Choosing a web platform

I am trying to pick a set of tools for building web sites.  Please help me avoid spending a lot of time messing around with tools that won't work out.  Here are my relevant details:

1. My coding experience is mostly with Delphi (which, because it is amazingly similar in language and rules, allows me to work with C# quite easily).
2. I am not very familiar with HTML, CSS or JavaScript
3. I like the .NET MVC URL readability and I have no experience with code behind pages
4. I have Windows hosting at HostGator
5. I do not know php
6. I am good with databases but I've avoided SQL so far
7. I know a great deal about security technologies but I have little experience knowing all the doors I need to lock on a web site.  I need the sites to be secure by default so that I just focus on not creating security holes rather than doing an exhaustive security audit.

Here are some of the details of the various sites I need to build:

1. Most will require authentication
2. Some will require a shopping cart, credit cards, etc.
3. The sites will all need to look sharp and seem modern
4. The security of the sites will need to be solid because real spending gets triggered when a sale is made.

That's pretty much the essentials.  Here are some thoughts I've had in case the above is not clear or complete:

1: I like the fact that Joomla! lets me install a site with authentication and a cart yet I don't have to know HTML in order to get a gorgeous site. BUT, I don't like Joomla! because I don't know how to integrate my own code for custom logic (i.e. I comb the product database and put a list of items on a page based on identity or a query or a click).
2. I like code builders like Parallels Plesk CodeBuilder but I'm not sure how to integrate my own code, I am not sure it would end up secure without me bringing in an expert to close the holes and I won't get something as pretty as, say, Shape 5's Design Control Joomla! template.
3. I love the easy code integration in CMSes like Composite's C1 and I feel like I could manage identities well with it.  It does, however, seem like it will force me to become an HTML+CSS+Razor veteran.  I don't mind learning things and I do it fast BUT looking at the forums there makes me think that the veterans are always being forced to work around lots of little implementation issues that differ from the conceptual model.  Effectively, they have to become experts in the idiosyncrasies of the CMS.

1. End up with a site that works and I'm confident is secure
2. Minimize the learning curve. I know I have to do a lot of learning therefore I cannot do a lot more than necessary.
3. Avoid spending more than $2000 on tools, prefer free until sites have revenue
4. Access to freelancers who can save me when I get in over my head
5. Do not talk to me about Linux. I go way back with it but I am not going there.

So... what should I build my first site on? What should I invest my time and effort in learning?

Thank you.
Kenny Hopton Asked:
Scott Fell, EE MVE, Developer & EE Moderator Commented:
Wow, there is a lot to do.

1) Spend a day on webfundamentals 
Even if you don't want to do a lot of coding, spending some time getting basic html, css under your belt is essential.   Learning a bit of javascript/jquery is helpful.  But get familiar with html and css.

2) Realize you are great at being technical.  This means you probably will not be such a hot designer.  For the front end, start with templates.  

3) Decide if you want a stand alone traditional site or CMS.  There is going to be a learning curve either way.  If yours is going to be mostly ecommerce, don't reinvent the wheel here, there are other options.

One option is  It can run on your windows server if you have php installed and I believe it will work with mysql or mssql.  Even  if you don't  know php, this is fine, you are not programming the thing, just using it.  Being technical, it is easy to figure out.

If you go the cms route such as wordpress, there are plenty of options for plug ins and themes.  You can use sites like with your wordpress.  You can also use opencart in a different folder or subdomain for that matter.

If you really don't want to get up to speed coding html and go right away, consider an all in one solution like or or  These 3 sites do all of your handholding.  All you need to do is add content and there are themes ready to go.  They all have ecommerce available.

>I like code builders like Parallels Plesk CodeBuilder
Stay far away

4) It is good that you understand security.  When it comes to ecommerce, you will not be storing any customer data.  You only capture name, address, items purchased etc.  The CC number will go to your 3rd party gateway/merchant account.  A popular gateway is but it will primarily be up to your merchant account as to which gateway you can work with.  When searching merchant accounts, it is good to make sure they can work through as integrations for them are already baked in to most shopping carts.  There are plenty of others too.  I have a lot of answers here on ecommerce, carts and payments

If you use wordpress, your biggest security threat will be in your ability to upgrade WP and now the newest version upgrades itself. Make sure plug ins are always updated as they are the number one reason for hack attacks.  Research the plug ins as well.  Look at the changelog and notice if the last time it was updated was 2009 or Jan 2014.

Overall, I think you should take a look at squarespace or wix as a hosted solution to get you up and running the fastest.

My 2nd choice is going with open cart.  There are plenty of cart systems out there where you pay a monthly fee;, and are also options for paid.  They all have themes/templates and also will happily take your money for custom design.   If you take  a look at the layouts vs opencart, you will see the visual experience can be similar.

There are open cart themes too.

I am sure there will be a lot more input on this.  If you like something you heard or not, please feel free to comment.
Dave Baldwin, Fixer of Problems Commented:
If you are going to be taking credit cards and doing financial transactions, you will be Required to do periodic security audits.  If you fail them, credit card processors will stop doing business with you.  And you have to hire an approved auditing service to do it.
Kenny Hopton, Author Commented:
To Scott -

Thanks for the thoughtful response.  Some specific comments:

"get familiar with html and css"
I have done some online tutorials and understand the syntax and most of the tags.  I get through most things but it takes longer than it would for someone who has ingrained familiarity. I know I have to develop that but I guess that will happen as I build and maintain these sites.

"start with templates"
I completely want to do this. It minimizes the html/css-intensive part of the work and all that mobile/responsive expertise.  I feel, however, that this kinda disqualifies everything except WP, Joomla! and Drupal.  C1 and other .NET CMSes seem to have a dearth of templates and focus on "customized websites and content." If I had the html/css expertise, I might be able to cook up something nice looking to use with C1 but that extends my schedule to put on that expertise.

"Parallels Plesk CodeBuilder: Stay far away"
I tried Weebly and like it but it is Linux-only.  I have Plesk because of HostGator. I've not used it enough to discover the reason to run away but I am not married to it.  You've provided a lot of leads around builders and carts and payments so it will take me some time to run them down so that I know how to utilize your advice.

The thing that jumps out at me reading this is "are there builders (meaning Weebly competitors) that run on Windows, allow me to ring fence content for logged-in users and which allows me to somehow drop my own logic in?"  I'll start my reading with the ones you mentioned.

Again, I greatly appreciate your sharing this knowledge with me.
Kenny Hopton, Author Commented:
To Dave -

Your information about mandatory audits is very helpful, thanks.  Have you had an experience that taught you that transactions should be done off-site by a third-party? Or is it reasonable to integrate a cart into my site and just deal with the audit requirements as they come?

I am happy to learn from people like you who know the trade-offs and know how to avoid hassles.
Scott Fell, EE MVE, Developer & EE Moderator Commented:
It does not matter what platform weebly, wix or squarespace use as you don't have direct access anyway.  They are cloud services that would either take the place of your hosting with hostgator or you would use them in tandem in a case where you wanted to have some of your own function run as a webservice of sorts.

I would embrace the squarespace or wix.

One of the first things you should do is sketch out the process of what you are doing.  See if you can make a compromise to what you have planned vs what you can do out of the box.  It will be a matter of getting up and running in a week vs months.  

If you like having your own server, make it a subdomain.  Let's say you know how to run your own email program and you want to play with that.  Then tinker with that on  your hostgator account.  By the way check out and I use them both but mandrill is free for the first 11,000 monthly emails if you don't get a dedicated IP.  The dedicated IP is $30 per month and will help keep you white listed.    You can also use mailchimp as well.

Getting out of your .NET comfort zone a little may allow the process to go faster.
padas mentioned OpenCart and another one to look at is PrestaShop

Accepting credit cards directly on your site would be a no go for you - it requires a level of expertise well beyond basic knowledge of html - there are serious implications for mismanagement of this.  Stick with PayPal, Moneybookers etc, check out the list here
Some of them offer a transparent payment methodology (like Moneybookers and Stripe) so it doesn't look like the visitor is leaving your site.  And this moves the PCI compliance away from you.

Most of the popular shopping carts have a rake of plugins available, chances are if you want something then someone has already written it.
And if no one has written it they usually have several companies they will recommend for ad hoc programming.

Sticking with shared hosting will take care of security holes in regards to hosting.
Do not use Wordpress.
Scott Fell, EE MVE, Developer & EE Moderator Commented:
If you are on a fully managed site like wix/squarespace, they should already have the PCI compliance taken care of as far as the quarterly scans go.   If you have your own dedicated box, you will need to do quarterly scans.  The merchant provider will either take care of this for you or in some cases insist on somebody like  

This is not something to worry about at this stage unless you are going to use dedicated hosting and have some old programs that are out of date on your server.  

Part of this depends on how you integrate your payment processing. If you temporarily send the customer to the processor's site (like paypal) the pci compliance is on their end. If you accept the card data and it transfers through your server, then it is on you as well.
Moneybookers is now Skrill
(Their old name just keeps sticking in my memory)
Kenny Hopton, Author Commented:
I will definitely want to have the cart and IPC be external but look local.

Cathal, I actually came across that list when I was trying to familiarize myself with the basics and thought Stripe looked like the most attractive.  It sounds like they might be able to achieve the above.  Thanks.
Kenny Hopton, Author Commented:
Scott, I looked at Wix and found a knowledgebase note that shows that I could add a user login for controlling content access.  I couldn't find something that directly addresses that issue at squarespace but they mention that you cannot add an SSL cert to your site so perhaps that is their way of denying user logins.

I understand that Wix and others self-host and in that regard are agnostic to my hosting. The interface is shifted from the OS API to the wire API but I guess I can still create the appearance I want. I agree that a builder like Wix could save me a ton of time and work and I'm practical enough to go there.

I do have to create some custom logic and the means by which I could use a Wix-based user identity to filter results from my custom logic is not looking obvious to me right now.  Some sort of mutually validated token scheme? Hmmmm....
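
The signed-token idea raised in the post above, as an added example that is not part of the original thread and is not Wix's API: the front end signs the logged-in user's id with a shared secret, and the custom-logic service verifies the signature and age before filtering results. The function names, the secret, and the sample orders are constructed assumptions, and it assumes the front end can run code to attach such a token, which the thread does not confirm.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values; a real secret is long, random, and stored outside code.
SHARED_SECRET = b"constructed-demo-secret"
MAX_AGE_SECONDS = 300    # reject tokens older than five minutes
CLOCK_SKEW_SECONDS = 30  # tolerate small clock differences between the two hosts


def issue_token(user_id, now=None, secret=SHARED_SECRET):
    """Front-end side: bind the logged-in user's id to an issue time and sign it."""
    issued = int(time.time() if now is None else now)
    payload = json.dumps({"uid": user_id, "iat": issued}).encode()
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return ".".join(base64.urlsafe_b64encode(p).decode() for p in (payload, tag))


def verify_token(token, now=None, secret=SHARED_SECRET):
    """Custom-logic side: return the user id, or None for any invalid token."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # wrong number of parts or malformed base64
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    claims = json.loads(payload)  # parsed only after the signature checks out
    age = (time.time() if now is None else now) - claims["iat"]
    if not -CLOCK_SKEW_SECONDS <= age <= MAX_AGE_SECONDS:
        return None
    return claims["uid"]


def visible_orders(token, orders, now=None):
    """Filter records to those owned by the verified user; nothing on failure."""
    user_id = verify_token(token, now=now)
    if user_id is None:
        return []
    return [o for o in orders if o["owner"] == user_id]


# Constructed sample data standing in for the product/order database.
SAMPLE_ORDERS = [{"id": 1, "owner": "alice"}, {"id": 2, "owner": "bob"},
                 {"id": 3, "owner": "alice"}]
```

The token must travel over TLS, since anyone who captures it can replay it until it expires.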
One other thing...
You are saying no to Linux - problem is most of the good software (meh at free .net software) is written for PHP running on Linux and you tend to have to jump thru hoops a bit to make it work as good on Windows (running PHP).
So don't rule it out - and the hosting costs are far cheaper...
Linux may seem harder to work with but soon you realise CLI is actually still a good thing (I would never go back to Windows hosting unless it was a .net project and then I would be convincing the third party against it...)
Rowby Goren Commented:
Hello  khopton,

If you decide to use Joomla...

I've only run Joomla on linux servers, but Joomla can run on a windows server per this link:  Joomla technical requirements

For security you would use admintools PRO version.  Admin tools pro

And to customize the visitor's experience based on certain criteria (google search, etc), you would consider using the joomla extensions "Chameleon". Here's a link to Chameleon and this video which describes Chameleon's capabilities.  Chameleon video #1  and Longer video on Chameleon

And for a shopping cart, Hikashop is pretty good!  Tons of plugins for customizing Hikashop hikashop on JED

Dave Baldwin, Fixer of Problems Commented:
Here is the website for the PCI Security Standards Council which was founded by "American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.".  They have written a set of Data Security Standards that you are expected to comply with.  They are actually fairly stringent which is why companies like Authorize.Net and Paypal take care of credit card transactions so you don't have to store credit card info on your servers.

Their standards cover not just the web site but also servers and computers in your office and the physical security that is required to limit access to private information.  In the process of setting up credit card processing, you have to agree to pay fines for any loss of credit card information.
Kenny Hopton, Author Commented:
Thanks rowby, the Chameleon extension is really powerful.

I can see that WiX is powerful enough to get me functional with a short learning curve.  That is a big deal to me.  Joomla! seems to offer me more impressive UI but at the expense of a bit more learning curve.

I think I'll try building my first site in WiX and see when and if I discover limits that would justify my shifting to Joomla!

Now I have to sort out the cart stuff from within WiX. Not sure where to start on that one.
Scott Fell, EE MVE, Developer & EE Moderator Commented:
It is somewhat baked in

I'm sure Cathal can comment more on  

Anytime you are posting to a 3rd party site, the ssl is required on their side.

Sounds like you have a good direction now.
Kenny Hopton, Author Commented:
Thanks for the thoughtful advice.
Question has a verified solution.