Blog Platforms. I know, what is this… 2003?

Hi @geoffaire, I am a novice when it comes to blogging. However, you may want to refer to this post, which has over 70 posts. I learned a lot from the discussion.

For myself, I started with medium.com, then micro.blog, tried ghost.org and write.as, and am now using my own domain to host a WordPress site; so far so good, I guess (and hope).

As a side issue, I learned about security, like this story from TidBITS. Based on advice from the forum, I have installed the Wordfence plug-in. Not sure that is adequate. At least I am not asking for paid contributions on my site.

Dealing with a Card Testing Attack

It was a Sunday, and I was sitting in a comfortable chair with the MacBook Air in my lap and the cat at my side (she’s a right-hand cat, so I sometimes have to resist the temptation to use her head as a pointing device). A notification appeared, telling me that someone had created a TidBITS account in WordPress and signed up for a membership. Such notifications aren’t unusual, but what was strange was when another one appeared, and then another, and another. Curious, I loaded the Users page on our site and realized that a bot was creating accounts with random Gmail addresses, all of which were TidBITS members with $2 custom monthly accounts.

It was clearly not a good thing to have TidBITS memberships created at the rate of about one every 10 seconds. By the time I figured out what was happening and stopped the attack by turning off the Custom Monthly Amount option on our membership page, 70 accounts had been created. I then texted our developer, who enabled Cloudflare’s Bot Fight Mode as well. I had some other things to do, but when I returned a few hours later and enabled Custom Monthly Amount as a test, the attacking bot created a new account within 15 seconds. I shut it off again.

The next day, I contacted Stripe support to see what to do about all the $2 subscriptions. They were all on legitimate credit cards, though many of the accounts used the same card number. Stripe told me that this was likely what’s called “card testing,” a process designed to identify which stolen credit card numbers are still active. I refunded all 71 of the fraudulent charges, and Stripe asked for a report of the refunds; although they aren’t promising anything, I think they may refund me the $25.84 in transaction fees that I would otherwise pay.

After my developer added a reCAPTCHA (which theoretically prevents bots from submitting forms) to the TidBITS membership signup page, I again turned on the Custom Monthly Amount option. No further accounts were created, so I’m hoping the reCAPTCHA does the job.

There’s no great moral to the story here, apart from noting that the Internet has become a place where constant vigilance is necessary for those who try to roll their own services.
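The two signals in the story above (a new $2 account roughly every 10 seconds, and one card number spread across many accounts) are the kind a signup pipeline can check for automatically, so that the open-amount option is paused before 70 accounts exist rather than after. The following is an added example, not code from the original post or from TidBITS: it runs a sliding-window velocity check and a card-reuse check over constructed signup events. The `card_fingerprint` field, the thresholds and the sample data are assumptions, not any particular payment processor's API.

```python
"""Velocity and card-reuse checks for membership signups (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Signup:
    ts: datetime
    email: str
    amount_cents: int
    card_fingerprint: str  # hypothetical stable per-card id; an assumption, not a specific processor's field


# Constructed sample data: two ordinary signups earlier in the day, then a burst
# of $2 signups about 10 s apart, five of them on one card and two on another.
_T0 = datetime(2024, 1, 7, 14, 0, 0)
SAMPLE_SIGNUPS = [
    Signup(_T0 - timedelta(hours=5), "alice@example.org", 700, "card_A"),
    Signup(_T0 - timedelta(hours=2), "bob@example.org", 1200, "card_B"),
] + [
    Signup(_T0 + timedelta(seconds=10 * i), f"user{i:04d}@gmail.example", 200,
           "card_X" if i < 5 else "card_Y")
    for i in range(7)
]


def detect_card_testing(signups, window=timedelta(seconds=60),
                        max_signups_per_window=3, max_accounts_per_card=1):
    """Return a list of (rule, detail) alerts for the two signals seen in the incident:
    many signups inside a short window, and one card attached to several accounts.
    Thresholds are illustrative; tune them to the site's normal signup rate."""
    alerts = []
    ordered = sorted(signups, key=lambda s: s.ts)

    # Rule 1: signup velocity, a sliding window over timestamps. Fire once per burst.
    start = 0
    fired = False
    for end, s in enumerate(ordered):
        while ordered[start].ts < s.ts - window:
            start += 1  # drop events older than the window
        count = end - start + 1
        if count > max_signups_per_window and not fired:
            alerts.append(("velocity",
                           f"{count} signups within {int(window.total_seconds())}s "
                           f"ending {s.ts.isoformat()}"))
            fired = True

    # Rule 2: the same card fingerprint on more than one distinct account.
    accounts_by_card = defaultdict(set)
    for s in ordered:
        accounts_by_card[s.card_fingerprint].add(s.email)
    for card, emails in sorted(accounts_by_card.items()):
        if len(emails) > max_accounts_per_card:
            alerts.append(("card_reuse", f"{card} used on {len(emails)} accounts"))
    return alerts


def should_disable_custom_amount(alerts):
    """Mirror the incident's first mitigation: pause the open-amount option when either rule fires."""
    return any(rule in ("velocity", "card_reuse") for rule, _ in alerts)


if __name__ == "__main__":
    found = detect_card_testing(SAMPLE_SIGNUPS)
    for rule, detail in found:
        print(f"{rule}: {detail}")
    print("disable custom amount:", should_disable_custom_amount(found))
```

In a real deployment the velocity rule would run on each new signup rather than over a batch, and the card-reuse rule needs a card identifier that does not change between attempts; a hash of the full card number is not something a merchant should hold, so use whatever opaque per-card token the payment processor exposes.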
