The Panama Papers and WordPress Security

By [email protected]

WordPress is without a doubt the best, most flexible platform for a small business website. We suggest it for every business we work with, and half of the tools we recommend are WordPress plugins or add-ons. Simply put, if you aren’t using WordPress for your website, you are missing out on tons of functionality.

But, like an operating system on your computer, with all that functionality comes some concern for security.

Recently, hackers were able to access over 4.8 million emails from the Panamanian law and accounting firm Mossack Fonseca. The resulting data leak, dubbed the “Panama Papers” by the press, was the largest in history, and contained evidence of tax evasion by countless public officials and figures worldwide.

Some cyber security firms are blaming Mossack Fonseca’s outdated WordPress website as the source of the breach.

So what does this mean for you, your website and your business? Are you at risk for a data breach? The simple answer is no, but you must keep your guard up and your website up-to-date.

The Panama Papers

The Panama Papers are just the latest and largest in an increasingly common trend of high-profile data leaks. Unlike recent data leaks from large retailers that targeted credit card numbers and financial information from individual customers, this leak was focused on the release of sensitive data to the press to embarrass world leaders and tax evaders.

The leak has been a massive, worldwide story, and journalists haven’t been able to sift through all of the data yet. There are over 2,600 GB of leaked data, which is more than any other major data leak in history combined. For context, the Wikileaks data leak of 2010 was just 1.7 GB.

Not only do the papers contain information on tax evaders, which is legal but frowned upon by most countries, they also contain evidence of more serious crimes such as money laundering and fraud.

The leak directly implicates 12 current or former heads of state in these activities as well, including Russian President Vladimir Putin, and has already resulted in the resignation of Iceland’s Prime Minister.

Also, several other world leaders are indirectly implicated, like the Prime Minister of Great Britain, David Cameron.

How did this happen?

Wordfence has a nice breakdown of the nitty-gritty details, but a majority of the data was captured by exploiting a weakness in Mossack Fonseca’s WordPress website.

Mossack Fonseca was running a plugin on their site called Revolution Slider. The plugin ran most of their visual features and is a pretty popular and powerful WordPress design tool.

Every plugin or add-on can add a vulnerability to your site. Developers are not perfect, and it is impossible to create perfect code the first time. That is why most plugin developers release regular software updates. Unfortunately, Mossack Fonseca hadn’t updated the plugin and left some vulnerabilities that were patched in later versions. Wordfence has a video of how hackers were able to exploit this plugin.

Once inside the website, the hackers were then able to access Mossack Fonseca’s email server because they had another plugin that allowed them to send mail through the website. This plugin had no vulnerabilities and was fully updated, but once the hackers were in, it was already too late.

Should I be worried about my site?

The answer to this question isn’t that simple. Mossack Fonseca was a target here mainly because they were involved in potentially illicit activities with high-profile clients and lots of money. The hackers were sophisticated, more so than your general cyber-criminal, and would probably only target businesses like these with high stakes.

But any small business can be at risk for cyber crime, particularly if you handle some of your commerce online. There are plenty of cyber criminals looking to make an easy buck off stolen credit card information.

That’s why you should take away the following lessons from this incident: pay attention to your website, and update your plugins regularly.

Be sure not to leave your website running in the background without maintenance for too long. Hackers and criminals move quickly, and developers are forced to respond just as quickly. If a developer releases an update that includes security features, assume it is because someone somewhere has figured out a way in. You must be willing to update your site regularly to prevent the next person from figuring it out.

Alex Boyer is a Community Manager and Content Ninja for Duct Tape Marketing. You can connect with him on Twitter @AlexBoyerKC.
