By this time I’m sure everyone in the world has heard about the Panama Papers.
Now, evidence has come to light that a set of WordPress security problems likely enabled the leak.
Here’s what we know.
In late 2013, the popular WordPress plugin Slider Revolution was found to have two serious security vulnerabilities. The first, found in September, enabled an outbreak of the “Soak Soak” malware. The second, identified in late December, caused several larger outbreaks of “WPCache-blogger” malware. Here’s more detail on these, if you want to wade through the technical stuff.
People, this is why plugin developers release security updates.
WordPress Security and You
Shortly after the problems with Slider Revolution were uncovered, the developer issued updates that patched the flaw. If your site wasn’t infected and you updated, you were protected.
Apparently, though, the law firm of Mossack Fonseca ran a WordPress site and didn’t bother keeping it up to date. According to Wordfence Security, maker of the plugin of the same name, the company was running WordPress with version 2.1.7 of Slider Revolution. (The plugin was vulnerable up to version 3.0.95, and the current version is 5.2.)
According to another article, the firm’s version of WordPress was also outdated by nearly 18 months, and it was running a three-year-old theme. Additionally, part of their site runs on a similarly outdated version of Drupal.
The MF law firm made some other dumb mistakes, like putting their public website on the same server as their (unencrypted) email. This is the same website that hosted sensitive customer information, by the way.
Since the hack, the company has apparently put a firewall in place, but it is still running the outdated, vulnerable versions of Slider Revolution, WordPress, the TwentyEleven theme, and Drupal.
What Does This Mean for the Average WordPress User?
The answer is simple: if you’re not updating regularly, you’re missing the simplest way to improve your WordPress site’s security.
“Updates” means updates to WordPress itself, to your theme, and to your plugins.
How Often Should You Update?
There’s no single answer here. Ideally, whenever a new WordPress, theme or plugin version is released. That may not always be practical, but you should have an established schedule, and it should have some relationship to your traffic and how often you add or update content.
Always Back Up Before You Update
Before applying any update, you should completely back up your WordPress site, and store that backup somewhere different from your WordPress server. There are plenty of excellent backup plugins available. Many of them will send your backup to Dropbox, Google Drive, or some other cloud storage. Or you can download it to your computer. See this article for more detail on backups.
Update in this Order
You may not always need to update everything, but when you do, it should be in this order:
I recommend always keeping one of the basic WordPress themes installed, like TwentySixteen, along with whatever theme you’re actually using. It’s important to keep even an inactive theme up to date.
As to plugins, if you’re not using a plugin, you should deactivate and uninstall it. However, if you do keep inactive plugins, make sure you update them whenever an update becomes available.
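One way to check a site for the exact situation described above, as an added example that is not part of the original post: a small POSIX shell script that reads the Version header of every plugin directory on disk (so inactive plugins are covered too) and flags a Slider Revolution copy at or below 3.0.95. The directory name revslider is an assumption, the version comparison handles numeric parts only, and the plugins directory it scans is a constructed fixture mirroring the 2.1.7 install the post describes.

```shell
#!/bin/sh
# Inventory every plugin directory of a WordPress install (inactive ones too,
# since their files are still on disk) and flag a Slider Revolution copy at or
# below 3.0.95, the last release the post names as vulnerable.
VULN_SLUG=revslider        # assumed directory name of the Slider Revolution plugin
LAST_VULN_VERSION=3.0.95   # from the post: vulnerable up to and including 3.0.95

# Print the "Version:" header of the plugin living in directory $1.
plugin_version() {
    grep -h -m1 -E '^[[:space:]]*\**[[:space:]]*Version:' "$1"/*.php 2>/dev/null |
        head -n1 | sed -E 's/^.*Version:[[:space:]]*//; s/[[:space:]]*$//'
}

# Succeed when dotted version $1 <= $2 (numeric parts only; suffixes such as
# "-beta" are not handled).
version_le() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "$a" = "$x" ] && a= || a=${a#*.}
        [ "$b" = "$y" ] && b= || b=${b#*.}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
    done
    return 0
}

# Print one line per plugin under $1 (wp-content/plugins); exit 1 if a
# vulnerable Slider Revolution is present.
audit_plugins() {
    rc=0
    for dir in "$1"/*/; do
        slug=$(basename "$dir"); ver=$(plugin_version "$dir"); verdict=ok
        if [ "$slug" = "$VULN_SLUG" ] && version_le "${ver:-0}" "$LAST_VULN_VERSION"; then
            verdict="VULNERABLE: update past $LAST_VULN_VERSION"; rc=1
        fi
        printf '%-16s %-8s %s\n' "$slug" "${ver:-unknown}" "$verdict"
    done
    return $rc
}

# Constructed fixture: the 2.1.7 Slider Revolution the post describes beside a
# hypothetical up-to-date plugin. Prints the plugins directory it created.
make_fixture() {
    root=$(mktemp -d); mkdir -p "$root/revslider" "$root/example-plugin"
    printf '<?php\n/*\nPlugin Name: Slider Revolution\nVersion: 2.1.7\n*/\n' >"$root/revslider/revslider.php"
    printf '<?php\n/**\n * Plugin Name: Example\n * Version: 1.0\n */\n' >"$root/example-plugin/example.php"
    echo "$root"
}
audit_plugins "$(make_fixture)" || echo "At least one plugin needs updating."
```

Point `audit_plugins` at a real wp-content/plugins directory to run it against a live install; a non-zero exit status means an update is overdue.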
If that seems like too much work, consider a Monthly Maintenance package. I’ll take care of the backups and the updates. Normal updates will be on a regular schedule, and when something unexpected occurs, as when a big plugin vulnerability comes to light, I’ll jump on it right away.
Whether you think that leaking the Panama Papers was justifiable or not, I’m sure you don’t want your site to be equally vulnerable…