Interview - Keeping WordPress secure with Ryan Dewhurst from WPScan
Who wants a hacked website? Anyone... anyone... Bueller! No? It's something that nobody wants: to wake up and discover that your WordPress website(s) have been breached and that unexpected things are now happening. Perhaps it's benign, but it might be serious. Data has been downloaded and you've got to spend time ameliorating the situation.
Why people hack websites is something that I'll never fully understand. Sure, I know that hackers can hitchhike on your SEO, they can get users of your site to mine cryptocurrency for them, or they can do it just for kicks - I know that all. All that being said, it still amazes me that people do it and turn their obvious intellect to these nefarious pursuits when they could be being helpful instead. I'm naive... I know!
Anyway, people are trying to take over your site, whether I like it or not, and so it's something that we all have to worry about.
Some people, like me, worry about it a little bit. I read articles about internet security, but don't actively participate in creating solutions to the problems that I read about. Others, though, are really, really keen on online security and devote hours of their time to trying to keep the rest of us hack-free and happy.
Ryan Dewhurst is one such man. He's dedicated many years to protecting the WordPress community from bad actors online. He's behind WPScan, a free-to-use WordPress vulnerability scanner.
We have a detailed chat about what people gain from attacking your website, as well as whether or not the bad guys are winning at present. We also get into the topic of how there are increasing efforts to make it profitable for people to become 'white hat' hackers. Programs like HackerOne (which WordPress uses) and other, slightly more shady, platforms like Zerodium are making it possible to make a living from finding and disclosing vulnerabilities so that they can be patched before they find their way into the hands of the bad guys.
From that more general start we get into what WPScan is and what it can do. It's a pretty comprehensive tool, but it might not be for the faint of heart, as it may need a significant understanding of things like Ruby and Docker before you can get started.
We find out just how much of a labour of love this has been for Ryan. Many, many hours have been spent on this project for no financial gain, and whilst this is certainly laudable, it's not something that Ryan can keep doing ad infinitum, and so we also talk about WPScan.io, the paid-for, easy-to-use version of WPScan.
We also talk about the WPScan Vulnerability Database, a constantly updated list of discovered vulnerabilities. You really ought to look at it from time to time to see if any plugins familiar to you pop up; it reinforces the idea that you should be updating your WordPress websites as often as is humanly possible.
Great episode if you're into WordPress security, and certainly worth a listen even if you're not.
Mentioned in this episode: