The WP Minute

Thanks Pressable for supporting the podcast! What hosting should feel like...nothing! https://pressable.com/wpminute 

Today’s episode features a segment from Eric’s interview with Anchor Hosting’s Austin Ginder. Austin shared the story of how he discovered a series of WordPress plugin supply chain attacks and how it led him to launch WP Beacon, a new security resource to discover and track these incidents.

You can catch the entire interview over on our WP Minute+ channel. Visit thewpminute.com for all the details: https://thewpminute.com/inside-the-surge-of-wordpress-supply-chain-attacks/ 


Support our work at https://thewpminute.com/support
Get the newsletter at https://thewpminute.com/subscribe

What is The WP Minute?

The WP Minute brings you news about WordPress in under 5 minutes -- every week! Follow The WP Minute for the WordPress headlines before you get lost in the headlines. Hosted by Matt Medeiros, host of The Matt Report podcast.

Eric Karkovack (00:00)
Hi everyone, and welcome to the WP Minute. I'm Eric Karkovack. Today's episode features a segment from my interview with Anchor Hosting's Austin Ginder. Austin shared the story of how he discovered a series of WordPress plugin supply chain attacks and how it led him to launch WP Beacon, a new security resource to discover and track these incidents. Now, you can catch the entire interview over on our WP Minute Plus channel.

Visit TheWPMinute.com for all the details.

Eric Karkovack (00:32)
What got you interested in this, and can you give us a little bit of background on what you found?

Austin Ginder (00:41)
Yeah, so I think it's important to note that most of what I've been finding is completely by accident. I've been very lucky.

So the backstory really is a story about AI and how everything kind of changed at the beginning of this year. For me personally, I was a very heavy user of generating code with AI all of last year. I used Google Gemini for a while, but I didn't really use an agent for the first time until around February. When I used an agent, Claude Code specifically, that's kind of when everything

Eric Karkovack (01:15)
Okay.

Austin Ginder (01:20)
just started to get really crazy. For my business, if I take a step back, I manage around 3,000 WordPress sites. I'm a solo developer. I have some people that help me out from time to time, but the business is me. I'm a one-man shop.

I had a huge influx of sites getting hacked and malware as a byproduct of everyone having this superpower called AI. So February was a month of patching things up, getting things in a better place. March was a lot of, all right, what can we do to...

actually go on the offense, like, I'll redo my entire security system. Then in April, I started to reap some benefits from that. Going back to the supply chain attack, the first one that I discovered was just a byproduct of me doing malware cleanup on my own customers. And what...

Eric Karkovack (02:30)
Okay.

Austin Ginder (02:32)
you can do with Claude Code specifically with malware cleanup is just absolutely phenomenal. You can just keep digging and you can keep uncovering stuff. So, previously with malware, if WordPress sites get a malware infection, you can restore from backup, you can fix things up, you can get a developer involved, but you really don't get to the...

Very rarely do you get to uncover the whole story. Like, this is how the hacker actually got into your site, and this is what they did. And this is the line of code that was the reason why everything was vulnerable in the first place. Well, with AI, you can just do crazy forensics-level...

Eric Karkovack (03:02)
Sure.

Austin Ginder (03:19)
uncoverings to the point of, okay, this is exactly where it happened, and this is how it happened, and we can just patch that code. And it's all in a conversation working with Claude Code. So anyway, the...

Eric Karkovack (03:36)
That's wild.

Austin Ginder (03:38)
The supply chain attack, it was literally just, I kept digging, like, how did this happen? All right, let's expand the scope. Let's look at the plugins. Let's look at the author of the plugin. Let's look at what's going on. I think there's something here. I should probably reach out to the WordPress plugin team to report this as an issue. So that's how I got started, and that was like a month ago.

Eric Karkovack (04:06)
And so that's quite a story. Honestly, I'll tell you, I don't feel as bad now that I've had sites hacked. I know you're a pretty darn good developer. So if you've had sites hacked, I don't feel nearly as dumb now. So thank you for that.

Austin Ginder (04:21)
Yeah,

the playbook for keeping your site secure just completely changes this year in particular, because I was doing all the right things. I run a very strict...

I update all my customer sites every week. I run backups, I run long-term backups, I run an entirely different revision history system so that I can catch file-level changes immediately. So I was doing all the right things, and I would say that was good advice up until about October, November of last year.

Eric Karkovack (05:02)
Okay.

Austin Ginder (05:02)
And that

advice started to fall short because people got really good AI and you could just scan for vulnerabilities and you could find stuff. Going back to my main point, I'm not really a security expert. I've historically not submitted things to security teams to get patched. Well, with AI, I'm finding them all the time. Like, you run a scan on a site and it's like, oh, this block of code is...

vulnerable, I should probably report that. So I tell Claude, hey, draft these findings up to the author. It kicks out an email draft. I'm like, that looks good, send. Well, if they're a real team, they get back to you right away. They're like, thank you for letting us know, this will be patched in the next few days. So yeah, I think the big takeaway is things have changed.

So, not just me, but everyone needs to step up their game when it comes to security. And the rules are just getting rewritten right in front of our eyes.

Eric Karkovack (06:09)
Yes, it seems like the same old cat and mouse game that we've been playing for years, but now maybe on steroids with these AI tools. As you said, you can actually go in and see what vulnerable code there is, but a hacker could do the same thing, right? If they want to target a certain plugin or a certain site, they absolutely can do that.

Austin Ginder (06:27)
Yep.

Yep. Some of these discoveries have been dormant for years. And also, part of my new process is I aim to get 100% of the code audited for all of my customers. And that's kind of difficult for me to do, but I'm making progress. I'm getting there.

During this process, it's like a house cleaning. I'm uncovering things that have been planted there for years, like PHP backdoors, things that all the classical security systems have missed. Because a security system at the end of the day is just as smart as whatever

fingerprint you give it, like, hey, look for things that do this. But with AI, it's kind of like human-level intelligence to evaluate, is this thing a real threat or not? And that's the difference.

Eric Karkovack (07:25)
Sure.