You can certainly design and test the site offline before getting a domain name and hosting (i.e., you can start with steps 3 & 4 above).
Also, when you're ready to upload via FTP, make sure the host name in all your source files gets changed! For example, if you've been testing offline with "http://localhost/" but have uploaded your scripts to "http://yourdomain . com/", make sure you change any references to localhost in your code! Some editing environments can do this for you automatically when you use their built-in FTP features.
You're missing a couple of steps in "get web hosting". Signing up is the easy part; initial site configuration (which also comprises part of your "get it secure somehow" task) will take more time. You'll need to set up DNS (and reverse DNS) for the domain name, create email accounts (and then configure your client-side software to access them), set up spam filtering, etc. etc.
Depending on what kind of site this is you might need to enable FTP uploads, configure SSL (a secure socket layer --"https"-- for secure credit card transactions), etc. Or not. I don't know what the site is for, so I can't assume.
Also, "get it secure somehow" is somewhat vague. Do you mean get your web hosting account secure or make sure that your site scripts are secure? This isn't a line item as much as an ongoing process.
thanks for the info. rightnow i have a template and some domain names. im thinking of using joomla for my first site b/c ppl say it is simple. are there any additional steps requiered when using a CMS like joomla? are there less steps? also, im leaning towrds hostgator webhosting. so i will research the DNS once i get to it.
Joomla's fine. One of the better CMS systems out there (or, as considered by many, the best). I've never used hostgator, but they seem to have a good reputation here on WHT, with an active and responsive representative in the forum. Also, they use CPanel and Fantastico, which means that (a) setting up Joomla is a very easy point-and-click affair, and (b) configuring DNS, email, etc. will be trivial.
Just make sure you keep Joomla patched and up-to-date. Sign up for their email newseletter/security alerts/whatever so that you know about exploits and upgrades the moment they happen.