Think Like a Hacker with Wordfence

Summary: Mark Maunder co-founded Wordfence in 2011 after his WordPress site was hacked and he learned how hard it was to clean and secure. Today the team has grown to over 35 members world-wide and Wordfence protects over 4 million WordPress sites. On the Think Like a Hacker podcast, we cover interesting topics related to WordPress, security and innovation. Episodes alternate between security news and interviews with innovators from WordPress and information security communities.

  • Artist: Wordfence
  • Copyright: Copyright © 2019 Defiant, Inc. All rights reserved

Podcasts:

 Episode 36: Proposals to Improve WordPress Include WP Notify and Security Backporting Changes | File Type: audio/mpeg | Duration: 23:34

This week, we talk about our corporate trip to DEF CON, the WordPress security team's proposal to backport security fixes to fewer releases, a new feature proposal called WP Notify that has a number of very positive implications for WordPress users, Cloudflare's decision to terminate service for 8Chan, and a European court's ruling that companies using the Facebook "like" button are liable for data collection.

 Episode 35: Security Researcher Jem Turner Talks About Pipdig Scandal | File Type: audio/mpeg | Duration: 19:48

Jem Turner was one of the security researchers that found malicious code in Pipdig's P3 plugin. Both Jem and Wordfence's Mikey Veenstra found the P3 plugin to contain a number of suspicious or malicious features. At WordCamp Europe, Mark sat down with Jem and asked about her process of finding this malicious code. Jem also talks about the unexpected reaction from the Pipdig developer and their users, and how the community of bloggers banded together to help each other.

 Episode 34: Capital One Data Breach Impacts over 100M Customers and Other News | File Type: audio/mpeg | Duration: 47:24

This week we talk about the Capital One breach affecting over 100 million customers and some important takeaway lessons from that case. We also look at news with the Equifax settlement, a spearphishing campaign targeting ProtonMail users, the conclusion to Marcus Hutchins' legal woes, and Facebook's $5 billion fine and new regulation from the FTC, amongst other stories.

 Episode 33: Joomla Security Lead David Jardin Discusses Securing Over 2.5 Million Joomla Sites | File Type: audio/mpeg | Duration: 18:35

David Jardin is the Security Strike Team Lead for Joomla, an open-source content management system powering more than 2.5 million websites. At WordCamp Europe, Mark and David sat down and talked about the workflow for Joomla security reports and why a proper proof of concept makes fixing vulnerabilities easier for security teams. They also discussed the improvements in cryptographic code signing expected in Joomla 4, its next major release.

 Episode 32: WordPress Vulnerabilities Targeted, iOS Security Update & the Equifax Settlement | File Type: audio/mpeg | Duration: 45:06

This week, we cover WordPress vulnerabilities targeted by a malvertising campaign and an important iOS security update. We also look at Equifax's $700 million settlement and a recent uptick of new breaches added to Have I Been Pwned. Along with other news and a summary of WordCamp Boston, we talk about the film project we've worked on since late last year. Open | The Community Code will premiere November 2019. We talk about how and why we created this film about the open-source WordPress community.

 Episode 31: Securing Sensitive Data in the Cloud with Chris Teitzel | File Type: audio/mpeg | Duration: 29:15

At WordCamp Europe, Mark chats with Chris Teitzel, CEO and founder of Lockr. Lockr is a key management system for websites using CMSs like WordPress and Drupal. Chris talks about the challenges of securing sensitive information and how Lockr makes secure key management affordable. Chris speaks on security topics at WordCamps and DrupalCons around the world. You can find Chris on Twitter @technerdteitzel and learn more about his company at www.lockr.io.

 Episode 30: WordPress Ad Inserter Plugin Vulnerability and Other News | File Type: audio/mpeg | Duration: 28:54

This week we review a critical vulnerability in the Ad Inserter plugin, currently installed on over 200,000 WordPress sites. The vulnerability, discovered by our Director of Threat Intelligence Sean Murphy, was patched quickly by the developer. We also cover Google's decision to remove Chrome's built-in XSS protection, a researcher's discovery of a vulnerability in Instagram's 2FA, updates to the Gutenberg editor, and hackers that created an Android app that can kill to prove a point, amongst other stories.

 Episode 29: iThemes Security Creator Chris Wiegman on Flying, Plugins & Developer Tools | File Type: audio/mpeg | Duration: 24:18

At WordCamp Atlanta, Mark sat down with Chris Wiegman, creator of Better WP Security. Now known as iThemes Security, it is installed on over 900,000 WordPress sites. Chris talks about being a flight captain flying over Hawaii & what happened when an earthquake occurred shortly after takeoff. He also describes creating Better WP Security, selling the plugin to iThemes & the tools he's created in his new role at WP Engine. He describes his move to WP Engine as "the move I didn't know I needed to make."

 Episode 28: Zoom Zero-Day Vulnerability, WP Engine Buys Flywheel, and Other News | File Type: audio/mpeg | Duration: 50:21

A security researcher found vulnerabilities in the Mac client for Zoom, a popular video conferencing application. After 90 days and two weeks, the vulnerability still exists. We also cover the WP Engine acquisition of Flywheel, cPanel's new pricing, removal of caps on .org domain names, critical security vulnerabilities in Magento, WP Statistics XSS vulnerability, a hacked ad server pushing out SEON ransomware, British Airways landmark GDPR fine, breaches & leaks of the week, amongst other stories.

 Episode 27: Liquid Web COO Carrie Wheeler talks Leadership & Transitioning from Tech | File Type: audio/mpeg | Duration: 34:51

Liquid Web COO Carrie Wheeler chatted with Mark at WordCamp Atlanta about her path from developer to leadership in the tech field. She talks about the three things all people look for in their jobs and how to provide context so they feel connected to an organization's mission. She also talks about the competitive hosting space and how Liquid Web positions themselves for success. You can connect with Carrie on LinkedIn or at liquidweb.com.

 Episode 26: How Hackers Find Vulnerabilities in WordPress with Ryan Dewhurst | File Type: audio/mpeg | Duration: 27:38

Ryan Dewhurst is an ethical hacker & penetration tester who has developed tools that make finding vulnerabilities in WordPress easier. Ryan is 1 of 3 contributors to WPScan, a command line tool that streamlines this testing. Ryan also maintains the WPScan Vulnerability Database, used by many services including Wordfence to alert WordPress users to the vulnerabilities on their site. Ryan & Mark talk about these services, how they work, how they're used & how you can use them to test your own site's security.

 Episode 25: WordCamp EU Wraps Up and WordPress Security News | File Type: audio/mpeg | Duration: 31:00

From Berlin we talk about our experience attending the largest WordCamp in the world and then dive into the news. We discuss 2,600 hacked WordPress sites being used for a free proxy service, Iranian cyber attacks, an attack at JPL affecting NASA and a WeTransfer security incident. A phishing breach at Oregon DHS affects over 645,000 Oregonians, 2.9 million Canadians affected by a leak at Desjardins Group and the bankruptcy filing of the collections firm behind the Quest Diagnostics and LabCorp data breach.

 Episode 24: How Focusing on a Single Vertical Helps an Agency Succeed with Frank Robinson | File Type: audio/mpeg | Duration: 31:38

Mark sat down with Frank Robinson at WordCamp Atlanta a few weeks ago. Frank started Studio Media 22 in 2008, an agency focused on building sites and digital media in the beauty industry. Frank is a software designer and entrepreneur growing his business. We talk about why he focused on the beauty industry and how that gives him a competitive advantage, the opportunities for business, film and technology in Atlanta, as well as why security and Wordfence are such a critical part of his business.

 Episode 23: Security News from WCEU in Berlin | File Type: audio/mpeg | Duration: 48:50

This week, we're at WordCamp Europe in Berlin & there is a lot of news to cover. We talk about a WordPress VIP outage, WordPress version 5.2.2, vulns in two Facebook WordPress plugins, a Google Chrome Suspicious Site Reporter & a Chrome extension hijacking search results. We talk about Troy Hunt's Have I Been Pwned project as he preps its sale, a Firefox 0Day and 2 more American municipalities affected by malware amongst other stories.

 Episode 22: Ninja Forms Developer James Laws on Building & Expanding a WordPress Business | File Type: audio/mpeg | Duration: 49:54

Ninja Forms is used on over 1 million WordPress sites. In this episode, Mark interviews James Laws, the co-founder of WP Ninjas, the developers behind this powerful form builder. James & Mark talk about revenue models that work, how to find new opportunities, experimentation with new products & learning from your customers. They also discuss how to choose your next project when you have too many ideas, & new businesses WP Ninjas are exploring in eCommerce.
