Matthias Held
@mazeheld
Build and destroy, then build it better. Matthias is a web professional with a deep knowledge of WordPress and cybersecurity. Spending his working days as a Security Solutions Architect at Bugcrowd, he brings a lot of practical industry experience to the world of hacking and securing WordPress. His previous role as CTO and Product Manager for Raidboxes allowed him to influence the Managed WordPress Hosting space with innovation and leadership. With over two decades in the field, Matthias has consistently paired software development with a passion for sharing knowledge. His speaking engagements include respected platforms like TEDx, B-Sides and various WordCamps, as well as many workshops for customers that want their development teams to code in a more secure manner. Throughout his career, Matthias has worked with a range of clients from startups to global brands, including Nike and National Geographic, helping to enhance their online presence through WordPress solutions. To learn more about Matthias’s work and insights into cybersecurity or WordPress development, visit held.codes.
Get to know Matthias 🎙️
Can you start by painting a picture of what a typical day looks like for you? What fuels your passion for the work you do, and how does it tie into your involvement with WCEU?
Over the past decade, the roles and responsibilities of security professionals have evolved, much like everything else in tech of course. Our importance has grown a lot as attack vectors targeting both businesses and individuals have increasingly moved to the digital space. It’s a stark reality: Everyone and everything connected to the internet is under constant attack, whether we like it or not—these attacks 99.9% of the time do not even care who or what you are; they’re just there to find a way in.
So my daily routine begins with reviewing messages and updates from newsletters and social channels to determine if any significant events occurred overnight that demand my immediate attention. This extends to both professional responsibilities and personal interests, impacting colleagues, friends, or family. For instance, I recently discovered that the car charging stations at my usual parking spot fail to encrypt data, allowing anyone to eavesdrop and collect personal details about me and my vehicle—a clear sign it’s time to find a new spot.
Professionally, I keep a keen eye on emerging vulnerabilities in WordPress Plugins/Themes and Core, ensuring that customers are promptly notified and patched. Much of my effort is devoted to educating users and clients on securing their WordPress setups effectively. I often find myself explaining the behavior of adversaries, however automated they may be, and outlining the necessary steps to counter these threats.
This is precisely why I initiated these informational talks and founded vulnwp.com. It empowers individuals to adopt a hacker’s mindset, equipping them with knowledge to both attack and defend WordPress sites—an invaluable perspective I believe.
What sparked your interest in becoming a speaker at WCEU? Was there a particular moment or experience that motivated you to share your insights with this community?
Speaking, being on stage and teaching is part of my DNA. It’s what I love doing the most. In the WP community being on stage is a great experience as you get to speak to like-minded folks all the time and not only “show and tell” but also learn together and gain valuable insights of what people not in security think or worry about. It’s a great experience and I just really love doing it.
For those awaiting your talk, could you give us a preview of what we can expect to learn from your talk? Any sneak peeks?
Ever wanted to become a hacker and see how these attacks work? I will show you how and you can follow along and do it yourself. You will get to see how and why threat actors work in a particular way and get to use the same tools and mindset like one of “us”.
Is it your first time at a WCEU or WordPress event? Any standout memories or lessons learned that you’d like to share?
Counting back this will be my 23rd WordCamp and 6th WCEU.
Looking beyond the scheduled sessions, what do you hope attendees will take away from their overall experience at WCEU? How can they leverage the event to enhance their professional development or personal growth?
Just like with every other talk on WordCamps, the importance is that attendees gain what they find useful for their own use case. With my talk these could mean multiple things or also completely new things I have not thought of. Off the top of my head it would answers to the following questions:
– How do hackers think?
– What tools do they use?
– How does hacking in general work?
– How does it work in a WordPress context?
– How do I check for vulnerabilities in general/on my site(s)?
– How can I exploit these?
– How can I make my site(s) more secure against these attacks?