Reprinted from TidBITS by permission; reuse governed by Creative Commons license BY-NC-ND 3.0. TidBITS has offered years of thoughtful commentary on Apple and Internet topics. For free email subscriptions and access to the entire TidBITS archive, visit http://www.tidbits.com/

LittleBITS: Website Changes for Speed and Security

Adam Engst

During our week away from an email issue of TidBITS, we did a little work on our website. The site has become sufficiently complex that there are often unexpected side effects to changes, so we're still finding and sanding down the rough edges. Let me know if you see anything that's not working as expected.

Faster Performance

First, we've been grappling with various issues surrounding image optimization, caching, and content delivery networks over the past few months. Our latest effort to resolve them involves using Cloudflare's [1]Automatic Platform Optimization service, which caches even more of our site on Cloudflare's CDN. I ran some performance tests on our site, and they seemed generally fine, so I was skeptical that this would make much difference, but it was worth trying for $5 per month.

I was wrong to doubt. If you go to [2]tidbits.com now and browse around, you'll find that pages load nearly instantly. The performance wasn't bad before, but now it's even better.

Even though this change was easy to implement, we're still finding little things that need tweaking. Most notably, searches were failing earlier today but now seem to be working; I hope that's now resolved.

More Attack-Proof Membership Checkout

Completely unrelated to the Cloudflare APO move is a notable change in our membership system. As I wrote in "[3]LittleBITS: Issue #1600, Card Testing Attack, Preventing Inadvertent Unsubscribes" (28 February 2022), we inadvertently enabled a card testing attack, whereby an attacker used a bot to create accounts and sign up for memberships to see if the stolen credit card numbers it was using were active or not.
We blocked it with a reCAPTCHA that prevents bots from submitting forms, but the reCAPTCHA also caused random problems with accepting Apple Pay. We were never able to resolve those, so I took a chance and disabled the reCAPTCHA. Bad idea. Several months later, another attack happened, again using the Custom Monthly Amount membership level, which defaults to $2 per month and is thus attractive for card testing since people are less likely to notice a $2 charge. It happened at a particularly busy time, so I dealt with it by disabling the Custom Monthly Amount level in the hope that the attacker was testing against only small amounts. That was once again a bad idea, and a third attack happened with our $20 TidBITS Contributor level. Stripe blocked the vast majority of the attempts in both instances, and I refunded all the rest right away, but it's unacceptable to be party to such criminal behavior, so I turned reCAPTCHA back on.

Rather than disable Apple Pay entirely to solve those problems, our developer suggested switching to [4]Stripe Checkout, which adds a Stripe-hosted payment page to the membership process. That's an extra step, but the hope is that Stripe will have significantly stronger protections against bots than we'll be able to muster. We've made that change, so you'll see the page below when checking out.

In the ongoing saga of no good deed going unpunished, the Stripe Checkout-powered process is taking payments, but there's a disconnect with Paid Memberships Pro in WordPress, so accounts aren't reflecting the payments and membership change: something about a pending webhook response. Our support wizard, Lauri Reinhardt, has identified the problem, and we've reported it to our developer, so I hope to have it fixed shortly. In the meantime, if you renew or join TidBITS and your account doesn't reflect your payment, that's why.
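As an added illustration (not code from TidBITS or its developer), the following Python sketch shows the pattern the article describes from a defender's side: a burst of freshly created accounts attempting mostly declined charges, and why refusing only the $2 tier did not stop it once the attacker moved to the $20 tier. The event shape, thresholds and sample data are all constructed for this example.

```python
"""Card-testing burst detector over constructed Stripe-style charge events (hypothetical)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ChargeAttempt:
    ts: int           # seconds since epoch (constructed)
    account_id: str   # the account that submitted the membership checkout
    amount_cents: int
    outcome: str      # "succeeded" or "declined"


WINDOW_SECONDS = 600       # 10-minute buckets (assumed threshold)
MIN_ATTEMPTS = 10          # a membership page rarely sees this many checkouts in 10 minutes
MAX_DECLINE_RATE = 0.5     # stolen-card lists mostly decline; a high decline share is the tell
MIN_NEW_ACCOUNT_RATIO = 0.8  # card testers create one throwaway account per card


def card_testing_windows(attempts, window=WINDOW_SECONDS, min_attempts=MIN_ATTEMPTS,
                         max_decline_rate=MAX_DECLINE_RATE, min_account_ratio=MIN_NEW_ACCOUNT_RATIO):
    """Return (window_start, attempts, declines, distinct_accounts) for suspicious buckets.

    The charge amount is deliberately not a criterion: the article's third attack moved
    from the $2 Custom Monthly Amount tier to the $20 Contributor tier.
    """
    buckets = defaultdict(list)
    for a in attempts:
        buckets[a.ts // window * window].append(a)
    flagged = []
    for start in sorted(buckets):
        batch = buckets[start]
        declines = sum(1 for a in batch if a.outcome == "declined")
        accounts = {a.account_id for a in batch}
        if (len(batch) >= min_attempts
                and declines / len(batch) > max_decline_rate
                and len(accounts) / len(batch) >= min_account_ratio):
            flagged.append((start, len(batch), declines, len(accounts)))
    return flagged


def amount_only_filter(attempts, blocked_amount_cents=200):
    """The article's stopgap: refuse only the $2 tier. Returns the attempts that still get through."""
    return [a for a in attempts if a.amount_cents != blocked_amount_cents]


def sample_attempts():
    """Constructed events: a quiet hour of real $20 sign-ups, then a $2 bot burst, then a $20 bot burst."""
    normal = [ChargeAttempt(1000 + i * 900, f"reader{i}", 2000, "succeeded") for i in range(4)]
    burst_small = [ChargeAttempt(10000 + i * 5, f"bot{i}", 200,
                                 "declined" if i % 4 else "succeeded") for i in range(20)]
    burst_large = [ChargeAttempt(20000 + i * 5, f"bot{i + 100}", 2000,
                                 "declined" if i % 5 else "succeeded") for i in range(20)]
    return normal + burst_small + burst_large
```

Running `card_testing_windows(sample_attempts())` flags both bursts, while `card_testing_windows(amount_only_filter(sample_attempts()))` still flags the $20 burst, which is the gap the amount-based workaround left open.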
TidBITS Talk and Navigation Bars

Finally, I made an interface change a while back in response to requests from TidBITS Talk participants. There's a new top-level TidBITS Talk menu item on our site's main navigation bar. It contains links to article comments and general discussions on our companion Discourse site, plus a link to SlackBITS. That allowed us to remove those items from the Get TidBITS menu, where they felt somewhat out of place, and it hopefully makes TidBITS Talk more prominent.

On the other side of the equation, TidBITS Talk now has a TidBITS Home link in its nav bar for those who end up on TidBITS Talk and want to get back to the main tidbits.com site. I struggled a little with the wording because "Home" on its own didn't seem sufficiently descriptive, but "TidBITS Home" seemed like a reasonable, if slightly wordy, way to differentiate between the sites.

None of this will radically change your experience of using the site, but once the dust settles, it should be faster, easier to use, and better protected against attacks.

References

Visible links
1. https://www.cloudflare.com/pg-lp/speed-up-wordpress-with-cloudflare-apo/
2. https://tidbits.com/
3. https://tidbits.com/2022/02/28/littlebits-issue-1600-card-testing-attack-preventing-inadvertent-unsubscribes/
4. https://stripe.com/payments/checkout

Hidden links
5. https://tidbits.com/wp/../uploads/2022/06/Stripe-Checkout.png
6. https://tidbits.com/wp/../uploads/2022/06/TidBITS-Talk-menu.png
7. https://tidbits.com/wp/../uploads/2022/06/TidBITS-Home-menu.png