Ryan Dewhurst is an ethical hacker and penetration tester who has dedicated many years in helping people in the WordPress community improve the security posture of their websites and protect them from malicious attackers.
Ryan is the founder of WPScan, a free, black box WordPress security scanner written for security professionals and blog maintainers to test the security of their sites. The WPScan CLI tool currently uses a database of 21,875 WordPress vulnerabilities.
1. For those who do not know you, tell us what you do and a bit about your past and credentials.
I’ve been interested in computers and the Internet for as long as I can remember. I used to go to a neighbors house, the only person I knew to own a computer at the time, to play solitaire on his Windows 95 machine. He didn’t even have access to the Internet, but I was happy just interacting with the computer.
Later, in my teens, I persuaded my mum to buy me my own computer, and this time, with Internet access! The ability to interact with people from across the globe blew my mind. Yahoo was big back then, and they had a service called Yahoo! Chat, and in that service they had a chat room called the “Hacker’s Lounge”. I spent nights upon nights in that chat room trying to learn about what everyone was talking about, trojans, RATs, DoS, general programming and so on.
Later in life I saw that the local university was going to start teaching an undergraduate degree in Ethical Hacking for Computer Security. I had left school when I was 15 to start working, so did not have any qualifications what so ever. The requirements for the course were at least three qualifications, including GCSE level Maths and English, which I did not have. So I immediately quit my low paying job and put myself through a fast track college course, which was free because I was not earning much money, to obtain the qualifications required. Even with the qualifications, I was initially rejected from joining the course, but I managed to find the teacher’s email address and write him a long story about how I felt this course was the only thing I wanted to do in life. And finally, I was accepted onto the course! After four years I completed the course with a first class honours.
After that, I got a job working for a penetrating testing company as a web application security engineer, where I worked testing many of the top UK businesses for security issues. I left this job to start my own penetration testing company, and eventually WPScan, where I am now.
2. You’ve been active in the web application security industry for years. What got you interested specifically in WordPress?
I started blogging about my experiences and things that I had learned about security and happened to use WordPress as my choice of blogging platform. One day I came across a security vulnerability that someone else had posted that affected WordPress. As I worked in security and was using WordPress myself, I wrote an exploit for the vulnerability to test on my own website. I then started down a rabbit hole of other security weaknesses that affected WordPress and eventually put all of this knowledge into a tool I called WPScan.
3. Many web application security professionals kind of look down on WordPress. I’ve spoken to many who say they would never use WordPress, or that the way it works is flawed (for example a plugin has full access to all hooks etc.). What are your thoughts on that?
As WordPress is so widely used on the web, it is a juicy target for attackers. This lead to a lot of security researchers and black hat hackers looking into WordPress when it was still in its infancy. As WordPress was not as mature as it is today there were a lot of security issues found. But today, relatively speaking, WordPress core is a very secure Content Management System (CMS). The problem nowadays is within its third-party plugins. There are just so many of them, which is what attracts users in the first place, but each and every plugin you install also introduces extra risk to your website.
But this is also getting better, with innovative companies being created to take on this problem, from my experience, over time, we are seeing WordPress plugins become more secure. Simply due to the level of research and companies dedicated to this area now.
4. In regards to WPScan, there is an open source scanner, the plugin, the vulnerabilities database etc. Can you please explain how these projects are connected together, which one should users use and why?
The WPScan WordPress vulnerability database is what glues all of our services together. All of our other products and services rely on the database, they are clients that consume the data and present it in a way that is useful for our users.
The WPScan CLI tool was our first product, free to use for non-commercial users, it scans a WordPress website from an outside perspective to give a hacker’s view of your WordPress website. But this tool requires users to be familiar with using a command line and can sometimes not be straightforward to install, depending on the user’s technical level. This tool is really designed for penetration testers and developers.
Our newest addition to our family of products is our WPScan WordPress security plugin, this is designed more for your everyday WordPress user. You simply install the plugin from the official WordPress repository, configure your API token, start running scans and start receiving security notifications. The idea of the plugin is to make you aware of security issues before the hacker’s have the chance to exploit them.
5. What does it take to maintain a database of WordPress plugins, themes and core vulnerabilities? How do you find out about new issues, how is it maintained?
It takes a lot of work. Every vulnerability that we enter into our database is done so by one of our expert WordPress security engineers, so you can have a high degree of confidence that it is, in fact a real vulnerability, and not a false positive.
We find vulnerabilities from a wide range of sources. We have a group of independent hard core security researchers who find vulnerabilities in WordPress, plugins, or themes, and submit them to us directly. We also constantly monitor social media, forums, blogs, websites and search engines for certain keywords that could be someone talking about a security vulnerability in WordPress.
We also sometimes conduct independent security research ourselves. For example, a member of our team recently discovered a Cross-Site Request forgery (CSRF) vulnerability in WordPress core, which has since been patched. We also have a number of honeypots on the web monitoring attacks, which has lead to us discovering 0-day vulnerabilities.
6. Can you explain to our readers what’s the process of verifying a vulnerability before you publish it? Or is there any process you follow to ensure the reported data is valid and correct?
Most of the time it is obvious if a vulnerability report is false or not. Our team of experts can usually tell by just reading the advisory, whether it is technically correct, or not. Other times, it is not so easy, and we have to manually verify the vulnerability ourselves by installing the vulnerable version and attempting to exploit it.
The thing that takes the most time for us is the triage of vulnerabilities. We don’t want to release information about vulnerabilities if it is just going to aid attackers. We want to ensure that the plugin vendor is aware of the vulnerability and pushed a patch before we add the details to our database. But, this is not always the case, as some vendors are either not contactable, or do not care. In that case, we work closely with the WordPress plugin’s team to make them aware of the vulnerability so that they can take action to protect WordPress users.
To make sure this process is transparent, we also have a public disclosure policy that outlines how we process the vulnerability data we receive.
7. Based on what you’ve seen so far in the WP vulnerability database and the WPScan project, what are your thoughts on the future of WordPress security and secure coding (in plugins, themes) etc.?
I’m an optimist and I think things are getting better. There is a lot more focus on WordPress security nowadays, and a lot more solutions available. I don’t think we’ll ever get to a point where WordPress core, all plugins and all themes are 100% secure, but I do think we can get to a point where most of the plugins with a large install base are secure enough. We just have to keep chipping away at it.
8. You also have a background in development. What are your top three tips to WordPress plugins and themes developers?
- Validate user input and encode user output. For example, use WordPress’ esc_html(), esc_attr(), esc_url(), functions thoroughly and in the correct places.
- Always use the prepare() function when creating SQL queries.
- Always check a user’s capabilities before running dangerous functions.
9. In your opinion, what are the three most important things, or security best practices a WordPress site admin should do to secure the site and keep it secure?
- Keep your WordPress version, plugins and themes updated.
- Install a security plugin. There’s a ton of good ones out there, pick one and use it.
- Use secure passwords. Ensure your password is unique and complex. This can be achieved with a password manager for example.
10. You have a long history in the web application security industry. I got to know you a few years back through DVWA. Can you explain to our readers what DVWA is, and why you developed it?
Damn Vulnerable Web App (DVWA) was an Open Source project I created while at university to help teach myself about web application security. I thought that the best way to learn would be to have real exploitable examples to use. I later released it online after a lot of help from others and it became very popular. Today it is managed by an old friend of mine Robin Wood (@digininja). So if you have any issues installing it, I’m sure he’ll be happy to help. 😉
11. Any tips and / or resources you can share to those who like you, would like to learn more about WordPress and application security?
Twitter is one of the best resources in my opinion. Follow some people who live and breath those topics and learn from them. Some people that I recommend following are @tnash, @Random_Robbie, @Viss, and there are so many others to mention. There’s also a great Facebook WordPress security group that is very active. If you are wanting to get deep into web application security, I would recommend the Web Application Hacker’s Handbook book.
12. What does the future of the WPScan project look like? What are the plans?
We recently redesigned the entire vulnerability database website and put a lot of effort into the backend of that, for managing vulnerabilities. Our WPScan CLI tool is very stable, it’s been around since 2011, so that needs little improvement nowadays. The plan is to continue to invest time in researching security issues in WordPress, its plugins and themes, to be able to ensure that our vulnerability database is always kept up to date and accurate. We also want to put a lot of effort into our WordPress security plugin going forwards, we believe that this will help us become more known in the WordPress eco-system.
13. To help inspire others, can you please tell us a bit more about your journey, and a bit more about the pitfalls you encountered through your career and what helped you pull through and achieve the current success?
I spoke a bit about this in my introduction but here I’ll talk about my pitfalls in trying to work for some of the large tech companies. After university, I wanted to work for a large tech company, I thought this would give me credibility to my peers and family. I interviewed at Mozilla, Facebook, Google and even Automattic (the creators of WordPress), as well as others. And although I managed to land the interview, I always failed them and never got offered a job. It’s hard to talk about your failures, but I believe that it can help others see that there is light at the end of the tunnel if you persist in your dreams.
Today, I co-own my own profitable and successful business, WPScan. A lot of the companies that I had interviewed for and failed are now our clients, and in the case of Automattic, our sponsors, which we are very grateful for.
Sometimes in life you may not walk the exact path that you think will lead you to your dreams. Sometimes you have to create your own path in life, and lay the ground work for others to follow yours.
14. Thank you very much for this interview. Can you please tell our readers where they can find you online?