Podcast Episode 40: WordPress Considers Ditching Signed Core Updates

A recent discussion among WordPress core developers about removing support for code signing in core caught our attention. Code signing support was included with the WordPress 5.2 release. The discussion centers around removing code signing and implementing SSL verification and hashes to verify code integrity. In this week’s episode we chat about the history behind the vulnerability found by Wordfence’s Matt Barry, which is what motivated the addition of code signing to WordPress core. We review several high profile supply chain attacks and discuss how SSL and hashes would not protect against a sophisticated attack on WordPress core servers. Find […]

Podcast Episode 38: Automattic Buys Tumblr from Verizon

The Wall Street Journal reported on Monday, August 12, 2019 that Verizon is selling social media and blogging platform Tumblr to Automattic for an undisclosed sum, though rumors state that it may be as low as $3 million. After the announcement, Automattic CEO Matt Mullenweg discussed the news on PostStatus, stating that they plan to migrate infrastructure off of Verizon, move Tumblr’s backend to WordPress, and support the same APIs on both WordPress.com and Tumblr. Mullenweg noted on PostStatus that this acquisition is “by far the largest investment or acquisition Automattic has ever made.” In this episode, we discuss […]

Podcast Episode 37: Vito Peleg Talks Breaking the Agency Glass Ceiling & Building a Product with Customers

In this episode, Mark chats with Vito Peleg, the founder of WP Feedback, a plugin that helps WordPress-focused agencies streamline approval and support for their customers. Vito talks about the glass ceiling in agencies where managing people and projects begins to inhibit growth and profitability. He also shares some interesting thoughts on where pain points lie and how to move past them, as well as how to effectively leverage your own customers to inform product design. Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast. Click here to download an MP3 […]

Podcast Episode 36: Proposals to Improve WordPress Include WP Notify and Security Backporting Changes

This week, we talk about our corporate trip to DEF CON, the WordPress security team’s proposal to backport security fixes to fewer releases, a new feature proposal called WP Notify that has a number of very positive implications for WordPress users, Cloudflare’s decision to terminate service for 8Chan, and a European court’s ruling that companies using the Facebook “like” button are liable for data collection. Here are timestamps in case you would like to jump around: 1:18 The Defiant trip to DEF CON 3:05 WordPress Security team proposes backporting fixes to fewer releases 6:58 Feature Proposal: WP Notify 11:52 Cloudflare […]

Podcast Episode 35: Security Researcher Jem Turner Talks About Pipdig Scandal

Jem Turner was one of the security researchers that found malicious code in Pipdig’s P3 plugin. Both Jem and Wordfence’s Mikey Veenstra found the P3 plugin to contain a number of suspicious or malicious features, including a remote “killswitch,” an obfuscated function used to change users’ passwords, and code which generated hourly requests to DDoS a competitor’s site. At WordCamp Europe, Mark sat down with Jem and asked about her process of finding this malicious code and the diligence in her research. Jem also talks about the unexpected reaction from the Pipdig developer and their users, and how the […]

Podcast Episode 34: Capital One Data Breach Impacts over 100M Customers and Other News

This week we talk about the Capital One breach affecting over 100 million customers and some important takeaway lessons from that case. We also look at news about the Equifax settlement, a spearphishing campaign targeting ProtonMail users, the conclusion to Marcus Hutchins’ legal woes, and Facebook’s $5 billion fine and new regulation from the FTC, among other stories. Here are timestamps in case you would like to jump around: 1:20 WordCamp Asia & WordCamp US 3:36 Capital One Breach 14:19 Equifax settlement news 18:00 ProtonMail spearphishing 21:08 Marcus Hutchins case 25:01 Facebook fined by FTC 31:27 Ransomware affecting Georgia […]

Podcast Episode 33: Joomla Security Lead David Jardin Discusses Securing Over 2.5 Million Joomla Sites

David Jardin is the Security Strike Team Lead for Joomla, an open-source content management system powering more than 2.5 million websites. At WordCamp Europe, Mark and David sat down and talked about the workflow for Joomla security reports and why a proper proof of concept makes fixing vulnerabilities easier for security teams. They also discussed the improvements in cryptographic code signing expected in Joomla 4, its next major release. Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast. Click here to download an MP3 version of this podcast. Subscribe to our […]

Podcast Episode 32: WordPress Vulnerabilities Targeted, iOS Security Update & the Equifax Settlement

This week, we cover WordPress vulnerabilities targeted by a malvertising campaign and an important iOS security update. We also look at Equifax’s $700 million settlement and a recent uptick of new breaches added to Have I Been Pwned. Along with other news and a summary of WordCamp Boston, we talk about the film project we’ve worked on since late last year. Open | The Community Code will premiere November 2019. We talk about how and why we created this film about the open-source WordPress community. Here are timestamps in case you would like to jump around: 0:45 Kathy reviews WordCamp […]

Recent WordPress Vulnerabilities Targeted by Malvertising Campaign

The Defiant Threat Intelligence team has identified a malvertising campaign which is causing victims’ sites to display unwanted popup ads and redirect visitors to malicious destinations, including tech support scams, malicious Android APKs, and sketchy pharmaceutical ads. This type of campaign is far from novel, but these attacks drew our attention. By targeting a few recently disclosed WordPress plugin vulnerabilities, the attackers inject a JavaScript payload into the front end of a victim’s site. These injections each contain a short script which sources additional code from one or more third-party URLs. That code is executed when a visitor opens the […]

Podcast Episode 31: Securing Sensitive Data in the Cloud with Chris Teitzel

At WordCamp Europe, Mark chats with Chris Teitzel, CEO and founder of Lockr. Lockr is a key management system for websites using CMSs like WordPress and Drupal. Chris talks about the challenges of securing sensitive information and how Lockr makes secure key management affordable. Chris speaks on security topics at WordCamps and DrupalCons around the world. Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast. Click here to download an MP3 version of this podcast. Subscribe to our RSS feed. You can find Chris on Twitter as @technerdteitzel and learn more about […]