This has definitely been one of those months where you wish you could move on to the next one. 😅

It was early in the morning, and I woke up to my doorbell ringing and banging on my door. I was still in bed, so I was out of it. My phone then started going off as well. I was getting texts from my neighbors saying, “Get out now, gas leak!”

I immediately rush outside, still in my PJs, and am met with a bunch of my neighbors and firetrucks pulling up. 🚒 You could smell the gas and the landscaping crew had alerted our HOA person. 📣

Fast forward a couple of hours (standing on the curb), and we were let back into our homes. Evidently, gas had been leaking from a pipe (something to do with an old valve, which they immediately replaced). Let’s just say, I’m thankful for the landscaping crew, my lovely neighbors, the HOA, and the fire department! 😄

The next week, I woke up to one of our ecommerce websites crawling. It was still up (barely), but the performance had tanked (both front-end and backend). After looking at the server logs/analytics, I immediately knew we were under a DDoS attack. 💥 There were millions of requests coming in from thousands of different IPs.

Most DDoS attacks aren’t usually someone intentionally coming after your specific website or brand (especially if you're small). It could be, but that’s quite rare. Most of the time, you simply get caught up in a massive attack based on your IP block.

We have our sites behind Cloudflare, and 98% of the time, it does an excellent job at mitigating attacks on its own. However, in the first quarter of 2025, Cloudflare saw a 358% year-over-year increase in DDoS attacks, which is massive. And this time, Cloudflare’s automated mitigation rules didn’t help us. 😨

The attackers were sneaking in just under our already in place rate-limiting rules, and when I went to update them, they would immediately change them. I’ve been in the middle of a few DDoS attacks before, but never one that was constantly evolving as fast as this one. I’m pretty sure it was an algorithm based on how rapidly it was adapting.

It actually took me the better part of a day to get it under control, and then I was closely monitoring things and making slight adjustments over the following days. I thought it might be helpful to share a few things I learned, including some resources. I’m not a security expert by any means, so some of this was trial and error. But you can see in the image below where I finally got Cloudflare to mitigate the attack successfully. 💪

One of the first things is that if you ever run into security issues, the Cloudflare Pro plan or higher is definitely worth the money. We actually learned this the hard way a few years ago during a much smaller DDoS attack.

On the Pro plan, you get an additional rate-limiting rule with more expressions, counting periods, and mitigation timeout periods. While these might sound trivial, they make all the difference (see the comparison). You can even stagger multiple rules and change the order in which they fire.

Another huge difference is that you get 20 custom rules instead of 5, which come in super handy if you need to block different IPs, ASNs, etc.

You also get way more analytical data, around 20+ more filterable data points in the Pro plan versus the free plan. This was invaluable in hunting down the sources of the attack. Especially when it comes to where they are attacking, such as your homepage, login page, random string in search results, etc.

And finally, you get a more robust WAF with customizable rulesets and Super Bot Fight Mode. However, for the most part, these didn’t help much. Honestly, the best part of the Cloudflare Pro plan is the additional rate-limiting rules, extra custom rules, and a lot more filterable analytics data. 🛡️

Here are some resources that were extremely helpful:

• Mitigating an HTTP DDoS Attack manually with Cloudflare

  • Each group of IP networks (data centers, ISPs, etc.) has a unique identifier called an ASN. In this instance, we were getting attacked by 4-5 different ASNs. Adding a managed challenge rule along with rate limiting based on the ASN helped us mitigate the attack faster (see how to block ASN).

• Both AbuseIPDB and ipgeolocation come in very handy when dealing with individual IPs. You can see past threats and activity around the IP, security scores, etc. If you’re getting hammered from a single IP, these tools can help confirm that they are most likely malicious. I utilized Cloudflare rules to then block IPs, as well as blocking them at the host level with MyKinsta’s IP Deny Tool.

Here is a snapshot of our Cloudflare dashboard, where you can see the requests drop off almost completely after finally mitigating everything successfully. I appreciate Cloudflare’s product even more after this! It’s pretty incredible what you can do. 👍

Updates ✍️

We pushed out an update for our Perfmatters WordPress plugin. Here are a few of the changes:

• New Speculative Loading options for sites running WordPress 6.8 or higher. You can change the mode and eagerness. ⚡ We use “Prerender” and “Moderate” on our sites.

• We are deprecating Instant Page for anyone running WordPress 6.8 or higher. Speculative Loading is ~78% less JS code, and no additional HTTP request. 🚀

• Added a REST API exception for Slider Revolution.

• Updated delay JS quick exclusions for ShortPixel and Slider Revolution to be more compatible.

• Fixed an issue where mobile event handlers were sometimes preventing the delayed click from firing.

We also pushed out an update for our Novashare WordPress plugin. Here are a few of the changes:

• New share button support for the Nextdoor network. 🏠

• New total share count and network share count options for the share button section with additional frontend styles to display the total share count at the top of the share window.

• Adjusted total share count calculations to display the combined total regardless of network selection if the share button is being used. 🔢

• Deployed a secondary API that can be used when the client has issues communicating with our licensing server (usually due to firewalls).

Interesting things 🔎

Misc.

• Apple TV+ is starting to earn its new HBO reputation. I would agree with this post. I’ve really enjoyed many of the Apple shows. Severance, Silo, Slow Horses, Dark Matter, For All Mankind, Foundation, and Black Bird are a few of my favorites. Apple shows feel more like Netflix content in the early days. 🍿

• You can now use Cash App on the web.

• If you like stand-up comedy, this sketch about a crazy Facebook marketplace deal is hilarious.

• Support for text-wrap: pretty just shipped in Safari Technology Preview. This is pretty cool!

WordPress

• Manage a lot of WordPress sites? I had an insightful chat with Phil over at Get Glow. Think of it like a ManageWP alternative on steroids. If you manage a lot of sites, it's worth checking out.

• Newsletter Glue has been sold to Tyler Channell of PaywallProject, and aThemes is joining the Awesome Motive family.

• How to get great with GenerateBlocks 2.0. Kyle does an excellent overview of some of the newer features. I definitely learned a few things, as even I can’t keep up with all the changes. 😅

• Gravatar got some updates: card customization, email signature generator, smart redirects, and a private messages feature.

• Kyle surveyed 1,233 WordPress professionals, and I thought some of the results were interesting. For example, 57.3% said they are embracing AI.

• Imagify has removed the UI option to hide its admin bar menu. This is a very odd change and one I’m not happy about. Developers, please don’t do this! 😫

• Automattic is laying off approximately 16% of its workforce.

• WordPress 6.8 is the last major WordPress core update for 2025. Note: There will still be minor releases for bug fixes/security.

• Had fun chatting with Roger from Kinsta about some of my background. From NetZero dial-up internet to WordPress. ☎️⚡ Once my family bought our first computer (Compaq Presario), I was hooked when I discovered you could make money online.

• SSL/TLS certificate lifespans will be reduced to 47 days by 2029, from their current 398-day lifespan. This will create a lot more overhead for providers. Note: Let’s Encrypt certificates are already at 90 days (and probably mostly automated already), so the bigger change is really for custom SSL certificates.

• I’m subscribed to very few WordPress newsletters, as I don’t have much time. But I always read Loop WP from Simon Harper. I love his short summary approach, unlike mine, where I’m just rambling. 😅

• Kinsta has added a new feature that allows you to add additional SFTP users in MyKinsta. Change permissions, root directory, etc.

Performance

• There are a lot of awesome performance improvements in WordPress 6.8 (released this month):

  • Speculative loading API. ⚡

  • Interactivity API push for asynchronous handlers to reduce INP. 🔥

  • Warning for devs overusing useSelect. 🐌

  • Multiple block type registration.

  • Improve cache generation in WP_Query class.

• GTmetrix is moving its default testing location from Vancouver, Canada, to Seattle, USA. 🗺️

• Purging cache just got a little faster for everyone at Cloudflare.

• Need to warm your cache? There’s a new plugin on the block called Warmer. 🔥 We’ve actually been using it on a couple of our sites. The developer is great!

• Advanced Custom Fields version 6.4 is now available and supports WooCommerce’s High-Performance Order Storage.

• Andy put together a great overview with some tips on how to make photos load faster on your website.

• Microsoft Edge 134 is now up to 9% faster as measured by the Speedometer 3.0 benchmark.

• Squeeze is a newer image optimization plugin that might be worth checking out. It utilizes the same libraries as the Google Squoosh app (which I use often). ⚡

• The Insights sidebar in Chrome DevTools Performance panel is getting a lot of improvements to better analyze metrics like LCP, INP, image delivery, etc.

• The performance plateau is the point at which changes to your website’s rendering metrics cease to matter. Great post from Tammy at SpeedCurve.

Marketing

• If you’re an avid Confluence and Trello user like me, they are in the middle of a massive overhaul to the design, and I like the changes so far!

  • In Confluence, they’ve changed the fonts, menu navigation, and are adding live doc collaboration.

  • In Trello, they are moving the comments box to the right-hand side instead of below. At first, I didn’t like this. But after a week or two of using it, I realized it’s much faster with less scrolling. The beta version is also snappier. Although I hope they make the floating switcher optional (or have a way to hide it).

• Bluesky has added a blue checkmark verification feature.

• Google won’t ditch third-party cookies in Chrome after all.

• Threads has moved to a new domain: from threads.net → threads.com.

AI

• I'm late to the party, but did the whole Ghibli thing. 😄

• ChatGPT will now remember your old conversations. Grok also added this.

• ChatGPT also rolled out an image library. This is actually pretty handy to grab old image creations.

• Grok released Grok Studio, adding code execution and Google Drive support. Although I would be careful about just hooking up Google Drive to Grok. 😅

• AI has taken over customer service, but consumers want humans back. 👨‍💻 Some interesting data points in a survey from Kinsta. The results aren’t really surprising. I really dislike AI support bots and always prefer a human. Will this change in the future? Perhaps. But nothing wrong with a hybrid approach at the moment.

• Midjourney 7 is out, and the results are insanely impressive!

• Geoffrey Hinton, the "Godfather of AI," shares his prediction for the future of AI.

• AI-assisted development is transforming how we build software, but it’s not a free pass to abandon rigor, review, or craftsmanship.

Bitcoin (not financial advice)

• Breez announces launch of new wallet, Misty Breez.

• Tether announced its intention to deploy both existing and future hashrate on OCEAN.

• The Federal Reserve Board announces the withdrawal of guidance for banks related to their crypto-asset and dollar token activities.

• New Voltage Platform (Voltage Payments) enables one of the fastest ways to enable bitcoin and soon stablecoin transactions.

• T.J. Miller on Hollywood's bitcoin blind spot, celebrity vs wealth, and why there's no second best. A more comical discussion about bitcoin. 😄

• Twenty One is expected to launch with over 42,000 bitcoin and a mission to maximize bitcoin ownership per share. Co-founder Jack Mallers (from Strike) will lead as the CEO.

• Cambridge released their updated report on Bitcoin mining. Their report shows that most (52.4%) of the bitcoin network is now powered by zero-emission energy sources (up from 37% in their last report).

If you're in the Scottsdale, AZ area, hit me up, and we can grab lunch! 🥗👋