LittleBITS: Website Changes for Speed and Security


During our week away from a TidBITS email issue, we did a little work on our website. The site has become complex enough that there are often unexpected side effects to the changes, so we continue to find and smooth out the rough edges. Let me know if you see anything not working as expected.

Faster performance

First, we’ve been tackling various issues related to image optimization, caching, and content delivery networks over the past few months. Our final effort to address them is to use Cloudflare’s Automatic Platform Optimization service, which caches even more of our site on Cloudflare’s CDN. I ran some performance tests on our site, and they seemed mostly ok, so I was skeptical it would make much of a difference, but it was worth a try for $5 a month.

I was wrong to doubt. If you now go to tidbits.com and browse, you’ll find that the pages load almost instantly. The performance wasn’t bad before, but now it’s even better.

Even though this change was easy to implement, we are still finding small things to tweak. Most notably, searches were failing earlier today but now seem to be working again; I hope that one is fixed for good.

Membership payment more resistant to attacks

Completely unrelated to the Cloudflare APO move, there is a noticeable change to our membership system. As I wrote in “LittleBITS: Issue 1600, Card Test Attack, Preventing Inadvertent Unsubscribes” (February 28, 2022), we inadvertently became the target of a card testing attack, in which an attacker used a bot to create accounts and sign up for memberships to see whether the stolen credit card numbers he was using were still active. We blocked it with a reCAPTCHA that prevents bots from submitting forms, but the reCAPTCHA also caused random problems with accepting Apple Pay. We were never able to fix them, so I took a chance and disabled the reCAPTCHA.

Bad idea. Several months later, another attack occurred, again using the custom monthly amount membership tier, which defaults to $2 per month and is therefore attractive for card testing because people are less likely to notice a $2 charge. It happened at a particularly busy time, so I addressed it by disabling the custom monthly amount tier, in the hope that the attacker was only testing small amounts. That was again a bad idea, and a third attack followed at our TidBITS Contributor level of $20. Stripe blocked the vast majority of attempts in both cases, and I immediately refunded everything that got through, but being a party to such criminal behavior is unacceptable, so I re-enabled reCAPTCHA.
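Card testing of this kind leaves a distinctive trace in payment records: one source cycling through many distinct cards at a low-dollar tier within seconds, with a high decline ratio. The following velocity check is an added example, not code from TidBITS, Paid Memberships Pro or Stripe; the record layout, IP addresses and card fingerprints are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of membership payment attempts (not real TidBITS data).
# Fields: timestamp, client IP, card fingerprint (a stable per-card token,
# as a processor such as Stripe exposes), amount in USD, charge outcome.
SAMPLE_ATTEMPTS = [
    ("2022-06-01T10:00:01", "203.0.113.7", "fp_a1", 2.00, "declined"),
    ("2022-06-01T10:00:04", "203.0.113.7", "fp_b2", 2.00, "declined"),
    ("2022-06-01T10:00:09", "203.0.113.7", "fp_c3", 2.00, "succeeded"),
    ("2022-06-01T10:00:12", "203.0.113.7", "fp_d4", 2.00, "declined"),
    ("2022-06-01T10:00:15", "203.0.113.7", "fp_e5", 2.00, "declined"),
    ("2022-06-01T10:00:20", "203.0.113.7", "fp_f6", 2.00, "succeeded"),
    ("2022-06-01T11:30:00", "198.51.100.2", "fp_g7", 20.00, "succeeded"),
    ("2022-06-01T12:15:00", "198.51.100.9", "fp_h8", 2.00, "succeeded"),
]


def detect_card_testing(attempts, window=timedelta(minutes=10),
                        min_cards=4, max_amount=5.00):
    """Return {ip: (distinct_cards, declines)} for every IP whose
    small-amount attempts (<= max_amount) use at least min_cards distinct
    card fingerprints inside some span no longer than `window`."""
    by_ip = defaultdict(list)
    for ts, ip, fp, amount, outcome in attempts:
        if amount <= max_amount:
            by_ip[ip].append((datetime.fromisoformat(ts), fp, outcome))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        # Slide a window starting at each event; flag on the first hit.
        for i, (start, _, _) in enumerate(events):
            span = [e for e in events[i:] if e[0] - start <= window]
            cards = {fp for _, fp, _ in span}
            if len(cards) >= min_cards:
                declines = sum(1 for _, _, o in span if o == "declined")
                flagged[ip] = (len(cards), declines)
                break
    return flagged


if __name__ == "__main__":
    for ip, (cards, declines) in detect_card_testing(SAMPLE_ATTEMPTS).items():
        print(f"{ip}: {cards} cards tried, {declines} declined")
```

The third attack described above moved to the $20 tier, so the amount ceiling is a tunable knob rather than a fixed rule; the distinct-card count per source is the more durable signal.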

Rather than completely disabling Apple Pay to fix these issues, our developer suggested switching to Stripe Checkout, which adds a Stripe-hosted checkout page to the signup process. It’s an extra step, but the hope is that Stripe has much stronger bot protections than we can muster. We’ve made this change, so you’ll see the page below when checking out.

In the ongoing saga where no good deed goes unpunished, the Stripe Checkout process accepts payments, but there is a disconnect with Paid Memberships Pro in WordPress, so accounts do not reflect payments or membership level changes; it is something about a pending webhook response. Our support assistant, Lauri Reinhardt, identified the issue, and we reported it to our developer, so hopefully it will be fixed soon. In the meantime, if you’re renewing or joining TidBITS and your account doesn’t reflect your payment, that’s why.

TidBITS Chat and Navigation Bars

Finally, I changed the interface a while ago in response to requests from TidBITS Talk participants. There is a new top-level TidBITS Talk menu item on the main navigation bar of our site. It contains links to article comments and general discussions on our Discourse-based companion site, as well as a link to SlackBITS. This allowed us to remove those items from the Get TidBITS menu, where they seemed somewhat out of place, and it hopefully makes TidBITS Talk more visible.

TidBITS navigation bar with added TidBITS Talk menu

On the other side of the equation, the TidBITS Talk site now has a TidBITS Home link in its navigation bar for those who find themselves on TidBITS Talk and want to return to the main tidbits.com site. I struggled a bit with the wording because “Home” by itself didn’t seem descriptive enough, but “TidBITS Home” seemed like a reasonable, if slightly wordy, way to differentiate the sites.

TidBITS Talk Navigation Bar

None of this will drastically change your experience using the site, but once the dust settles, it should be faster, easier to use, and better protected against attacks.

