It was a late Friday afternoon, and I was leaving the dentist's office. As most of us do, I had already mentally checked out for the weekend. I happened to glance at my phone in the parking lot and noticed a bunch of emails. They were site downtime notifications. Great. 😫 So I decided to skip errands and rush home to investigate why our ecommerce site was crashing.
In the first few minutes of troubleshooting, I could see that the entire website was crawling. The downtime notifications were probably due to timeouts. We hadn’t updated anything on the site recently, so it was pretty safe to rule out bad code, WordPress core, etc., right away. That left two things. Either the hosting provider was having an issue, or we were under attack.
The first thing I did was launch Kinsta’s (our hosting provider) Application Performance Monitoring (APM) tool in MyKinsta. I let it run for about 30 minutes while checking with Kinsta to ensure there wasn’t anything wrong with the server. There wasn’t.
After I had a good amount of data in the APM report, I started digging through it. I noticed thousands of spam URL requests, nothing that actually existed on our site. And, of course, they were formatted in a way that was uncacheable (perhaps intentionally). And therein lies the performance problem.
With the APM data in mind, I next went to the IP analytics in MyKinsta. I was able to quickly pinpoint an IP that was generating all of the requests. I then used the IP Deny tool in MyKinsta to block it.
I checked the access logs in MyKinsta and could see they were still attempting to hit the site, but this time they were forbidden. Or rather, they would no longer be getting far enough to impact it. You can see the result below, where the transactions immediately dropped off.
The strange thing was that Cloudflare was already claiming to block the offender’s IP via their managed ruleset, but wasn’t. I’m not sure if that was a bug, but I manually blocked them in Cloudflare with a separate rule. Cloudflare works great in 99% of cases to automatically block things, but in this case, they got past them. They also got past Kinsta, which I think was due to the fact that they were hitting the site right under the limit that they have in place with their firewall.
I just wanted to share my approach, as it might be helpful if you run into a similar issue (especially if something gets past Cloudflare). I’ve used this same workflow a few times over the years, and it works great. APM + IP Analytics + IP deny saved me a lot of time. New Relic is another excellent alternative if your hosting provider doesn’t have their own APM tool. What could have been an entire night of troubleshooting only took about an hour to fully resolve. 👍
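The same triage (find the one IP behind a flood of requests for URLs that don't exist, deny it, then confirm in the access logs that it is now forbidden) can be run against raw access logs when no APM or IP analytics panel is available. This is an added example, not code from the original post or from Kinsta; the log lines are constructed, the IPs are documentation-range addresses, and the "combined" log format and both thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict

# Matches the start of a "combined"-format access log line: ip, url, status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')

def make_line(ip, url, status):
    """Build one constructed log line (sample data, not from the post)."""
    return (f'{ip} - - [01/Jan/2024:16:00:00 +0000] "GET {url} HTTP/1.1" '
            f'{status} 512 "-" "Mozilla/5.0"')

OFFENDER = "203.0.113.7"   # documentation-range address, a stand-in
VISITOR = "198.51.100.4"   # documentation-range address, a normal shopper
NORMAL = [make_line(VISITOR, u, s) for u, s in [
    ("/", 200), ("/shop/", 200), ("/cart/", 200), ("/checkout/", 200),
    ("/favicon-old.ico", 404), ("/shop/?orderby=price", 200)]]
# Constructed traffic: 40 unique, nonexistent URLs before the deny rule,
# then 20 more attempts that the deny rule answers with 403.
BEFORE_BLOCK = "\n".join(NORMAL + [
    make_line(OFFENDER, f"/promo-{n}/?ref={n}", 404) for n in range(40)])
AFTER_BLOCK = "\n".join(NORMAL + [
    make_line(OFFENDER, f"/promo-{n}/?ref={n}", 403) for n in range(40, 60)])

def parse(log_text):
    """Yield (ip, url, status) for every line that matches the format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3))

def suspects(log_text, min_requests=20, min_404_ratio=0.8):
    """Return (ip, requests, 404s, unique_urls) for IPs that are mostly 404s."""
    total, not_found, urls = Counter(), Counter(), defaultdict(set)
    for ip, url, status in parse(log_text):
        total[ip] += 1
        not_found[ip] += int(status == 404)
        urls[ip].add(url)
    hits = [(ip, total[ip], not_found[ip], len(urls[ip])) for ip in total
            if total[ip] >= min_requests
            and not_found[ip] / total[ip] >= min_404_ratio]
    return sorted(hits, key=lambda h: -h[1])

def block_effective(log_text, ip):
    """True if the IP still appears in the log and every request got 403."""
    statuses = [s for i, _, s in parse(log_text) if i == ip]
    return bool(statuses) and all(s == 403 for s in statuses)

if __name__ == "__main__":
    print(suspects(BEFORE_BLOCK))
    print(block_effective(AFTER_BLOCK, OFFENDER))
```

A unique-URL count equal to the request count means every request was a cache miss, which matches the performance problem described above.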
Updates ✍️
We pushed out an update for our Perfmatters WordPress plugin. Here are a few of the changes:
Added new tools option to disable optimizations for logged in users. We actually had quite a few requests for this. It really depends on your optimization workflow whether or not you might use this.
Made some adjustments to classes dealing with cache directory files to support non-traditional folder structures such as Bedrock.
Added support for targeting figure elements to CSS background images.
Added REST route exception for Litespeed.
Added and updated Delay JS quick exclusions for Gravity Forms, Mediavine Trellis, Modula Slider, SHE Media Infuse, Thrive Leads, and WP Recipe Maker.
Removed deprecated Universal Analytics options which are no longer available and renamed remaining script type labels. If you still haven’t updated to Google Analytics 4, make sure to create a new profile and input your new measurement ID.
Fixed an issue where picture elements were not getting excluded from lazy loading when fetchpriority high was set on a child image.
Removed unnecessary script type attribute from our Delay JS inline script.
Added generic customizer request parameter to excluded page builders array.
Interesting things 🔎
Misc.
Raymond Wong wrote an interesting piece on Apple’s push to transform the Mac into a gaming paradise.
InVision, a UX trailblazer, is shutting down in the era of Figma.
Friendly reminder that in about 18 months, the EU Accessibility Act will go into effect.
Ever quit a job when you didn't have another one lined up? Fun thinking about this question from Anthony. My answer was yes, and it turned out to be the best decision I’ve ever made.
This SNL skit about the Alaska Airlines fiasco is hilarious. I haven’t watched SNL for years; maybe I need to start watching it again. The scary thing is my brother and his family had to fly out on the same airline and airport a week later.
Gen Z is prioritizing living over working because they've seen the legacy of broken promises in corporate America.
WordPress
WordPress is creating guides for migrating away from page builders like Divi and Elementor, even Wix. I fully support this, but I know some might not like it. 😅
WPKitchen is on a mission to share 1000 subsidized homemade lunches daily with WordPress freelancers, mainly using co-working spaces in Pakistan. This is pretty cool!
W3Techs is now classifying Elementor as a CMS. This is just downright not the correct terminology. They also got community noted for it on X.
Raise your hand if you’ve updated a plugin or theme on production without testing on staging first. 🤭
Jonathan and Kurt at WP-Tonic interviewed Matt Mullenweg. They asked him some good questions.
Performance
Looks like they are starting to roll out some of the Lighthouse scoring calculator UI and data to PageSpeed Insights! Slightly improved colors too. I like it.
The WordPress performance team's 2024 roadmap is live. I appreciate the work Felix and his team are doing on improving WordPress core.
Always love seeing new Perfmatters reviews. Kudos to GrabHosts for their write-up.
When your WordPress site’s performance is this bad, that’s when I tell you to start over. Check this out! 😨
This is a great article about saying goodbye to sliders and why they have become an obstacle to the modern web.
Chrome DevTools put the request types under a dropdown. Not cool. But enough users complained, and they are bringing back the old filter bar.
PHP 8.3 is now available at Kinsta! Benchmarks show it’s 10.46% faster than PHP 8.1 and 6.96% faster than PHP 8.2. However, this is definitely something you want to test thoroughly before upgrading.
Marketing
Should you focus on zero search volume keywords? A good write-up. In short, only if they are relevant to your business.
Fun fact: Between 01/22/23 and 01/22/24, I took 11,907 screenshots. Snagit is one app that I can’t live without.
Deck.blue brings a TweetDeck experience to Bluesky users. I’ve tried it, looks and works great.
Google and Yahoo are rolling out new inbox protection rules for bulk email senders in February 2024. Mailgun and MailerLite have good posts about the changes.
Confluence now has databases. It's nice to see more functionality like this added.
Here’s how to turn off that annoying highlight feature on Facebook.
Google says they don’t use Google Analytics data for ranking, even when in Search Console.
I have four more invite codes for Bluesky. First come, first served.
bsky-social-kgokp-v5ppp
bsky-social-3vmt2-na242
bsky-social-3mqyo-f4foa
bsky-social-smn4n-yc7hf
AI
AI will transform the global economy. Let’s make sure it benefits humanity. Not a huge fan of the IMF, but it’s important to think about this.
Elon Musk's Neuralink implants brain chip in first human. This is pretty crazy! Imagine down the road having access to something like ChatGPT with simply your thoughts.
Bitcoin (not financial advice)
We finally have them! The SEC officially approved bitcoin ETFs in the US. While I always encourage self-custody, this is a big step in mainstream adoption.
In the last 12 trading days, the new ETFs have scooped up ~150,000 bitcoin, worth $6.5 Billion USD.
Bitcoin surpasses silver to become second largest ETF commodity in the US. Gold here we come.
The SEC’s bitcoin ETF approvals have forever altered the global monetary system.
Bitcoin's hash rate hit an all-time high of 500 exahashes this month. Check out these fascinating facts.
Bitcoin is not a hedge. A great presentation from Parker Lewis.
In-person businesses accepting bitcoin nearly tripled in 2023.
Strike is officially live in Puerto Rico with their full suite of services. 🇵🇷 Buy and sell bitcoin, tiered on-chain payments, Lightning wallet, fiat-over-Lightning, and more.
If you're in the Scottsdale, AZ area, hit me up, and we can grab lunch! 🥗👋