LittleBITS: Website Changes for Speed and Security
During our week away from an email issue of TidBITS, we did a little work on our website. The site has become sufficiently complex that there are often unexpected side effects to changes, so we’re still finding and sanding down the rough edges. Let me know if you see anything that’s not working as expected.
First, we’ve been grappling with various issues surrounding image optimization, caching, and content delivery networks over the past few months. Our latest effort to resolve them involves using Cloudflare’s Automatic Platform Optimization service, which caches the site’s HTML pages, not just its static assets, on Cloudflare’s CDN. I ran some performance tests on our site, and they seemed generally fine, so I was skeptical that this would make much difference, but it was worth trying for $5 per month.
I was wrong to doubt. If you go to tidbits.com now and browse around, you’ll find that pages load nearly instantly. The performance wasn’t bad before, but now it’s even better.
Even though this change was easy to implement, we’re still finding little things that need tweaking. Most notably, searches were failing earlier today but now seem to be working—I hope that’s resolved.
More Attack-Resistant Membership Checkout
Completely unrelated to the Cloudflare APO move is a notable change in our membership system. As I wrote in “LittleBITS: Issue #1600, Card Testing Attack, Preventing Inadvertent Unsubscribes” (28 February 2022), we inadvertently enabled a card testing attack, whereby an attacker used a bot to create accounts and sign up for memberships to see which of the stolen credit card numbers it was using were still active. We blocked it with a reCAPTCHA that stops automated form submissions, but the reCAPTCHA also caused random problems with accepting Apple Pay. We were never able to resolve those, so I took a chance and disabled the reCAPTCHA.
Bad idea. Several months later, another attack happened, again using the Custom Monthly Amount membership level, which defaults to $2 per month and is thus attractive for card testing: a successful charge confirms that a stolen card is live, and cardholders are less likely to notice a $2 charge. It happened at a particularly busy time, so I dealt with it by disabling the Custom Monthly Amount level in the hope that the attacker was testing against only small amounts. That was once again a bad idea, and a third attack happened with our $20 TidBITS Contributor level, so the amount alone is no defense. Stripe blocked the vast majority of the attempts in both instances, and I refunded all the rest right away, but it’s unacceptable to be party to such criminal behavior, so I turned reCAPTCHA back on.
Rather than disable Apple Pay entirely to solve those problems, our developer suggested switching to Stripe Checkout, which adds a Stripe-hosted payment page to the membership process. That’s an extra step, but the hope is that Stripe’s hosted page brings significantly stronger protection against bots than we could muster on our own site. We’ve made that change, so you’ll now see a Stripe-hosted payment page when checking out.
In the ongoing saga of no good deed going unpunished, the Stripe Checkout-powered process is taking payments, but there’s a disconnect with Paid Memberships Pro in WordPress, so accounts aren’t reflecting the payments and membership change: the webhook Stripe sends to tell Paid Memberships Pro that a payment completed is showing as still pending a response. Our support wizard, Lauri Reinhardt, has identified the problem, and we’ve reported it to our developer, so I hope to have it fixed shortly. In the meantime, if you renew or join TidBITS and your account doesn’t reflect your payment, that’s why.
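The card testing pattern described above (a bot cycling many stolen cards through low-cost checkouts, most of which decline) is also easy to spot in your own logs, which matters because the attacks here were noticed only after the fact. The following is an added example, not TidBITS, Paid Memberships Pro, or Stripe code; the log format, the field names, the thresholds, and the sample log lines are all constructed for illustration. It flags a source IP whose checkout attempts in a short window use many distinct cards with a high decline rate, and lists the accounts whose charges went through so they can be refunded and disabled, which is what was done by hand above. Amount is deliberately not used as a signal, since the attacks moved from $2 to $20 once the cheap level was removed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Attempt:
    ts: datetime
    ip: str
    account: str
    amount_cents: int
    card_fingerprint: str  # Stripe-style per-card hash; never log the card number itself
    outcome: str           # "succeeded" or "declined"


# Constructed sample log for this example (assumed format, one attempt per line:
# time ip account amount_cents card_fingerprint outcome). One bot at 203.0.113.5
# runs six different stolen cards through $2 checkouts in about two minutes;
# two ordinary readers appear for contrast, one of them retrying the same card.
SAMPLE_LOG = """\
2022-09-10T14:00:05+00:00 203.0.113.5 new-user-1 200 fp_a1 declined
2022-09-10T14:00:21+00:00 203.0.113.5 new-user-2 200 fp_b2 declined
2022-09-10T14:00:40+00:00 203.0.113.5 new-user-3 200 fp_c3 succeeded
2022-09-10T14:01:02+00:00 203.0.113.5 new-user-4 200 fp_d4 declined
2022-09-10T14:01:30+00:00 203.0.113.5 new-user-5 200 fp_e5 succeeded
2022-09-10T14:02:11+00:00 203.0.113.5 new-user-6 200 fp_f6 declined
2022-09-10T14:05:00+00:00 198.51.100.7 longtime-reader 2000 fp_g7 declined
2022-09-10T14:06:30+00:00 198.51.100.7 longtime-reader 2000 fp_g7 succeeded
2022-09-10T15:30:00+00:00 192.0.2.44 another-reader 200 fp_h8 succeeded
"""


def parse_log(text):
    """Parse the assumed space-separated log format into Attempt records."""
    attempts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, amount, fingerprint, outcome = line.split()
        attempts.append(Attempt(datetime.fromisoformat(ts), ip, account,
                                int(amount), fingerprint, outcome))
    return attempts


def find_card_testers(attempts, window=timedelta(minutes=10), min_attempts=5,
                      min_distinct_cards=4, min_decline_rate=0.5):
    """Flag source IPs whose checkout attempts look like card testing.

    A card tester submits many *different* cards in a short burst and most of
    them decline; a real customer retries the *same* card a few times. Each IP
    is reported at the first window in which all three thresholds are met,
    which is when a real-time detector would block it. Grouping only by IP is
    a simplification; bots rotate addresses, so group by device or e-mail
    domain as well in practice.
    """
    by_ip = defaultdict(list)
    for a in attempts:
        by_ip[a.ip].append(a)

    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort(key=lambda a: a.ts)
        start = 0
        for end in range(len(rows)):
            # Slide the window so it spans at most `window` of time.
            while rows[end].ts - rows[start].ts > window:
                start += 1
            burst = rows[start:end + 1]
            if len(burst) < min_attempts:
                continue
            cards = {a.card_fingerprint for a in burst}
            declines = sum(a.outcome == "declined" for a in burst)
            rate = declines / len(burst)
            if len(cards) >= min_distinct_cards and rate >= min_decline_rate:
                flagged[ip] = {
                    "attempts": len(burst),
                    "distinct_cards": len(cards),
                    "decline_rate": round(rate, 2),
                    "first_seen": burst[0].ts.isoformat(),
                }
                break
    return flagged


def charges_to_refund(attempts, flagged):
    """Accounts whose charge succeeded from a flagged IP: refund and disable them."""
    return [a.account for a in attempts
            if a.ip in flagged and a.outcome == "succeeded"]


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    hits = find_card_testers(log)
    for ip, info in hits.items():
        print(f"card testing from {ip}: {info}")
    print("refund and disable:", charges_to_refund(log, hits))
```

Run against the sample log, the bot is flagged at its fifth attempt (five distinct cards, three declines), while the reader who retried the same card after a decline is not. The same thresholds applied to account creation rather than checkout would have caught the bot one step earlier, before any card was charged.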
TidBITS Talk and Navigation Bars
Finally, I made an interface change a while back in response to requests from TidBITS Talk participants. There’s a new top-level TidBITS Talk menu item on our site’s main navigation bar. It contains links to article comments and general discussions on our companion Discourse site, plus a link to SlackBITS. That allowed us to remove those items from the Get TidBITS menu, where they felt somewhat out of place, and it hopefully makes TidBITS Talk more prominent.
On the other side of the equation, the TidBITS Talk site now has a TidBITS Home link in its nav bar for those who end up on TidBITS Talk and want to get back to the main tidbits.com site. I struggled a little with the wording because “Home” on its own didn’t seem sufficiently descriptive, but “TidBITS Home” seemed like a reasonable, if slightly wordy, way to differentiate between the sites.
None of this will radically change your experience of using the site, but once the dust settles, it should be faster, easier to use, and better protected against attacks.
Congratulations on all the updates, Adam @ace. Now please take a break!
I hope so soon! We got a little overzealous with a bot-blocking rule in Cloudflare, which broke some RSS readers and images in Facebook posts. That’s now fixed, I believe, as is the connection between Stripe Connect and Paid Memberships Pro. The only thing left to fix, I think, is our connection to the VaultPress backup service that’s part of Jetpack.
The very last bits you mentioned, concerning the cross-links between TidBITS and TidBITS Talk, are so welcome. I noticed the “TidBITS Home” link as soon as it appeared in the header.
I did wonder, @ace, what was the thought process that led to the two sites not having easy passage from one to the other over these four years? I know you’ve always approached TidBITS with much intentionality and purpose, so I always presumed it was a design decision rather than an oversight.
My interest stems from curiosity rather than criticism, even as I’m really happy for this development. (Also for the tip on Cloudflare!)
This is merely our latest effort to link the two sites. Previously, the main site had a TidBITS Talk link in the Get TidBITS menu, and the TidBITS Talk site had Articles and Issues links in the nav bar. This discussion was what prompted the latest approach.
I’ve never been all that perturbed about the linkage because article comments are appended to the articles themselves, which is the primary goal. Someone who’s just reading doesn’t even need to know that the Discourse site exists as a separate entity.
Those who do want to contribute get bounced over to Discourse, of course, and once they’re here, they’ll see the general TidBITS Talk discussions as well, and Discourse will ensure they continue to be alerted to new stuff. We mention TidBITS Talk enough in articles that I’ve always assumed people would find it if they wanted, and I have no inherent goal of growing TidBITS Talk—it can grow organically. It goes up and down, but we’re hitting roughly 200,000 pageviews per month on TidBITS Talk alone now.
Thanks Adam! I’ve gone the “getting bounced over to Discourse” route any number of times, and then found myself staying for other stuff posted here. Getting back to TidBITS always required me to think more than I wanted to.
I’m not shocked that you’re getting that many page views on the Talk site. At least for me, this site helps satisfy my need for Mac info and troubleshooting tips, plus there’s some great folks here.
@ace, is it possible recent changes you made to the site also resulted in any brand new posting I make leading to an unread message badge on its parent thread in the latest list? Didn’t use to be that way and I think that was correct. My latest post is not ‘unread’ to me.
No, nothing we did would affect that, which is entirely within Discourse. We’re running the latest 2.9b4, and I don’t see anything about that in the release notes or in the settings. It might be worth waiting until we install b5, whenever that comes out, and see if it’s just a bug in the latest version.
If you mean what you say (the badge is on the thread in the list of threads for a forum), then I don’t see what you’re seeing.
I do get a notice on the forum page that the forum has a new message in some thread (“See 1 new or updated topic”) when the only change is what I just posted, and that has been the case for a long time, but I believe that’s not what you’re reporting.