The thing I enjoy the most about being an online business owner is this: Nobody can take away what I have built with SBI! - John Shank, SBI! member since 2003

What the Panama Papers Leak Teaches us about WordPress


Recently the Panama Papers burst upon the world’s notice. You know, the enormous leak of confidential documents showing tax evasion and worse on the part of the world’s gazillionaires… And WordPress site owners should be paying attention.

Let me explain.

The leak originated with the Mossack Fonseca law firm in Panama, hence the moniker, “Panama Papers.”

How did this leak occur? What financial super sleuth used his super spy skills to uncover all this wrongdoing and chicanery?

We don’t know the identity of the leaker, but some information is coming to light now about just how the hacker(s) gained access, and it’s a fairly sordid tale involving hubris, stupidity, sloppy web hygiene, and illegal actions.

In fact, it would make a good movie if it weren’t so downright ordinary.

Because it appears that the hacker gained access because the law firm was either too lazy or too stupid to set up the site sensibly and keep it up to date.

Let me rephrase that… the hacker got in because the firm was running versions of WordPress, the theme, and plugin(s) that were way out of date. There were also other stupidities, which we’ll get to.

Major IT Problems at Mossack Fonseca

Outdated WordPress

According to this article at WPTavern, the firm was running WordPress 4.1, which was released in December, 2014. In the intervening 16 months, there have been numerous security updates, and we’re now up to WordPress 4.5, released on April 12.

Outdated Theme

The same article states that the theme was a three-year-old version of TwentyEleven (version 1.5 — they’re now up to version 2.4). Now, I won’t even discuss my contempt for a law firm catering to gazillionaires that uses the free theme that came bundled with WordPress instead of at least springing for a decent premium theme… I mean, seriously? But I digress…

Outdated Plugin

I’m sure that, with WordPress and the theme outdated, most or all of the plugins probably were as well. But let’s focus on one.

It’s a very popular plugin called Slider Revolution. It’s available from Code Canyon, sister site to Theme Forest and both owned by Envato. Security vulnerabilities have been found repeatedly in this plugin.

There’s an article with details here (available to SBI! for WP subscribers) and security company Sucuri has described several of them here.

Wordfence Security (makers of the plugin of the same name) have discovered that Mossack Fonseca was using version 2.17 of Slider Revolution. Versions up to 3.0.95 are “vulnerable to attack and will grant a remote attacker a shell on the web server.”

The current version of Slider Revolution is 5.2.

Wordfence published a theory on what happened:

“A working exploit for the Revolution Slider vulnerability was published on 15 October 2014 on exploit-db which made it widely exploitable by anyone who cared to take the time. A website like which was wide open until a month ago would have been trivially easy to exploit. Attackers frequently create robots to hit URLs.

“Once they establish that the site is vulnerable from the above URL the robot will simply exploit it and log it into a database and the attacker will review their catch at the end of the day. It’s possible that the attacker discovered they had stumbled across a law firm with assets on the same network as the machine they now had access to. They used the WordPress web server to ‘pivot’ into the corporate assets and begin their data exfiltration.”

Other Stupidities

I mentioned “other stupidities” above. These include:

  • No firewall
  • Putting the company’s email server on the same server as the vulnerable website
  • Running a three-year-old version of Drupal (version 7.23) to handle the client portal, with a known, critical  vulnerability that affected every Drupal site running version 7.31 or below, and was so serious it was known as “Drupalgeddon.”

What Should WordPress Site Owners Do to Secure Their Sites?

Let’s be honest, most of us don’t run sites that include client information that’s critical the way Mossack Fonseca’s clients information was. Someone could hack my site and the worst they’d discover is that I like to write late at night.

But that’s not the point.

If a hacker can gain access to sensitive information, he can also do all sorts of nasty things to your site. He can exchange your carefully crafted content for pornography. He can inject malware that will infect your visitors’ computers.

Once he’s in, he can do a lot of damage.

To make your site as secure as possible, follow these steps.

  1. Choose the best web host you can afford. If you can only afford a shared hosting account, that’s ok. It’s where most of us start. But choose one that provides decent security, like those we recommend in this article (updated in March, 2016).
  2. Choose a strong username and password.
  3. Install your own security plugin — you’ll find a number of recommendations here if you’re an SBI! for WP member.
  4. Choose a secure WordPress theme. That means selecting a theme from a reputable designer who pays attention to security — the best ones will hire a firm like Sucuri to audit their code before they release a theme. Here’s an introduction to WordPress themes and frameworks to get you started.
  5. Choose quality plugins.
  6. Maintain and update your site regularly. Let’s go into that in a little more depth.

Maintain and Update Your Site Regularly

This is where Mossack Fonseca fell down, and there’s really no excuse for it.

It’s sort of like housework. It’s boring and repetitive, but it’s simpler when you do it regularly. Let it go, and it’s harder to whip everything into shape when you want to.

So what does housework for your WordPress site look like?

#1. Make regular backups, and don’t store them on the server where WordPress is installed.

You need the backups so you can restore the site if something goes wrong. That includes having a clean backup to use in case you do get hacked.

Decide how often to back up based on how active your site is. If you add one new page or post in a month, and your site traffic is low, a monthly backup is probably ok. If you add content several times a day, or you have a high-traffic site, you should back up at least daily.

Many of the security plugins we recommend will back up your site on a schedule you set. Or install a backup plugin like UpdraftPlus, which will send your scheduled backup to a cloud location like Dropbox, Google Drive or Microsoft OneDrive.

#2. Update WordPress

When you log into your WordPress dashboard, you’ll see a notice when there’s a new version of WordPress available. By default, WordPress automatically applies security updates, but you’ll still need to initiate the updates for major new versions.

When a new version is released, it’s a good idea to wait a few days before updating just in case there are any bugs or issues. SiteSell’s plugin developer, Vinny, likes to wait until they release the first patch after the version release, for example, version 4.5.1 following the release of the 4.5 update.

However, don’t wait for 4.6 before you update to 4.5! You could miss a bunch of security upgrades during that time.

When a WordPress update is available, you’ll see a message at the top of your Dashboard, like the one below. Or click on the Updates link on the left or the corresponding icon in the taskbar at the top to see all available updates.


#3. Update Themes

The best theme developers will make sure their themes are in sync with new WordPress releases, so it’s common for theme upgrades to hit at the same time, or within a day or two, of a new version of WordPress.

When a new version of your theme is available, upgrade right away. If you have an inactive theme, keep that one upgraded as well. (We recommend keeping one basic theme, like TwentySixteen, installed, in case you need it for testing.)

#4. Update Plugins

Plugin updates can be released any time, and especially around a new version of WordPress. Update all your plugins, even the inactive ones. (We don’t recommend leaving inactive plugins installed. If you’re not using a plugin, it’s better to deactivate and uninstall it.)

Keeping plugins up to date can seem like a full-time job sometimes, but it’s important to do it regularly. If you can’t update your plugins right away, at least set up a regular update schedule and stick to it.

It’s also a good idea to stay informed about serious security issues. Follow a site like WPScan Vulnerability Database (from Sucuri) to see the latest security issues with WordPress, themes, and plugins.

#5. Delete Spam Comments

Sometimes comment spam can be more than a nuisance. Use good judgment when dealing with comments, along with a plugin like Akismet, to identify and get rid of spam.

When you follow these best practices for maintaining your WordPress site, you’ll be much safer from these internet bad guys. And much smarter than the law firm for gazillionaires.

Do you want more information like this to help improve your WordPress site? Sign up for our newsletter.

SBI! for WP
Susanna Perkins
Susanna Perkins is a writer who loves WordPress and travel. After several years in the beautiful Republic of Panama, she's back in the US (for now). She teaches non-technical people how to use WordPress, and writes about WordPress, expats and portable careers. Recently she's been working with a small team to create something insanely useful for WordPress users.

Join The Solo Build It! Community

Get the latest in best-practices and advice for your online business. Let each new article be delivered to your Inbox for free.