Interview with Security Researcher Pan Vagenas

At Wordfence I’m really proud of the team we have. Our team are all amazing people who work hard every day to help secure WordPress websites. A few months ago we published the first installment in a series of posts where we introduce you to a few of the incredible people who work here and give them an opportunity to share with you a bit about themselves, how they became interested in information security and some of their knowledge.

Today’s interview is with Panagiotis “Pan” Vagenas, a security analyst at Wordfence. Pan is known for discovering vulnerabilities in Easy Forms for MailChimp, WP Fastest Cache and All in One SEO Pack among others. Besides Pan’s public contributions, he has made significant contributions internally at Wordfence to our research and our products.

As you know, Wordfence runs as a completely remote working team. Most of us are based in the USA and we also have team members in Sweden and several other countries. Pan is based in Athens, Greece. When Pan isn’t discovering security vulnerabilities and doing security research, he is a passionate motorcycle rider who loves exploring high mountain roads and steep hills.

What attracted you to information security?

I love solving problems, so information security seemed to me like the ultimate problem to solve. I also care a lot about online privacy, love breaking code, I like cryptography and of course I saw WarGames at a very young age.

Besides that I believe that what we do in information security is protecting real people’s lives and that intrigues me a lot. So who doesn’t want a job like this one?

Can you describe some of your early adventures when you started playing or working with information security?

Back in the 90s we had these dial-up modems that dial a number and connect to a server. They were servers that were like forums and/or chatboxes and this was where all the cool kidz were hanging around at that time. So I was trying to connect to a server, but that required a username and a password. Fortunately there was this chatroom that anyone could connect to before getting into the subscribers area so it only took a macro. Unfortunately it didn’t take long before my telephone number got banned.

Why did you become interested in the WordPress space?

Some years ago I had this project involving an e-zine and I was looking for a platform that would be flexible, extensible, secure and easy to code with. So I had to try this WordPress thing that I had heard so much about and it seemed like a perfect fit for the project. I guess programmers can fall in love with a program (after all code is poetry) and this was love at first sight.

You have developed a reputation for finding zero day vulnerabilities in WordPress plugins. Can you talk about how you choose which plugins to focus your energy on and your process for finding 0 day vulnerabilities?

There are some cases where I have found a vulnerability as part of an investigation into a hacked website. Frequently I hit a tag in the plugins repository and choose plugins that look interesting. After that I review the code and use several tools to quickly test specific things, like injectable JS code in parameters, fuzzing input and things like that.

I think the biggest advantage I have in this is that I understand pretty well how WordPress works. This allows me to easily spot mistakes developers make which could lead to a security issue. In the WordPress community a lot of people are contributing in a wide variety of ways. This is my way of contributing – always working to make this community more secure, or at least less vulnerable.

In the past few months you have started focusing your energy on big data analysis to find new threat intelligence. Can you talk about some of the things that you’re able to do with this new approach?

This was a real revelation for me. Analyzing our attack data gives us the ability to have true insight on what and how the bad guys are doing what they do. By analyzing attack data we now effectively have a real-time feed on new malware and 0-day vulnerabilities.

We process a large number of malware files every day. We are always working to close the time gap between a new malware appearing in the wild and getting a rule deployed that protects customers from attacks using that malware.

We examine and analyze millions of attacks every day in search of 0-day vulnerabilities. Doing this, we always stay updated with the latest attack techniques and vulnerabilities used in real cases. This gives us the ability to verify that our firewall is protecting our users from all known vulnerabilities, build new rules and to extend the protection we provide our customers. It also means we contribute back to the community by giving a heads up about vulnerable products and by publishing research.

What do you think is the biggest threat for WordPress site owners currently?

Unpatched code. Either in core, plugins or themes. By ‘unpatched’ I mean outdated code that is being used on a website where the site owner has not updated to the newer version with a security fix. Outdated code is the biggest threat a site owner faces.

Fortunately in most cases this is an easy problem to solve. WordPress has an integrated update system which makes updating a website as easy as possible. Security updates in core are now getting auto-updates if this isn’t disabled in a website, and we’ve seen some plugins and themes getting auto-updates for security releases.

How has Wordfence evolved since you joined the company 6 months ago?

For several years now Wordfence has been doing a great job, so I suppose this was a fast moving train before I got onto it. When I first came on-board our firewall wasn’t yet released. And then there was the firewall! I seriously believe this was a huge milestone.

And then there have been all those excellent professionals joining us. Now we are de facto the leader in WordPress protection, site cleaning and hack recovery.

I feel like Wordfence is moving so fast towards becoming a leader in the security industry that I consider myself really, really lucky to be joining this train.

Do you see a future where WordPress is a secure publishing platform?

I believe WordPress is getting there. There is no such thing as total security, but WordPress is a mature platform taking security seriously and is thoroughly checked by many security researchers. I think this, combined with Wordfence, is what it takes to have the most secure CMS out there.


Comments

12 Comments
  • About 4 years ago my website had been hacked. The teacher who taught me to build my own site from a template, helped me out. It was costly too.
    My site is, I think, very venerable, because my articles are historical and international.
    The Wordfence info that I received proves that too.
    As a WordPress user and being 80 years old with no knowledge of coding, I am very pleased with your protection. The world becomes a safer place.

  • There are so many reprobate coders out there in the world trying to mess up the work we spend so much time on. It is reassuring to have good guys like the Wordfence team constantly running out in front to protect our websites that we depend on for so much.

  • Great interview.

    Always interested to learn more about "behind the scenes" security analysis.

  • You don't mention Google's push to encourage website owners to go HTTPS with implications for both security and page ranking.

    There is no question that we will still need WordFence (thank you for your great work) but would appreciate your comment on this.

  • I'm setting up a tweet about this article and found Panagiotis Vagenas on Twitter @panVagenas.

    Pan - please take a look at these Twitter tips I put together for the WordPress community. Adding a photo and bio to your Twitter account will be a nice quick addition for you as this WordFence article gets passed around Twitter.

    http://boomertechtalk.com/social-marketing-twitter-tips/

    • Thank you Linda. I'm not much of a twitter guy but I'll try to follow your advice.

      • I see you got your photo up on your Twitter bio quickly. The other tips are child's play for a brainiac like you but that was the most important thing.

  • Security is always a serious issue and Wordfence has done a good job in this era.

  • Thanks Mark and Pan and all the hard workers at WordFence!

    Years ago when our hosting clients wanted an "edit it themselves" solution we were reluctant to host any of the available solutions after testing them for security vulnerabilities. As the industry shifted and larger hosting companies offered less and less expensive solutions of that type we made the decision to host Wordpress sites as it seemed to be the most stable and user friendly option and we felt we needed to stay in the game with a solution our customers requested.

    Security is always a challenge with any hosted solutions but giving the keys to the kingdom, so to speak, by granting administrative privileges was daunting to say the least.

    Finding WordFence was such a win!

    Giving users the ability to install plugins is still worrisome to me. Wordfence lessens that fear a bit in that I can at least see out of date themes and plugins and fix that but the issue with "no longer supported" code is trickier and more time consuming to investigate. I still get touchy when clients want to install outside of the WordPress framework - we put those customers on isolated VMs so their choices do not impact any other customers. Again - WordFence is useful for scanning those files as well!

    The complexity of actual security in hosted environments paired with the false sense of security that customers feel with the internet of things makes WordPress scary and tools like WordFence so wonderful!

    I can fall down a rabbit hole looking at the WordFence logs from multiple sites and comparing many of them to the logs, spam filters and blocklists on our mail servers.

    You consistently feed my need to watch the trends, while giving me a break from being totally paranoid about everything all the time (sort of).

    THANK YOU!

  • Great interview and nice to meet the people behind the scenes. A lot of what Pan mentions I can relate to, I've too been there since the days of dial up modems and also since day 1 of Wordpress. As always you guys are doing a great job at Wordfence and every time I create a new site the very first plugin installed is always Wordfence.

  • I have enjoyed using Wordfence and to me it's the best web security I have ever come across, thank you guys for the good work you are doing to protect our WP sites.

  • Security is always a serious issue and Wordfence has done a good job in this era.