A Hacker’s Perspective on WordPress Security – Q&A with Mat Rollings (Stealthcopter)

Adrian Smith
April 18, 2025

“There’s no shame in having a vulnerability; the shame might be in how you handle it.”

WordPress security often gets questioned, but many of those questions are directed at plugin developers. We sat down with Mat Rollings, aka Stealthcopter, a leading researcher at Patchstack’s ethical hacking community, to talk through what the real security picture looks like from the inside.

Getting to Know Mat Rollings (a.k.a. Stealthcopter)

“I’m Mat, or Stealthcopter as I’m more commonly known in the Patchstack leaderboard. I’ve been a developer for over a decade now.

I spent a few years doing application security, worked in FinTech for a bit, and then decided to focus on what I enjoy: hacking stuff and teaching people.

Now, I’m a full-time bug bounty hunter. I find bugs, get paid for it, and teach others how to do the same. I also volunteer and teach kids to code.”

How Mat Finds Vulnerable WordPress Plugins

Most people pick a plugin and dig into it manually. Mat takes a broader, faster approach.

He downloads the code for every plugin in scope and uses static code analysis to search for vulnerable patterns. The aim is to trace user input from “sources” (where input is taken) to “sinks” (functions that can be dangerous) without proper validation.

“This might let an attacker do something the developer didn’t expect, or something they shouldn’t be able to do based on their user level.”

He’s compiled a list of common sources and sinks in WordPress and PHP, available on his website.
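The source-to-sink tracing described above, as an added illustration that is not Mat's tooling or code from the article: a deliberately crude, line-oriented taint scanner in Python that runs over a constructed PHP snippet (one handler passing raw request input to SQL and HTML sinks, and a hardened twin). The sanitizer and sink lists are assumptions chosen for the demo, not a complete catalogue.

```python
import re

# Constructed sample (not from any real plugin): one handler that passes raw
# request input to sinks, and a hardened twin that sanitizes and escapes.
SAMPLE_PHP = r'''
function demo_unsafe() {
    global $wpdb;
    $name = $_GET['name'];
    $label = $name;
    $wpdb->query("UPDATE wp_demo SET label = '$label'");
    echo $label;
}
function demo_safe() {
    global $wpdb;
    $name = sanitize_text_field( wp_unslash( $_GET['name'] ) );
    $wpdb->query( $wpdb->prepare( "UPDATE wp_demo SET label = %s", $name ) );
    echo esc_html( $name );
}
'''

SOURCES = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE", "$_SERVER")
# Input sanitizers: an assignment wrapped in one of these clears taint (assumed list).
SANITIZERS = ("sanitize_text_field", "sanitize_email", "absint", "intval")
SINKS = {
    "sql": re.compile(r"\$wpdb->(?:query|get_results|get_var|get_row)\("),
    "html": re.compile(r"\becho\b"),
    "code": re.compile(r"\beval\("),
    "file": re.compile(r"\b(?:include|require)(?:_once)?\b"),
}
# Per-sink guards that make tainted data acceptable at that sink.
SINK_GUARDS = {"sql": ("$wpdb->prepare(",), "html": ("esc_html(", "esc_attr(", "esc_url("),
               "code": (), "file": ()}
ASSIGN = re.compile(r"^\s*(\$\w+)\s*=\s*(.+);")
VAR = re.compile(r"\$\w+")

def scan(php: str) -> list[dict]:
    """Propagate taint through simple assignments; not a real PHP parser (ignores scope)."""
    tainted: set[str] = set()
    findings: list[dict] = []
    for lineno, line in enumerate(php.splitlines(), 1):
        m = ASSIGN.match(line)
        if m:  # assignment: taint flows from a source or another tainted variable
            var, expr = m.groups()
            from_source = any(s in expr for s in SOURCES) or any(v in tainted for v in VAR.findall(expr))
            cleaned = any(f + "(" in expr for f in SANITIZERS)
            tainted.add(var) if from_source and not cleaned else tainted.discard(var)
            continue
        for kind, rx in SINKS.items():  # sink: report tainted variables with no guard
            if rx.search(line):
                used = [v for v in VAR.findall(line) if v in tainted]
                if used and not any(g in line for g in SINK_GUARDS[kind]):
                    findings.append({"line": lineno, "sink": kind, "vars": used})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_PHP):
        print(f"line {f['line']}: tainted {f['vars']} reaches {f['sink']} sink")
```

Real tooling must handle scoping, string interpolation and calls across files; this only shows the shape of the source/sink/sanitizer rule.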

Testing a WordPress Vulnerability

Once a target is identified, Mat sets up a local WordPress instance to test it – using Docker, though others use VMs or a VPS.

“You install the target plugin or theme, then you need to figure out how to trigger that vulnerable code path through the front end.”

To streamline this, he built a WordPress hacking plugin for dynamic analysis. It shows function links and includes helpful gadgets.

“My go-to tool here is Xdebug, the PHP debugger, which speeds things up massively.”

Writing an Effective Vulnerability Report

After confirming a vulnerability, Mat focuses on making the report easy to verify.

“I usually write a Python script so the team can just run it. It’s better than written steps or a video, which slow things down.”

From his application security background, he knows how to structure reports for both technical and non-technical readers.

“I always start with BLUF – Bottom Line Up Front. State the impact and the vulnerability type in the first sentence.”

He follows that with:

  • A Summary
  • A Cause section with code references
  • Clear Steps to Reproduce

This format helps ensure a smooth triage process and accurate bounty rewards.

Where to Report WordPress Vulnerabilities

Unlike traditional bug bounties where you report to one company, WordPress has several options – Patchstack, Wordfence, and WPScan/Automattic.

Mat usually goes with Patchstack.

“They go down to 50+ installs, have a points-based leaderboard, a table for calculating points, monthly payouts, zero-day bonuses, and a gamified leveling system.”

Deciding where to report depends on install count, bug severity, and each platform’s rewards.

Why Mat Avoids Reporting Directly to Developers

“I’d never report bugs directly to the plugin developer. Almost always, you’re ignored.”

Emails can get flagged as spam or dismissed as scams. He’s even had a CEO publicly criticize him after reporting via Patchstack.

“You’re very unlikely to get any monetary reward or even proper acknowledgment. I’d always recommend going through a program.”

Researchers aren’t trying to embarrass developers – they want to help.

“I even had one CEO reach out to me on Twitter after I reported a vulnerability to Patchstack. He started slamming me because he didn’t understand the vulnerability or its impact.”

Going through structured programs ensures the bug is seen, taken seriously, and handled properly.

“There’s no shame in having a vulnerability; the shame might be in how you handle it.”

What Makes WordPress Bounties Different

In traditional bounties, companies pay for vulnerability reports after doing internal audits. In WordPress, programs such as Patchstack and Wordfence pay the researchers instead of the plugin developers doing so.

“Most plugin companies couldn’t run their own bounty programs. They don’t have the money or staff.”

This setup benefits everyone – developers get security help, and researchers get real-world experience.

“I’ve found 500+ vulnerabilities, 250+ of which were reported through Patchstack. It’s helped me build skills and confidence for other programs.”

Mat’s Most Memorable Find

“Over Christmas 2023, I found a really complicated vulnerability in an anti-malware plugin. It took over a week to figure out.”

The plugin used regex rules to find and delete malware. Mat discovered he could edit those rules himself – tricking the plugin into deleting its own code.

“It left behind a function that executed my input via eval(). That gave me Remote Code Execution.”

Mat’s Easiest Vulnerability

“This was during the Patchstack event when they dropped the minimum install count to 50+. Suddenly, no one had looked at these plugins before.”

It took him 16 days to download them all. Once he did, vulnerabilities were everywhere: RCEs, arbitrary file uploads, and privilege escalations.

“I found three different plugins where you could just add ?id=1 to the URL and instantly log in as the administrator. It didn’t take much skill: find the code, put it in the browser, and boom, you’re the admin.”

Mat’s Security Tips for WordPress Users

“The most impactful tips are actually really straightforward.”

1. Keep your plugins and WordPress itself up to date.

2. Install a security plugin that does virtual patching.

(“That alone massively reduces the risk – even if a plugin you use has a flaw disclosed.”)

3. Have a plan for if you do get hacked.

“Do you have backups? Do you know how to restore them? Everyone learns this the hard way at least once – like accidentally formatting a hard drive. Planning’s better.”

Are Big Companies More Secure?

“Some people might think there’s a big difference between plugins made by large companies versus indie developers. But honestly, you shouldn’t have that bias.”

Just because a plugin comes from a big name doesn’t mean it’s secure.

“There are still loads of really basic vulnerabilities in massive applications – stuff someone finds just by trying something obvious that no one else bothered to check.”

Install count can help a bit.

“Higher installs usually mean more eyes on it, so more bugs get found. But again, don’t let that bias stop you.”

Sometimes, smaller devs care more.

“If it’s one person’s full-time income, they might be way more invested in doing things properly.”

Is WordPress Core Secure?

“I think the WordPress core is quite secure. It gets a lot of scrutiny – big market share, lots of researchers looking at it, and bounties help too.”

That said, some design choices and legacy code make things tricky.

“There’s stuff that’s just… weird. Like, first and last name fields can contain pretty much anything except angled brackets. I used that to find XSS in around 50 themes just by putting quotes in the display name.”

Nonces are another example.

“They’re supposed to be a ‘number used once,’ but in WordPress they’re good for 12 hours and mainly act as CSRF tokens. The docs say don’t use them for authentication – but devs still do.”

These quirks aren’t flaws in core itself, but they increase the chances of mistakes in plugins.

“Ideally, security should be built into the framework more. Like, give devs a way to mark access controls clearly – something that can be checked automatically.”
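The nonce point above (a nonce is a CSRF token, not an authentication or authorization check) and the wish for access controls that can be checked automatically, as an added example that is not the article's or Patchstack's code: a small Python check over a constructed PHP snippet that flags admin-ajax handlers gated only by a nonce and missing a capability check. The function-body extraction assumes top-level closing braces at column 0 (a demo simplification).

```python
import re

# Constructed sample (not a real plugin): two admin-ajax handlers. The first
# trusts the nonce alone; the second also checks a capability before acting.
SAMPLE_PHP = r'''
function demo_delete_nonce_only() {
    check_ajax_referer( 'demo_nonce', 'security' );
    wp_delete_post( absint( $_POST['id'] ), true );
    wp_send_json_success();
}
function demo_delete_guarded() {
    check_ajax_referer( 'demo_nonce', 'security' );
    if ( ! current_user_can( 'delete_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_delete_post( absint( $_POST['id'] ), true );
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_delete', 'demo_delete_nonce_only' );
add_action( 'wp_ajax_demo_delete2', 'demo_delete_guarded' );
'''

# Function body runs up to the first closing brace at column 0 (assumed layout).
FUNC = re.compile(r"function\s+(\w+)\s*\([^)]*\)\s*\{(.*?)\n\}", re.S)
# Nonce checks prove the request came from a page the user loaded, nothing more.
NONCE = re.compile(r"\b(?:check_ajax_referer|check_admin_referer|wp_verify_nonce)\(")
# Capability checks are the actual access control.
CAPABILITY = re.compile(r"\b(?:current_user_can|user_can|is_super_admin)\(")
# Matches both wp_ajax_* and wp_ajax_nopriv_* registrations.
AJAX_HOOK = re.compile(r"add_action\(\s*'wp_ajax_\w+'\s*,\s*'(\w+)'")

def nonce_only_handlers(php: str) -> list[str]:
    """Return names of AJAX-hooked functions that verify a nonce but never check a capability."""
    hooked = set(AJAX_HOOK.findall(php))
    return [name for name, body in FUNC.findall(php)
            if name in hooked and NONCE.search(body) and not CAPABILITY.search(body)]

if __name__ == "__main__":
    for name in nonce_only_handlers(SAMPLE_PHP):
        print(f"{name}: nonce verified but no capability check; add current_user_can()")
```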

The Role of AI in Bug Hunting

“Like in any industry, you want to become AI-assisted. If something feels boring or repetitive – that’s what computers should be doing. Let AI handle that so we can keep the fun bits.”

Mat uses AI regularly, especially for the less exciting parts of the workflow.

“It’s great for writing reports. I use templates, but if I’m stuck on wording, I’ll feed in the context or a PoC and ask it to draft a summary or explain the impact in ‘stakeholder talk.’”

But when it comes to actually finding vulnerabilities?

“LLMs aren’t there yet. They lack context, hallucinate bugs, or just point out best practices instead of real issues.”

So while AI isn’t replacing the work of a security researcher any time soon, it’s a solid way to speed things up around the edges.

Want to Learn More?

This conversation with Mat Rollings (Stealthcopter) offered a practical, honest look inside the world of WordPress security research, the core of Patchstack’s ability to protect users. His shift from developer to full-time bug bounty hunter highlights the opportunities (and challenges) that come with securing an open ecosystem.

If Mat’s insights sparked your interest, here’s where to go next:

“If you’re thinking about getting into this space – just start. Pick a plugin, open the code, and follow the data. You’ll learn more by doing than by waiting until you feel ready.”