The Panama Papers & WordPress Plugin Security

It’s a Big, Bad, World Wide Web. Is Your Website Secure?

It can be very easy for people to justify short-term gain vs long-term effort:

“Well, I’ll just leave my keys in the car door tonight. They’re so heavy and jangly. Carrying things is hard.”

– Someone

The absurdity of the above example is not that different from complaining that your password is too hard to remember or hosting a bunch of inactive, outdated plugins on your WordPress site. When it comes to the security of your website, it’s definitely worth the time spent to fortify its defenses.

And, hey, guess what? Trying to remember all of your unique, strong passwords is impossible! Use a password manager like LastPass to safely generate, store, and share strong passwords.

How The Panama Papers Leak Affects You

Some list confirming that a bunch of world leaders and celebrities have secret stashes of untaxed money shouldn’t exactly concern you on a personal level, right?

Well…

The vulnerability that led to the largest data leak of all time actually stems from something we all use regularly, whether you’re a business owner, developer, or a consumer — WordPress. It’s almost difficult to believe, but a widely-used plugin just so happened to spark the collapse of …well, the entire world. (Or, at least, it has definitely changed how the global public handles its leaders and the rest of the 1%.)

Let’s review how a failure to update a WordPress plugin very quickly turned into a worst-case scenario and PR nightmare for Mossack Fonseca, a Panamanian law firm that is known to be, wait for it… a “leading global provider for legal and trust services.”

Last week, WordFence, a software engineering team and makers of the Wordfence WordPress Security plugin, broke the story of a massive Mossack Fonseca breach, citing a vulnerability in the firm’s version of the Revolution Slider plugin.

That particular vulnerability was actually old news; the exploit was published in September of 2014 and the Revolution Slider plugin had since been patched and updated multiple times*.

*In case you are wondering about the nifty slider on your own website, the vulnerability affects versions of Revslider all the way up to 3.0.95. The current version of the plugin is 5.2.

Many commercial WordPress themes come bundled with Revolution Slider and other cool plugins. These themes generally require a renewal payment every 6-to-12 months to maintain access to updates and support. But, if your web developer doesn’t hang around to keep your site updated, or worse, has used a theme that THEY purchased and own the license to, you could have a problem.

Top 5 Reasons Web Sites Get Hacked

Many website owners may not even be aware that they are hosting similar vulnerabilities simply by not maintaining their website frameworks, plugins, themes, browsers, and operating systems. Yes, that’s right — even browsers and operating systems.

#1) Failure to Update

WordPress.org and its community of developers all agree that failure to update is the leading cause of hacked sites.

In a quick follow-up article to the Mossack Fonseca breach, WordFence described how the Panama Papers debacle was likely a lateral move for the hackers, explaining: “Once you gain access to a WordPress website, you can view the contents of wp-config.php which stores the WordPress database credentials in clear text. The attacker would have used this to access the database.”

By hosting known vulnerabilities you’ve essentially given away the keys to your car, left your address on the dash, your apartment door wide open, and your bank card and pin number under a plate of cookies in the kitchen. Thanks!

Hackers aren’t sitting around trying to guess YOUR password as Matrix code cascades across several monitors. The majority of attacks are automated and impersonal. Their aim is to identify easy access points (known vulnerabilities) that offer the greatest ROI.

Secure your site to protect not only your information, but that of your customers and business partners, too.

If your site is compromised, other plugins you might be using, like the popular WP SMTP Mail (which lets your website send mail through a mail server), can also be accessed. That reveals not only your email address and password but also gives the attacker access to everyone in your address book.

To see just how prevalent this is, you can view a cool animation of real-time attacks on the WordFence website, which shows a mere 4% of the 10,963 attacks happening per minute.

#2) Cheap, Insecure Web Hosting

If you are in business, invest in your infrastructure. You can pay $25/month for WordPress managed hosting.

This is not just about your data, it is also about your clients’ and customers’ information. If you are building a site with WordPress, look for managed WordPress hosting like WPengine or SiteGround. Read this article by Joost DeValk about recommended web hosts for WordPress websites.

While you are at it, serve your site over HTTPS. Most web hosting companies provide free auto-SSL certificates these days. Google prefers it, and it is part of the larger HTTPS Everywhere movement to make the web more secure.

#3) Your .htaccess Permissions Are Set to Read/Write All

Lock down your file permissions. Folders like /wp-admin and /wp-includes should not be writable by anyone but you. You can tighten access in your .htaccess file, and there are also some good WordPress plugin solutions that can do the job.

More information about hardening WordPress can be found in the WordPress codex.
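As an added example (not from the article), a small POSIX shell audit for the two problems behind #1 and #3: a plugin whose header version is below a patched release, and world-writable core directories or a world-readable wp-config.php (the file WordFence noted holds the database credentials in clear text). The plugin path wp-content/plugins/revslider/revslider.php and the 3.0.96 threshold are assumptions, and the sample install the script builds is constructed test data.

```shell
#!/bin/sh
# Added example, not from the article. Plugin path and threshold are assumptions.
# "<plugin slug> <first acceptable version>" per line. The article says Revolution
# Slider up to 3.0.95 is affected, so anything older than 3.0.96 is flagged here.
MIN_VERSIONS='revslider 3.0.96'

# Read the "Version:" header that WordPress plugins carry in their main file.
plugin_version() {
    sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([0-9.][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Exit 0 when dotted version $1 is lower than $2 (3.0.95 < 3.0.96, 4.9 < 4.10).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, "."); n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0; if (xi > yi) exit 1
        }
        exit 1 }'
}

# Print one finding per line for the WordPress install rooted at $1.
audit_wp_tree() {
    root=$1
    # #3: nothing under wp-admin or wp-includes may be world-writable (mode o+w).
    for d in wp-admin wp-includes; do
        find "$root/$d" -perm -002 -print 2>/dev/null | sed 's/^/WRITABLE /'
    done
    # wp-config.php holds the database credentials in clear text; a world-readable
    # copy on shared hosting hands them to every other account on the server.
    if [ -f "$root/wp-config.php" ] && [ -n "$(find "$root/wp-config.php" -perm -004)" ]; then
        echo "EXPOSED $root/wp-config.php"
    fi
    # #1: compare each listed plugin's header version with its threshold.
    printf '%s\n' "$MIN_VERSIONS" | while read -r slug min; do
        main="$root/wp-content/plugins/$slug/$slug.php"
        [ -f "$main" ] || continue
        v=$(plugin_version "$main")
        if [ -n "$v" ] && version_lt "$v" "$min"; then echo "OUTDATED $slug $v (below $min)"; fi
    done
}

# Constructed sample install showing all three findings; prints its path.
make_sample_site() {
    s=$(mktemp -d) && mkdir -p "$s/wp-admin" "$s/wp-includes" "$s/wp-content/plugins/revslider"
    chmod 755 "$s/wp-admin" && chmod 777 "$s/wp-includes"
    printf '<?php\ndefine("DB_PASSWORD", "constructed");\n' > "$s/wp-config.php" && chmod 644 "$s/wp-config.php"
    printf '<?php\n/*\nPlugin Name: Slider Revolution\nVersion: 3.0.95\n*/\n' > "$s/wp-content/plugins/revslider/revslider.php"
    echo "$s"
}
```

Run it against a real install with `audit_wp_tree /path/to/wordpress`; an empty output means none of the three checks fired.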

#4) You Are Only As Strong As Your Weakest Link

If you wouldn’t make copies of your house keys for everyone on your block, why would you want to give everyone who uses your website Administrator level access?

Hacking is most often an exploit of ease and opportunity. The more Administrators you have, the more possible points of access to your website or other accounts.

Understand who needs what privilege when it comes to doling out the editing and content creation roles. And, please don’t email your login information. Email is not secure. Try sharing access with a tool like LastPass.

Have an internet safety process in place. Make sure that people with access to sensitive accounts aren’t using free Wi-Fi connections or sharing their unique logins with others. Use a secure, modern browser (like Chrome, Firefox, or Safari) and make sure that you have some type of anti-virus protection installed on your computer as well as a separate backup method. Don’t rely on Time Machine alone.

#5) Using Default Usernames and/or Weak or Duplicate Passwords

Everyone knows this now, right? The default username in WordPress is “admin”. Don’t use the default username on your WordPress site.

  • An 8-character password can be cracked in less than an hour.
  • Use a passphrase instead of a password.
  • Use a password manager and make sure you have unique passwords for your online accounts.

WordPress does generate strong passwords by default, but people still like to simplify their lives and create passwords that are easy to remember. Two-factor authentication is recommended if you can get people to activate it.

A few other tips:

  • Do not store passwords in your BROWSER. If you lose your computer, you also lose your passwords. If your computer gets hacked, your Keychain Access is EVERYONE’S Keychain Access.
  • Email is not secure. Do not share logins or other sensitive data via email. If you sign up for LastPass (it’s free by the way) you can share passwords with other LastPass users without revealing your login. Then, remove access when your collaboration is over.
  • Use unique passwords. Always.

As Former President George Bush said, “There’s an old saying in Tennessee — I know it’s in Texas, probably in Tennessee — that says, fool me once, shame on… shame on you. Fool me… you can’t get fooled again.”

If you are part of a large organization, maybe you inherited a system that has seen many makers and is now too convoluted to update without breaking needed functionality. Or you are a lone business person just trying to find time to add a new blog post, waiting until you can afford a site redesign to make updates.

Unfortunately, “not knowing” is not a defense against malicious attacks or exploits. Just like owning a car, we may not understand exactly how everything works, but we do accept a basic awareness of and responsibility for its use and maintenance. As website owners and daily users of technology, we would be wise to note that the probability of attacks increases in direct proportion to the popularity and market share of the given product.

WordPress and your “virus proof (not!)” Mac are glowing red targets because of their ease of use and popularity with consumers. That doesn’t make them bad technology solutions. In fact, open source applications like WordPress benefit from having an active community of dedicated programmers constantly finding bugs and patching them.

Although exploits in the wild WWW will always exist, the best practices outlined above are mostly common-sense and really don’t change at all when it comes to securing your website and online accounts. This doesn’t mean that you will never suffer a hack or data-loss, but awareness and good online habits in the areas that you do have control over will make you a less-likely target.

Don’t assume that your web developer (or your best buddy who’s building your website for free) is taking care of the site’s maintenance and security. Take ownership of your technology. Ask your developer, “Will you maintain my website security once my site is launched and what best practices have you put in place?”

For further reading, the following links can help you learn about site security and take action to strengthen your site’s defenses: