1 of 35

The Hacker Mindset

How Beating WordPress Hackers Taught Me to Overcome Obstacles & Innovate

#WCBOS

2 of 35

Your Presenter: Kathy Zant

  • Pre-WordPress web developer
  • WordPress for well over 10 years
  • Wordfence & WordPress security for the last 3 years
    • Repairing sites
    • Malware and vulnerability research
    • Operations
    • Large organization/institution client partner

3 of 35

How I got here: getting hacked

Inherited a server that was set up incorrectly

TimThumb vulnerability widespread intrusions

  • Husband’s site was hacked
  • Coincidentally, my CEO’s site was hacked, which led to Wordfence.

4 of 35

Security tip #1

If you inherit a project from someone else, assume it was done insecurely.

Never assume someone else knows what they’re doing.

5 of 35

Cleaning Hacked Sites

  • Every site had something a little different.
  • Every new vulnerability required a fresh perspective.
  • Near constant new & unique challenges; never a dull day.
  • There’s always a new vulnerability, a new challenge, something to learn.

6 of 35

7 of 35

Welcome the challenge

How you respond to a challenge is your experience.

  • Life is pushing and pulling us to greatness.
  • Your greatest achievement will not happen in a vacuum; it will come as your response to challenge.

Can you think like a hacker when you respond to life’s challenges?

8 of 35

WordPress: Under Attack

WordPress powers > 33% of the internet.

Hackers understand economies of scale.

You’re under attack right now.

9 of 35

Security is good for business

  • Companies with proactive security policies average 24% sales growth over the past three years with 20% profit margins.

  • Companies without active security policies only experienced 6% sales growth with 3% profit margins.

Source: AT&T

10 of 35

Security tip #2:

Get proactive about security!

Audit your site’s security.

https://www.wordfence.com/site-security-audit/

11 of 35

We’ve all been hacked.

Source: haveibeenpwned.com

12 of 35

Security tip #3:

Check for your email address at

https://www.haveibeenpwned.com

Don’t reuse passwords across multiple services.

13 of 35

Who are hackers and what is the hacking mindset?

14 of 35

This guy?

15 of 35

Maybe this guy

16 of 35

“Non-conformist teenage hacker girl”

(security stock photos are notoriously ridiculous)

17 of 35

ALERT: Actual hackers

18 of 35

Phone Phreaking: 2600 Hz tone

19 of 35

Hackers Don't See Different Things,

Hackers See Things Differently

20 of 35

Thinking Differently

  Normal People                 Hackers
  Locked door                   A door with a lock to be picked
  The way it’s always been      New ways of doing it better
  Rules & Regulations           Rules to be bent, broken
  See vulnerabilities           See opportunities

21 of 35

Hackers see systems as a collection of rules…

… rules to be bent, and broken

22 of 35

Innovation comes from seeing the challenges in your life differently.

23 of 35

The How & Why of Thinking Like a Hacker

24 of 35

Patience

25 of 35

Security tip #4

Functionally isolate your WordPress websites.

  • 1 cPanel = 1 site
  • Remove anything you’re not using, including plugins/themes.
  • Delete test sites you’re not using.

26 of 35

Persistence

27 of 35

Patience & Persistence

Don’t give up.

Walk away from problems, come back with fresh eyes.

28 of 35

Security Tip #5

Treat problems, and security, like puzzles; gamify solutions.

Look for opportunities in challenges. When you watch your site security, you’ll see the challenges coming your way.

Backups!

29 of 35

Scaling the attack

The attacks on your sites are coming from bots looking for vulnerabilities and opportunities.

30 of 35

Security tip #6

Leverage technology to make your security more effective.

  • Firewalls & intrusion prevention
  • Intrusion detection & malware scanning
  • Log file analysis
  • Password managers
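The log file analysis in this tip, and the bots described on the previous slide, as an added Python example that is not part of the talk: it parses constructed access-log lines and flags client IPs that behave like automated scanners. The sample IPs, plugin/theme names and thresholds are made up for illustration.

```python
import re
from collections import defaultdict

# Matches the fields we need from an Apache/nginx "combined" access-log line.
LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
LOGIN_ENDPOINTS = {"/wp-login.php", "/xmlrpc.php"}

# Constructed sample lines, not from any real server: a bot probing for plugins and
# themes that are not installed (404s), a bot hammering the login form, and one human.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Oct/2019:10:00:01 +0000] "GET /wp-content/plugins/plugin-a/readme.txt HTTP/1.1" 404 512
203.0.113.7 - - [01/Oct/2019:10:00:02 +0000] "GET /wp-content/plugins/plugin-b/readme.txt HTTP/1.1" 404 512
203.0.113.7 - - [01/Oct/2019:10:00:03 +0000] "GET /wp-content/themes/theme-c/style.css HTTP/1.1" 404 512
203.0.113.7 - - [01/Oct/2019:10:00:04 +0000] "GET /old-test-site/wp-login.php HTTP/1.1" 404 512
198.51.100.9 - - [01/Oct/2019:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3104
198.51.100.9 - - [01/Oct/2019:10:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3104
198.51.100.9 - - [01/Oct/2019:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3104
198.51.100.9 - - [01/Oct/2019:10:01:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
192.0.2.25 - - [01/Oct/2019:10:02:00 +0000] "GET / HTTP/1.1" 200 14022
192.0.2.25 - - [01/Oct/2019:10:02:05 +0000] "GET /about/ HTTP/1.1" 200 9811
"""

def parse_log(text):
    """Yield one dict of fields per line that matches LOG_RE; other lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def flag_scanners(text, min_missing_paths=3, min_login_posts=3):
    """Return {ip: [reasons]} for clients whose traffic looks automated: many distinct
    404 paths (a bot guessing at plugins/themes) or repeated POSTs to the login/XML-RPC
    endpoints (credential guessing; WordPress answers a failed login with 200)."""
    missing, login_posts = defaultdict(set), defaultdict(int)
    for r in parse_log(text):
        if r["status"] == "404":
            missing[r["ip"]].add(r["path"])
        if r["method"] == "POST" and r["path"] in LOGIN_ENDPOINTS:
            login_posts[r["ip"]] += 1
    flagged = defaultdict(list)
    for ip, paths in missing.items():
        if len(paths) >= min_missing_paths:
            flagged[ip].append(f"{len(paths)} distinct 404 paths")
    for ip, n in login_posts.items():
        if n >= min_login_posts:
            flagged[ip].append(f"{n} login/XML-RPC POSTs")
    return dict(flagged)

if __name__ == "__main__":
    print(flag_scanners(SAMPLE_LOG))
```

Flagged IPs are candidates for rate limiting or a firewall rule; the thresholds should be tuned against a site's own normal traffic before acting on them automatically.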

31 of 35

Look below the surface

Curiosity

How does this work?

What’s really going on?

What if...

32 of 35

Ethics: What makes us different

Ethics over money vs. money over ethics

Vulnerability exploitation vs. opportunity exploitation

What is the intent behind the exploitation?

33 of 35

White Hat Hacking: Instagram Vulnerability

$30,000 bug bounty

Showed Instagram how to bypass their 2-factor authentication

White hat hacking FTW

Ethics before money can still be profitable

34 of 35

Security Tip #6: Use 2FA Everywhere

Usernames and passwords aren’t enough right now.

2FA adds an extra layer of security for everything.

Choose authenticator-based 2FA over SMS-based 2FA.

35 of 35

Keep in touch!

My personal site: www.zant.com

Podcast: Think Like a Hacker, wordfence.com/podcast

Email: kathy@zant.com

Social: @kathyzant