An Interview with a Wordfence Senior Security Analyst

Colette Chamberland is one of our two Senior Security Analysts who mentor and guide the rest of our team of analysts. She works closely with our site cleaning team to maintain our forensic investigation processes that ensure we deliver excellent and timely service to our customers while ensuring their data and credentials stay secure and their site is recovered and back in production as quickly as possible.

Colette is a Certified Ethical Hacker (CEH) and a Computer Hacking Forensic Investigator (CHFI). She brings many years of experience in forensic work and site remediation to the team and has worked for several notable companies and organizations prior to Wordfence including NASA.

The Wordfence Forensic Team produce much of the data that we use to improve our detection capability in Wordfence and our firewall rules. We rely on them to not only get our customer websites back up and running as fast as possible after an incident, but to produce research on an ongoing basis that informs our products and helps improve security for the whole WordPress community via the Wordfence Threat Defense Feed.

Tell us about your background. How did you become a WordPress security expert?

I started off developing n-tier client/server applications and websites in the mid-90s, and security was always more of a hobby for me. It wasn’t until after the early 2000s that people started getting concerned with the concept of computer and cyber security. This shift gave me a chance to turn something that I loved doing into a career. I’m the type of person though that doesn’t like the label “expert” – I feel there is always something more to learn and know. No one can ever truly be an expert in WordPress security. I know enough to know that I don’t know everything, and probably never will. There are always new ways to attack and defend and you have to continually be in learning mode.

Describe the emotional state of a typical site owner who has been hacked.

As you would expect, most site owners are frightened, scared and sometimes a bit panicky when they find out their site has been compromised and infected. They don’t think that attackers target their business or site because it’s so small. What they don’t know is that attackers don’t just go after the big guys like Target, Home Depot and big banks – they often use the little guys as an intermediary to carry out a large scale attack. No one is safe, everyone is a target.

What makes cleaning up a hacked website difficult? Why do people turn to experts for help?

In order to be able to identify what’s bad in a site, you have to understand the technology it’s built with and what attackers commonly use to hide their malicious activity. This often involves reading code, reverse engineering obfuscated payloads, reviewing log files and sometimes even reenacting the attack using the same vector as the attacker. This is far beyond the capabilities of most website owners. They usually hire a developer and designer to create their site and once that is done, they no longer have a relationship with them and no one on staff with the technical expertise required.

What makes your job rewarding?

Knowing that my knowledge can help someone get out of a tough spot and keep their business going.

With all of the advances in website security, why are hacks still happening?

I think the biggest misconception that people have about security is that once something is “secure” it’s no longer hackable. Nothing could be further from the truth. There is no guarantee in security. Security is about mitigating your risk and improving your security posture. It’s not a matter of “if” I will be hacked, it’s a matter of “when”.

To determine what to protect, you have to decide if the cost to recover is more than the cost to secure it in the first place. I think that’s why Wordfence makes so much sense for business owners. The cost of a compromised site far exceeds the cost of Wordfence Premium.

Attacks still happen because new methods are uncovered almost every day. Once you stop one type of attack, another surfaces. The only way to completely secure your site is to take it offline – but then what good does that do you?

What trends are you seeing with infected websites lately?

The biggest trend lately has been ransomware. Attackers inject code into unsuspecting sites that redirect users to malicious sites with payloads that are then downloaded based on what they have running on their system that is outdated. Then their system gets encrypted and requires them to pay a ransom to the attackers to get their data back. This really underlines the importance of good backups.

What advice would you give to site owners who want to improve security?

I think it’s been said many times but bears repeating: Make sure you have a good host, put preventative measures in place, like Wordfence and make sure you keep your site, plugins, themes, etc. up to date. Also, don’t forget the back-end that you rarely see and forget about entirely – your hosting account and your FTP/SSH credentials. All of these passwords should be changed on a regular basis, just like your underwear. Another “biggest issue” I see with most site owners is log retention & review. Many never look at their logs; they rely on things like Google Analytics because they are only concerned about their traffic, but they should also be reviewing their logs regularly for signs of potential issues, malicious activity and threats.

Conclusion

We’d like to thank Colette for taking the time out of her busy schedule to participate in this interview. If you would like to apply to join the Wordfence team, visit our careers page – we’d love to hear from you. If you would like to learn more about WordPress or web security and how to spot vulnerabilities or perform your own forensic investigations into website intrusions, visit our Learning Center where you can find knowledge that we’ve shared about website security and secure application development.

If you have been hacked, visit this page to learn about how our team can help clean your site and get you back up and running.

Comments

13 Comments
  • Interesting...
    A good behind the scenes at Wordfence. I actually have a lot more confidence in them now, I didn't realize they had such a passionate security expert on staff...

    It really is nice to know who you're working with.
    I also didn't know the Wordfence Learning Center was such a tremendous source of information. Really glad that was brought to my attention.

    Also, a bit of a typo in the article at:
    "hire a developer and designer to create their site and once that is done, they no longer have a relationship them and no one on staff with the technical expertise required."
    You're missing "they have a relationship with them." and... "no one on staff has the technical expertise required."

    Just threw me off a little bit when reading... Anyway, thanks again for the article.

    • Thanks Aaron. I'm not sure I understand why you think that's a typo. Perhaps it's just not as fluid as it could be. Thanks again.

      • You've omitted the word "with" between "relationship **** them"

        • Thanks David. Fixed it. :-)

      • It's this one part: "relationship them" should be "relationship with them" -- picky but nonetheless. :)

        • Thanks! Fixed it.

      • The original is missing the word "with".

        "...they no longer have a relationship them and no one on staff with the technical expertise required."

        • Ah, thanks! Fixed that. I'll let Colette know to watch her 'with's. ;-)

  • One thing you might add is to not make usernames obvious. Wordfence shows the logins that brute force attackers use and names that appear on the site, admin and variations of the URL are the most common. I use Wordfence to immediately lock out any of these.

  • Colette makes many very good points. Take care of your site and pay attention to the little things before they become big. Updates to plugins are made for a reason - so install them ASAP, not when you get around to it, or you will have problems. Thanks Colette, keep up the good work!!!

    JO

  • Great article. Is it OK to not constantly replace passwords if you have ones that are "very strong" and plugins that prevent constant login attempts?

    • That's a great question. The CISSP in me wants to say "no, you have to regularly change your password to be secure". But it's worth war gaming it a little. So:

      Let's assume you're not using the same password across multiple sites.
      You have a strong password - alphanumeric with special chars that is 15 chars long.
      You have brute force protection.

      The question becomes: How does not changing your password reduce security?

      One argument is: If you are hacked and they manage to reverse your password, then it matters because if you change your password, you may lock them out. But you've already been owned, so it doesn't matter at that point.

      Another is: If they discover your password but don't yet use it to gain access, then changing your password will lock them out. But that's unlikely because it's often an automated attack that gets your password and immediately exploits it. There's very little or no lag at all.

      Like I said: Good question.