Anyone here found bugs in WordPress plugins…

Hi everyone,

I’m Francesco, and over the last six months, I’ve found over 300 bugs in WordPress plugins. Some are small, while others are in plugins that lots of people use.

When I’m not bug hunting, I manage the security for high-traffic WordPress sites running custom code. This is my first attempt at doing an AMA, so feel free to ask me anything related to WordPress security, whether you’re a developer, site owner, or just a regular user.

Let’s chat below!

Not a question but thanks for your efforts! We need more people like you. :heart:

Drew said:
Not a question but thanks for your efforts! We need more people like you. :heart:

Thanks, that means a lot. :slight_smile:

Leighton said:

Drew said:
Not a question but thanks for your efforts! We need more people like you. :heart:

Thanks, that means a lot. :slight_smile:

Did you earn good money from finding these bugs? I’m curious because I want to start ethical hacking.

@Echo
About 220 bugs qualified for bounties, and I earned around $16,000 from Wordfence’s program, plus some extra from private vendors.

The best part is some vendors hired me for private reviews after that, so it was definitely worth it.

@Leighton
That’s awesome! I’m just starting out, and this is super inspiring. Thanks!

Why are there so many repeated comments on this post? Looks weird.

Also, what’s your take on virtual patches? Do you think they’re effective?

Arlen said:
Why are there so many repeated comments on this post? Looks weird.

Also, what’s your take on virtual patches? Do you think they’re effective?

Yeah, I noticed the repeated comments too. Maybe something went wrong when the post was uploaded.

About virtual patches, they’re basically managed firewall rules. They can be really effective for some types of vulnerabilities like SQL injection or XSS. But for others, like IDORs, they might not be enough. They’re great as a temporary fix, but addressing the core issue is always better.

Arlen said:
Why are there so many repeated comments on this post? Looks weird.

Also, what’s your take on virtual patches? Do you think they’re effective?

It’s not bots—it’s just this forum being glitchy sometimes.

What are the must-do security steps when setting up a new site? And does Cloudflare actually help with security?

Why does nobody care about me? :disappointed:

Milo said:
Why does nobody care about me? :disappointed:

Start with caring about yourself first. Everything else follows. :heart:

Milo said:
Why does nobody care about me? :disappointed:

Easy answer: because you’re using WordPress. :sweat_smile:

How many of those bugs were found with automated tools, and how many were manual?

Brooke said:
How many of those bugs were found with automated tools, and how many were manual?

All manual. My automation is limited to writing simple scripts that search for patterns I spot during code reviews.

@Leighton
Interesting! Can you share an example of one of those scripts?

Lex said:
@Leighton
Interesting! Can you share an example of one of those scripts?

Sure! One example: I look for hooks like wp_ajax_nopriv that can be accessed by unauthenticated users. A simple grep command like this can do the trick:

grep -r "wp_ajax_nopriv" .

@Leighton
A great tip! I also recommend using the -B and -A options with grep to see the lines before and after the match. It gives you context and makes it easier to review without opening the file in an editor.
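Taking the grep idea one step further, as an added example that is not Francesco's script or anything posted in this thread: a small Python pattern search that finds wp_ajax_nopriv_ registrations in a plugin file and reports whether each callback body contains a nonce or capability check (check_ajax_referer, wp_verify_nonce, current_user_can). The plugin source below is constructed for the example, and array-style callbacks (class methods) are not handled.

```python
import re

# Constructed sample plugin source (not from any real plugin): two unauthenticated
# AJAX handlers, one of which verifies a nonce before acting.
SAMPLE_PLUGIN = r'''<?php
add_action( 'wp_ajax_nopriv_export_users', 'myplugin_export_users' );
add_action( 'wp_ajax_export_users', 'myplugin_export_users' );
add_action( 'wp_ajax_nopriv_submit_form', 'myplugin_submit_form' );

function myplugin_export_users() {
    $rows = get_users();
    wp_send_json( $rows );
}

function myplugin_submit_form() {
    check_ajax_referer( 'myplugin_form', 'nonce' );
    $name = sanitize_text_field( $_POST['name'] ?? '' );
    wp_send_json_success( $name );
}
'''

# Only string callbacks are matched; array callbacks like [$this, 'method'] are skipped.
HOOK_RE = re.compile(r"""add_action\(\s*['"]wp_ajax_nopriv_(\w+)['"]\s*,\s*['"](\w+)['"]""")
GUARD_RE = re.compile(r"\b(check_ajax_referer|wp_verify_nonce|current_user_can)\s*\(")

def function_body(src, name):
    """Return the body of a top-level PHP function by brace matching, or None."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]

def find_nopriv_handlers(src):
    """Map each wp_ajax_nopriv_* action to its callback and whether the callback
    body contains a nonce or capability check (a triage hint, not a verdict)."""
    results = {}
    for action, callback in HOOK_RE.findall(src):
        body = function_body(src, callback)
        guarded = bool(body and GUARD_RE.search(body))
        results[action] = {"callback": callback, "guarded": guarded}
    return results

if __name__ == "__main__":
    for action, info in find_nopriv_handlers(SAMPLE_PLUGIN).items():
        flag = "ok" if info["guarded"] else "REVIEW: no nonce/capability check"
        print(f"wp_ajax_nopriv_{action} -> {info['callback']}: {flag}")
```

Anything flagged for review still needs a manual read of the callback, since a check may live in a helper the regex does not follow.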

What’s the best way to test WordPress sites for bugs?

Shannon said:
What’s the best way to test WordPress sites for bugs?

If you don’t have access to the site, WPScan is a good place to start: https://github.com/wpscanteam/wpscan.