At Wordfence I’m really proud of the team we have. Our team are all amazing people who work hard every day to help secure WordPress websites. A few months ago we published the first installment in a series of posts where we introduce you to a few of the incredible people who work here and give them an opportunity to share with you a bit about themselves, how they became interested in information security and some of their knowledge.
Today’s interview is with Panagiotis “Pan” Vagenas, a security analyst at Wordfence. Pan is known for discovering vulnerabilities in Easy Forms for MailChimp, WP Fastest Cache and All in One SEO Pack among others. Besides Pan’s public contributions, he has made significant contributions internally at Wordfence to our research and our products.
As you know, Wordfence runs as a completely remote working team. Most of us are based in the USA and we also have team members in Sweden and several other countries. Pan is based in Athens, Greece. When Pan isn’t discovering security vulnerabilities and doing security research, he is a passionate motorcycle rider who loves exploring high mountain roads and steep hills.
What attracted you to information security?
I love solving problems, so information security seemed to me like the ultimate problem to solve. I also care a lot about online privacy, love breaking code, I like cryptography and of course I saw WarGames at a very young age.
Besides that I believe that what we do in information security is protecting real people’s lives and that intrigues me a lot. So who doesn’t want a job like this one?
Can you describe some of your early adventures when you started playing or working with information security?
Back in the 90s we had these dial-up modems that dial a number and connect to a server. They were servers that were like forums and/or chatboxes, and this was where all the cool kidz were hanging around at that time. So I was trying to connect to a server, but that required a username and a password. Fortunately there was this chatroom that anyone could connect to before getting into the subscribers’ area, so it only took a macro. Unfortunately it didn’t take long before my telephone number got banned.
Why did you become interested in the WordPress space?
Some years ago I had this project involving an e-zine and I was looking for a platform that would be flexible, extensible, secure and easy to code with. So I had to try this WordPress thing that I had heard so much about and it seemed like a perfect fit for the project. I guess programmers can fall in love with a program (after all code is poetry) and this was love at first sight.
You have developed a reputation for finding zero day vulnerabilities in WordPress plugins. Can you talk about how you choose which plugins to focus your energy on and your process for finding 0 day vulnerabilities?
There are some cases where I have found a vulnerability as part of an investigation into a hacked website. Frequently I hit a tag in the plugins repository and choose plugins that look interesting. After that I review the code and use several tools to quickly test specific things, like injectable JS code in parameters, fuzzing input and things like that.
I think the biggest advantage I have in this is that I understand pretty well how WordPress works. This allows me to easily spot mistakes developers make which could lead to a security issue. In the WordPress community a lot of people are contributing in a wide variety of ways. This is my way of contributing – always working to make this community more secure, or at least less vulnerable.
In the past few months you have started focusing your energy on big data analysis to find new threat intelligence. Can you talk about some of the things that you’re able to do with this new approach?
This was a real revelation for me. Analyzing our attack data gives us the ability to have true insight on what and how the bad guys are doing what they do. By analyzing attack data we now effectively have a real-time feed on new malware and 0-day vulnerabilities.
We process a large number of malware files every day. We are always working to close the time gap between a new malware appearing in the wild and getting a rule deployed that protects customers from attacks using that malware.
We examine and analyze millions of attacks every day in search of 0-day vulnerabilities. Doing this, we always stay updated with the latest attack techniques and vulnerabilities used in real cases. This gives us the ability to verify that our firewall is protecting our users from all known vulnerabilities, to build new rules and to extend the protection we provide our customers. It also means we contribute back to the community by giving a heads up about vulnerable products and by publishing research.
What do you think is the biggest threat for WordPress site owners currently?
Unpatched code. Either in core, plugins or themes. By ‘unpatched’ I mean outdated code that is being used on a website where the site owner has not updated to the newer version with a security fix. Outdated code is the biggest threat a site owner faces.
Fortunately, in most cases this is an easy problem to solve. WordPress has an integrated update system which makes updating a website as easy as possible. Security updates in core are now getting auto-updates if this isn’t disabled on a website, and we’ve seen some plugins and themes getting auto-updates for security releases.
How has Wordfence evolved since you joined the company 6 months ago?
For several years now Wordfence has been doing a great job, so I suppose this was a fast moving train before I got onto it. When I first came on-board our firewall wasn’t yet released. And then there was the firewall! I seriously believe this was a huge milestone.
And then there have been all those excellent professionals joining us. Now we are de facto the leader in WordPress protection, site cleaning and hack recovery.
I feel like Wordfence is moving so fast towards becoming a leader in the security industry that I consider myself really, really lucky to be joining this train.
Do you see a future where WordPress is a secure publishing platform?
I believe WordPress is getting there. There is no such thing as total security, but WordPress is a mature platform taking security seriously and is thoroughly checked by many security researchers. I think this, combined with Wordfence, is what it takes to have the most secure CMS out there.