					    BAHAGIAN TEKNOLOGI MAKLUMAT




-Built In Web Development-
DEVISING STRATEGIES

Web site strategy was to provide enough compelling information to get someone from a big
city to come down for the weekend to walk through the house and hopefully buy it. The photos
should be seasonal, to emphasize Vermont's four distinct seasons and the activities one can
enjoy in each season. Therefore, the photos needed to be changed three to four times per year to
show how the house looked at that particular season. The copy could also be adapted as the
seasons changed, emphasizing skiing in the winter and hiking in the summer.

User strategy. The visitors to this web site had their own agenda. The user strategy was to see
lots and lots of beautiful pictures, get directions, read up on the house specifications, and see
what there was to do in the area to make a weekend trip to see the house.

Based on this information, we built a web site of about 20 pages. We had a professional
photographer take dozens of photos of the house and the grounds and even had a helicopter
fly over the house with the photographer to take impressive seasonal photos of the house and
the surrounding gardens. We had a content writer write all kinds of flowery content, generating
warm, positive feelings about the beauty, serenity, and seclusion of the house, yet how
convenient it was to grocery stores and shopping. We also included a page of information
about regional events and attractions that might be of interest to someone visiting the area for
the weekend. And most importantly, we included contact information to get in touch with the
owner, via phone or e-mail.

We also had to think about a marketing plan for the web site, including how to get the site to
show up in search engines, but we also did some cross-promotional advertising in the New York
Times homes listing and other home listings in Boston and New York. (Remember that when
you market a web site, you don't have to do all marketing on the Internet. Cross-promotional
advertising means advertising in a different medium - in this case, the newspaper.)

Eventually, the house did sell, close to his asking price. The site was successful, and we archived
it. Now, had this client simply said he wanted to sell his house and asked how much it would
cost for a web site, I might have come up with some of this information without our having had
the strategic discussion. Obviously, the site should contain photos of the house, along with
some additional information about how many bedrooms, baths, and so on. However, would I
have come up with the idea of including information about the local events and what to do in
the area? Would I have thought to change the photos seasonally? It's likely I would not have
caught all the nuances of the strategy without our discussion, and perhaps the house would
have taken much longer to sell.

Understanding Your Client's Business Strategy

A business strategy is some type of plan that applies to an organization to help it achieve its
goals. Although the term is "business strategy," it is not necessarily limited to businesses. A
non-profit can have a business strategy, as can an educational institution or JKR. In general, this
plan covers the mission of the organization, its vision, how it conducts business, its plan for the
future, the markets in which it competes, and the people it serves.

If I'm running a web development firm, I might tell you that my mission is to build web sites,
that I sell my services building those web sites to make money, that I'm competing with the guy
down the street, and that I serve the people in my community.
However, I could make that mission statement a bit more targeted. Do I build web sites for just
anyone?
What kinds of web sites do I build? Somehow, I need to differentiate the work that I do from
the web site developer down the street. For example, I might use Joomla to build my sites,
whereas he builds static web sites. I specialize in web sites for environmentally oriented non-
profits, whereas he designs sites for small local businesses.

The more targeted a business strategy becomes, the more targeted you can make your
marketing plan, and the more of the target audience you can reach. A focused, well-crafted
business strategy converts more people to customers, and you're more likely to make them
happy with what you offer.
For example, if my web development business focuses on environmentally oriented non-profits,
it's less likely the local community website will call me about a web site. Constructing a business
strategy is hard work, takes a lot of thought, and, frankly, many people are too busy running
their businesses to consider their strategy. If they did take the time to think about that strategy,
however, they would find their business runs more smoothly and efficiently. The owners spend
less time running the business, rather than the business running the owners.

To determine a business strategy, usually all you have to do is ask your clients what they do for
a living, and listen very carefully to what they have to say. They should tell you exactly how they
fulfill their mission goals - how they make money, how they recruit membership, how they
solicit donations, and so on. They should talk about a typical customer or client, what this client
needs from the business, and how the business fills that need.
For an established business, this conversation is fairly straightforward. In general, the business
owner has little trouble answering any questions you ask. For a new business or organization,
however, you might ask some questions that are answered with, "Good question!" If your
clients are unclear about their business strategy, encourage them to develop a strategy first,
before putting up the web site. Plenty of local resources specialize in helping with this, such as
SCORE, your local Small Business Administration office, and local and regional programs
targeted at fostering small businesses.

Some business owners will tell you they need a web site because everyone says they do, but
they're not sure why they need it or what they'll get from it. This is not really business strategy.
What you want is something like the following:
   • I want to offer a way for people to discover my store hours and location, plus an easy
       way to contact me by phone or e-mail. I want to reduce the number of phone calls my
       staff gets that deal with these very questions.
   • I want to offer my products online, and offer a way for customers to find out what
       stores are near them that sell the product.
   • I want to establish my expertise in a certain area, which will lead to consulting requests.
   • I want to recruit new dealers for my products.
   • I want people to subscribe to my publication and look up back issues.

Occasionally, while you try to find out the business strategy, the client will want to start talking
about technologies. I've heard everything from the importance of a blog on a web site to how
exactly certain database queries would be made. As soon as you go down the path of discussing
technologies, you're discussing how exactly the site will function, not what problems the site
will solve.
    • Keep the conversation focused on strategy
    • What problems are you trying to solve?
    • The technological solutions to those problems will be much easier to define.

Some Clients Should Not Have a Web Site

Consider how many sites you have visited that felt information-free and perhaps even half-
finished. What was your impression of that organization? (Probably not positive, I'm guessing.)
This type of impression usually is a sign of an ambivalent business owner who got a site because
someone (their spouse, a friend, a relative) urged her to get a site for the business. The owner
wasn't necessarily convinced, and wasn't sure what to do with it, but now she has a web site so
everyone will leave her alone. Perhaps it's the type of small business where everything is done
with paper and a non-computerized cash register. Although this seems impossible these days,
these businesses are still around – and many are thriving.




A neglected-feeling web site might also be the sign of an overstretched owner who simply
doesn't have time to think about updating the site. If you are building a web site, and the owner
doesn't seem particularly engaged in the process, make sure she understands the following
about the commitment she is making by having a site:
   • The owner must commit to checking and answering e-mail every business day. After all,
       websites generate e-mails that must be answered. Visitors find not being able to contact
       the web site owner, preferably by e-mail, frustrating. (Famously, Southwest Airlines had
       no e-mail contact for years, but it had a web site. It finally offered e-mail contact in 2009
       after customer insistence, but it states it has a five-business-day response window to e-
       mails.)
   • The site needs to be updated periodically. How often? Of course, "It depends." Some
       sites can stand to be updated quarterly, whereas others should be updated every day.
       For example, an informational web site about your freelance Joomla business might be
       okay if it's updated quarterly. But if you're CNN, you should update your web site every
       day (perhaps even several times an hour).
   • The site is not a one-time investment. A web site must be updated, redesigned,
       expanded, reworked, pared back, and have new functionality added. Nothing is worse
       than finding web sites that look like they were built around 1995 and have not been
       updated since. Rolling rainbow bars, starry backgrounds, spiders in webs, prominent hit
       counters, and little men in hardhats banging the ground with a hammer are generally
       considered "fashion no's" and hallmarks of a site that needs updating. Desperately.
   • Likewise, don't necessarily expect the site to "pay for itself." This theme was common in
       the late 1990s and early 2000s. Site owners expected the web site to directly bring in
       revenue, or they would kill it. The web site is a piece of the overall marketing for the
       organization. Many people will read a web site and then call for more information,
       rather than purchasing a product on the site.

Aligning the Business Strategy with the Web Strategy

After you're clear on what a client wants to do with a site (the business strategy), it's time to
think about how technology can help implement that strategy, meet goals, and solve any
problems.
Some problems are easy. If the client wants to cut down on phone calls about the business
location and operating hours, perhaps putting that information in the footer of the web page
and again under "About Us" can solve the problem. (Of course, you don't know whether this
method solves the problem until you test to see whether your users can find the location and
hours easily.)


Other problems are harder. For example, how does a business communicate its depth of
experience in a certain area?
Suppose that you identify the problem you're trying to solve as showing that you are a Joomla
expert on your web site for your freelance business. What are some possible solutions to that
problem? Here are a few:
• You put up a bunch of text explaining your depth of knowledge, degrees you have, and
   awards you've won.
       o Advantage: Cheap! Easy!
       o Disadvantage: Who really reads that stuff? You're telling someone you are an expert,
          but you haven't demonstrated anything. Should you put up the text anyway? Sure, it
          can't hurt, but it shouldn't be the only solution to this problem.
       o Improvement: Don't just say it yourself. Get testimonials from your clients and
          colleagues so you have third-party confirmation of how fabulous you are.

•   You list a bunch of sites that you've built in Joomla.
       o Advantage: Easy! Just a list of links, right? And Joomla has a Web Link Manager.
            Piece of cake!
       o Disadvantage: A list of links shows off the sites, but it doesn't explain why the site is
            so great, what problems you solved for your client, or what the site is doing for your
            client now (increased traffic to the store by 10%, decreased phone calls for store
            hours by 5%, and so on). The Web Link Manager is beside the point, if it's not really
            solving your problem.
       o Improvement: A list of links to the sites you've built, with some explanatory text
            about what problems the client wanted to solve and how you solved them. You
            want a screenshot of the site before and after you redesigned it as well so that
            visitors can see how much you improved the site. If you can incorporate the goals
            the site achieved, such as increased store traffic, even better.

•   You start a series of articles that talk about what problems you solve with Joomla, how you
    solve them, and why.
        o Advantage: It's in your own words, and it's your story. It's an authentic, believable
            voice.
        o Disadvantage: You need to post articles regularly about what you do. Do you have
            time to do that? Who does it? How are the articles reviewed? Are they reviewed?
        o Improvement: Again, including third-party verification of what you did is helpful. If
            you can get a statement from your client about how well your solution worked, it's a
            great thing to include in the articles.



Technologies might still spring to mind. It sure sounds like the third bullet describes a blog.
The second bullet sounds like a series of case studies that talk about a client's problem and your
solution, with a link to the final web site. The first bullet is a pretty standard About Us page.

Why do those technologies and solutions spring to mind so quickly and easily? Because you
essentially described them by describing the solution to the problem. Rather than stretching
the technology to perform some ill-defined function on the site, technology is now serving the
strategy in a clearly well thought-out way.



You have also identified some potential problems and pitfalls with each of these solutions. If
regular updates are problematic, you might want to think more about the first two solutions. If
you are looking for a solution that's a step beyond the usual, you will look at the third solution
and less at the first. Now that you have thought through the upsides and downsides of each
strategy, you can make a more informed and intelligent decision about which option is the right
one for your web site.

If you're putting up any piece of functionality on your web site, it should go through the same
vetting process. Be sure you can explain what problem it solves for the client. Sometimes that
problem seems very simplistic and/or trivial. For example, clients love slideshows, where
there's a series of really big photos that fade in and out. They're particularly prominent on the
home page of a web site. What function is this slideshow performing? It's "eye candy" for sure,
particularly if the photos are good quality (or it's an eyesore if the photos are not). You might
just be tempted to not ask too many questions about it, because the client asked for
"interactivity" or "sizzle" for the home page.

Could a slide show do more than that? Absolutely! It could set a mood for the site. A series of
happy, smiling people doing various jobs conjures a different mood than a series of New
England scenery photos. Slideshows can also be tied to branding. Think about the imagery
that's used in commercials for companies. They're highly professional, job-focused people
(airline commercials), or they're fun loving, outdoorsy people (outdoor gear commercials), or
they're people who are listening intently to your problems and trying to help you (bank
commercials). Think about your client's slideshow the same way. Could you improve the
message it sends and think about it serving as more than just "sizzle" for the site? Before
adding any functionality to the site, be sure to ask yourself why you're adding the functionality
and what problem it's solving. If you're not sure, or you're putting it up because the client asked
for it, ask your client a few discerning questions. Your client will love you if you suggest a
different, "better" solution to the real problem he's trying to solve. You will have elevated
yourself from a "button clicker" to a partner in providing solutions to the business.

Understanding Your Client's Target Audience

Web sites should be built with a certain type of visitor in mind. That person is part of the target
audience. These are the people you want to buy or use your client's product or service. Ask
your client who the target audience is for the web site. Sometimes a client can provide a very
specific answer for you. For example, the site is for men, ages 18-24, who have shoe sizes over
size 12, who live in an urban environment.

Unfortunately, more often than not, your client may not have a clear answer about his
customers. Sometimes the only guidance you get is "anyone who wants to buy our product."
That's really not the answer, though.
Try to determine the following about your client's target audience:
    • Demographics. Who are the site visitors? How old are they? How much money do they
        make? What are their hobbies, their jobs, marital status, or things they have in
        common?
    • Technographics. Do they access the web site through a PC, a mobile phone, or some
        other device? Do they use Internet Explorer or Firefox? Which version(s)? Are they on
        dial-up or broadband Internet connections? Are they using newer or older computers?
    • Environmental factors. Are they surfing at 11 p.m. in their bunny slippers? Or is it 9 a.m.
        and they're at work with a cup of coffee? Are they there for business or are they there
        to explore leisurely? Do they have nearby distractions demanding their attention?
    • Geographics. Are they from only the United States or from other countries? Does the
        client need to serve multiple languages? Are visitors from rural locations or from urban
        areas? The vast majority of small businesses in this country serve a small geographic
        area. A car repair shop doesn't worry about serving customers 1,000 miles away, let
        alone 100 miles away.
    • User goals. After you understand who the client's users are, you'll want to understand
        what they want to do on the web site. Are they there to be entertained? Find a
        product? Get specifications? Buy something? Research something? You'll also want to
        think about what the site owner's goals are for these users, as well.




After you understand these factors about the target market, you can create personas describing
key users for your web site. Personas, originally described by Alan Cooper in his book, The
Inmates Are Running the Asylum, are fictitious people with certain characteristics and goals
that reflect the type of people a business wants to attract to its web site. These fictitious people
are composites of certain classes of users you've identified as key audiences for the web site.
Suppose you're designing a site for a men's big and tall store. Historically, this store has served
men who are 40 to 60 years old and are either taller or larger than normal. The clothing styles
have been a bit on the older, more conservative side. You now want to communicate that the
store is carrying clothes for a younger generation as well. The web site should provide a clear
message that younger people are welcome and the clothes are appealing. However, you do not
want to go so far as to alienate the older audience, for whom you'll still be carrying traditional
clothing.
You might develop a handful of personas to help with this process.
    • Mike, a 23-year-old recent college graduate, who is 6 feet 5 inches tall and wears a size
        14 shoe. He needs some new clothes for his new job working at a bank. (This is a very
        typical persona for the site.)
    • Sam, a 46-year-old doctor, who is 6 feet 4 inches tall and wears a size 15 shoe. He has
        shopped at this store for years and buys most of his clothes there. (In this case, Sam
        represents a target audience you do not want to alienate as you try to expand your
        market to the younger crowd.)
    • John, 20, is 6 feet 7 inches tall and works as an assistant manager at a restaurant. He
        wants casual clothes to wear after work. (This might represent part of that new market
        you want to attract.)
    • Sally, 23, is looking for clothes to give her boyfriend, Jack, 24. (Sally represents an
        atypical customer, but an important one, because women frequently spend money on
        clothes for the men in their lives.)

You might then develop the following story about each of these personas and what they want
to accomplish on the web site:
Mike finishes up work at the bank at 5 p.m. He looks down at his old, scuffed loafers that he has
been wearing since high school. He really needs some new shoes for this new job, but finding a
size 14 anywhere in the usual stores was so hard. Mike opens Google and types, "men's shoes
size 14 Nashua, NH" into the search box. It pulls up one result, a big-and-tall store a few miles
away. Mike wonders whether this store is like all the other big-and-tall stores, featuring clothes
for his dad. He works at a bank, but he really doesn't want to dress like he was 50.




How would you finish this story? The preceding describes exactly the kind of person you would
like to visit your store. To get him in the store, you must make sure your store can be found in
Google, and you must communicate that it's "not just your father's clothes" at this particular
store.
How can we make this web site appeal to Mike, and therefore, convince him to drive over to
the store after work for a look around?
    • Show some pictures of some more modern-looking shoes that could be worn to work and
        would appeal to younger men. You might have younger models showing the clothes to
        reinforce the message.
    • Make it clear that large-size shoes are available.
    • Feature store hours, address, and directions (note that Mike is going there after work one
        night).

Mike's goal is to make sure there's a shot that the shoes he needs are available at this
store. If he sees clues on the site that the store can help him, he's likely to take a look.
On the flip side, think about how this imagery and message would impact Sam, the 46-year-old
longtime customer of your store. If the shoe styles offered aren't classic, will this be a turnoff
for Sam? Is Sam really an important audience for the web site, though? Sam has been going to
this store for years already, and he probably has a good feel for what's offered. Sam probably
won't make buying decisions based on what's on the web site, but maybe you need to keep him
in mind for organizing the store.

MEASURING SUCCESS

Rarely do clients think about how they will measure whether a web site is successful. Many
think that if the web site looks pretty (to them), and it's completed and launched, the visitors
will just come. And if they don't come, the problem is search engine optimization! There's
nothing flawed with the overall premise of the web site, or how it was built, or whether the
technology is really addressing problems that need to be solved. And if visitors do come, well,
the site's successful, isn't it? Maybe. It depends, doesn't it? Success can be measured in many
different ways. Some ways are very tangible ("we reduced tech support phone calls by 10%,"
"online purchases increased by $500 per week"), whereas others are much less tangible ("I
don't feel embarrassed to send people to my web site anymore"). Some goals might be based
on the web site itself (increasing visitors' time spent on the site, the number of contact forms
completed and sent in, or the number of newsletter subscriptions).




Measuring the success of a web site merits a whole book by itself, and I have only a few
paragraphs. Suffice it to say that the success of the site should be defined upfront, as you
define what problems the web site will solve:
    • The problem I'm trying to solve is ...
    • I intend to solve it by ...
    • I'll know it's solved if the following happens ...

Answering these questions now gives you a non-emotional, fact-based method of determining
whether you've achieved your goals. Preferably, it's also measurable, as in the earlier examples.
Sometimes it's not measurable - being able to send people to your web site without making
apologies for how bad it looks is certainly a positive benefit, even if you can't measure it.

Perhaps a goal was to drive more traffic to the web site. Many people decide whether a
problem like this is solved by measuring web traffic via Google Analytics. Clients should have
clear goals as to what kind of traffic they're looking for, though! Getting traffic to a web site is
easy. Just add some talk about the latest pop stars or a few dirty words, and traffic will
miraculously arrive. Unfortunately, these visitors are not likely to buy something, call the
business, or sign up for a newsletter. So be sure that when you talk about "driving traffic to the
web site" with clients you're clear about what kind of traffic they want and what they want
visitors to do when they get there - the goal is qualified traffic that is interested in what the
business has to offer.
To learn more about measuring success and using Google Analytics to help measure that
success, research the field of web metrics. A good place to start is the Web Analytics
Association (www.webanalyticsassociation.org), founded by Jim Sterne, one of the leaders in
the field of web metrics.

ASSEMBLING THE DEVELOPMENT TEAM

Back in the mid-1990s, as the commercial Web was emerging, there was the web master. The
web master did everything where a web site was concerned, including setting up a server,
applying security patches, installing software, writing HTML, and running the web site.

Now, more than 15 years later, sites no longer have a web master. The Internet has exploded,
as have systems and processes pertaining to it. Knowing everything about server configuration,
programming and scripting languages, HTML and CSS, and databases, not to mention graphic
design, project management, search engine optimization, and content writing is impossible.
Web masters have moved to areas of specialization. Every day, newly minted freelancers enter
the marketplace, ready to build web sites for a living. As a freelancer, you can make a
reasonable living building small web sites. You probably have an area of specialization. Maybe
you're a Flash whiz, or you do amazing graphic design, or you can make any CSS cross-browser-
compatible.
Ultimately, though, you are not good at doing some things, and some things you do not enjoy
doing. These instances are where the development team comes in. You can find freelancers to
help in a wide variety of areas. I regularly hire help for:
    • Graphic design
    • Content writing
    • Coding with Flex and Flash
    • Coding with PHP and MySQL, particularly Joomla extension creation and modification
    • Search engine optimization
    • Video and audio creation and editing

If a client is looking for a completely custom template (not an off-the-shelf template), some
help getting content written, and a custom contact form, I know that I need to hire a graphic
designer and a content writer. I can probably take care of the custom contact form myself,
using a Joomla extension, and I'll do the coding for the custom template, once the design is
defined. To get that done, I call the graphic designer and the writer, and I get quotes from both
of them for the work. I add a little bit to each price (called markup), because I'll need to do
some project management along the way, making sure they've done their jobs correctly and
completely. Then I add the cost of my own time to that quote and send the whole thing to the
client. The client pays me for all work on the web site. My graphic designer and writer are
subcontractors, and they bill me for the work they complete. I pay them with the money from
the client.

Working with subcontractors means that you can expand the range of services you provide. For
example, if a custom extension is required as part of the job, you don't have to turn the job
down because you're unable to provide that part of the work. It also means you do not have to
hire this expertise as an employee, which would mean continually finding new work for that
employee and giving him or her a steady paycheck. Hopefully, you'll cultivate a relationship
where your subcontractors will also hire you for their own projects.

Cultivating a network of subcontractors does mean you must spend some time networking and
getting to know your fellow web developers and designers. A great way to do that is to attend a
local Joomla user group meeting. Don't have a local user group? Start one up yourself (see
Joomla's community web site, community.joomla.org, for more details). You can also network
online via the Joomla forums or other developer groups around the Web. Your local Chamber of
Commerce may sponsor some networking events, or you might have other user groups in your
area (such as an Adobe user group, a PHP user group, or some other computer-related group).

After you hire a subcontractor, you'll want to get a signed agreement in place that defines,
among other things, what he will produce for you, the timeline, and how much you're going to
pay him. Getting a clear specification from the client about what's involved is important, so that
your subcontractor can give you a fixed price for the job. I recommend staying away from open-
ended hourly rates, because they can get out of control quickly. If you go with an hourly rate,
be sure to specify an upper limit for the price charged for the work. Be sure to specify a
schedule for production as well, so the subcontractor knows exactly what he needs to produce
and by what date.



Subcontractor relationships can be risky. Despite their best efforts, people sometimes get sick.
They also sometimes go on vacation or get swamped with other work to do. They have
competing interests in their lives, like families and hobbies. Remember that you, as the
contractor, are ultimately on the line for the work you have agreed to do for your client. Make
sure your subcontractors are reliable and do high-quality work. Be sure to talk to their clients
and get recommendations from other contractors.
Also, you want to have at least two people to work with in each area where you need help.
Sometimes your favorite subcontractor isn't available for one reason or another.


Web Servers
Definition:
A Web server is a computer that is set up with software and networking capabilities to deliver
Web pages on the Internet or an Intranet. Web servers use programs such as Apache or IIS to
deliver Web pages over the HTTP protocol.
What is a web server? Do you know how a web page appears in your browser when you
open it? Do you know where the images or audio in a web page come from?
They all come from web servers. A Web server is a piece of computer software
that can respond to a browser's request for a page, and deliver the page to the Web browser
through the Internet. When you call a web page by its address, the URL, for example,
http://www.macronimous.com/default.asp, then what happens exactly between your
computer and the web server where the site is hosted? Let us discuss everything you want to
know about a web server in this article.



The Browser - web server communication
    •   If you call the URL (Uniform Resource Locator)
        http://www.macronimous.com/default.asp in your browser, the browser will split it up
        into three parts:
           •   The protocol, http (Hypertext Transfer Protocol),
           •   The server name where the site is hosted, and
           •   The web page under the site, default.asp.
    •   The browser will communicate with a name server to translate the server name
        "www.macronimous.com" into an IP (Internet Protocol) address, which it uses to
        connect to the server machine.
    •   Then the browser will form a connection to the server at that IP address on port 80.
    •   Following the HTTP protocol, the browser sends a GET request to the server, asking for
        the file "http://www.macronimous.com/default.asp".
    •   Since the browser can understand only HTML tags, the web server will interpret the
        server-side scripting and will send the files in HTML format to the browser. For example,
        an IIS web server can interpret ASP scripting and will send the result to the browser as an
        HTML file.
    •   Then the browser will interpret the HTML tags into formatted web pages, as you see in the
        browser.
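The steps above as an added example (not part of the original tutorial): it splits the tutorial's URL, builds the GET request without sending it, and parses a constructed response. Note that the request line carries only the path, with the server name in the Host header. The function names and the sample response are assumptions made for this illustration, and name resolution is skipped so the code runs offline.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample: what a server might return after interpreting default.asp.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"<html><body>Guest book</body></html>\r\n"
)


def split_url(url):
    """Split a URL into what the browser needs: protocol, server, port, page."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not an http(s) URL: {url!r}")
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port or DEFAULT_PORTS[parts.scheme],
        "path": path,
    }


def build_get_request(url):
    """Return the bytes of the GET request for url; nothing is sent."""
    u = split_url(url)
    # The port appears in Host only when it is not the default for the scheme.
    host = u["host"]
    if u["port"] != DEFAULT_PORTS[u["scheme"]]:
        host += f':{u["port"]}'
    lines = [f'GET {u["path"]} HTTP/1.1', f"Host: {host}", "Connection: close", "", ""]
    return "\r\n".join(lines).encode("ascii")


def parse_response(raw):
    """Split a raw response into (status code, lower-cased headers, body)."""
    head, _sep, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    code = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _colon, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return code, headers, body


def leaks_server_side_source(body):
    """Heuristic: True if the body still contains ASP or PHP script delimiters,
    meaning the server sent the script itself instead of interpreting it."""
    return b"<%" in body or b"<?php" in body


if __name__ == "__main__":
    url = "http://www.macronimous.com/default.asp"
    print(split_url(url))
    print(build_get_request(url).decode("ascii"))
    code, headers, body = parse_response(SAMPLE_RESPONSE)
    print(code, headers["content-type"], leaks_server_side_source(body))
```

A response body that still shows `<%` or `<?php` means the server is handing out script source, which often includes database credentials.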
Static and Dynamic pages
A web server helps people create both static and dynamic pages. All HTML pages (with or
without client-side scripts) are static, meaning the HTML files are sent to the browser without
any intervention by the web server. But when you write a server-side script to make the site
dynamic, the web server is what makes the dynamic page possible. For example, if you write a
GuestBook in ASP, then a web server, here IIS, is needed to interpret it.
The web server is actually processing information and generating a page based on the specifics
of the query.


What else can a web server do?
A web server can provide security for your pages to some level. A web server with SSL (Secure
Sockets Layer) can give you more protected pages, where you can do secured file transactions
like credit card processing. As we previously said, web servers can run your server-side scripting.
Here is a list of some web servers and the server-side scripts they can run.



Apache - HTTP Web Server
A free, fully configurable Web server. One of the most popular servers available. These links will
help you install Apache, use Apache, and find other Apache developers.

Microsoft Internet Information Services
Microsoft Internet Information Services or IIS is one of the most popular commercial Web
servers available for the Windows Server OS. IIS offers functionality and scalability on the
familiar Windows operating system.
Internet Information Server 5.0 - ASP, ASP.NET, CGI, Python, PHP
Apache - PHP, CGI/Perl, Python
Tomcat - CGI/Perl, JSP, Servlets, JavaBeans
iPlanet - JSP, Servlets, Enterprise JavaBeans
Chilisoft - ASP
Go web server - LotusScript

Web Servers List
Here is a detailed and updated list of the most important and popular web servers:
Apache web server - the HTTP web server
Free and the most popular web server in the world, developed by the Apache Software
Foundation. Apache web server is open source software and can be installed and made to
work on almost all operating systems including Linux, Unix, Windows, FreeBSD, Mac OS X and
more. About 60% of the web server machines run the Apache web server; refer to the web server
usage statistics from Netcraft.


Apache Tomcat
Apache Tomcat has been developed to support servlets and JSP scripts. Though it can serve
as a standalone server, Tomcat is generally used along with the popular Apache HTTP web
server or any other web server. Apache Tomcat is free and open source and can run on
different operating systems like Linux, Unix, Windows, Mac OS X and FreeBSD.

Microsoft Windows Server 2003 Internet Information Services (IIS)
IIS for the Windows Server 2003 operating system has been developed by the software giant
Microsoft. It offers higher levels of performance and security than its predecessor, the
Windows 2000 server. It also comes with good support from the company and is the second
most popular server on the web.


lighttpd
lighttpd, pronounced "lighty" (don't ask me why), is a free web server that is distributed with
the FreeBSD operating system. This open source web server is fast, secure and consumes much
less CPU power. lighttpd can also run on Windows, Mac OS X, Linux and Solaris operating
systems.


Jigsaw
Jigsaw (W3C's Server) comes from the World Wide Web Consortium. It is open source and free
and can run on various platforms like Linux, Unix, Windows, Mac OS X, FreeBSD, etc. Jigsaw has
been written in Java and can run CGI scripts and PHP programs.


Klone
Klone, from KoanLogic Srl, includes a web server and an SDK for creating static and dynamic
web sites. It is a web application development framework especially for embedded systems and
appliances. No additional components are required when using Klone; thus, one can do away
with an HTTP/S server or the active pages engine (PHP, Perl, ASP).


Sun Java System Web Server
This web server from Sun Microsystems is suited for medium and large web sites. Though the
server is free, it is not open source. It does, however, run on Windows, Linux and Unix platforms
(at the time of writing the Mac OS X and FreeBSD operating systems were not supported). The Sun
Java System web server supports various server-side languages and technologies such as JSP,
Java Servlets, PHP, Perl, Python, Ruby on Rails, ASP and ColdFusion.

Xitami web server
Xitami is a free, open source web server developed by iMatrix Corporation. FYI, Xitami is iMatrix
spelled backwards. Development stopped after version 2.5; however, it remains
popular on small networks. The server is not the fastest on the market but has a small footprint
and is available for Windows, Linux and Unix platforms.


Zeus web server
The Zeus web server runs on Linux and FreeBSD operating systems. It has been developed by
Zeus Technology Ltd. and is known for its speed, reliability, security and flexibility. The web
server is used on some of the busiest web sites of the world, including eBay. Zeus web server is
not free and costs more than a thousand pounds.
For further information, refer to the web server comparison on Wikipedia and Basic web servers on
the World Wide Web Consortium web site (this list is outdated - that's why I have this article).




XAMPP Installation




2.1 Xampp installation
1. Go to the working file that has already been copied to your workstation.
2. Double click on the xampp-win32-1.6.7-installer.exe installer icon.

3. Choose English as your selected language and click OK.

4. The Xampp 1.6.7 win32 installer window will appear; click Next.




5. Select the destination folder, C:\ or D:\ or any other destination folder required. For today’s class,
select only drive C:\ or D:\. Then click the Install button to proceed with the installation.

6. Tick the checkboxes to install a xampp directory icon and xampp start menu, and also to install
Apache and MySQL as services.

7. A Win32 message will appear to check on the ports available.




and Apache are installed successfully! Click on Finish Button to continue.




8. Click OK to finish configuring setup and Yes button to start the Xampp Control Panel.




9. Make sure the Apache and MySQL services are running. If not, please click once on the
Start button.

10. Open any browser (Internet Explorer, Mozilla Firefox, Opera, etc.) and type in
http://localhost; the xampp start-up page will be displayed. This means you are now successfully
running your web site without accessing the Internet, which is what web developers call local
hosting! If the page is not found or there is an error, check your installation settings again.




Running XAMPP & Configuring Database (phpMyAdmin)

1. As in the previous step, once the web server and the database server are running, you can access
your server through your web browser at http://localhost/. Click on English as your
selected language; you will then be directed to the XAMPP Control Panel.
Note: The next time you run XAMPP (after you have made your language selection), you will
automatically be directed to http://localhost/xampp after typing in http://localhost/.




3. Whenever you build a website, the first thing that a web developer should consider is
the security of the database. Therefore, leaving your XAMPP Control Panel and your
phpMyAdmin without a password is not advisable. Without a password, your database can
simply be viewed by anybody locally, or by anybody who knows your IP address, simply by typing in
http://localhost/ or http://(IP address) or http://localhost/phpmyadmin/. Try typing these in
yourself! Here are the steps that need to be taken care of before we proceed to our next
lesson.
4. In the left column, under the Tools menu, click on Security; a new window will pop up showing the
security status of your local server and databases.

3. As you can see, the top three (3) subjects appear as “UNSECURE” (in red) and need
to be changed to “SECURED” for security purposes. The other three subjects are not critical in this
lesson.
4. To fix the problems, click on the link http://localhost/security/xamppsecurity.php just
beneath the security status box.




5. MYSQL Superuser secures access to your phpMyAdmin page and your
database, while XAMPP DIRECTORY PROTECTION secures the http://localhost/ or
http://localhost/xampp/ home screen. For class tutorial purposes, enter the information as
below:
        New Password: p@ssw0rd
        Repeat Password: p@ssw0rd
        Leave the PhpMyAdmin authentication set to cookie
        Tick (√) the “Safe plain password in text file?” box
        Click on Password Changing
You will then get a message saying that the password has been changed.
TIPS: Saving your password in a plain text file gives you an easy way to look up
the configured password if, say, one day you forget it after changing the password
more than once. The password is saved in a .txt file located on the C:\ or D:\ drive,
e.g. D:\xampp\security\security\mysqlrootpasswd.txt

6. Repeat the same step for XAMPP DIRECTORY PROTECTION
        User: joomla1.5
        Password: p@ssw0rd
        Leave the PhpMyAdmin authentication set to cookie
        Tick (√) the “Safe plain password in text file?” box
        Click on Make Safe the XAMPP directory
TIPS: You can look up all the saved particulars at these paths:
D:\xampp\security\xampp.users
D:\xampp\htdocs\xampp\.htaccess
D:\xampp\security\xamppdirpasswd.txt

7. Close the Security console MySQL & XAMPP directory protection window. Your
phpMyAdmin and XAMPP Directory are now password protected!




Creating a Database




Before Joomla! is installed on your localhost, one more thing you need to do is create a
database, so that there is no problem during the Joomla! installation. Now, let us go step by
step through how to create a database in the Database Manager.
Tips: You will need to create a new database for each separate website. If the websites use the same
information and database, then you do not need to create a new one.

1. Re-open the XAMPP Control Panel window or type in http://localhost/ if you closed the
window earlier. This time a box pops up asking for a
username and password. Remember the XAMPP Directory protection? Now enter the User:
joomla1.5 and Password: p@ssw0rd to access the page.




2. In the left column Tools menu, click on PhpMyAdmin to launch the database manager. You will
be asked again for the password to access the database manager. Remember the MySQL root
password? Enter the Username: root and Password: p@ssw0rd.

3. The figure below shows the phpMyAdmin home screen. In the middle of the page, there is an
option to create a new database. In the first box, type in j15. In the collation drop-down menu
select utf8_bin, because this is the standard that Joomla! uses.



4. Click Create to create a new database.




5. The figure above shows that a new database named j15 has been created!




Introduction to Joomla!




Introduction To The Joomla Content Management System
Joomla! is one of the most powerful Content Management Systems on the planet. It is used all
over the world for everything from simple websites to complex corporate applications. Joomla
is easy to install, is simple to manage, and reliable, and offers the perfect balance of power,
flexibility and ease of use. It is Open Source and free. In this, the first in a series of introductory
articles we try to answer some of the Frequently Asked Questions when we first tell people
about Joomla.

What is a Content Management System - How will it help me?
A Content Management System separates the design and management of your website and site
navigation from the process of entering (and displaying) your content. If you have ever built a
website that ran to more than 10 pages you have probably run into the problems associated
with adding new pages, or groups of new pages. It becomes difficult to add to the menu of
every existing page. A Content Management System handles the menus, breadcrumbs and any
other navigational aids for you. This leaves you (and your team) free to concentrate on your
writing.
If you ever decide to change the look and feel of the whole site - then you have a really large
job on your hands. With a Content Management System or CMS the site is driven by templates
into which your content is inserted on the fly. In this way the entire look of your site can be
changed with the press of a button.

Any other reasons why a Content Management System like Joomla is the way to go?
Indeed there are. Because a CMS works in a dynamic manner, retrieving your writing from a
database and incorporating it into your current template to build your page, there are other
things it can do while it is at it. Your main content is integrated into the 'central' part of the
page but around the periphery of the page other 'modules' can be carrying out related tasks.
Lists of 'most popular', 'most recent' or 'related' articles can be integrated into your page, polls
allowing people to vote on issues, newsletter sign-up can be integrated. There are modules for
PayPal donations, etc.
How much will Joomla cost me?
Until recently a CMS like this would have cost you / your organisation thousands of pounds.
Thanks to the Open Source movement, and to the hard work of a committed bunch of
developers at Joomla.org you can now make use of a fully functioning CMS for FREE. Of course
it will cost you if you pay someone else to build a Joomla powered site, but we are quite
reasonably priced.




My organisation wouldn't dream of using a free product - how can we expect support when
we experience problems with Joomla?
This is a legitimate business concern. Unlike individuals, who generally prefer low cost but can
spare their own time to trouble-shoot problems, we understand that businesses need support
services that are reliable, and offer speedy response times. If you are interested in trying out
Joomla, but need to know that there is help available then we can help. We offer a number of
service contracts that will aim to keep you on top. Our staff are well known on the Joomla
forums - offering free assistance where we can, and building up a reputation for respectful co-
operation and friendly assistance. Many of the FAQs were either written by us or contain
contributions by us, and we participate in testing new Joomla releases as well as developing
components and modules that extend the functionality of Joomla.
Whether you are trying out Joomla with a view to using it for a corporate site or for your own
one man website you will be amazed at the flexibility and control that Joomla affords. Of course
with such power comes a little complexity. People who have never created a website before, or
who have never installed scripts on a server before may find the learning curve is steep.

If I know nothing about HTML, CSS, Javascript, PHP, Apache web servers, FTP, can I still use
Joomla?
The Joomla website contains many helpful resources for anyone struggling.
The documentation section: http://help.joomla.org/
The Support Forums: http://forum.joomla.org/

Can I try it out? Where can I 'play' with Joomla?
There is a demonstration installation that can be 'played' with at
http://demo.joomla.org/ or http://demo.joomla.org/1.5/
username: admin
password: admin
Of course the extent to which you can tweak someone else's installation is very limited. To truly
explore Joomla you would need to install your own copy and take full control.

Where can I find help and support for Joomla?
You can always find help, extensions, tutorials and forums regarding Joomla! on these websites:
http://www.joomla.org
http://extensions.joomla.org
http://www.joomla-my.org/
http://www.joomlamalaysia.org/web/
http://www.joomla-my.org/forums/
http://joomlaforbeginners.com

Okay, you've got my interest - what is my next step?
Download the latest version of Joomla
Install the latest version of Joomla!




Joomla! 1.5 Installation




1. Unpack the Joomla zip given to you in the working file (JOOMLA_KIT) folder to an
easy-to-find folder on your PC. There are two ways of doing this.
A. (Extract to your desktop, then transfer to the xampp/htdocs folder)
      I.    >Unzip the package to your desktop
     II.    >There will be a folder on your desktop titled Joomla_1.5.15-Stable-Full_Package
    III.    >Rename the folder to j15
     IV.    >Cut or copy the folder and paste it to where your XAMPP folder is installed.
            For example: D:\xampp\htdocs\j15

B. (Extract straight from your working file toolkit to the xampp/htdocs folder)
      I.    >Go to D:\xampp\htdocs, create a new folder and name it j15
     II.    >Double click on the zipped folder of Joomla_1.5.15-Stable-Full_Package and
            unzip/extract it to the j15 folder created earlier: D:\xampp\htdocs\j15




2. Go to the web browser > Type in http://localhost/(foldername). In this class tutorial, type in
http://localhost/j15. You will then be directed to http://localhost/j15/installation/index.php,
which is the Joomla! Web Installer page. Select English as your language and click Next.
Tips: The Joomla! Web Installer page will only appear once (the first time after you extract your
Joomla! package to htdocs). After the installation is successful, you can view your installed Joomla!
website at the path http://localhost/foldername




3. For the Pre-Installation Check, make sure that everything is stable and is green in color. In
this step, Joomla! automatically checks your server’s settings to determine if it meets the
minimum requirements and if it has the recommended settings for optimal performance. If any
of the requirements listed on the top half of the page says “No”, that means your server does
not meet the optimal requirements to install Joomla!

4. Click Next to accept the license.




5. For Database Configuration, insert these particulars to avoid errors:
        Select mysql as Database Type
        Host Name: localhost
        Username: root
        Password: (Your MySQL Database Password (phpMyAdmin))
                 (In this class it should be p@ssw0rd)
        Database Name: j15

Note: There is no need to fill in the Advanced Settings; just leave them as displayed. Advanced
settings are only valid if a website needs its backup from certain tables from any previous
database.

6. Click Next to proceed. If an error occurs, go back and check again the Username, Password
and Database Name keyed in earlier.




7. Click Next for FTP Configuration. Configuring FTP is skipped in this class, as
the Department does not allow FTP for Joomla-developed websites.




8. Type in Kursus Joomla for Site Name
>Type in your email address
>Password : n0p@ss
>Confirm Admin Password : n0p@ss

9. Click on the Install Sample Data button > The message Sample Data Installed Successfully will then appear
Tips: It is crucial for you to type in your email address and make sure it is usable. Do not type in
abc@yahoo.com or any dummy email, as it will affect your SMTP later on if you have installed
any components/modules/plugins that need an email address.




10. Congratulations! You have now successfully installed Joomla! on your local server with 10
easy steps!!!!




11. Note that you have to remember to remove/delete the installation files in the htdocs
directory, as leaving them there will allow hacking attempts in the future!
To view your website > Click on Site or go to http://localhost/j15/
To view the Administration Page > Click Admin or go to http://localhost/j15/administrator/
(note that your default ID for the Administration Page is admin)
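A file-system check for the cleanup this step and the earlier XAMPP security steps call for, as an added example that is not part of the original tutorial. It flags the Joomla installer folder, the plain-text password files written by the “Safe plain password in text file?” option, a missing XAMPP directory protection file, and a Joomla configuration that connects to MySQL as root. The tree it runs on is constructed in a temporary folder; the account name j15_app and the `var $user` line in configuration.php are assumptions.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Paths relative to the XAMPP root, as given in the tutorial's TIPS.
PASSWORD_FILES = [
    "security/security/mysqlrootpasswd.txt",
    "security/xamppdirpasswd.txt",
]
HTACCESS = "htdocs/xampp/.htaccess"
# Assumed configuration.php style: var $user = 'root';
DB_USER_RE = re.compile(r"""\$user\s*=\s*['"]([^'"]*)['"]""")


def audit(xampp_root, site="j15"):
    """Return a sorted list of findings for the XAMPP tree at xampp_root."""
    root = Path(xampp_root)
    site_dir = root / "htdocs" / site
    findings = []
    for rel in PASSWORD_FILES:
        if (root / rel).is_file():
            findings.append(f"plaintext password file present: {rel}")
    if not (root / HTACCESS).is_file():
        findings.append(f"XAMPP directory protection missing: {HTACCESS}")
    if (site_dir / "installation").is_dir():
        findings.append(f"Joomla installer still present: htdocs/{site}/installation")
    config = site_dir / "configuration.php"
    if config.is_file():
        match = DB_USER_RE.search(config.read_text(errors="replace"))
        if match and match.group(1) == "root":
            findings.append("Joomla connects to MySQL as root")
    return sorted(findings)


def build_tutorial_tree(xampp_root, site="j15"):
    """Constructed sample: the state of the tree right after step 10."""
    root = Path(xampp_root)
    for rel in PASSWORD_FILES + [HTACCESS]:
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("constructed sample content\n")
    site_dir = root / "htdocs" / site
    (site_dir / "installation").mkdir(parents=True)
    (site_dir / "installation" / "index.php").write_text("<?php // installer\n")
    (site_dir / "configuration.php").write_text(
        "<?php\nclass JConfig {\n  var $user = 'root';\n  var $db = 'j15';\n}\n"
    )


def clean_up(xampp_root, site="j15", db_user="j15_app"):
    """Remove the leftovers. db_user is a hypothetical MySQL account that must
    already exist with rights on the site's database only."""
    root = Path(xampp_root)
    shutil.rmtree(root / "htdocs" / site / "installation", ignore_errors=True)
    for rel in PASSWORD_FILES:
        (root / rel).unlink(missing_ok=True)
    config = root / "htdocs" / site / "configuration.php"
    config.write_text(DB_USER_RE.sub(f"$user = '{db_user}'", config.read_text()))


def demo():
    """Audit the constructed tree before and after clean-up."""
    with tempfile.TemporaryDirectory() as tmp:
        build_tutorial_tree(tmp)
        before = audit(tmp)
        clean_up(tmp)
        after = audit(tmp)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", *before, sep="\n  ")
    print("after:", after)
```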




A fully Installed default Joomla! Website


                               The Administration Page
To Login >> Username > admin
          Password : n0p@ss




Website layout / wireframing

Before creating the website, define your objectives and needs. Imagine your website layout and
wireframe, for example the wireframe in the image below.




And your website at the end will look like this.




Website Global Menu
   1. Home
   2. Product
           a. Gold
           b. Red
           c. Green
   3. Company profile
   4. Event
           a. News
           b. Activity
   5. Site map

The Administration Page




To Login >> Username > admin
           Password : n0p@ss
Introduction to administration Toolbars




User Management
Next, the super administrator can manage the web development team, so that each assigned user
can edit depending on the access level controlled by the super administrator. To do so, the super
admin needs to create logins for them.

1. First, go to http://localhost/kursusjoomla/administrator and log in with the username
“admin” and the password you specified during the installation. If you are already
logged in, go to the “Site” menu and select “Control Panel.”


2. Click on “User Manager:” Click user manager button in control panel.
3. Click on “New” from the Joomla! toolbar.
4. Enter details for each user you wish to create. The hierarchy of the users is as follows:




5. Press “Save” when you are done creating each user.

**Users can also be added from the login form on the website.


Installing Extensions

When using Joomla you can easily extend the functionality of your website by adding
Joomla extensions. There are many types of Joomla extensions you can add to your Joomla website, such as
components, modules and plugins, which allow you to change the looks and/or functionality of your
website.

How to install Joomla 1.5 extensions?
For the purpose of this tutorial we'll install the VirtueMart component for Joomla 1.5. Follow the
steps below to complete the installation:
Step 1. Download VirtueMart from the official website. Make sure you download the complete
package for Joomla 1.5.
Step 2. Go to your Joomla admin area > Extensions > Install/Uninstall.




Step 3. In the Upload Package File section click Browse and locate the VirtueMart archive.

Step 4. Click Upload File & Install to upload the file and complete the installation.
Step 5. Some components, including VirtueMart, need an additional step in order to complete their
installation. In the case of VirtueMart you should choose whether to install sample data or not. Let's
install it by clicking the Install SAMPLE DATA >> button.




This will complete the VirtueMart installation and you will be able to manage it from the
Components menu > VirtueMart.
You will be able to install any other component/module/plugin/theme for Joomla 1.5 following the
same steps.
Please note that components built for Joomla 1.0.x cannot be installed on Joomla 1.5 unless
Legacy mode is enabled. More information on how to install Joomla 1.0.x components to Joomla 1.5
is available in our Knowledge base.

System legacy

Turn on system legacy (1.0 – 1.5)




How to remove Joomla 1.5 extensions

You can remove extensions in Joomla 1.5 from the admin area > Extensions > Install/Uninstall.
Depending on the type of extension you wish to remove, you should click on one of the following -
Components, Modules, Plugins, Languages, Templates.
Then from the available extensions select the one you want to uninstall and click the Uninstall button.
This will remove the extension from your Joomla installation.




Templates Overview

Templates allow you to define the look and feel of your Joomla! website. Joomla! ships
with two default templates, but many more, free or paid, can be found on Joomla template
websites. Refer to your wireframe to find a suitable template (a Joomla 1.5 template with 3
columns).

1. From the “Extensions” menu, select “Template Manager.” The template selected with the
star is the current template. To change to a different template, select the template you wish to
use and click on “Default.” For this website, the “rhuk_milkyway” template will fit well.

2. To install new templates according to your needs: Extensions > Install/Uninstall

3. Browse file > Upload File & Install

4. Change the default template from rhuk_milkyway to estime_redberry: click the radio button > Default




   6. Take a look to see how the look and feel of the site has changed:




   7. To preview the template, click the button. You can preview and edit the HTML and CSS code. Try
      clicking each button.
   8. Preview the website to see the positions determined for the website layout.




Edit Template
   1. Manage Banner
         a. Design the banner in Adobe Photoshop using the existing banner size and replace the
            original.
            Check the path D:\xampp\htdocs\kursusJoomla\templates\estime_redberry\images




On, off, create and rearrange module




1.    Edit top menu and set home as default
      Menus > top menu > new > Internal page > articles > front page blog layout > Title =
      Home > change parameter (basic) > change parameter (system) > save > set home as
      default




          2. Change other menu


Left module
   1. Product menu ( link article)


1.1 Click new > custom html radio button > next > key in as in the figure
    below > save > notice the changes by previewing the website.




1.2 Calendar (calendar module) - install the calendar module
1.2.1 Extensions > install > browse mod_minicalendar_joomla_v1.07.zip > upload file / install

1.2.2 Place the module
2. Turn off unnecessary modules: module manager > position > left > disable module
3. Rearrange the modules: order > save




Insert media (image / flash )
   1. Define position – user 6
   2. Install module: extensions > install > browse > mod_smooth_gallery_camp26_j15.zip >
      upload file / install
   3. Manage pd_smoothgalley: module > refer to the figure below




   Advance parameter




4. Copy the gallery folder from the desktop to the image path.
5. Preview by refreshing the website. Make sure Flash Player is installed on your computer.




Top Module
Replace the newsflash with promotion
      1. In module manager > position > top

Click news flash > change to promotion.




      2.

Right Module


 1.        In module manager > position, choose right
 2.        Disable random image and advertisement
 3.        Create your own poll

           3.1 Component > poll > change poll content > edit / add new




3.2 Preview web to see the changes




Manage news

 1. Menu > top menu > click home > change parameter basic (1,1,1,0) > change parameter
    system (page title: your company slogan) [see figure]




2. Notice the changes
   2.1 Page title



   2.2 Two news items published on the front page




Site Map (Component)
   1. extensions > install > browse > joomap component > install

   2. component > samSitemap > enable top menu




3. Manage site map menu
   menus > top menu > site map > change type > select menu item type > joomap > save




4. Preview website and click site map menu




Media Manager Overview


The media manager is where all images are stored for your site, except for any images you
might choose to associate with your template. It is also the place you store other files you might
use on your site, such as PDFs, word-processing documents, spreadsheets, presentations and
more. The media manager is comprised of two tabs: Thumbnail View and Detail View (see
Figure 1).




Figure 1




Create Folder
At the top of the main Media Manager screen, you can see a path to the current location as
shown in Figure 2. At the end of that location is a blank field, followed by a Create Folder
button. You can simply fill a name in that blank field and click the button to create a new folder.




Figure 2


Naming Folders, Images and Documents
There is no restriction on names, but giving proper names will make it easier for you
to search for any folders or documents on the server.
Please don’t leave any blank space between two words. The best way to name a file is to put an
underscore (“_”) between the words. For example, a file named “maklumat korporat” should be
named “maklumat_korporat” before you upload it to the server.




Uploading Images and Files
At the bottom of the Media Manager screen, as shown in Figure 3, there is a box to upload an
image or another kind of document. You can upload only one image or document at a
time.
To upload a file, simply click the Browse button to find the file on your hard drive. Then click the
Start Upload button to start uploading the file to the server.
The file will upload to the folder displayed in Media Manager. So, for example, if you go into the
fruit folder and start a file upload from there, it would upload to the fruit folder.
Note that right above the upload box, it tells you the maximum file size for uploading, which is
10MB by default.




Figure 3
Delete Folders, Images and Documents
To delete any folders, images or documents, you just have to click on the delete button (red
colour). You cannot undo this action.




Content Management
Understanding Joomla!’s Content Structure
Joomla! has a fairly rigid content structure. The top level of the hierarchy is a content section.
Sections do not contain articles directly, but rather they contain the next level in the hierarchy:
categories. Categories contain articles, and each article can belong to only one category.
If an article does not require categorization, it can be set up as an uncategorized article, which
(confusingly enough) simply means that it is categorized in the uncategorized category.


Sections
A section is the highest level in the Joomla! content organization hierarchy. Sections contain
categories, and categories contain articles. For example, a section might be something like
“Automobiles”, and it would contain categories such as “Cars”, “Trucks”, and “SUV”.
Creating a section:
   1. Navigate to the section manager in your Joomla! administrator. You can access the Section
       Manager from the Control menu, as shown in Figure 4.




Figure 4
   2. In the Section Manager toolbar, click New to open the form to create a new section, which you
       can see in Figure 5.
   3. Enter a title for your section. This is a mandatory field.

   4. Enter an alias for your section. This is not mandatory, but if you do not enter an alias, one will be
       generated automatically.




Figure 5
   5. Set the value of Published to Yes if you want the section to be published, or set it to No if you do
       not want the section to be published.
   6. Select the access level of the section. Select Public if you want anyone who visits your site to
       view content in this section. Select Registered if you only want registered users to be able to
       access content in this section. Select Special if you want only users with at least author access to
       be able to access this section.
   7. Select an image that you want to be associated with this section. This is not a mandatory field.
   8. Select an image position. This determines how the image appears on the section page. This is
       not a mandatory field.
   9. Enter a description for the section. This is also not a mandatory field.
   10. Click the save button in the toolbar to save your new section and return to the Section Manager.
       If you want to save your new section, but remain in the section form, click the Apply button.




Categories
Categories are contained within sections, and categories contain articles. At this time, it is not
possible to assign the same category to multiple sections, assign multiple categories to a single
article, or contain categories within categories. Going with the previous example, the category
“Cars” might contain articles such as “Honda Accord”, “Toyota Camry”, and “Nissan Altima”.


Creating a category:
   1. Make sure you have at least one section in the system. Before you create a category, you must
       create at least one section to contain that category.
   2. Navigate to the Category Manager. You can access it from the content menu.
   3. Click New to open the form to create a new category which you can see in Figure 6. The new
       category form is almost identical to the new section form, with the addition of a Section drop-
       down list with which you can select a section to contain the category.




Figure 6
   4. Enter a title for your category. This field is mandatory.
   5. Enter an alias for your category. This is not mandatory, but if you do not enter an alias, one will
       be generated automatically.
   6. Set the value of Published to Yes if you want the category to be published, or set it to No if you
       do not want the category to be published.


   7. Select the section in which you want the category to reside.
   8. Select the access level of the category. Select Public if you want anyone who visits your site to
       view content in this category. Select Registered if you only want registered users to be able to
       access content in this category. Select Special if you want only users with at least author access
       to be able to access this category.
   9. Select an image that you want to be associated with this category. This is not a mandatory field.
   10. Select an image position. This determines how the image appears on the category page. This is
       not a mandatory field.
   11. Enter a description for the category. This is also not a mandatory field.
   12. Click the save button in the toolbar to save your new category and return to the Category Manager.
       If you want to save your new category, but remain in the category form, click the Apply button.

   Articles
   Articles are the main way that content is displayed in a Joomla! site. Articles can be organized
   into categories and sections, or they can be uncategorized.
   Creating an article:
   1. Navigate to the Article Manager in your Joomla! administrator.
   2. Once you are in Article Manager, click the New button in the toolbar to open the new article
       form. You can see the new article form in Figures 7, 8, 9 and 10.
   3. Enter a title for your article. This field is mandatory.




   Figure 7

4. Enter an alias for your article. This is not mandatory, but if you do not enter an alias, one will be
    generated automatically.
5. Set the value of Published to Yes if you want the article to be published, or set it to No if you do
    not want the article to be published.
6. Set the value of Front Page to Yes if you want the article to display in the Front Page view of the
    content component, or set it to No if you do not want it to display in the Front Page view.
7. Select the section to which you want the article to belong. You must select a section before you
    select a category, because selecting a section will pre-populate the Category drop-down list
    with categories that belong to that section. Selecting a section is mandatory, although you could
    select “Uncategorized” as your section.
8. Select the category to which you want this article to belong. Selecting a category is mandatory. If
    you select “Uncategorized” as your section, then “Uncategorized” is automatically selected
    as your category.
9. In the main text editor, begin to enter your content.
10. Click the Read more button below the content editor to add a breaking point in the article that
    separates introductory text from the rest of the text. You can add only one Read more separator
    per article. This is useful if the article is going into blog or news-style category or section
    because on the category or section page, only the introductory text is displayed and a Read
    more link is included to direct the reader to the rest of the article.




Figure 8
11. Add pictures to your article using the Image button below the main text editor. This button will
   pop-up a window that gives you access to the media manager, and thumbnails of each image in
   your images directory. With that, you can select an image, set its alignment, and add alternate
   text, a title, and a caption to the image, and the image will be then added to your article when
   you click the Insert button.




Figure 9
12. To add page breaks to your article, click the Page break button. You can add as many pages as
   you want.
13. In the right column, set your parameters and metadata information however you need them to
   be set. You can see an explanation of each parameter and metadata information in the Article
   Parameters, Advance Parameters, and Metadata Information tables.




Figure 10
14. Click the save button in the toolbar to save your new article and return to the Article Manager. If
    you want to save your new article, but remain in the article form, click the Apply button.



Uncategorized Articles
An uncategorized article is an article that has been categorized in the Uncategorized
category. Uncategorized articles are content items that do not fit into the hierarchy, but stand
alone in and of themselves. For example, you might have a simple About Us page that
doesn’t really fit neatly into a category. In that case, you would just leave it as
uncategorized.
Creating an uncategorized article is exactly the same as creating a categorized article except
that you categorize the article in the Uncategorized category.




Security of a Website




Security Checklists Table of Contents

   1)   Getting Started
   2)   Hosting and Server Setup
   3)   Testing and Development
   4)   Joomla Setup
   5)   Site Administration
   6)   Site Recovery

Security Checklist 1 - Getting Started

Security matters
Internet security is a fast moving challenge and ever present threat. There is no one right way
to secure a website, and all security methods are subject to instant obsolescence, incremental
improvement, and constant revision. All public-facing websites are open to constant attack. Are you
willing and able to invest the time it takes to administer a dynamic, 24x7, world-accessible,
database-driven, interactive, user-authenticated website? Do you have the time and resources
to respond to the constant flow of new Internet security issues? The Top 10 Stupidest
Administrator Tricks is a comic/tragic look at what can go wrong. Don't learn these tricks the
hard way! Depending on your own experience, reading the Stupidest Tricks will either make you
laugh or cry. Luckily, there are some well-established principles upon which to base your
defensive plans. The following checklists point you toward current best practices for Joomla
security.

How to read these documents
Not all techniques are appropriate for every level of experience. Apply the techniques you
understand and read up on the ones you don't.

Not all techniques are appropriate for every server. If you use a shared server, you must
depend on the settings established by your hosting provider. If you are using a virtual or
dedicated server, you can apply more creative security tactics.

Not all security tactics are appropriate for all versions of Joomla. Where a technique applies to
only one version it is noted by one of the following icons:

The most important guidelines
These checklists are long and growing because the full plot is thick, complex, and expanding,
but don't despair! Here are a few essential guidelines for securing any website. Following them
will protect you from most catastrophes.

Backup early and often: Set up (and use and test) a regular backup and recovery process. When
done well, this ensures that you can recover from almost any imaginable disaster.


Update early and often: Promptly update to the latest stable version of Joomla! and any
installed third-party extensions. This ensures that your site is protected from the newest
vulnerabilities as soon as a fix is released and from the latest attack methods as soon as a
defense is developed.

Use a secure host: Use a high-quality Web host. Do not be fooled by offers of 'unlimited
bandwidth, unlimited hard drive space, unlimited databases', etc. Don't forget the truism, "If a
deal is too good to be true, it is." It seems that nothing on Earth is unlimited--except perhaps the
gullibility of fools and the greed of those who prey upon them. Consider hiring professional
assistance if you have inadequate experience or knowledge in this area.

Use the community: One of the advantages of GNU software is that user support is free.
Take good advantage of this by asking good questions within the Joomla! Forums. When doing
so, be sure to use the most appropriate board, such as Installation, Migration and Updating,
Administration.

The most helpful posts in the Joomla! Security Forum are converted into Security and
Performance FAQs. Many of the items on this list are explained in much greater detail in the
FAQs.

You may want to read the excellent Absolute Beginners Guide to Joomla! It has a wealth of tips
and tricks presented in an easy to understand format. Even experienced Joomlaists find great
ideas here.

Hunt down the many nuggets of wisdom found in the Joomla! Forums, in particular the Joomla!
1.5 Security Forum and the Joomla! 1.0 Security Forum.

To receive all Joomla security announcements, subscribe to Joomla Security News. There are
several ways to subscribe:
Automatic Email Notification
RSS feed.

The bad news
There is no perfect security on the Web! As economists would say, "There's no free lunch."
Don't be fooled by Joomla's award winning ease-of-use. Maintaining a secure Web site on the
open Internet is not easy. Maintaining adequate security requires a wide and ever-growing
range of skills and knowledge, constant watchfulness, and a robust backup and recovery
process.
There's no one right way! Due to the variety and complexity of modern web systems, security
issues can't be resolved with simple, one-size-fits-all solutions. You (or someone you trust) must
learn enough about your server infrastructure to make valid security decisions. Strong security
is a moving target. Today's expert might be tomorrow's victim. Welcome to the game...



There's no substitute for experience! To secure your Web site, you must gain real experience
(some of which will be bitter), or get experienced help from others. If you haven't invested the
considerable time it takes to learn how to maintain a secure Web site, be sure you can consult
with someone who has. Read this tongue-in-cheek description of the Top 10 Stupidest
Administrator Tricks which illustrates typical, blow-by-blow examples of how to learn Web
security the hard way.

The good news
Even a beginner can start at the head of the herd: User forums for many systems are clogged
with Help! I've been hacked posts by people who did NOT follow standard security practices. If
you are studying this checklist before your site is attacked, congratulations, you're already
ahead of the herd.
It's not as hard as it looks: If this is one of your first websites, security issues may seem
overwhelming, but you don't have to deal with all of them at once. Start with the most critical
issues. As you become more familiar with GNU tools and techniques, including GNU/Linux,
Apache, MySQL, SQL, PHP, HTTP, CSS, XML, RSS, TCP/IP, FTP, Subversion, JavaScript, and
Joomla!, you'll add refinements to your set of security tactics.

You can get help: If you believe your website was attacked, do not simply post an
announcement with full details in the Joomla! forums. If you are dealing with a new
vulnerability or new form of attack, publishing that information could put other websites at
risk. Instead, report possible security vulnerabilities to the Joomla! Security Task Force.

Security Checklist 2 - Hosting and Server Setup

A. Choose a Qualified Hosting Provider

The most important decision
Probably no decision is more critical to site security than the choice of hosts and servers.
However, due to the wide variety of hosting options and configurations, it's not possible to
provide a complete list for all situations. Check this unbiased list of recommended hosts who
fully meet the security requirements of a typical Joomla site. (FAQ)

Shared server risks
If you are on a tight budget and your site does not process highly confidential data, you can
probably get by with a shared server, but you must understand the unavoidable risks. Most of
the tips listed below are appropriate for securing sites on shared server environments.

Avoid sloppy server configurations
For a real eye-opener, read this report on thousands of sites that allowed Google to index the
results of phpinfo(). Don't make this mistake on your site! The report includes alarming
statistics on the percentage of sites that use deprecated settings such as register_globals ON or
that don't have open_basedir set at all. By the way, if phpini and register_globals are unfamiliar
terms, you are probably not ready to securely manage your own site.
B. Configuring Apache

Use Apache .htaccess

See also .htaccess examples
Block typical exploit attempts with local Apache .htaccess files. This option is not enabled on all
servers. Check with your host if you run into problems. Using .htaccess, you can password
protect sensitive directories, such as administrator, restrict access to sensitive directories by IP
Address, and depending on your server's configuration, you may be able to increase security by
switching from PHP4 to PHP5.
Joomla ships with a preconfigured .htaccess file, but *you* need to choose to use it. The file is
called htaccess.txt; to use it rename it to .htaccess and place it in the root of your webpage.

Consider following the "Least Privilege" principle for running PHP using tools such as
PHPsuExec, php_suexec or suPHP. (Note: These are advanced methods that require agreement
and coordination with your hosting provider. Such options are enabled or disabled on a server-
wide basis and are not individually adjustable on shared servers.)

Use Apache mod_security
Configure Apache mod_security and mod_rewrite filters to block PHP attacks. See Google
search for mod_security and Google search for mod_rewrite. (Note: These are advanced
methods that usually require agreement and coordination with your hosting provider. Such
options are enabled or disabled on a server-wide basis and are not individually adjustable on
shared servers.)

C. Configuring MySQL

Secure the database
Be sure MySQL accounts are set with limited access. The initial install of MySQL is insecure and
careful configuration is required. (See the MySQL Manuals.) (Note: This item applies only to
those administering their own servers, such as dedicated servers. Users of shared servers are
dependent on their hosting provider to set proper database security.)

D. Configuring PHP

Understand how PHP works
Understand how to work with the php.ini file, and how PHP configurations are controlled. Study
the Official List of php.ini Directives at http://www.php.net, and the well-documented default
php.ini file included with every PHP install. Here is the latest default php.ini file on the official
PHP site.




Use PHP5
Currently, both PHP4 and PHP5 are maintained, and both are often available on servers. Before
PHP4 becomes obsolete, upgrade your custom scripts to PHP5. Don't worry about core Joomla
code; all current versions are PHP5 compatible.

Use local php.ini files
On shared servers you can't edit the main php.ini file, but you may be able to add custom, local
php.ini files. If so, you'll need to copy the php.ini files to every sub-directory that requires
custom settings. Luckily a set of scripts at B & T Scripts and Tips can do the hard work for you.


There are a few important things to keep in mind.

1. Local php.ini files only have an effect if your server is configured to use them. This includes
   a php.ini file in your http_root directory. You can test whether or not these files affect your
   site by setting an obvious directive in the local php.ini file to see if it affects your site.
2. Local php.ini files only affect .php files that are located within the same directory (or
   included() or required() from those files). This means that there are normally only two
   Joomla! directories in which you would want to place a php.ini file. They are
   your http_root (your actual directory name may vary), which is where Joomla's Front-end
   index.php file is located, and the Joomla! administrator directory, which is where the
   Back-end administrator index.php file is located. Other directories that don't have files
   called via the Web do not need local php.ini files.
3. If you have a php.ini file in every directory, some script probably did this for you. If you
   didn't intend it to happen, you probably should root them out, but given #2 above, you
   probably only have to panic about the php.ini files in http_root and
   the administrator directories.



    Use PHP disable_functions
    Use disable_functions to disable dangerous PHP functions that are not needed by your site.
    Here is a typical setup for a Joomla! site:


           disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open




Use PHP open_basedir
open_basedir should be enabled and correctly configured. This directive limits the files
that can be opened by PHP to the specified directory-tree. This directive is NOT affected
by whether Safe Mode is ON or OFF.
The restriction specified with open_basedir is a prefix, not a directory name. This means
that open_basedir = /dir/incl allows access to /dir/include and /dir/incls if they exist. To
restrict access to only the specified directory, end with a slash.


   open_basedir = /home/users/you/public_html


In some system configurations, at least with PHP 4.4.8, the use of the trailing slash to
restrict the access to only the specified directory may cause Joomla to
warn JFolder::create: Infinite loop detected when saving the Back-End Global
Configuration. This warning is triggered because PHP file_exists() function fails, for
example, when asked if /home/user/public_html/joomla_demo exists
and open_basedir is set to /home/user/public_html/joomla_demo/ (see the trailing
slash).


Additionally, if open_basedir is set it may be necessary to set
PHP upload_tmp_dir configuration directive to a path that falls within the scope
of open_basedir or, alternatively, add the upload_tmp_dir path to open_basedir using
the appropriate path separator for the host system.


 open_basedir = /home/users/you/public_html:/tmp



PHP will use the system's temporary directory when upload_tmp_dir is not set or when
it is set but the directory does not exist, therefore it may be necessary to add it
to open_basedir as above to avoid uploading errors within Joomla.




Adjust magic_quotes_gpc
Adjust the magic_quotes_gpc directive as needed for your site. The recommended
setting for Joomla! 1.0.x is ON to protect against poorly-written third-party extensions.
The safest method is to turn magic_quotes_gpc off and avoid all poorly-written
extensions, period.
Joomla! 1.5 ignores this setting and works fine either way.


   magic_quotes_gpc = 1



Don't use PHP safe_mode
Avoid the use of PHP safe_mode. This is a valid but incomplete solution to a deeper
problem and provides a false sense of security. See the official PHP site for an
explanation of this issue.

   safe_mode = 0



Don't use PHP register_globals
Automatically registering global variables was probably one of the dumbest decisions
the developers of PHP made. This directive determines whether or not to register the
EGPCS (Environment, GET, POST, Cookie, Server) variables as global variables where
they become immediately available to all PHP scripts, and where they can easily
overwrite your own variables if you're not careful. Luckily, the PHP developers long since
realized the mistake and have deprecated this 'feature'.


If your site is on a shared server with a hosting provider that
insists register_globals must be on, you should be very worried. Although you can often
turn register_globals off for your own site with a local php.ini file, this adds little security
as other sites on the same server remain vulnerable to attacks which can then launch
attacks against your site from within the server.


  register_globals = 0




       Don't use PHP allow_url_fopen
       Don't use PHP allow_url_fopen. This option enables the URL-aware fopen wrappers that
       enable accessing URL object like files. Default wrappers are provided for the access of
       remote files using the ftp or http protocol, some extensions like zlib may register
       additional wrappers. Note: This can only be set in php.ini due to security reasons.


           allow_url_fopen = 0
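
The directives covered in section D (register_globals, allow_url_fopen, safe_mode, disable_functions, open_basedir and upload_tmp_dir) can be checked mechanically against a php.ini file. The Python script below is an added example, not part of the original checklist or of Joomla!; the sample php.ini text is constructed, and open_basedir is modelled as the plain string-prefix rule described above, which is an assumption and not PHP's own implementation.

```python
# Added example: audit php.ini text against the directives this checklist names.
# Assumption: open_basedir is treated as the string-prefix rule the text describes.

RECOMMENDED_DISABLED = {"show_source", "system", "shell_exec", "passthru",
                        "exec", "phpinfo", "popen", "proc_open"}
OFF_VALUES = {"", "0", "off", "false", "no", "none"}
MUST_BE_OFF = ("register_globals", "allow_url_fopen", "safe_mode")

# Constructed sample input, not taken from any real server.
SAMPLE_INI = """\
; constructed sample for this example
[PHP]
register_globals = On
allow_url_fopen = 1
safe_mode = 0
disable_functions = show_source, system, exec
open_basedir = "/home/users/you/public_html"
upload_tmp_dir = /var/php_uploads
"""


def _strip_comment(line):
    """Cut a ';' comment, ignoring ';' inside quotes (Windows path lists use it)."""
    quote = None
    for i, ch in enumerate(line):
        if ch in "\"'":
            quote = None if quote == ch else (quote or ch)
        elif ch == ";" and quote is None:
            return line[:i]
    return line


def parse_php_ini(text):
    """Return {directive: value}; section headers are skipped, last value wins."""
    settings = {}
    for raw in text.splitlines():
        line = _strip_comment(raw).strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def is_on(value):
    """True unless the value is one of the spellings PHP reads as 'off'."""
    return value.strip().lower() not in OFF_VALUES


def in_open_basedir(path, open_basedir, sep=":"):
    """True if path starts with any open_basedir entry (prefix rule)."""
    return any(path.startswith(e) for e in open_basedir.split(sep) if e)


def audit(settings, sep=":"):
    """Return a list of (directive, message) findings; empty means no findings."""
    findings = []
    for name in MUST_BE_OFF:
        if name not in settings:
            findings.append((name, "not set in this file; inherited value applies"))
        elif is_on(settings[name]):
            findings.append((name, "enabled; the checklist sets it to 0"))

    disabled = {f.strip() for f in settings.get("disable_functions", "").split(",")}
    missing = sorted(RECOMMENDED_DISABLED - disabled)
    if missing:
        findings.append(("disable_functions", "not disabled: " + ", ".join(missing)))

    basedir = settings.get("open_basedir", "")
    if not basedir:
        findings.append(("open_basedir", "not set; PHP file access is not confined"))
        return findings
    # Without a trailing slash, /dir/incl also matches /dir/include and /dir/incls.
    loose = [e for e in basedir.split(sep) if e and not e.endswith("/")]
    if loose:
        findings.append(("open_basedir", "no trailing slash, sibling paths with "
                         "the same prefix are also allowed: " + ", ".join(loose)))
    tmp = settings.get("upload_tmp_dir", "")
    if not tmp:
        findings.append(("upload_tmp_dir", "not set; the system temp directory "
                         "must then be listed in open_basedir"))
    elif not in_open_basedir(tmp, basedir, sep):
        findings.append(("upload_tmp_dir", tmp + " is outside open_basedir"))
    return findings


if __name__ == "__main__":
    for directive, message in audit(parse_php_ini(SAMPLE_INI)):
        print(f"{directive}: {message}")
```

On hosts where the trailing slash triggers the JFolder::create warning described above, treat the open_basedir finding as informational rather than as a required change.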




E. Setup a backup and recovery process
The most important rule:
Thou shalt at all times be able to return your site to a previous working state through regular use
of a strong, off-site backup and recovery process. Be sure your backup and recovery process is
in place and tested BEFORE you go live. This is the single best way (and often the only way) to
recover from such inevitable catastrophes as:
    •        A compromised/cracked site.
    •        Broken site due to a faulty upgrade.
    •        Hardware failure, such as dead hard drives, power failures, server theft, etc.
    •        Authoritarian government intervention. (More common than some think.)
    •        Needing to quickly relocate to a new server or hosting provider.

Security Checklist 3 - Testing and Development
A. Secure Testing and Development
Develop locally, deploy globally
Develop and test your site on a local machine first. Installing Joomla locally is not as hard as it
may sound, and the exercise will greatly boost your confidence.
Use an IDE
Consider using an Integrated Development Environment (IDE). One free IDE that many Joomla!
developers use is Eclipse. See Setting up your workstation for Eclipse development for
instructions on installing Eclipse.
Use a versioning system
Be able to roll back to an earlier version of your site using a modern version control system,
such as CVS, Subversion, or git. The Eclipse IDE indicated above includes a Subversion plugin.
This allows you to work with the Joomla! source repository as well as other projects hosted on
JoomlaCode.




More suggested tools
Check out the Joomla! community's list of popular Developer Software and Tools

B. Setup a backup process first
The most important rule
Thou shalt at all times be able to return your site to a previous working state through regular use
of a strong, off-site backup and recovery process.
Be sure your backup and recovery process is ready and tested BEFORE your site goes live.
This is the single best way (and often the only way) to recover from such inevitable
catastrophes as:
    •        A compromised/cracked site.
    •        Broken site due to a faulty upgrade.
    •        Hardware failure, such as dead hard drives, power failures, server theft, etc.
    •        Authoritarian government intervention. (More common than some think.)
    •        Needing to quickly relocate to a new server or hosting provider.


Security Checklist 4 - Joomla Setup
A. Configuring Joomla!
Install official versions of Joomla!
To avoid breaking your site, search the forums for reports of incompatible extensions before
upgrading to a new version of Joomla.


Upgrade to the latest stable version of Joomla! as soon as possible.
Download Joomla! from official sites only, such as JoomlaCode.org, and check the MD5 hash.
Use Joomla Diagnostics to ensure that all files were installed correctly. (Note: the version of
Joomla Diagnostics made for the initial release of 1.5 does not work for 1.5.3.)




Change the default administrator username
Change the user name of the default admin user. This simple step effectively increases the
security of this critical account 50% by modifying one of the two variables attackers must know
to gain access. The password is the other variable. Change it early and often. (FAQ)


Protect directories and files
Increase the security of the critical configuration.php file by moving it outside of
the public_html directory. For more information visit (FAQ)
Ensure that all configurable paths to writable or uploadable directories (document repositories,
image galleries, caches) are outside of public_html. Check third party extensions such as
DOCMan and Gallery2 for editable paths to writable directories.


In the Back-End Global Configuration, change the log path. Some extensions use the
built-in JLog class. This will, by default, write logs to http://yousite/logs. Change this to a place
that a casual browser cannot find (and don't pick /tmp/), or lock it down with http
authentication. Because we are dealing with Open Source software, attackers can read the code of
third-party extensions and may be able to guess log file names.


In the Back-End Global Configuration, change the temp folder path.
If the log and temp paths are changed and PHP open_basedir configuration directive is set,
make sure that the new paths fall within the scope of open_basedir.
There is currently no easy way to move the Joomla! /image and /media directories. This is
because thousands of third party extensions expect to find these important directories at the
current location. The best plan is to make sure open_basedir is properly set for all the user
accounts on your server. Check with your host if unsure.


Adjust file and directory permissions
This option no longer appears in Joomla. On older versions of Joomla: Once your site is
configured and stable, write-protect critical directories and files by changing directory
permissions to 755, and file permissions to 644. There is a feature in Site --> Global
Configuration --> Server to set all folder and file permissions at once. Test third party extensions
afterwards, and carefully review the code of any extension that has trouble with such settings.
Note: Depending on your server's permissions, you may need to temporarily reset to more
open permissions when installing more extensions with the Joomla! installer. This option no
longer appears in Joomla, but is included for historical purposes.

Remove unneeded files
Remove all design templates not needed by your site. Never put security logic into template
files.


Disable the XML-RPC server if you don't need it.
Clean up after installs. The installation process will require you to delete the installation
directory and all its contents. Do this; do not simply rename it. If you upload files to your site as
compressed archives (xxxx.zip for example), don't forget to remove the compressed file. Check
the /temp/ directory as temporary files may remain there after a failed installation attempt.
In general, do not leave any unneeded files (compressed or otherwise) on a public server. Each
unused (and perhaps long forgotten) file is a potential security hole.
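
The permission and clean-up items above can be checked with a script. The following is an added example, not part of the Joomla! checklist: it reports directories that are not 755, files that are not 644, a leftover installation directory, uploaded archives, and files left in the temp directory. The function names, finding codes and sample tree are constructed for illustration, and checking both tmp/ and temp/ is an assumption.

```bash
# audit_webroot DIR
# Prints one "<CODE> <path>" line per finding; returns 0 if clean, 1 otherwise.
#   DIRMODE   directory whose mode is not exactly 755
#   FILEMODE  regular file whose mode is not exactly 644
#   INSTALL   installation/ directory still present
#   ARCHIVE   uploaded archive left on the server
#   TMPFILE   file left in tmp/ or temp/ (the blank index.html is ignored)
audit_webroot() {
    local root="${1:?usage: audit_webroot DIR}"
    local findings d
    root="${root%/}"
    findings=$(
        {
            find "$root" -type d ! -perm 755 | sed 's/^/DIRMODE /'
            find "$root" -type f ! -perm 644 | sed 's/^/FILEMODE /'
            if [ -d "$root/installation" ]; then
                printf 'INSTALL %s\n' "$root/installation"
            fi
            find "$root" -type f \( -name '*.zip' -o -name '*.tar' \
                -o -name '*.tar.gz' -o -name '*.tgz' -o -name '*.bz2' \) |
                sed 's/^/ARCHIVE /'
            for d in tmp temp; do
                if [ -d "$root/$d" ]; then
                    find "$root/$d" -type f ! -name index.html |
                        sed 's/^/TMPFILE /'
                fi
            done
        } | sort
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample tree (not a real site) with one instance of each finding.
# Prints the path of the temporary directory it creates.
make_demo_tree() {
    local t
    t=$(mktemp -d) || return 1
    mkdir -p "$t/images" "$t/tmp" "$t/installation"
    : > "$t/index.php"
    : > "$t/configuration.php"
    : > "$t/images/logo.png"
    : > "$t/tmp/index.html"
    : > "$t/tmp/upload_kit.zip"
    : > "$t/installation/index.php"
    find "$t" -type d -exec chmod 755 {} +
    find "$t" -type f -exec chmod 644 {} +
    chmod 777 "$t/images"             # world-writable directory
    chmod 666 "$t/configuration.php"  # world-writable configuration file
    printf '%s\n' "$t"
}
```

A file in tmp/ that is also an archive is reported twice, once under each code.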


Turn Register Globals Emulation OFF
Turn Joomla's Register Globals Emulation OFF. Although this setting is somewhat
safer than PHP register_globals, you are much better off avoiding such settings altogether (as
well as any applications that require them). On pre-1.0.13 versions of Joomla, this setting is
found in the globals.php file. As of version 1.0.13, it can be turned off in the Back-end, under
Global Settings.
Joomla 1.5 and greater does not use register globals, and in fact has smart code to
defeat this setting even if it's turned on at the PHP level. Note that although this makes Joomla
itself safer, any server with register globals turned on is potentially vulnerable. Any shared
server with register globals turned on is more than likely a sitting duck. Any hosting provider
that insists register globals should be turned on is ignorant, incompetent, or worse. Was that
blunt enough?




B. Installing Joomla! Extensions

Backup before installing
Before installing extensions, always backup your site's files and database. This follows a very
basic principle:
Thou shalt at all times be able to return your site to a previous working state.
Therefore, it's smart to set up a simple and fast backup script to automate this task. If you don't
set up an easy process in advance, you'll be sorely tempted to do a quick upgrade without
backing up first. This very understandable tendency is however one of the chief causes of
premature hair loss, sudden career changes, and even death.
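
One way to write the "simple and fast backup script" recommended above, as an added example that is not part of the Joomla! checklist. It assumes a MySQL site with mysqldump, tar and gzip installed, and a MySQL option file (default ~/.my.cnf) holding the [client] user and password; the function name and the layout of the backup set are constructed for illustration.

```bash
# backup_site WEBROOT DBNAME DESTDIR [MYSQL_OPTION_FILE]
# Writes DESTDIR/DBNAME-<timestamp>/ containing DBNAME.sql.gz and files.tar.gz,
# verifies both can be read back, and prints the directory of the backup set.
# The option file keeps the database password off the command line.
backup_site() {
    local webroot="${1:?web root}" db="${2:?database name}" dest="${3:?backup dir}"
    local optfile="${4:-$HOME/.my.cnf}"
    local set_dir

    [ -d "$webroot" ] || { echo "no such web root: $webroot" >&2; return 1; }
    webroot=$(cd "$webroot" && pwd) || return 1
    mkdir -p "$dest" || return 1
    dest=$(cd "$dest" && pwd) || return 1
    # A backup stored under the web root is one more downloadable archive.
    case "$dest/" in
        "$webroot"/*)
            echo "refusing: $dest is inside the web root" >&2
            rmdir "$dest" 2>/dev/null || true
            return 1 ;;
    esac
    chmod 700 "$dest" || return 1
    set_dir="$dest/$db-$(date +%Y%m%d-%H%M%S)"
    mkdir "$set_dir" || return 1

    # 1. SQL dump (mysqldump's default options lock the tables while dumping);
    #    a failed or empty dump aborts the whole backup set.
    # 2. Site files, archived relative to the parent of the web root.
    # 3. Both artifacts must read back cleanly before success is reported.
    if mysqldump --defaults-extra-file="$optfile" "$db" > "$set_dir/$db.sql" &&
       [ -s "$set_dir/$db.sql" ] &&
       gzip "$set_dir/$db.sql" &&
       tar -czf "$set_dir/files.tar.gz" \
            -C "$(dirname "$webroot")" "$(basename "$webroot")" &&
       gzip -t "$set_dir/$db.sql.gz" &&
       tar -tzf "$set_dir/files.tar.gz" > /dev/null; then
        chmod 600 "$set_dir"/*
        printf '%s\n' "$set_dir"
        return 0
    fi
    echo "backup of $db FAILED, nothing kept" >&2
    rm -rf "$set_dir"
    return 1
}
```

Run it before every extension install and keep at least one backup set off the server.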

Check for extension vulnerabilities
Most security vulnerabilities are caused by third-party extensions. Before installing extensions,
check the Official List of Vulnerable 3rd Party/Non Joomla! Extensions. There's an entire forum
dedicated to vulnerable third-party extensions. Subscribe to it.

Download from trusted sites
The fully qualified and official definition of a "trusted site" is one that YOU trust.

User beware! Check the code quality
Third party extensions come in all flavors of quality and age. Although Joomla! coding standards
exist, third party developers are not required to follow them. Extensions listed on the official
Joomla! site are not reviewed for compliance, however if verified vulnerabilities are reported,
they will be removed from the list until they are fixed.

Test, test, test...
Test all extensions on a development site before installing on a production site. Then test on
the production site. Don't forget to check the logs for runtime errors and warnings.

Remove junk files
Remove all unused extensions and double check that related folders and files were actually
removed by uninstall scripts. Note that during uninstall, many third party extensions will leave
related files on your site, and related database tables complete with data. This is either a
feature or a bug depending on your point of view. Any files left on your server remain
accessible from the Web via direct URLs, such as http://yousite.com/modules/bad_module.




Avoid encrypted code
Joomla is (and despite disinformation campaigns, always has been) a GNU GPL project. This
means that all extensions to Joomla must also be free (as in freedom) and open (as in readable
code). Encrypted code may be safe, but you can't determine this for yourself, and so you must
trust the developers. Using others' encrypted code puts you back in the world of proprietary
software where you must wait for security patches from the developer, hoping that attackers
don't find your site before a fix is released.
You are often not free to modify, improve, or share encrypted code. These restrictions make
encrypted code less valuable to the community as a whole, and reduce the overall viability of
the Joomla project, which depends on open sharing among all participants.
Of course, code that is not distributed to others is exempt from GNU GPL distribution
requirements. Thus you can encrypt Joomla-related code on your own servers, provided you do
not share it with others.

C. Additional Joomla! Hardening Tips and Tricks

Avoid shared servers if possible
For maximum security, avoid a shared server on which you don't know or can't trust all the
other users or their code quality.

Use an SSL server
This has more to do with secure payments and administration, and is not Joomla core or server
security, but has been included here as advice.
SSL servers are currently the only way to securely process confidential transactions and secure
user authentication. SSL works by encrypting all HTTP communications between the Web server
and Web clients. Thus, even if a transmission is intercepted, it cannot be read.
Joomla! 1.0.x does not allow you to assign an SSL server to individual sub-directories. Search
the forums for "Tommy Hack" for one way to deal with this. Joomla! 1.5 has greatly improved
SSL options.

Use Apache's .htaccess
For an additional layer of password protection, you can use .htaccess to password protect
critical directories. This is usually adequate for blocking the typical script kiddie, but be aware
that .htaccess password protection alone is not a highly secure method. It MUST be combined
with an SSL server for maximum protection. An SSL server is required for protecting your site
from more sophisticated attacks, such as packet sniffing.

Switch to Joomla! 1.5
            The most significant upgrade in Joomla!'s history includes powerful security and
performance enhancements.

Add Joomla! Security Announcements to your site
The Joomla! Security Team supports an RSS feed that provides the latest Joomla security
information. The following FAQ explains how to add this feed to your site.


Security Checklist 5 - Site Administration

A. Site Administration
Use well-formed passwords
Change passwords regularly and keep them unique. A strong password has a random
combination of letters, numbers, or symbols. Avoid using single names or words found in a
dictionary. Never use the names of your relatives, pets, etc. Search the forums for a script
supplied by Wizzie that automatically changes passwords. This is a great tool for administrators
of multiple sites. There are numerous handy websites that have strong password generators.



Follow a password leveling scheme
Most users may not need more than three levels of passwords and webmasters no more than
five. Each level must be completely unrelated to the others in terms of which usernames and
passwords are used. Learn how to do this: How do you setup a powerful password scheme?

Maintain a strong site backup process
Never rely on others' backups. Take responsibility for your backup procedures. Many ISPs state
in their contract that you can not rely solely on their backups.

Monitor crack attempts
VPS and dedicated server users can run TripWire or SAMHAIN. These applications provide
exhaustive file checking and reporting functionality, and can be installed in a stealthy manner to
help protect themselves in the event of a serious infiltration. (Note: Users of shared servers can
not use this technique.)

Perform automated intrusion detection
Use an Intrusion Prevention/Detection System to block or alert on malicious HTTP requests.

Perform manual intrusion detection
Regularly check raw logs for suspicious activity. Don't rely on summaries and graphs.

Stay current with security patches and upgrades
Apply vendor-released security patches ASAP.
Review the vulnerable extensions

Proactively seek site vulnerabilities
Perform frequent web scanning.

Proactively seek SQL injection vulnerabilities
Use tools such as Paros Proxy for conducting automated SQL Injection tests against your PHP
applications.

Use shell scripts to automate security tasks
Search the forums for these popular scripts:
Joomla! Version Checking
Joomla! Component/Module Version Checking
Exploit Checking

Learn about security software
There is not a single tool that can protect your site. If there were, it would be so heavily
targeted that it would probably become a liability.




Don't reinvent every wheel
Every now and then hire a professional Joomla! security consultant to review your
configurations. Do you remember the adage, "Anyone who acts as their own lawyer has a fool
for a client"? The same goes for Web development. Don't expect to catch all of your own
security mistakes.

Security Checklist 6 - Site Recovery
A. Site Recovery

Get help the right way
If you believe your Web site was attacked, do not create yet another oh-so-boring post in the
Joomla! forums with the title, "Help! I've been hacked." This tells us nothing of importance. The
vast majority of compromised sites were not set up correctly or were using obsolete versions of
Joomla! or third-party extensions. This is what you need to investigate.
If you discover a real vulnerability, publishing the information could put other Web sites at risk.
Instead, report possible security vulnerabilities to the Joomla! Security Task Force.

Follow a logical and rigorous recovery process
Know the important steps to follow when your site has been compromised. Once your site has
been cracked, there are few shortcuts.

Reset your administrator password
Many attackers take pleasure in locking you out of your site. They often do this by changing
your administrator password. If you are locked out, don't panic! There is a simple procedure for
resetting your administrator password.

Find exploit attempts using the *NIX shell
Know how to check for suspicious and/or modified files. Know how to check the raw Apache
logs for suspicious activity on your site.
Source: Joomla! Documentation http://docs.joomla.org/Category:Security_Checklist
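
For the raw-log review described under "Perform manual intrusion detection" and "Find exploit attempts using the *NIX shell" above, the following is an added example and not part of the Joomla! documentation. It assumes Apache's "combined" log format; the signatures, reason codes, log lines and the extension name com_example are constructed for illustration, and a hit is a lead to review, not proof of compromise.

```bash
# Constructed access-log lines. The addresses are documentation ranges and
# com_example is a made-up extension name.
sample_access_log() {
    cat <<'EOF'
203.0.113.7 - - [10/Aug/2011:10:01:12 +0800] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Aug/2011:10:02:40 +0800] "GET /index.php?option=com_example&path=http://files.example.net/x.txt? HTTP/1.1" 200 312 "-" "libwww-perl/5.805"
198.51.100.23 - - [10/Aug/2011:10:02:41 +0800] "GET /index.php?option=com_example&file=../../../../etc/passwd HTTP/1.1" 404 208 "-" "libwww-perl/5.805"
192.0.2.50 - - [10/Aug/2011:10:05:03 +0800] "GET /index.php?option=com_example&id=1+UNION+SELECT+1,2,3 HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Aug/2011:10:06:17 +0800] "GET /installation/index.php HTTP/1.1" 404 208 "-" "libwww-perl/5.805"
203.0.113.7 - - [10/Aug/2011:10:07:55 +0800] "GET /images/banner.png HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
EOF
}

# scan_access_log FILE
# Prints "<REASON> <client> <status> <request>" for each suspicious request.
#   REMOTE_URL     a parameter value is itself a URL (remote include attempts)
#   TRAVERSAL      "../" sequences, plain or percent-encoded
#   SQL_KEYWORDS   UNION ... SELECT inside the query string
#   INSTALL_PROBE  request for the installation/ directory
scan_access_log() {
    awk '
    {
        n = split($0, q, "\"")            # q[2] is the quoted request line
        if (n < 3) next
        req = q[2]; low = tolower(req)
        split(q[3], f, " "); status = f[1]
        if (low ~ /=(https?|ftp)(:|%3a)(\/|%2f)(\/|%2f)/) hit("REMOTE_URL")
        if (index(low, "../") || index(low, "%2e%2e"))    hit("TRAVERSAL")
        if (low ~ /union(\+|%20)+(all(\+|%20)+)?select/)  hit("SQL_KEYWORDS")
        if (low ~ /^[a-z]+ \/installation\//)             hit("INSTALL_PROBE")
    }
    function hit(reason) { print reason, $1, status, req }
    ' "${1:?usage: scan_access_log FILE}"
}

# suspicious_clients FILE [MIN_HITS]
# Lists "<hits> <client>" for clients with at least MIN_HITS findings
# (default 2), busiest first.
suspicious_clients() {
    scan_access_log "$1" |
        awk -v min="${2:-2}" '{ c[$2]++ }
            END { for (ip in c) if (c[ip] >= min) print c[ip], ip }' |
        sort -rn
}
```

Pay most attention to flagged requests that returned status 200, then check the files those requests touched.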




   Installing jSecure Plugin
(A Third Party Security Plugin)




jSecure Authentication

Joomla has one drawback: any web user can easily tell that a site is built with Joomla! by typing
the URL of the administration area (i.e. www.site name.com/administration). This makes it easy
for hackers to attack the site once they crack the ID and password for Joomla!. The jSecure
Authentication module prevents access to the administration (back end) login page without
the appropriate access key.




1. Log in to your administration account: http://localhost/j15/administrator
2. Type in your account ID: admin (or any if changed)
   Password: p@ssw0rd




3. Proceed to > Extensions >> Install/Uninstall




4. Choose the plgSystemJSecure-1.0.9.zip file > Click on Open Button.




5. Upload File & Install > If the Plugin is successfully installed, a message in blue color will
appear.




6. Go to Extensions > Plugin Manager.
In Plugin Manager, type jSecure in the filter box >> Click Go




7. Click on Edit Plugin

Note: The next part is very important! Make sure you do the tutorial correctly!




8. Make sure you understand the meaning of these parameters:
Key: The keyword that you append after the administrator path.
For example: http://localhost/j15/administrator/?jSecure (the word jSecure is your
KEY to reach the administrator login page!)

REMEMBER: If you lose or forget your KEY, you may not be able to log in to your
administrator account.. EVER!

Redirect Options: You can choose whether to redirect to a custom path or back to your index
page. (It is recommended that you use a custom path, to confuse the user/hacker so that they
do not know you are using the Joomla! CMS.)

Custom Path: If you choose to use a custom path, this is the path where the CMS looks for your
file.

Now it is your turn to make your administration Secure!


9. Follow exactly these steps for class tutorial purposes:




Change your Key: KuRsuS (Case sensitive! Make sure you remember the exact Key!)
Redirect Options: Custom Path
Custom Path: Do not change (let it be plugins/system/404.html)
Change the Plugin from Disable to Enable
> Save and >> Logout from the Administration page




Note: The Custom Path can be changed at any time, and you can create a new HTML page and
place it in a different location at any time (it does not have to be in
D:\xampp\htdocs\j15\plugins\system).

NOTE: Once you are logged out, the custom path page (404 Not Found) will appear; this means
that the jSecure Plugin is already running and protecting your website. It is always advisable,
if you choose the Custom Path option, to CREATE A NEW HTML FILE and not use the default
HTML file that has been given.




10. Now, try to log in using http://localhost/j15/administrator; the same page (404 Error) will
appear. Log in again by typing http://localhost/j15/administrator/?KuRsuS, and your
administration login will appear again!




11. Edit the jSecure Plugin again, this time using Redirect Options: Index Page > Save and see
the difference.


Exercise:




Do an exercise by yourself:
Key: Use a new Key (Create Yourself)
Redirect Options: Custom Path
Custom Path: Create New HTML file and place it in a new location




.htaccess and .htpasswrd




1. Copy the .htaccess and .htpasswrd files from your JOOMLA_KIT/security/htaccess folder.
2. Paste them into D:\xampp\htdocs\j15\administrator
3. Edit the .htaccess file as shown below




What you are doing is actually changing the path of the .htaccess file to make sure it is running

4. Edit the .htpasswrd




User1: Is the User ID
p@ssword: Is the password

NOTE: You can create more than one ID and password in the .htpasswrd file. AND MAKE SURE
YOU OPEN AND SAVE THE DOCUMENT IN NOTEPAD, NOT WORDPAD! If you save it as a WordPad
document, the file will be converted to .txt and will no longer provide authentication for you!




5. Now type http://localhost/j15/administrator/?KuRsuS; a pop-up window will appear before
   you are given permission to log in to your administration page.




Type in the Username and Password that you created in the .htpasswrd file.
Username: user1 (Case Sensitive)
Password: p@ssw0rd
Click OK

Now you have three (3) layers of authentication to pass through before you can log in to the
administration page!
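
A check for the Basic-authentication layer set up above, as an added example that is not part of the class material. It assumes the class .htpasswrd stores each password as typed (which Apache accepts on Windows) and that the .htaccess uses the standard AuthType, AuthUserFile and Require directives; the function names, finding codes and sample files are constructed for illustration.

```bash
# audit_basic_auth DIR WEBROOT
# Reviews the Basic-auth setup of one protected directory. Prints one finding
# per line; returns 0 when nothing is flagged.
# Limitation: an AuthUserFile path containing spaces is not handled.
audit_basic_auth() {
    local dir="${1:?protected directory}" root="${2:?web root}"
    local ht findings
    ht="${dir%/}/.htaccess"
    root="${root%/}"
    findings=$(
        [ -f "$ht" ] || { echo "NO_HTACCESS $ht"; exit 0; }
        grep -qi '^[[:space:]]*AuthType[[:space:]][[:space:]]*Basic' "$ht" ||
            echo "NO_AUTHTYPE_BASIC"
        grep -qi '^[[:space:]]*Require[[:space:]]' "$ht" || echo "NO_REQUIRE"
        pwfile=$(awk 'tolower($1) == "authuserfile" {
                          gsub(/"/, "", $2); print $2; exit }' "$ht")
        [ -n "$pwfile" ] && [ -f "$pwfile" ] ||
            { echo "PWFILE_MISSING ${pwfile:-none}"; exit 0; }
        # The stock httpd.conf denies requests for .ht* files, but a password
        # file kept outside the document tree does not depend on that rule.
        case "$pwfile" in
            "$root"/*) echo "PWFILE_IN_WEBROOT $pwfile" ;;
        esac
        # Accept only salted formats: apr1 (htpasswd -m) and bcrypt (htpasswd -B).
        awk -F: 'NF >= 2 && $1 !~ /^#/ {
            if (substr($2, 1, 6) != "$apr1$" && substr($2, 1, 4) != "$2y$")
                print "PW_NOT_SALTED_HASH", $1
        }' "$pwfile"
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample mirroring the class setup: both files in administrator/,
# user1 stored as typed, user2 with a placeholder (not real) apr1-style entry.
# Prints the path of the temporary directory it creates.
make_demo_auth() {
    local t
    t=$(mktemp -d) || return 1
    mkdir -p "$t/htdocs/j15/administrator"
    printf '%s\n' 'AuthType Basic' 'AuthName "Administrator"' \
        "AuthUserFile $t/htdocs/j15/administrator/.htpasswrd" \
        'Require valid-user' > "$t/htdocs/j15/administrator/.htaccess"
    printf '%s\n' 'user1:p@ssw0rd' \
        'user2:$apr1$constructed$PLACEHOLDERnotARealHash' \
        > "$t/htdocs/j15/administrator/.htpasswrd"
    printf '%s\n' "$t"
}
```

Basic authentication sends the password with every request, so this layer still needs the SSL server recommended in the checklist.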




Backup Database




(Managing and the Importance of Backups)

Importance of Database Backups and Recovery Plan

By : Ashish Kumar Mehta
Oct 03, 2008
Source: http://www.sql-server-performance.com/articles/dba/Importance_of_Database_Backups_and_Recovery_Plan_p2.aspx
In this fast moving world, data is the heart and soul of any enterprise. It has become an
essential task for organizations around the world to protect their data. Database
Administrators have a tough job implementing database backup and disaster recovery plans.
Backing up your databases can protect an organization against the accidental loss of data,
database corruption, hardware/operating system crashes or any natural disasters.
Unfortunately, if you don't have proper database backups then you are left with nothing to fall
back on. As a DBA you need to make sure that the databases are backed up regularly and the
backup tapes are stored in a secure location.

Identifying a good database backup plan
It takes time for Database Administrators to identify an excellent database backup and
recovery plan. DBAs need to understand what data needs to be backed up, and how often the
databases should be backed up. The points mentioned below will help a DBA to create a plan
which will be suitable to their organization.

How important is the data
Database Administrators need to understand the importance of the data, as it will help determine
when and how the databases should be backed up. For mission critical databases, you should
have redundant backup sets that can even extend for several backup periods. There are
scenarios in which organizations keep database backups for years to meet legal
compliance. Those are databases which are very critical for the organizations.
What kind of information does the database store?
There are chances that the data which you think is important may not be important to
someone else in your organization. So it becomes very important to know from business what’s
important and what’s not important to them. The type of information stored in databases will
let you decide on the database backup and recovery plan to be kept in place.

Analyze how often the data in the database is getting changed
As a DBA you also need to understand how often the data in the database is getting refreshed;
this is one very important parameter which will help you to plan and decide on the right backup
approach. If the data in the database is getting modified more frequently then you need to plan
to take the database backups maybe hourly or once in a few hours. The frequency of the
database backups depends on the volume of changes and the amount of data loss acceptable
to the business if the backups are not available.

How fast you need to recover the database
This is one of the most important and critical factors in deciding on the right backup plan. Database
Administrators need to understand how critical the database is for the organization. You need
to know how much downtime is affordable to the business and how a prolonged downtime can
affect the company's revenue. The DBA needs to alter the backup plan according to the business
requirement. Most organizations require 99.9% uptime. The better the backup plan, the less
downtime will be faced when recovering from any disaster. Backup and restore take time
depending upon the size of the database. The DBA needs to have a fair idea of the average time
taken to back up and restore the database.

Do you have sufficient hardware
The DBA needs to have sufficient hardware available to take the database backups. In order to
perform backups on time, you need to have several backup drives and several sets of backup
media available. Hardware which is required to take backups includes tape drives, optical drives
and removable disk drives. It's faster to take the backups first on the local disks on the server
and then copy them to external media like tapes. Once the backups are done they should be
verified to see that the backups are valid, else it will defeat the purpose altogether.

Identify Resources who will be performing the backups and recovery
In an organization there should be a team of DBAs who will be the primary contacts for all the
database backup and recovery activities. The primary responsibility of this team should be to
perform the actual backups and to perform the restore operations. They also need to verify
that the databases backed up are valid. The DBAs should also plan for mock disaster recovery
drills once a month or once a quarter to understand and document the best practices to be
followed during the time of disaster. This is something which is not practiced by DBAs quite
often and that's a big risk for the organization.

Identify the best time to perform the backups
DBAs need to find the time during the day when the servers are less used to take the full
backups. The differential and transaction backups need to be planned depending on the
business requirements. It's not always possible to schedule backups during the off peak hours.
The DBA also needs to back up all the system databases on the servers at least once a day; these
backups will help you rebuild your environment from scratch during a disaster.

Importance of having backups stored at offsite
Storing copies of database backups in offsite locations helps organizations to recover quickly in
case of a natural disaster. The offsite location should also have information for each and every
server and their configurations; this will help the DBA to build new servers if required. Any changes
to the existing servers need to be noted down in the disaster recovery documents available
offsite. A copy of all the software installs needs to be made available in the offsite location, as
that will be mandatory to build the servers and reestablish the business quickly.


A. EXPORTING YOUR BACKUP
1. Login to your phpMyAdmin using your root account.




2. Click on the chosen database that requires backup. In this class tutorial, select j15




3. This will display the whole database of j15 website.



4. At the top of table list, click on Export Tab




5. Tick (√) the Save As File box and leave the File name template as __DB__

6. Click GO

7. A pop-up message will ask about the file download; click Save to save the document in
your selected folder.




8. Create a folder named backup in your JOOMLA_KIT folder. Make sure that the file type is SQL
File. For this class, rename the backup database as j15_backup. Click Open > Save




9. Once the download has completed, click Close.

> You will see a j15_backup.mysql file in your JOOMLA_KIT/backup folder

10. You have finished creating a backup of your database!

11. To back up the other parts of your website, copy the whole j15 folder in ..:/xampp/htdocs/j15

Note: If you only make certain changes to your website, i.e. images, documents, etc., you can
just copy the files you need from the j15 folder and paste them on your local server or on the web
server (through the Database Administrator)




IMPORTING A DATABASE

1. Let's say you need to transfer a new DB to the server. The j15_backup.mysql file is the backup
from your local server (PC) that needs to be transferred to the server.




2. Log in to your phpMyAdmin and choose your j15 database. Click Drop to delete the whole
j15 database.




3. A pop up window will appear asking whether to delete the whole database. Click OK




4. The j15 database will no longer be in the Databases list, and there will be a message saying
"Database 'j15' has been dropped"

Note: At this point your website will not be available to others because there is no available
database on the server.




5. Create a new database named j15 again > Click Create




6. The j15 database is re-created on the web server. To import the backup, click on the Import tab




8. Choose the file to import > Click Browse
                            > Choose the ../ JOOMLA_KIT/backup/j15_backup.mysql
                            > Click Open
                            > Click Go




9. There you have it! You successfully imported a new database!




Configuring Config.php file




When you transfer your files from the local server to the live server (web server), the
configuration is different, because the admin password and the phpMyAdmin password are not
the same. Therefore, the Database Administrator will need to amend your config.php file.

The config.php file is located at ../xampp/htdocs/j15/configuration.php




1. Right click > Edit




2. These are the settings that you need to check (highlighted)

<?php
class JConfig {
/* Site Settings */
var $offline = '0';
var $offline_message = 'This site is down for maintenance.<br /> Please check back again soon.';
var $sitename = 'Kursus Joomla';
var $editor = 'tinymce';
var $list_limit = '20';
var $legacy = '0';
/* Debug Settings */
var $debug = '0';
var $debug_lang = '0';
/* Database Settings */
var $dbtype = 'mysql';
var $host = 'localhost';
var $user = 'root';
var $password = 'p@ssw0rd';
var $db = 'j15';
var $dbprefix = 'jos_';
/* Server Settings */
var $live_site = '';
var $secret = 'T2aFJFuT6xl5x1zg';
var $gzip = '0';
var $error_reporting = '-1';
var $helpurl = 'http://help.joomla.org';
var $xmlrpc_server = '0';
var $ftp_host = '127.0.0.1';
var $ftp_port = '21';
var $ftp_user = '';
var $ftp_pass = '';
var $ftp_root = '';
var $ftp_enable = '0';
var $force_ssl = '0';
/* Locale Settings */
var $offset = '0';
var $offset_user = '0';
/* Mail Settings */
var $mailer = 'mail';
var $mailfrom = 'edafatima@jkr.gov.my';
var $fromname = 'Kursus Joomla';
var $sendmail = '/usr/sbin/sendmail';
var $smtpauth = '0';
var $smtpsecure = 'none';
var $smtpport = '25';
var $smtpuser = '';
var $smtppass = '';
var $smtphost = 'localhost';
/* Cache Settings */
var $caching = '0';
var $cachetime = '15';
var $cache_handler = 'file';
/* Meta Settings */
var $MetaDesc = 'Joomla! - the dynamic portal engine and content management system';
var $MetaKeys = 'joomla, Joomla';
var $MetaTitle = '1';
var $MetaAuthor = '1';
/* SEO Settings */
var $sef       = '0';
var $sef_rewrite = '0';
var $sef_suffix = '0';
/* Feed Settings */
var $feed_limit = 10;
var $feed_email = 'author';
var $log_path = 'D:\\xampp\\htdocs\\j15\\logs';
var $tmp_path = 'D:\\xampp\\htdocs\\j15\\tmp';
/* Session Setting */
var $lifetime = '15';
var $session_handler = 'database';
}
?>
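
The checklist earlier asks for the log and temp paths to be moved, XML-RPC to stay off and SSL to be used, while the class configuration.php above still keeps both paths inside the web root. The following added example (not part of the class material) reads those settings from a configuration.php and flags them. The function names and finding codes are constructed, the sample is an excerpt of the listing above, and the Force SSL values (0 none, 1 administrator only, 2 entire site) are stated from Joomla 1.5's Global Configuration.

```bash
# Constructed excerpt of the class configuration.php shown above.
sample_config() {
    cat <<'EOF'
<?php
class JConfig {
var $xmlrpc_server = '0';
var $force_ssl = '0';
var $log_path = 'D:\\xampp\\htdocs\\j15\\logs';
var $tmp_path = 'D:\\xampp\\htdocs\\j15\\tmp';
}
?>
EOF
}

# cfg_value FILE NAME
# Prints the value of a single-quoted JConfig setting (NAME without the "$").
cfg_value() {
    sed -n "s/^[[:space:]]*[a-z][a-z]*[[:space:]][[:space:]]*[\$]${2}[[:space:]]*=[[:space:]]*'\(.*\)';.*/\1/p" "$1" |
        head -n 1
}

# norm_path PATH
# Forward slashes only, no doubled slashes, no trailing slash. Comparison is
# case-sensitive, so write the drive letter the same way in both places.
norm_path() {
    printf '%s\n' "$1" | tr -s '\\' '/' | sed 's|/$||'
}

# audit_joomla_config FILE WEBROOT
# Prints one finding per line; returns 0 when nothing is flagged.
#   UNSET <name>                 log_path / tmp_path not found in the file
#   IN_WEBROOT <name> <path>     path is the web root or lies below it
#   XMLRPC_ON                    XML-RPC server is enabled
#   NO_FORCE_SSL                 Force SSL is set to "none"
audit_joomla_config() {
    local file="${1:?configuration.php}" root findings
    root=$(norm_path "${2:?web root}")
    findings=$(
        for name in log_path tmp_path; do
            value=$(norm_path "$(cfg_value "$file" "$name")")
            case "$value/" in
                /)         echo "UNSET $name" ;;
                "$root"/*) echo "IN_WEBROOT $name $value" ;;
            esac
        done
        [ "$(cfg_value "$file" xmlrpc_server)" = 0 ] || echo "XMLRPC_ON"
        [ "$(cfg_value "$file" force_ssl)" -ge 1 ] 2>/dev/null ||
            echo "NO_FORCE_SSL"
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}
```

If open_basedir is set, the relocated log and temp paths must also fall within its scope, as the checklist notes.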



