Hosting a company website on our own?
Edit: I appreciate everyone's suggestions and recommendations! After speaking with my co-worker, I think we'll got with a Managed WordPress solution. Still have a lot more to discuss and figure out, but I suspect that'll at least put us on the right footing. Thanks!
Hello Tilderinos. I need your knowledge and advice.
The organization I work for wants to build a new website. Traditionally, we've used an AMS, which is an Association Management System. These are typically used by non-profits, which is what we are, a voluntary regulatory non-profit. It combines a CMS with a CRM in a proprietary package. It's also entirely hosted and managed by the AMS developer, which is typical for these platforms. Basically a turnkey solution.
We have a web designer/developer-yet-doesn't-want-wear-the-developer-mantle and me, who's really more of a desktop support/low level sysadmin for our small organization. I'm jack of all many trades, master of none.
Our web designer is really interested in either self-hosting WordPress or even looking into a headless CMS. He wants more creative and functional control over our website than what we currently with our AMS. We are very limited to what we can do right now, since we're playing in the AMS' sandbox with only some HTML/CSS and light JS use. Anyway, from there, we'd use API calls to query the new CRM that's currently being built out (it's a proprietary one, akin to Salesforce) to generate dynamic content.
I could go out and get webhosting at like a GoDaddy (I wouldn't use GoDaddy) or somewhere like that. I've done that before for some smaller auxiliary sites. Sites that, if they go down for a day or two, it's kinda NBD, while I try to figure out what's going on and reach out to the webhost for assistance. I literally just did that earlier this week on one of those sites.
But this would be our main website. And we have a global customer and stakeholder base. People are always on our website 24/7. I'm hesitant to commit to doing it this way because I feel like there's so much that would drop into our laps that we don't know how to handle. What happens when the site goes down for some reason? Is there a failover? How do I even set that up? How do we do backups and rollbacks? How about security issues? How do I harden the site and system? What happens if we do get hacked? We've discussed the issues with WordPress, which are many. How do we deal with all those issues on our own? I don't know the answer to any of these.
Like I said above, we don't have to deal with any of those questions right now. Our AMS provider deals with all that. I'm sure they have a team in a NOC or similar that watches the infrastructure 24/7. Part of what we pay them is so they can handle all that. No way in hell my co-worker and I are willing or able to do all that. And it's not that I'm not willing to learn how to do all this stuff, but to me, this seems like the wrong venue and time to be learning on the fly.
Idk. Are my concerns overblown? Is it really just as easy as getting some webhosting space somewhere and installing WP or some headless CMS and letting my web dev go to town? I know my co-worker could build the site out. I'm just not sure if I could support it all during and afterwards.
Any advice or suggestion would be appreciated. Because right now, him and I are going around in circles trying to figure this out, ha. Thanks.
No, your concerns are very valid. I would not do that unless 1) it comes with a substantial increase in compensation or 2) the team grows a lot. You’re increasing your workload by a massive amount.
2 is the only option, and that team would have to include a senior engineer that OP would work under, because he’s right, he cannot and should not be expected to learn this on the fly as part of a new mission critical deployment, no matter what his compensation is.
Yeah, I would love to learn how to do this under someone who's done this before, ideally many times. Working in small biz, I'm used to having to learn things on the fly. In small biz, we never have enough resources. And there are certainly times I'm willing and able (and even required) to cobble things together into a solution. But this is too important. As you said, mission critical.
I appreciate the vote of confidence. Even if it's technically no-confidence!
Your concerns are on-point.
What’s the objection to managed Wordpress? That seems like the common-sense option for getting around the limitations of your current system without opening yourself to major headaches.
There are options to make the self-hosted route easier: spin up a DO droplet and lean on their disk-image backups, setup unattended upgrades, put up some sorta WAF or aggressive Cloudflare filtering, etc. But you’re 100% right that it’s still a lot to take on and none of those options are bulletproof.
So my dev has a lot of experience with WordPress from past jobs. But his main concern, self-hosted or managed, is just the level of care one has to take with WP. WP updates breaking things, plugin or theme updates breaking things like other plugins, etc. And then I guess WP being unsecure, depending on what's being done? And he mentioned the same of Joomla, Drupal, etc.
I know very little about the depths of WP. I have a personal WP blog, but I don't do anything crazy with it.
This is a risk management and resourcing question that should involve your unit head. Right now all the risk of traffic spikes, backups, data loss, data disclosure, etc, is managed through a services contract. You would be bringing all of that risk into the organization. Taking on that risk isn't necessarily wrong depending on what your organizations growth plans are, but it's something that should be done deliberately and resources appropriately.
There are hosted CMS services out there that will handle all the traffic, data backups, etc, but the will cost more and have some restrictions on the plugins/customization, but will allow more than your current hosting. Again though, let's say you find a hosted WordPress service that handles everything and allows a custom template. At the least you are now obligated to maintain your template and plugins as WordPress upgrades and is upgraded according to a schedule by your provider.
It doesn't really sound like you're organization is ready to invest the resources to be responsible for security, data loss/retention, etc, or at least hasn't planned out the resourcing to do so.
Additionally further to your concerns about outage please also consider security in the context of data breaches. Especially if you have personally identifiable information hosted there may be strick reporting requirements in your jurisdiction. Your current host almost certainly handles this for you. If at all possible you do not want to be managing this.
We'd likely be pulling some PII over from our CRM. Contact information almost exclusively, but PII nonetheless.
Certainly a BIG consideration in all this.
Hi @JCPhoenix
I think some of the feedback from others here is really good, and i encourage you to review and absorb their comments if you haven't already...because i think what is being asked by your org might be bigger than they realize (and certainly comes with big risks and headaches for you/your team)...or maybe the org asking for this are not exactly understanding what they need from you, or maybe they don;t exactly know what they want either. Here's what i mean: why do they want a website? Is it because they want to what amounts to a marketing website that is mostly static content, and simply promotes activities and tries to stir up signups for newsletters, or maybe pushes visitors to a separate donation capture web portal, etc.? Or, do they legit want to re-platform everything from CRM, donation capture, marketing/promo content, etc.? I think ultimately understanding what really is the goal/intent of the website from the org's perspective may help you tons.
If the goal - for example - is to NOT replace the AMS, and instead have new website be used as "marketing website", then pick a provider like managed WordPress or others and then just proceed. I know you stated that you have a web designer, but then you mentioned they could handle API calls...? If this person does not want to be a developer, and their strengths are designer, then stick to managed wordproess or something similar....this allows your designer to stick to what they like/what they're good at, and maintenance is minimal - since your focus would be upgrading (or temporarily disabling!) any plugins, and worrying less/nothing about underlying hosting stack/environment. Or, another example could be that maybe the org has 2 websites - one for marketing which can be based on a managed service like Wordpress or the like - and this website merely allows for users to navigate to the separate/secondary website which might be the AMS provide one or maybe some other managed provider that supports directly - i don't know - functions like donation capture, etc. In other words split up and somewhat outsource the functions of the web experience and associated goals to different managed providers; your team handles the marketing site (via providers like wordpress), and AMS or other providers manage the other website, and so on. If this sounds expensive, its not. Well, that is, they are plenty of reasonably priced managed providers for non-profits - depending entirely on the ultimate goals that the org has for the desired website(s). Basically, a discussion on the ultimate needs/goals of the org should drive any further discussions.
After almost 3 decades of work in technology and almost all of it working for medium and big enterprises, i spent about a year and a half working at a non-profit - directing a regional United Way non-profit through their entire digital transformation during the pandemic...so whatever type of non-profit you work in, i assure you there are plenty of options for you. ;-)
If you wish, feel free to reach out to me privately (send me message within tildes), and i'd be happy to answer any other questions you might have. Good luck!
I very much appreciate your comment!
Generally speaking, yes. It'll be a marketing website with mostly static content. We don't do any fundraising (we're technically non-charitable), but we do want them to attend various events at the national/intl level, we as well as other events put up by the "regions" (like sections, but based on geography instead of interests/topics).
We're not planning to replicate the whole CRM functionality on the website. I believe the point is to, at the very least, be able to direct people to those appropriate regional events, once they sign-in. Most our our members don't know their region (for ex, there's 7 in the US alone), so it's a way to better funnel them to those appropriate events. And also to use SSO with our CRM and other platforms we use, such as CVENT, so that our members don't have multiple sign-ins for platforms related to us. We do also want to capture some of these activities that they're doing on our various platforms, so that we can appropriately market to those people. If we see that so and so is opening emails we send them, that they're on CVENT submitting a presentation proposal, and we see that they've attended events, we can approach them in a different manner, as an active, participating member. Right now, we have this information, but it's all siloed. We have an idea who are active members are, but we can't say for certain that they're active because that information is all over.
I think there's also a desire to have prospective members apply on our website, but then we transfer them and the data they've input over to the CRM for final processing and payment. Also, if members need to update their profile, they should go directly to the CRM. If they need to pay their dues, they go directly to the CRM. Need to start a certification process? Directly to the CRM. So yeah, not entirely replicating it, but at least driving some dynamic content and allowing us to track behavior
My preference would actually be two separate sites. One static, one CRM, with no data connection between the two. Kinda how a lot of US schools and universities seem to manage their web presences. There's the information/marketing site, but if you need to pay tuition, registry for classes, see grades, you go to a completely separate site for that. But I'm not sure if I'd be overruled on that or not.
The managed WP might be an opportunity for us. I know my designer/dev is somewhat hesitant to do WP at all for the all maintenance purposes, with plugins and themes and updates breaking things, but maybe that is the way to go. I'm familiar GoDaddy, Namecheap, Wordpress itself, but are there better managed WP providers out there?
Have you looked into WebFlow? That's the standard tool in Silicon Valley for these types of sites - even for companies with 10 software engineers on payroll WebFlow will get used for the marketing site.
Thanks for this info...and apologies for the length of my response below...
So what i understand from the above is very roughly:
If i've captured the rough goals accurately, this is great because you seem quite clear on what is needed. Please don't take that the wrong way. Its surprising how many highly intelligent people i work with who miss the whole point of efforts/projects, and then after lots of time, money, and effort are expended find ourselves heading in wrong direction. Glad to see you're laser-focused, and of course this (hopefully) makes your discussions with your leaders and peers easier; that is, by keepoing everyone's "eyes on the prize". :-)
Allow me to address the easier question you asked about managed providers for WordPress. They very much exist, and the benefit of course is that your org would be paying them to handle almost all maintenance for the lower half of the tech stack. That leaves the top half like design, template, plugins, and user management (assuming other folks maybe in marketing might eventuall handle the content, etc.), and maybe a few tiny other things. While there could be ongoing work involved in admin and plugin updates, the design stuff might be work up front, but very little thereafter...which is to say, leveraging a managed provider is a bunch of setup work, and lots less work thereafter....that's the money your org is paying to them. Years ago WP Engine (https://wpengine.com/) were considered the gold stanard of managed WP providers...I honestly do not know if they;re still the tops, or where they fit in quality-wise. I'm sure there are plenty others nowadays, but i can'd recommend one off the top of my head. But a quick search engine scan can manifest a few i'm sure. Also, Wordpress.com actually has paid plans that sort of provide the same service as WPEngine - in that you pay them money to not have to manage the bottom half of the stack. Again, a quick search could help you find other equally good and well-priced providers.
As far your preference to having 2 separate sites....without me knowing other aspects of the effort (e.g. budgets, preferences of other stakeholders, peers, etc.) its hard for me to fully 100% advise...but at glance from your notes, i agree with you that 2 sites would be the way to go....to start with. I'm going to disclose my bias here. I'm the type of person who at the start of all projects inform everyine that we will produce "good enough" outcomes in order to achieve faster delivery dates...Why? Because ALL conventional projects are always late and over budget in the digital world...and if we arrive at end of first phase faster, we can know exactly what direction to pivot to next for phase 2, and we have budget leftover to spend for phase 2. But if orgs try to spend too much time to "get things perfect" on the first laucnh...then get ready for circa 1970s/1980s project management and low quality outcomes. This "good enough, but fast" approach has become my preference after almost 30 years of working on web and digital projects at big companies, and seeing so many failures doing it "the perfect way"...so mileage may vary if my assumptions do not apply to your org's stakeholders, etc. But my experiences across all areas - and especially when i spent the year in nonprofit world - is to get something good enough out into the world, reflect and review how it does, then start short and sweet further iterations going forward - this helps with people feeling good that stuff got done, and it lowers volume and complexity of work (which helps avoid team burnout). If i'm going to "win" or fail, i want to know as soon as possible, and then react quickly and accordingly. The startup world uses this to respond quicker to market conditions, i have used it successfully to get stuff done faster, and cheaper, with less effort, and be nimble for any issues that come up.
Anyway, back to the 2 site approach. This would be a good idea to start with because it makes any integration easier, or as you noted mayb not at all - if can convindce them to keep the sites separate. Then after launch and some time of review, can look at how that separate site approach helps achieve the org's goals, or not.
Now, for the tracking of activites, platforms like Google analytics and other related web analytics services would be the basic building block. There are numerous mechnaims such as inserting pixels in emails that tie back to webpages on either sites, or using special links (like those that have all those characters at the end of the URL) in email that "ping" google analytics to show that a visitor clicked a link from an email, and on and on, etc. Google analytics and all other similar services have countless tutorials on how to set these things up and manage such campaigns...However, i'm going to stop here and state that while i know you might like to be a tech jack of all trades...this "campaign setup and tracking" is really something that needs to be thought through way in advance in collaboration with someone, say, in marketing - assuming your org has someone who handles that. Why? Because a rookie mistake with ttracking is that some tracking mechanism gets added to some steps in flow, but then one step is missed, and the measurements produce lots less value, or maybe the wrong reports are setup, etc. For exampe, if there is an email campangin that is setup, and then the email body is set to track the clicks, and the landing page is set to track activity, but then some button to register for an event is NOT tracked...well, sure you can collate this web tracking data with the CRM registration data, but now you've created manual work or a possible gap in between steps in the overall snapshot of the visitor. Is it the end of the world? No, though many orgs have you believe its horrible. But, it does in fact create gaps in future reporting...so it behooves whomever wishes to track activity to talk through all the steps that are desired to be tracked. Think of it like a director for a film talking everyone through all the story boards to explain the difference movie scenes, etc...and then everyone comments on what should/could be added in, etc. Here again, while discussion and planning should be had, you can still plan things in a way to deliver only steps 1, 2, and 3 for launch, but later after launch subsequently add additional tracking after steps 4, 5, and 6. This keeps the initial sequentioal steps of tracking in tact and avoids gaps there, and only later in those secondary fast phase 2 iterations can more latter tracking steps be added.
By the way, Google analytics and other similar service often have tons of report options - its quite silly really, and most business do not need that much data or reports. These services often also allow for setting up reports and then automatically having them emailed to relevant stakeholders. It might actually be worth it to play with any free offerings on a test website, and see what stuff looks worthwhile, etc...and again, there are a plethora of tutorials for you or for your designer or better yet for the marketing folks in your org. The more fiolks in the org that can see the value - and by consequence think what they might want to track - the better everyone will be aligned for the overall "new website" project.
I should mention also that if your CRM provider already has some sort of mechanism that can be used as an equivalent og google analytics but via some plugin of theirs...maybe consider engaging in discussion with them to see if they have an offereing for a separate marketing website. I don't know if this is a sensitive topic, but worth an ask if only to see what tracking options might exist with them.
Finally, i can't stress enough about the way of working, preferring smaller scopes of projects in order to get something good enough out the door. The older ways of trying to get all scope and details included in the first launch, and getting them all perfect for that first launch is no longer good for many orgs. When i worked at the local United Way, they operated like this, and being a nonprofit their bugets are always massively constrained for projects...But when i showed them how to think like this smaller and more frequent deliverable style project managemrnt (yes, yes, its a variation of "Agile" and "lean" management but no one cares about these names except for big money consultants)....Well, this approach fit them perfectly....it helped cope with the small budgets, it made everyone involved empoewered that they were involved in an exciting effort, and seeing something come to fruition faster (or pivot quicker and with less damage/problems because issues are encountered much sooner that traditinal ways)...made everyone fell, well, happier! Is it perfect, and does it work for every org? No, definitely not, and maybe its not appropriate for every single project or org...but i've been hard pressed to see this approach fail for anyone. Of coures, you know your org, and could be the best judge here. :-)
I'll stop here, because i threw so much out here. Happy to keep answering questions, providing feedback. If its easier via email for you (instead of via Tildes), here's my name and email address:
I hope this helped! Thanks!
Sorry for the delay in response. But thank you for all this!
Luckily my web designer/dev is pretty on the ball with a lot of this. He's come up with a lot of the plans here, while I'm just relaying the info. He is also one of our marketing people, so all the stuff you said about Google Analytics and automated email reports to various stakeholders...he's had up and running for a few years now! I even "reversed doxxed" myself and just gave him the link to this thread so he can see what you all have been suggesting and recommending. This thread and responses like yours are a gold mine!
He did come across WPEngine as we were looking for hosts, so we'll certainly check them out.
There's another part of this hold project that we didn't mention, because it's not particularly germane to this discussion. And I'm thinking we -- me and others involved with that side of the project -- kinda got it wrong, because we tried for an "all-in-one solution" in an attempt to go for the "perfect solution." Now we're regretting it somewhat because we're having to make a lot of decisions about things we never even considered, with little information and time. In retrospect, I wish we would've gone with the step-by-step, focused, perhaps piecemeal approach. Luckily, this website is a separately scoped project. So I think we're seeing the missteps we made with this other thing, and trying to do better over with how we approach this side, this site, this time.
Anyway, thank you again. If I have any questions, I'll be sure to reach out!
It is great to hear that your web designer/dev has been thinking and planning some of the same stuff! Also, it is really helpful that they are part of marketing; so they can understand both sides of the coin so to speak.
As far as the ways of working, hey, we've all gotten bit by project "gotchas". The only reason i know enough even to suggest such ways of working is because i have tons of scars from the past. Some times we get so deep into something that we don't lift our heads to see what might work better for some circumstance, etc. We're all human. But, as my dad would say during my time playing little league baseball: "no worries; just shake it off, and get back in there"! :-)
Happy to take any other questions along the way! :-)
I have no specific advice, but I think you do want something managed by vendors and picking the vendors is important to get right.
You mention CMS which to me sounds like “people who aren’t the web designer need to post and edit articles” along with CRM which I see as “a front end for a database that holds customer data.”
They could possibly be different websites with links between them.
I would like to echo what others are saying in that your concerns are valid.
Maintaining a fast, highly available, global website is a much larger challenge than using a managed service.
In your case, having mentioned a global audience, you might also need to consider replicating to CDNs so that people far away from the host will experience quick load-times. This can be further complicated if visitors need to interact with APIs (Say, if there's a login/profile module on the site, or if you provide dynamic data).
You also say people are on the site 24/7 which I interpret as 'high traffic'. In those cases, typically you would put your web server behind a load balancer which (depending on the service) can spin up more instances of the web server if traffic starts to spike.
All said - there are managed options like netlify and vercel which iirc do a lot of the above. I have no experience with managed wordpress but I assume the features would depend on the hosting provider.
Trying to answer some of your specific q's:
What happens when the site goes down for some reason? Is there a failover?
How do we do backups and rollbacks?
How about security issues? How do I harden the site and system? What happens if we do get hacked?
It all seems a bit scary at first, but there are tons of tools/docs out there to assist and if there is a good enough business reason to roll your own it does afford a huge level of flexibility.
Is the website a core competency of your non profit?
Would a more tailored website allow the non profit to better achieve their objectives by 10x?
Is there any way to achieve most of the benefit of a tailored website in a way completely separate from the web portal that has access to your CRM?
Because there is substantial cost and risk to going the custom path. If the hacker compromises your site, and your site has access to your CRM, now the hackers have access to all your donors info. Which when the news breaks, would severely impact your ability to raise funds. And while I doubt your vendor is completely secure, or even mostly secure, if your vendor gets hacked and a bunch of non profits info gets taken the. that is a vendor PR nightmare, if you get hacked then that is a you problem.
That said, if you are seriously building out a proprietary CRM system that will drive dynamic external content, perhaps this risk is entirely unavoidable.