During our week away from an email issue of TidBITS, we did a little work on our website. The site has become sufficiently complex that there are often unexpected side effects to changes, so we’re still finding and sanding down the rough edges. Let me know if you see anything that’s not working as expected.
First, we’ve been grappling with various issues surrounding image optimization, caching, and content delivery networks over the past few months. Our latest effort to resolve them involves using Cloudflare’s Automatic Platform Optimization service, which caches even more of our site on Cloudflare’s CDN. I ran some performance tests on our site, and they seemed generally fine, so I was skeptical that this would make much difference, but it was worth trying for $5 per month.
I was wrong to doubt. If you go to tidbits.com now and browse around, you’ll find that pages load nearly instantly. The performance wasn’t bad before, but now it’s even better.
Even though this change was easy to implement, we’re still finding little things that need tweaking. Most notably, searches were failing earlier today but now seem to be working—I hope that’s resolved.
More Attack-Proof Membership Checkout
Completely unrelated to the Cloudflare APO move is a notable change in our membership system. As I wrote in “LittleBITS: Issue #1600, Card Testing Attack, Preventing Inadvertent Unsubscribes” (28 February 2022), we inadvertently enabled a card testing attack, whereby an attacker used a bot to create accounts and sign up for memberships to see if the stolen credit card numbers it was using were active or not. We blocked it with a reCAPTCHA that prevents bots from submitting forms, but the reCAPTCHA also caused random problems with accepting Apple Pay. We were never able to resolve those, so I took a chance and disabled the reCAPTCHA.
Bad idea. Several months later, another attack happened, again using the Custom Monthly Amount membership level, which defaults to $2 per month and is thus attractive for card testing since people are less likely to notice a $2 charge. It happened at a particularly busy time, so I dealt with it by disabling the Custom Monthly Amount level in the hope that the attacker was testing against only small amounts. That was once again a bad idea, and a third attack happened with our $20 TidBITS Contributor level. Stripe blocked the vast majority of the attempts in both instances, and I refunded all the rest right away, but it’s unacceptable to be party to such criminal behavior, so I turned reCAPTCHA back on.
Rather than disable Apple Pay entirely to solve those problems, our developer suggested switching to Stripe Checkout, which adds a Stripe-hosted payment page to the membership process. That’s an extra step, but the hope is that Stripe will have significantly stronger protections against bots than we’ll be able to muster. We’ve made that change, so you’ll see the page below when checking out.
In the ongoing saga of no good deed going unpunished, the Stripe Checkout-powered process is taking payments, but there’s a disconnect with Paid Memberships Pro in WordPress, so accounts aren’t reflecting the payments and membership change—something about a pending webhook response. Our support wizard, Lauri Reinhardt, has identified the problem, and we’ve reported it to our developer, so I hope to have it fixed shortly. In the meantime, if you renew or join TidBITS and your account doesn’t reflect your payment, that’s why.
TidBITS Talk and Navigation Bars
Finally, I made an interface change a while back in response to requests from TidBITS Talk participants. There’s a new top-level TidBITS Talk menu item on our site’s main navigation bar. It contains links to article comments and general discussions on our companion Discourse site, plus a link to SlackBITS. That allowed us to remove those items from the Get TidBITS menu, where they felt somewhat out of place, and it hopefully makes TidBITS Talk more prominent.
On the other side of the equation, the TidBITS Talk site now has a TidBITS Home link in its nav bar for those who end up on TidBITS Talk and want to get back to the main tidbits.com site. I struggled a little with the wording because “Home” on its own didn’t seem sufficiently descriptive, but “TidBITS Home” seemed like a reasonable, if slightly wordy, way to differentiate between the sites.
None of this will radically change your experience of using the site, but once the dust settles, it should be faster, easier to use, and better protected against attacks.