Mark Maunder co-founded Wordfence in 2011 after his WordPress site was hacked and he learned how hard it was to clean and secure. Today the team has grown to over 35 members world-wide and Wordfence protects over 3 million WordPress sites. On the Think Like a Hacker podcast, we cover interesting topics related to WordPress, security and innovation. Episodes alternate between security news and interviews with innovators from WordPress and information security communities.
The Future of WordPress with PHP 8 and WordPress 5.6
With WordPress 5.6’s imminent release and the recent release of PHP 8, we talk about the rapid changes affecting the future of WordPress with new security features and new functionality available to both WordPress users and developers. We also review a recent vulnerability found in iPhones and a social engineering attack on GoDaddy that targeted numerous cryptocurrency exchange sites.
Hosting Provider Failures and Incident Response Preparedness
Two hosting providers experienced outages this week. GoDaddy had a brief outage affecting numerous systems on Tuesday, November 17. Managed.com had an extensive outage due to ransomware that affected all systems. We discuss what types of incident response preparations site owners should consider when events beyond their control occur. We also discuss an attack targeting themes using the Epsilon Framework, the new head of security at Twitter, and an Android chat app exposing private messages.
Critical Privilege Escalation Vulnerabilities Affect Over 100K WordPress Sites
Three critical privilege escalation vulnerabilities in the Ultimate Member plugin put over 100,000 sites at risk. We also talk about the Page Experience metric to be added as a ranking signal for Google search and what this means for WordPress sites using page builders or Gutenberg. Microsoft warns against using telephone/SMS-based multi-factor authentication, and a number of zero-day vulnerabilities were patched in Google Chrome and Windows.
Hosting Provider Exposed 63 Million Customer Records
A hosting provider exposed 63+ million customer records via an open Elasticsearch database containing exposed username/password credentials for numerous WordPress, Magento and other sites. We also talk about the security updates in WordPress 5.5.2/5.5.3, about object injection vulnerabilities like the one discovered in the Welcart e-Commerce plugin, and how POP chain attacks work. And Google's Project Zero finds a high-severity vulnerability in GitHub Actions that was not fixed within the disclosure grace period.
Nitro Documents on the Dark Web and Botnets Targeting Older Vulnerabilities
We cover a couple of breaking stories this week, including the emergency release of WordPress 5.5.3 on October 30, with a number of sites autoupdating to version 5.5.3-alpha. We also look at the defacement of the Trump Campaign website, and how 2FA could have prevented it. We also look at the implications of a massive Nitro database breach impacting large organizations. A botnet is targeting a number of content management systems, including WP sites. Adware is found on the Google Play Store targeting kids.
WordPress Forced Security Autoupdate Protects Sites from Loginizer Vulnerability
An easily exploitable SQL injection vulnerability was discovered in the Loginizer plugin installed on over 1 million WordPress sites, causing the WordPress team to force an update to sites using the vulnerable version. The Justice Department is filing an antitrust suit against Google for allegedly monopolizing search and search advertising markets. Google Chrome gets an update to fix an actively exploited zero-day vulnerability. And a new feature in Jetpack allows users to post Tweetstorms through WordPress.
Customer Reviews
What an informative Podcast for the WP community. Loving the new format! Keep up the good work.
Just enough geek, just enough intrigue, just enough business
I’ve been listening since episode 1 and have really been enjoying it... and they are really hitting their stride (especially after episode 21 when Mark declared the podcast ‘of legal drinking age’ LOL 😂 ). Technical discussion of risks and breaches. Storied discussion of real impacts to real people and real businesses. Practical discussion of actions to take and/or what to watch for. Real conversations with experts in the field and real business owners.
Such a great show!!
I love this podcast. It's super interesting and super informative, with a great format. Keep up the great work, Wordfence crew!