How the Panama Papers Can Be Traced Back to a WordPress Plugin Security Flaw

It’s a Big, Bad, World Wide Web. Is Your Website Secure?

In general, it can be very easy for people to justify short-term gain vs long-term effort.

“Well, I’ll just leave my keys in the car door tonight. I’m sure it’ll be fine. I really don’t feel like carrying them around… Ugh, they’re just so heavy and jangly.”

When it comes to the security of your website, it’s definitely worth the time spent to fortify its defenses. To put it into perspective, the absurdity of the above example is not that different from complaining that your password is too hard to remember or hosting a bunch of inactive, outdated plugins on your WordPress site.

How The Panama Papers Leak Affects You

Some list confirming that a bunch of world leaders and celebrities have secret stashes of untaxed money shouldn’t exactly concern you on a personal level, right?


The vulnerability that led to the largest data leak of all time actually stems from something we all use regularly, whether you’re a business owner, developer, or a consumer—Wordpress. It’s almost difficult to believe, but a widely-used plugin just so happened to spark the collapse of …well, the entire world. (Or, at least, it has definitely changed how the global public handles its leaders and the rest of the 1%.)

Let’s review how a failure to update a WordPress plugin very quickly turned into a worst-case scenario and PR nightmare for Mossack Fonseca, a Panamanian law firm that is known to be, wait for it… a “leading global provider for legal and trust services.”

Last week, WordFence, a software engineering team and makers of the Wordfence WordPress Security plugin, broke the story of a massive Mossack Fonseca breach, citing a vulnerability in the firm’s version of the Revolution Slider plugin.

That particular vulnerability was actually old news; the exploit was published in September of 2014 and the Revolution Slider plugin had since been patched and updated multiple times*.

*In case you are wondering about the nifty slider on your own website, the vulnerability affects versions of Revslider all the way up to 3.0.95. The current version of the plugin is 5.2.

Many commercial WordPress themes come bundled with Revolution Slider and other cool plugins. These themes generally require a renewal payment every 6-to-12 months to maintain access to updates and support. But, if your web developer doesn’t hang around to keep your site updated, or worse, has used a theme that THEY purchased and own the license to, you could have a problem.

Top 5 Reason Sites Get Hacked

Many website owners may not even be aware that they are hosting similar vulnerabilities simply by not maintaining their website frameworks, plugins, themes, browsers, and operating systems. Yes, that’s right — even browsers and operating systems.

Don’t just assume that your web developer (or your best buddy who’s building your website for free) is taking care of the site’s maintenance and security. Take ownership of your technology. Ask your developer, “Will you maintain my website security once my site is launched and what best practices have you put in place?”

#1) Failure to Update

WordPress.org and its community of developers all agree that failure to update is the leading cause of hacked sites.

In a quick follow-up article to the Mossack Fonseca breach, WordFence described how the Panama Papers debacle was likely a lateral move for the hackers, explaining: “Once you gain access to a WordPress website, you can view the contents of wp-config.php which stores the WordPress database credentials in clear text. The attacker would have used this to access the database.”

…Yep. By hosting known vulnerabilities you’ve essentially given away the keys to your car, left your address on the dash, your apartment door wide open, and your bank card and pin number under a plate of cookies in the kitchen.

Hackers aren’t sitting around trying to guess YOUR password as Matrix-like code cascades across several monitors. The majority of attacks are automated and impersonal; their aim is to identify easy access points (known vulnerabilities) that offer the greatest ROI.

Any other plugins that you might be using, like the popular WP SMTP Mail (which gives you the ability to send mail from your website via a mail server), can now also be accessed and reveal not only your email and password but also provide hackers access to everyone in your address book.

To see just how prevalent this is, you can view a cool animation of real-time attacks on the WordFence website, which shows a mere 4% of the 10,963 attacks happening per minute.

#2) Cheap, Insecure Web Hosting

That server a friend of a friend is running out of their basement? Yeah, it’s FREE but it’s probably not that secure. If you are in business, invest in your infrastructure. This is not just about your data, it is also about your clients’ and customers’ information. Pay for real web hosting. If you are building a site with WordPress, look for managed WordPress hosting like WPengine or Synthesis. Read this article by Joost DeValk about recommended web hosts for WordPress websites.

While you are at it, ask your developer to set you up with HTTPS. Google prefers it and it is part of a larger HTTPS Everywhere movement to make the web more secure.

#3) Your .htaccess Permissions Are Set to Read/Write All

Lock down your file permissions. Folders like /wp-admin and /wp-includes should not be writable by anyone but you. You can do this in your .htaccess file and there are also some good plugin solutions like iThemes Security and Bulletproof Security that can also do the job.

I also recommend WordFence for it’s real-time view of login attempts and 404’s, full site-scans that alert you when a plugin/theme has changed or if it spots a malicious file, and its ability to set two-factor authentication. WordFence is also integrated with its own high speed caching engine.

The scoop on hardening WordPress can be found in the WordPress codex. Use it.

#4) You Are Only As Strong As Your Weakest Link

If you wouldn’t make copies of your house keys for everyone on your block, why would you want to give everyone who uses your website Administrator level access?

Hacking is most often an exploit of ease and opportunity. The more Administrators you have, the more possible points of access to your website or other accounts. As you add users to your site, be sure to ask yourself, “Who actually needs what privilege?”

Your content management system, Facebook business page, MailChimp account, etc. understand that businesses have multiple users and access needs. Understanding who needs what privilege when it comes to doling out the editing and content creation roles is important.

Does the guy who writes blog posts for your site need Administrator access or could he just be designated an Editor or Author? Does your web developer need your primary login for MailChimp or could you make her an account manager instead? The benefit to this arrangement is that you can then remove the access once their job is completed.

As an aside, you also want to make sure that users do not access the backend of your brand new website and other sensitive accounts over free WIFI connections or share their unique logins with others. I highly recommend using a secure, modern browser (like Chrome, Firefox, or Opera) and making sure that you have some type of anti-virus protection installed on your computer.

#5) Using Default Usernames and Weak Passwords

Everyone knows this now, right? The default username in WordPress is “admin”. Don’t use the default username on your WordPress site. Unless you WANT to give away 50% of your login information…

WordPress does use strong passwords by default, but people still like to simplify their lives and create passwords that are easy to remember. Hey, guess what? Trying to remember all of your passwords is crazy! Use a password manager like LastPass to safely generate, store, and share strong passwords.

A few other tips:

  • Do not store passwords in your BROWSER. If you lose your computer, you also lose your passwords. If your computer gets hacked, your Keychain Access is EVERYONE’S Keychain Access.
  • Email is not secure. Do not share logins or other sensitive data via email. If you sign up for LastPass (it’s free by the way) you can also safely share passwords with other LastPass users.You can even share logins without displaying your super-strong password.
  • Use unique passwords. Always.

Ignorance of the law excuses no one.

If you are part of large organization, maybe you inherited a system that has seen many makers and is now too convoluted to update without breaking needed functionality. Or, you are a lone business person just trying to find time to add a new blog post and are waiting until you can afford a site redesign to make updates.

Unfortunately, “not knowing” is not a defense against malicious attacks or exploits. Just like owning a car, we may not understand exactly how everything works, but we do accept a basic awareness and responsibility for its use and maintenance. As website owners, and daily users of technology, we would be wise to note that the probability of attacks increase in direct proportion to the popularity and market share of the given product.

WordPress and your “(not!) virus proof” Mac are glowing red targets because of their ease of use and popularity with consumers. That doesn’t make them bad technology solutions. In fact, open source applications like WordPress benefit from having an active community of dedicated programmers constantly finding bugs and patching them.

Although exploits in the wild WWW will always exist, the best practices outlined above are mostly common-sense and really don’t change at all when it comes to securing your website and online accounts. This doesn’t mean that you will never suffer a hack or data-loss, but awareness and good online habits in the areas that you do have control over will make you a less-likely target.

For further reading, the following links can help you learn about site security and take action to strengthen your site’s defenses:

Chicago Style SEO offers managed WordPress hosting to all of our clients. WordPress hosting includes regular backups, maintenance, and updates. Our servers are considered “good neighborhoods” — we only host our own client’s sites, not thousands of randos crammed together on a stack. We also highly encourage you to make the switch from HTTP to HTTPS for SEO reasons, as well as for a more secure and better internet experience for everyone involved. Contact us for more information about our hosting and maintenance plans or switching to HTTPS.

Posted in WordPress