How Bad WordPress Security May Have Caused The Panama Papers Scandal

When I first heard about the ‘Panama Papers,’ where there was a major cyber attack against Panama-based law firm Mossack Fonseca, I was convinced this was just another high-profile leak of information that had absolutely nothing to do with me, my clients, or my business.

Boy… was I wrong.

By the time this post was written, nearly two weeks after the leaks went public, authorities still hadn’t figured out exactly who the hackers were or exactly where they got the information. But one thing is certain: Mossack Fonseca has a WordPress-based website… and they absolutely did not properly manage its security.

The folks over at WP Tavern wrote a detailed post with some revealing research on the lack of security of Mossack Fonseca’s website. You can read their post here.

Wordfence, a premier WordPress security plugin, also wrote two posts concerning the attacks, which you can read here and here.

I have recapped the 6 most important takeaways from these posts, and from the Panama Papers cyber leak in general.

If you are a small business, and you have a WordPress-based website, you cannot take this stuff seriously enough. Believe me.

1. Infrequent WordPress core updates

Forbes reported that the Mossack Fonseca website was running on a version of WordPress that was three months old. Now, that may not seem like a long time to you, but in the world of cyber security, three months is a lifetime of possibilities. The WordPress core is updated at least once a month, and if you look at their release notes, most of those updates specifically target vulnerabilities. Well, guess who reads those vulnerabilities and takes advantage of them?!

WPTavern went further than Forbes, pointing out that the version of WordPress that they were running was actually more than a year old, and a specific version that had known major security flaws.

2. Infrequent Plugin updates

As Wordfence reported in their blog post, the Mossack Fonseca WordPress website was running version 2.1.7 (at time of writing) of the Revolution Slider plugin, which has a widely known security vulnerability. They believe that the hackers could have easily exploited this known vulnerability to literally “jump” from their WordPress site to their unsecured email host.

If you do not update your WordPress core, themes, and plugins on a regular basis, you are exposing your website and data to the same vulnerabilities as Mossack Fonseca and risking your own Panama Papers cyber leak.
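One way to check points 1 and 2 on your own server is to read the installed versions straight from disk and compare them with a minimum-version policy. This is an added example, not code from WP Tavern, Wordfence, or the original post; the sample site, the "example-forms" plugin, the core version, and every minimum in POLICY are constructed placeholders.

```python
import re
import tempfile
from pathlib import Path

CORE_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(\S.*?)[ \t]*$", re.M)

def vtuple(version):
    """'2.1.7' -> (2, 1, 7, 0); pre-release suffixes such as '-beta1' are ignored."""
    nums = [int(n) for n in re.findall(r"\d+", version.split("-")[0])][:4]
    return tuple(nums + [0] * (4 - len(nums)))

def core_version(root):
    match = CORE_RE.search((Path(root) / "wp-includes/version.php").read_text(errors="replace"))
    return match.group(1) if match else None

def plugin_versions(root):
    """Map plugin directory name -> Version header of its main PHP file."""
    found = {}
    for php in sorted(Path(root).glob("wp-content/plugins/*/*.php")):
        head = dict(HEADER_RE.findall(php.read_text(errors="replace")[:8192]))
        if "Plugin Name" in head:
            found[php.parent.name] = head.get("Version", "0")
    return found

def audit(root, minimums):
    """Return sorted (component, installed, required) for entries below policy."""
    installed = {"core": core_version(root) or "0", **plugin_versions(root)}
    return sorted((name, have, minimums[name]) for name, have in installed.items()
                  if name in minimums and vtuple(have) < vtuple(minimums[name]))

def build_sample_site():
    """Constructed WordPress tree for the demo; only 2.1.7 comes from the article."""
    root = Path(tempfile.mkdtemp())
    (root / "wp-includes").mkdir()
    (root / "wp-includes/version.php").write_text("<?php\n$wp_version = '1.0.0';\n")
    for slug, name, ver in [("revslider", "Revolution Slider", "2.1.7"),
                            ("example-forms", "Example Forms", "5.2")]:
        folder = root / "wp-content/plugins" / slug
        folder.mkdir(parents=True)
        header = f"<?php\n/*\n * Plugin Name: {name}\n * Version: {ver}\n */\n"
        (folder / f"{slug}.php").write_text(header)
    return root

# Placeholder minimums, not real release numbers: take yours from vendor advisories.
POLICY = {"core": "99.0.0", "revslider": "99.0.0", "example-forms": "5.0"}

if __name__ == "__main__":
    for name, have, need in audit(build_sample_site(), POLICY):
        print(f"OUTDATED {name}: installed {have}, policy requires >= {need}")
```

Point audit() at your real WordPress directory and run it on a schedule; anything it returns is a component that has fallen behind the versions you decided were acceptable.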

3. Misleading Security Measures

Perhaps the most frustrating aspect of this attack for the clients of Mossack Fonseca is that they were under the assumption that their data WAS secure. According to an article in Wired UK, their website claimed that it provides a “secure online account” allowing customers to access “corporate information anywhere and everywhere”. Further on in that article, Professor Alan Woodward, a computer security expert from Surrey University, said that their website seemed “horribly” out of date. He continued to say, “They seem to have been caught in a time warp. If I were a client of theirs I’d be very concerned that they were communicating using such outdated technology.”

Make sure you know that your vendors and partners have proper security standards on their websites and systems, especially if they hold any of your data on their systems.

4. Host Your Website Separate from Your Data

If you host your domain, website, and email all at the same place, you may be increasing your chances for vulnerabilities. Panama Papers may have been avoidable if Mossack Fonseca’s email server wasn’t hosted in the same place as their website. According to the Wordfence article above, it is very likely that the hackers exploited the vulnerability of one of the plugins, then used that to literally “jump over” to the email server to scrape the email data.

Here at Smart Web Ninja, we always recommend our clients host their website separate from where they host their domains. And, for too many reasons to include in this article, we highly recommend investing in a proper business-class email solution that has many of the security features built-in that could prevent a cyber leak like Panama Papers. Solutions such as Google Apps for Work or Office 365 are well worth the investment, usually costing no more than $5 per user per month.

5. Don’t Use Your WordPress Site as a Database for Client Information

One of the plugins that Mossack Fonseca used on their WordPress based website is an email plugin that stored the credentials of their email server in a plain text file. As described above, once a hacker gets into your website it only takes a little bit of snooping for them to find credentials, user data, or other sensitive information which they can then exploit.

If you are using any type of plugin or web form to gather any kind of information from website users, make sure you are capturing and storing that information in a secure and encrypted location.
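To find out whether your own site has the problem described in point 5, you can scan the web root for files that hold credentials in plain text and note which of them any account on the server can read. This is an added example, not code from the original post or from any plugin; the "example-mailer" plugin, the file names, and the values are constructed, and the key-name pattern is an assumption you should extend for the plugins you run.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Key names that usually hold a secret; extend the list for the plugins you run.
SECRET_KEY = re.compile(
    r"""^\s*['"$]?(\w*(?:pass(?:word|wd)?|secret|api_?key)\w*)['"]?"""
    r"""\s*(?:=>|=|:)\s*['"]?([^'";,\s]+)""", re.I)
TEXT_SUFFIXES = {".txt", ".ini", ".conf", ".cfg", ".json", ".php", ".log"}

def scan(root):
    """Return (path, line number, key name, world_readable); values are never returned."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        world = bool(path.stat().st_mode & stat.S_IROTH)
        lines = path.read_text(errors="replace").splitlines()
        for number, line in enumerate(lines, 1):
            match = SECRET_KEY.match(line)
            if match:
                rel = path.relative_to(root).as_posix()
                hits.append((rel, number, match.group(1), world))
    return hits

def build_sample_site():
    """Constructed files for the demo; names and values are not from a real site."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "wp-content/plugins/example-mailer/settings.ini":
            ("host = mail.example.test\nuser = web\nsmtp_password = constructed-value\n", 0o644),
        "wp-content/uploads/backup.json":
            ('{\n  "mail_password": "constructed-value"\n}\n', 0o600),
        "wp-content/plugins/example-mailer/readme.txt":
            ("Example Mailer sends site mail.\n", 0o644),
    }
    for rel, (text, mode) in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text)
        os.chmod(target, mode)
    return root

if __name__ == "__main__":
    for rel, number, key, world in scan(build_sample_site()):
        exposure = "world-readable" if world else "owner-only"
        print(f"{rel}:{number}: plaintext {key} ({exposure})")
```

Every hit is a credential to move out of the web root or into an encrypted store; hits marked world-readable also tie into point 6, because the file's permissions give more access than the site needs.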

6. Enforce the Principle of Least Privilege

The Principle of Least Privilege suggests that in a particular abstraction layer of a computing environment, every module (such as a process, a user, or a program, depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose.


Basically, if a particular user doesn’t need access to a specific function or area of your website (or network), don’t give them that access!

Take Your Website Security Seriously!

If you think these types of cyber attacks only happen to high profile businesses, think again. I’ve known a number of small business WordPress based websites that were hacked. One site was for a non-profit, and barely had a few dozen visitors per month. What was the cause? Poor WordPress security. They didn’t take care of their website.

Please make sure to take care of your website. If assistance is required, you can check out our WordPress Care Plans that ensure your website stays up-to-date and secure.