The Panama Papers and WordPress Security
WordPress is without a doubt the best, most flexible platform for a small business website. We suggest it for every business we work with, and half of the tools we recommend are WordPress plugins or add-ons. Simply put, if you aren’t using WordPress for your website, you are missing out on tons of functionality.
But, like an operating system on your computer, with all that functionality comes some concern for security.
Recently, hackers were able to access over 4.8 million emails from the Panamanian law and accounting firm Mossack Fonseca. The resulting data leak, dubbed the “Panama Papers” by the press, was the largest in history, and contained evidence of tax evasion by countless public officials and figures worldwide.
Some cyber security firms are blaming Mossack Fonseca’s outdated WordPress website as the source of the breach.
So what does this mean for you, your website and your business? Are you at risk for a data breach? The simple answer is no, but you must keep your guard up and your website up-to-date.
The Panama Papers
The Panama Papers are just the latest and largest in an increasingly common trend of high-profile data leaks. Unlike recent data leaks from large retailers that targeted credit card numbers and financial information from individual customers, this leak was focused on the release of sensitive data to the press to embarrass world leaders and tax evaders.
The leak has been a massive, worldwide story, and journalists haven’t been able to sift through all of the data yet. There are over 2,600 GB of leaked data, which is more than all other major data leaks in history combined. For context, the Wikileaks data leak of 2010 was just 1.7 GB.
Not only do the papers contain information on tax evaders, which is legal but frowned upon by most countries, they also contain evidence of more serious crimes such as money laundering and fraud.
The leak directly implicates 12 current or former heads of state in these activities as well, including Russian President Vladimir Putin, and has already resulted in the resignation of Iceland’s Prime Minister.
Several other world leaders are also indirectly implicated, such as the Prime Minister of Great Britain, David Cameron.
How did this happen?
Wordfence has a nice breakdown of the nitty-gritty details, but a majority of the data was captured by exploiting a weakness in Mossack Fonseca’s WordPress website.
Mossack Fonseca was running a plugin on their site called Revolution Slider. The plugin ran most of their visual features and is a pretty popular and powerful WordPress design tool.
Every plugin or add-on can add a vulnerability to your site. Developers are not perfect, and it is impossible to write perfect code the first time. That is why most plugin developers release regular software updates. Unfortunately, Mossack Fonseca hadn’t updated the plugin, which left the site exposed to vulnerabilities that were patched in later versions. Wordfence has a video of how hackers were able to exploit this plugin.
Once inside the website, the hackers were then able to access Mossack Fonseca’s email server because the firm had another plugin that allowed it to send mail through the website. This plugin had no vulnerabilities and was fully updated, but once the hackers were in, it was already too late.
Should I be worried about my site?
The answer to this question isn’t that simple. Mossack Fonseca was a target here mainly because they were involved in potentially illicit activities with high-profile clients and lots of money. The hackers were sophisticated, more so than your general cyber-criminal, and would probably only target businesses like these with high stakes.
But any small business can be at risk for cyber crime, particularly if you handle some of your commerce online. There are plenty of cyber criminals looking to make an easy buck off stolen credit card information.
That’s why you should take away the following lessons from this incident: pay attention to your website, and update your plugins regularly.
Be sure not to leave your website running in the background without maintenance for too long. Hackers and criminals move quickly, and developers are forced to respond just as quickly. If a developer releases an update that includes security features, assume it is because someone somewhere has figured out a way in. You must be willing to update your site regularly to prevent the next person from figuring it out.
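One way to act on that advice, as an added example that is not part of the original article: a short Python script that reads the Version line from each plugin's header comment and flags anything older than a baseline you maintain. The plugin names, version numbers and baseline below are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# WordPress plugins declare metadata in a header comment in their main PHP file.
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):\s*(.+?)\s*$", re.I | re.M)

def version_key(v):
    """Turn '4.10.1' into (4, 10, 1) so 4.10 sorts after 4.9 (string compare gets this wrong)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def read_plugin_header(php_file):
    """Return the first 'plugin name' and 'version' values found in the header."""
    text = php_file.read_text(errors="replace")[:8192]  # WordPress reads only the first 8 KB
    header = {}
    for key, value in HEADER.findall(text):
        header.setdefault(key.lower(), value)
    return header

def audit(plugins_dir, minimum_versions):
    """List (slug, installed, required) for every plugin older than the baseline."""
    findings = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        header = read_plugin_header(php)
        if "plugin name" not in header:
            continue  # helper file, not the plugin's main file
        slug = php.parent.name
        installed = header.get("version", "0")
        required = minimum_versions.get(slug)
        if required and version_key(installed) < version_key(required):
            findings.append((slug, installed, required))
    return findings

def demo():
    """Build a constructed wp-content/plugins directory and audit it."""
    root = Path(tempfile.mkdtemp())
    samples = {"example-slider": "2.1.0", "example-mailer": "3.4.2"}  # constructed
    for slug, ver in samples.items():
        (root / slug).mkdir()
        (root / slug / f"{slug}.php").write_text(
            f"<?php\n/*\n * Plugin Name: {slug}\n * Version: {ver}\n */\n")
    baseline = {"example-slider": "2.1.7", "example-mailer": "3.4.2"}  # constructed
    return audit(root, baseline)

if __name__ == "__main__":
    for slug, have, need in demo():
        print(f"{slug}: installed {have}, needs at least {need}")
```

On a real site, point audit() at the wp-content/plugins folder and fill the baseline from each plugin developer's release notes.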
Alex Boyer is a Community Manager and Content Ninja for Duct Tape Marketing. You can connect with him on Twitter @AlexBoyerKC