There has been a significant amount of speculation about how the Panama Papers hack was accomplished. It is the general thought of security experts that the hacker(s) accessed emailo records and the documents leaked were contained within the emails. What we know for sure is that the law firm in Panama was using a WordPress website hosted on the same server as their email server, and in addition they were hosting a drupal server used for client access. Both servers were using an outdated plugin (revolution slider) with a documented vulnerability that could be used to gain shell access to the server. Once the hackers had shell access they would be able to access documents and data stored on the server.
What does this mean for your company?
Every organisation needs to be continually vigilant against cyber-attacks. Although your organisation may not have a similar structure to Mossack Fonesca, it is still vulnerable to an attack. Every company should follow accepted security policies of isolating systems and establishing disaster recovery procedures.
Is WordPress safe?
WordPress would argue that as soon as they identify a breach, it is promptly fixed and they make every attempt to inform its users of the breach. However, this does not always extend to plugins and widgets. WordPress’ humble beginnings as an open source simple blog site management tool has evolved over time to become a versatile CMS used by millions of organisations throughout the world. Current stats indicate that WordPress is being used on 26 percent of all websites, which is just over 26 million sites worldwide. This proliferation of WordPress and very easy access means that would-be web developers with little or no skill have been building and selling plugins for many years. The open source nature of WordPress means that there are little to no controls in place to manage the development progress and vet plugins. In most cases when a plugin is installed you provide it full access to your server. Since 2014 WordPress’ core software has had more than 29 security vulnerabilities – not including individual plugins and their vulnerabilities. In comparison Umbraco has had one vulnerability in the same time frame. With the current landscape of the internet I would say that in the short-term, any website running WordPress has a very large target on its back, and my long-term outlook would lean towards WordPress continuing to be a target, vulnerable to further attacks and the consequences which come with that.
What’s the worst that can happen?
The Panama Papers breach is a perfect example of what could happen. At the very least a hacker could gain access to your website and:
- Remove all your content and hold it hostage until you pay a ransom to get your data back
- Install a sub website that acts as a warehouse of information using your domain
- Remove all your content and set up a web site that sells/promotes illegal products or services ( e.g. child pornography, weapons, bomb making kits, etc.)
- Install a server side script that allows other hackers to use your server for DOS attacks
- Use your site to distribute viruses using your established domain name
- Leave your site up and change the content to discredit or damage your reputation. This could be articles, text or blog posts that appear to be written by members of your organisation supporting racism, terrorism or anything else you could think of
All of these attacks are perpetrated using your domain and in some cases you may not be aware that your site is being used for illegal activity until you’re contacted by the police or international law enforcement to seize your servers.
Where do you go from here?
By doing nothing the initial cost may be zero but it would be ill advised to adopt a strategy of gambling that you aren’t the next target. The cost to your reputation could be the loss of current and future clients. Who wants to associate their brand with a tarnished reputation? The only alternative is to take action to reduce and mitigate against an attack. This could be migrating your site to a more secure platform or outsourcing your website hosting and security to an expert experienced with these attacks. This short term cost and change can be managed as opposed to an unknown cost and some ad hoc solution in the future.
I have long held the belief that WordPress as a CMS is only appropriate for small start-ups, SOHOs, non-profit organisations and individuals. No professional organisation that needs to protect a brand should be using WordPress. The cost of having a brand or reputation tarnished by a hack is incalculable.