It’s easy to set it and forget it. We do it with alarm clocks, smoke detectors, and many other things we encounter on a daily basis. What about your WordPress website?

If you haven’t heard about the Panama Papers breach by now, there are plenty of stories in the mainstream media to catch up on. It turns out a Panamanian law firm, Mossack Fonseca, housed a lot of very sensitive data on its office computer network. Even worse, it appears their public website was hosted on a server in their office. That is a major no-no we advise strongly against, for one reason above all: a public web server is meant to be reached by anyone on the internet, so whoever breaks into it is standing inside your office network the moment they do.

What We Think Happened

Could you believe that there’s possibly a link between an outdated plugin on their WordPress site and the “Panama Papers” leak? Our friends at Wordfence have compiled a very thorough analysis of the Mossack Fonseca WordPress site and of the Slider Revolution plugin the site uses. The Wordfence analysis gets very technical, but here’s the bottom line:

  1. The Mossack Fonseca WordPress site was built using the Slider Revolution plugin (you know those sliders that everyone wants on their website).
  2. The plugin hadn’t been updated since 2013.
  3. The plugin contained insecure code, and someone with the right technical skills could exploit that vulnerability.
  4. Within a couple of minutes, an attacker could gain “superuser” access to the web server the site is hosted on. If that server sits on the same network as the other computers in the office, those computers are the attacker’s next stop.

It’s really that easy (and that scary). Within a couple of minutes someone with bad intentions could break into not only your website but possibly your entire network. It’s vitally important to keep your website up to date. That includes whatever software powers the site, whether that’s WordPress, Drupal, Joomla, or another content management system, and every third-party add-on on top of it, like the slider plugin in this breach. One more thing: a plugin you installed but no longer use is still code sitting on your web server, reachable from the internet whether or not it is switched on, so delete the ones you don’t need rather than just deactivating them.
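As an added example (not code from the original post, from Wordfence, or from WordPress), here is a small Python script that reads the version header of every installed plugin and flags anything older than a threshold you set. It reads the same `Plugin Name:` / `Version:` comment block that WordPress itself reads from the first 8 KB of a plugin’s main file, so it works offline against a copy of `wp-content/plugins`, for example the one inside your backup. The threshold table and the sample header are placeholders constructed for this example; fill the table in from each vendor’s changelog.

```python
"""Audit installed WordPress plugin versions against minimums you supply.

Added example for this article, not code from WordPress or Wordfence.
"""
import os
import re
import sys

# WordPress locates header fields at the start of a line, allowing comment
# punctuation before them. We only need two of the fields it recognises.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):(.*)$", re.MULTILINE)

# Placeholder thresholds (an assumption for this example): the oldest version
# you are willing to run. Keys must match the "Plugin Name" header exactly.
MINIMUM_VERSIONS = {
    "Slider Revolution": "4.2",
}

# Constructed sample mimicking the header block of an old plugin main file.
SAMPLE_OLD_HEADER = """<?php
/*
Plugin Name: Slider Revolution
Description: Responsive slider plugin (constructed sample header)
Author: ThemePunch
Version: 4.1.4
*/
"""


def parse_plugin_header(php_text):
    """Return the Plugin Name / Version fields from a plugin's main file.

    WordPress only inspects the first 8 KB, so we do the same. Fields that are
    missing are simply absent from the result.
    """
    fields = {}
    for key, value in HEADER_RE.findall(php_text[:8192]):
        fields.setdefault(key, value.split("*/")[0].strip())
    return fields


def parse_version(text):
    """Turn '4.1.4' or '5.4.8.1' into a tuple of ints for safe comparison.

    Plain string comparison gets this wrong ('4.10' < '4.9'), which is exactly
    the kind of bug that lets an old plugin look up to date.
    """
    nums = re.findall(r"\d+", text)
    return tuple(int(n) for n in nums) if nums else None


def check_plugin(headers, minimums):
    """Return a finding string if the plugin is below its minimum, else None."""
    name = headers.get("Plugin Name")
    if name not in minimums:
        return None  # no threshold set for this plugin
    installed = parse_version(headers.get("Version", ""))
    if installed is None:
        return f"{name}: no Version header; treat as outdated"
    if installed < parse_version(minimums[name]):
        return f"{name}: installed {headers['Version']} < minimum {minimums[name]}"
    return None


def main_plugin_files(plugins_dir):
    """Yield the PHP files WordPress scans: top-level files and the top-level
    files inside each plugin folder (never deeper)."""
    for entry in sorted(os.listdir(plugins_dir)):
        path = os.path.join(plugins_dir, entry)
        if entry.endswith(".php"):
            yield path
        elif os.path.isdir(path):
            for name in sorted(os.listdir(path)):
                if name.endswith(".php"):
                    yield os.path.join(path, name)


def audit_plugins_dir(plugins_dir, minimums):
    """Walk a wp-content/plugins copy and list every plugin below its minimum."""
    findings = []
    for php in main_plugin_files(plugins_dir):
        with open(php, encoding="utf-8", errors="replace") as fh:
            headers = parse_plugin_header(fh.read(8192))
        if "Plugin Name" in headers:
            finding = check_plugin(headers, minimums)
            if finding:
                findings.append(f"{os.path.relpath(php, plugins_dir)}: {finding}")
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: python audit_plugins.py /path/to/wp-content/plugins
        for line in audit_plugins_dir(sys.argv[1], MINIMUM_VERSIONS):
            print(line)
    else:  # no path given: run against the constructed sample header
        print(check_plugin(parse_plugin_header(SAMPLE_OLD_HEADER), MINIMUM_VERSIONS))
```

Point it at the plugins folder from your backup (`python audit_plugins.py wp-content/plugins`) and it prints one line per plugin that is below the threshold you set. A plugin that is missing from the table is silently skipped, so the table is only as good as the research you put into it.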

Do Those Updates (Carefully)

A word of caution, however, before you log in and click “Update All” for your plugins or for WordPress itself. While the odds are that most updates will work without issue, some may “break” the site. The best course of action is to:

  1. Back up your entire website (files and database) before upgrading.
  2. Review each plugin’s changelog before updating.
  3. Update one plugin at a time.
  4. If a plugin breaks the site, revert to the backup or to the previous version of that plugin, then investigate what in that particular plugin is causing the problem.
  5. Update the remaining plugins.
  6. Test the website before going live again.
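The procedure above, as an added Python example that is not the post’s own code and not part of WordPress. It drives WP-CLI (the example assumes WP-CLI is installed and works as `wp` from the site’s root directory) but takes the command runner and the site health check as parameters, so the same logic can be exercised offline against a constructed fake site. `SITE_URL`, the sample plugin list and the `FakeSite` class are constructed for the example.

```python
"""Back up, then update WordPress plugins one at a time, rolling back the one
that breaks the site. Added example for this article (not from WordPress).
Assumes WP-CLI's `wp` works from the site root and `tar` is available."""
import json
import subprocess
import time
import urllib.request

SITE_URL = "https://example.com/"  # assumption: replace with the real front page


def run_cmd(argv):
    """Real runner: execute a command in the site root and return its stdout."""
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


def site_healthy(url=SITE_URL):
    """Real health check: front page answers 200 and shows no PHP fatal error."""
    try:
        with urllib.request.urlopen(url, timeout=15) as resp:
            return resp.status == 200 and b"Fatal error" not in resp.read()
    except Exception:
        return False


def snapshot(run, stamp):
    """Step 1: database via WP-CLI, files via tar, both tagged with one stamp."""
    run(["wp", "db", "export", f"backup-{stamp}.sql"])
    run(["tar", "czf", f"backup-{stamp}.tar.gz", "wp-content"])


def plugins_with_updates(run):
    """Which plugins have an update pending, and what version runs now."""
    out = run(["wp", "plugin", "list", "--update=available", "--format=json",
               "--fields=name,version,update_version"])
    return json.loads(out)


def update_one_at_a_time(run, healthy, plugins, stamp):
    """Steps 3-5: update, re-check the site, revert only the plugin that broke it."""
    results = []
    for p in plugins:
        name, old = p["name"], p["version"]
        run(["wp", "plugin", "update", name])
        if healthy():
            results.append((name, "updated", p["update_version"]))
            continue
        # Reinstall the previous version from wordpress.org. Premium plugins are
        # not hosted there; restore those from backup-<stamp>.tar.gz by hand.
        run(["wp", "plugin", "install", name, f"--version={old}", "--force", "--activate"])
        results.append((name, "rolled back", old))
        if not healthy():
            raise RuntimeError(f"still broken after reverting {name}; restore backup-{stamp}")
    return results


def careful_update(run, healthy, stamp=None):
    """Whole procedure: refuse to start on a broken site, back up, then update."""
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S")
    if not healthy():
        raise RuntimeError("site is already unhealthy; investigate before updating")
    snapshot(run, stamp)
    return update_one_at_a_time(run, healthy, plugins_with_updates(run), stamp)


class FakeSite:
    """Constructed stand-in for a real site so the procedure can run offline.
    Updating the plugin named `fragile` breaks the site; reinstalling its old
    version repairs it. Every command issued is recorded in `calls`."""

    def __init__(self, plugins, fragile):
        self.plugins, self.fragile, self.broken, self.calls = plugins, fragile, False, []

    def run(self, argv):
        self.calls.append(" ".join(argv))
        if argv[:3] == ["wp", "plugin", "list"]:
            return json.dumps(self.plugins)
        if argv[:3] == ["wp", "plugin", "update"] and argv[3] == self.fragile:
            self.broken = True
        if argv[:3] == ["wp", "plugin", "install"] and argv[3] == self.fragile:
            self.broken = False
        return ""

    def healthy(self):
        return not self.broken


# Constructed sample: two pending updates; the second one breaks the fake site.
SAMPLE_PLUGINS = [
    {"name": "akismet", "version": "3.1.11", "update_version": "3.2"},
    {"name": "contact-form-7", "version": "4.3", "update_version": "4.4"},
]


def demo():
    """Offline dry run against the fake site; returns (results, commands issued)."""
    site = FakeSite(SAMPLE_PLUGINS, fragile="contact-form-7")
    return careful_update(site.run, site.healthy, stamp="demo"), site.calls


if __name__ == "__main__":
    results, calls = demo()
    print("\n".join(calls))
    print(results)  # [('akismet', 'updated', '3.2'), ('contact-form-7', 'rolled back', '4.3')]
```

To run it for real, call `careful_update(run_cmd, site_healthy)` from the site root, ideally against a staging copy first. A 200 on the front page is the bare minimum check; step 6, clicking through the site before going live, is still on you. Two WP-CLI details matter here: `wp plugin install --version` only works for plugins hosted on wordpress.org, so a premium plugin such as Slider Revolution has to be restored from the step 1 tarball instead, and `wp plugin list --update=available` only sees updates a plugin reports to WordPress, so premium plugins that don’t report them must be checked by hand.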

Finally, if you didn’t read the full Wordfence article on the Slider Revolution breach, here’s their video showing just how fast and easy such a breach can be:


Mossack Fonseca Slider Revolution Vulnerability Demo from Wordfence on Vimeo.