Finding a web design/development shop that has your best interests at heart can be a real chore today. I'm reminded of this simple fact in an especially vivid way today because of a potential customer we spoke with. Seldom have we run across a single client so badly abused by our fellow web vendors, but apparently they're out there.
With that in mind, I've decided to take some time and focus on the sort of things you can do to help narrow down whether the vendor you're speaking with is a good fit for you or not. The following questions are designed to help narrow your field of prospective vendors. I've explained the reasoning for the questions as much as possible, and also what potential pitfalls are associated with them.
1.) Do you do your own hosting?
This is a really difficult question because you can never really get the answer you want out of the vendor. I've spoken with some of our competition who I knew good and well didn't do their own hosting, and it took me 15 minutes to get the answer I wanted out of them. The rationale behind this question is pretty simple. Everyone has different needs in a design firm. It's not uncommon for a design firm to outsource their hosting to someone else. In fact, in many cases, this can be a good thing, as most design/development shops don't have the bandwidth to handle such a feat. The downside to this scenario is that many times the design firm's clients (not to mention their own websites) are at the mercy of the host. If that host goes down, or runs into any number of other potential issues, the design firm can be completely powerless to fix the problem. That said, there's a downside to hosting for yourself as well. I've spoken to countless individuals (usually non-profits and churches) who have found themselves hosted on someone's business cable or business DSL out of a house, and this is certainly not a good position to be in either.
As a hosting firm of over 10 years of age, we've seen just about everything there is to see in this market. Ultimately what's important is for a client to find a vendor and establish a relationship that will continue to thrive long-term for everyone involved. We choose to do our own hosting for this very reason as it gives us the ability to handle a customer's needs no matter what they may be.
2.) Do you do your own design work?
Believe it or not, a lot of "design" firms actually outsource their design work to someone else. This again isn't necessarily a bad thing, but they are playing middleman to you and you might be able to find a product of the same quality or higher for a better price. If the work looks good and you feel comfortable with the firm's ability to maintain what someone else has developed, then this is definitely not a deal breaker, but it's good to be aware.
3.) Is your code proprietary?
I deal with this almost every day. If you've been reading my blog at all, chances are you've seen me harp on this particular thing. Proprietary code is really a one-way ticket to internet-hell. Maybe not today... true, but trust me, the chances of it biting you eventually are much greater than the chances that you'll escape unscathed. The answer you're looking for is that they develop using open source (pre-existing) platforms and that the code they develop can be hosted anywhere (i.e. they aren't requiring that you continue to do business with them from now until forever). Believe it or not, being locked in to a single vendor this way is a real possibility in today's web development market, and the effects are NOT pretty. That customer I mentioned at the beginning of my post has seen this firsthand, and I had the unhappy privilege of telling them that we would have to start over... AGAIN with their project just to get it to a workable state. It's to avoid exactly these sorts of circumstances that we develop with Open Source standards.
4.) How often will the CMS running the site need to be updated?
This is an important question no matter what sort of system your vendor may be running. Proprietary and Open Source solutions alike have updates made to them fairly regularly (for the sake of security at the very least), and you need to know how often this happens, whether it's mandatory for you to upgrade, what it might cost, and whether the vendor offers any sort of service plan to keep you up-to-date automatically. As I said, any solution will probably require this to some extent, so it's good to know the answers to this going in.
5.) Do you have an in-house security department?
I love this question because almost everyone will tell you "No." if they're being honest. This isn't to say that no web development firm has anyone who is security minded internally, just that seldom do they have anyone who actually focuses specifically on this job. This is going to be an uncomfortable question to answer, and so they may do their best to stretch the truth, or answer a different question. Largely it'll be the same song and dance as the hosting question, but if you'll educate yourself on SQL injection attacks and cross-site scripting (XSS) attacks, you can sit down and ask them some pointed questions about standards and development and prevention. Most companies are going to flunk out right here, and that's really an amazing thing considering the fact that these are VERY important issues today. You wouldn't want someone with a little knowledge and the ability to Google to pull a list of all the users of your website... you wouldn't want that same person to have the ability to redirect all the traffic from your site to a, shall we say, less than appropriate website. These are the very things that SQL injection and XSS allow, and so you as a potential website owner should be interested in anything being done to prevent them (or perhaps the lack thereof).
Most of the time, open source development platforms have an entire team of individuals who are focused on preventing SQL injection and XSS on their system. As others adopt that platform, they can generally continue coding to the standards set out by the security team, and prevent the vast majority of these sorts of attacks. No system is perfect, but when you have thousands of individuals testing your system and looking at your source code, as opposed to dozens, it helps to eliminate errors much more quickly. This is one of many reasons we've chosen to adopt Drupal as our open source solution internally.
Remember, it's not necessarily that anyone is out to take advantage of you. Individuals can be quite sincerely convinced that their solutions are fantastic, but you really need to take a little time, educate yourself, and make a decision beyond what the typical client might. You owe it to yourself to be sure that the vendor and the platform are both the right place for your site before you commit yourself to it.