, separate from the administrator group. Be selective which people are allowed to manage and moderate on your site. Also, be careful about allowing anonymous posts without approval. Don't let anyone create a user called 'user' with a password 'user', stuff like that makes it easy for malicious visitors to mess with you.

This is a rather long post, but there is a lot to securing your site, which makes your life easier. There are more specifics available in the information linked below.

--- More Information ---
Xoops-tips : Protecting DB information
Xoops-tips: Protect Admin Login
XOOPS FAQ: Protecting your site
Xoops-tips: Webmaster Security Guide

Day 22 - Moving Up

You may be wondering what to do with your site after all this time - you now need to prepare to upload your local copy to your web site host and that will take some additional software, in most cases.

You have been doing all your preparation on your local computer, which is always best because you can test things out before you put them online. But, now you need to move files to your online web server. I am going to assume you have already done this, but if you haven't, visit the XOOPS hosting forum.

The process to move your files to your server will be accomplished using FTP (File Transfer Protocol). This is similar to copying files to a new location on your computer using your browser (in fact, you can use your browser in some cases), but there will be some differences. Your web host should have provided you with FTP access information for your site. This will include a username, password, URL address and, in a few cases, a port (if they are not using the default port of 23). For best results, I recommend the use of an FTP client - I have tried several and I prefer FileZilla. The Useful Programs FAQ listed below has a link to this program and to several others. One thing I like about FileZilla is I can copy it to my USB drive and always have my FTP client with me (just like the local copy of my web site). Download and get one of the FTP clients running on your computer and then connect to your site using the information provided by your web host.

In addition to the connection information provided by your host, you will need to know how your site is structured. As I mentioned as we were setting up XAMPP, there will be a root folder where you will place your site's files and folders. You web host should also provide this to you. Web browsers will always be directed to this folder, while your FTP access will include additional folders outside your web root folder. Some of the common folder structures are

/public_html/ (the web root)
/public_ftp/ (the FTP root)

on another host - the web root is /var/www/html/

Take some time to get familiar with your FTP client and the structure of your site before you start uploading files. Also - find how your client allows you to change permissions on files and folders. In FileZilla, just right-click on the file or folder on your server (Remote Site list on the right), then select 'File attributes...' from the context menu. You can change the settings by using the check boxes or by typing a new value in the Numeric value box and then clicking the OK button. Specific file and folder permissions will be discussed in a bit more detail later.

Another important piece of information you will need will be the physical path to your web root.

The most direct way to do this is to get the information from your web host. Another alternative is to upload a fresh copy of XOOPS, like we did at the beginning, and go through the installation process. Being new to XOOPS, this is good practice and reinforces what you've learned so far. But, by following this series, you have done a lot of work and added several modules to your local install, so the quickest way to find your physical path and get your full site online is to create a new text file using a general text editor (also found in the Useful Programs FAQ). In that file, type the following -



Save that file with a name like path.php (use a different name!). Upload this file to your web root using your FTP program. Then open your browser and type http://www.yoururl.com/path.php (or, whatever your filename was). You should get a page full of information - scroll down the page to the section labeled 'Apache Environment'. Look for the variable DOCUMENT_ROOT, the value of that variable will be your physical path for XOOPS_ROOT_PATH. Once you have that information, DELETE PATH.PHP (or whatever filename you selected)

You will not be able to do the same for your XOOPS_TRUSTED_PATH value, but if you followed the instructions in this series, the pattern should match XOOPSS_ROOT_PATH, with only the last folder name being different. Refer to post #14 for more information.

I'm going to stop here and have your review this carefully! The next steps will be your final steps to moving online, which requires creating another database backup of your local site so you can import that to your online site.

--- More Information ---
XOOPS FAQ - Useful Programs for Web Sites

WOW!!!
What a piece of code...

That is very enlightening.

BlueStocking

Day 23 - Moving Day

Today's the day! We're transferring the files and folders and importing our database information to our web host. There will be a few things to sort out once that is done, but basically, your site will be ready for visitors

Here's a high level summary of what needs to happen today -
1. You need to adjust your mainfile.php for the proper XOOPS_ROOT_PATH, XOOPS_TRUST_PATH and XOOPS_URL on your web host
2. All of your local files and folders need to be transferred to your web space at your host
3. You need to set the proper permissions on your files and folders
4. You need to import the information from your local database to your online database
5. You start your browser and see that everything works

Step 1
You should already have your physical path information for XOOPS_ROOT_PATH and XOOPS_TRUST_PATH, open mainfile.php with your text editor and adjust the lines that define those values and save the changes in a new copy, so you can continue to use your local site.

Step 2
Next, lets do some administrative preparation for moving the site (make sure you have all your belongings packed up).

How do we do this? Make a backup of the database, of course! This time, it is important to know the size of your database. How do you find that information? 2 ways - use phpMyAdmin in your local install, or in your XOOPS site administration menu go to the XoopsInfo module I had you install, and click the MySQL info tab. In the section 'Tables to be controlled', there is a list of tables and a total at the bottom. The first number in each pair is for the tables you see listed. The second number is the entire database. Look in the Size (Ko) column. The number is the size in KB of your database. For example, mine currently shows - 964,86 / 5 750,21. The format is European, so for me (in the US), that indicates my DB is 5,750.21 KB, or just over 5MB. That is larger than the maximum file size phpMyAdmin will allow for importing (2MB), so I need to make the file smaller.

So, how do we make the file smaller? Again, there is more than 1 way. Let's take this approach - still in your administration menu, go to the DB Backup & Restore module and into the preferences for that module. Set the 3rd option (Save as file) to gzip and make sure the 10th option (Split file) is set for None. Save your preferences. Now, backup your database. The file size on my compressed database backup turned out to be 1034 KB, or just over 1MB, well under the size limitation for phpMyAdmin. The other option would be to set the Split file option to All, giving you separate files for each table in the database, but importing them would be very tedious

So, now the database is backed up, what next? Clear out any temporary files (cache and templates_c) that don't need to be uploaded. In your cache/ directory, delete all files, except for index.html. Same thing in your templates_c/ directory. This can save you a tremendous amount of time uploading your site!

OK - start your FTP client and connect to your web space and start uploading everything! Just like when we were copying files into your local web server, the placement of the root folders are important. mainfile.php and index.php should be in the main folder of your site, everything else is relative to that position. Be patient and watch for errors - FileZilla and most ftp clients will retry if a file fails, but sometimes files don't get uploaded or you get disconnected before everything gets uploaded. If you experience trouble, break it down and just upload in smaller batches (1 folder at a time, if you have to).

Upload your trusted folder to the proper location on your server, or Protector won't work.

Step 3
Once the files are uploaded, be sure to set permissions on mainfile.php (444), cache/ (755), templates_c (755), uploads/ (755), uploads/backup/ (755).

Step 4
Now, to import your database. In your web host's control panel, go to phpMyAdmin. You need to have a database ready - be sure you have one using the same name as your local install and you have a database user that matches what you used in your local install. Select your database, then click on the Import tab at the top of the page. You will find a box to locate the file to import and a Browse button. Use the button and file dialog to locate your most recent backup of your database. Be sure your backup size is under the limit (2048KB) and press the Go button at the bottom of the page. If all goes well, you should have a fully populated database in just minutes!

Step 5
Open your browser and point it at your new web site! Again, if all has gone well, you should see your new web site online. Log in, look around a bit and make sure all the areas are working the same as they did offline.

--- More Information ---
XOOPS FAQ: How do I backup and migrate my site?
XOOPS FAQ Category: The Database and Site Migration
Migration Tutorial at WarPigW2

I need help. I am willing to pay $30.00 (which I estimate will be an hour) for the actual advice and ability to change my user's profile as a default setting - with a girly lay out for it. The program is the myspacephpgold/xoops....

Greetings-

I am new. And I have found this site by default. I appreciate the site very much. I am a novice. I have a XOOP/Myspace Gold type of database powered by XOOP. I am trying to find out two things:

1)Is there anyway that I can change ALL user's profiles to have pictures on them when they register? If so "is it in the "edit user" file? I am having difficulty. I have very little programming experience.

2)Is there a way that the users can add a myspace layout using this program? Thank you again...

yeas a verry great idee, it will helps me for my first XOOPS site

Hi Skenow!

In your "Day 2 - About the Core", you have given few links from where we could download Add-Ons for XOOPS Core. I could not download the Editors. The site said it was "temporarily closed". Is there any other link from where I could get them? Please Advise.

Thank you