Panama Papers and WordPress updates


Sometimes is hard to keep up with updating your website, but when you are covering your clients illicit money transfers into off-shore accounts, maybe you should be a bit more concerned with security.

Allegedly, a WordPress security breach was used by the hacker that got his hands on the leaked "Panama Papers" documents. Based on a blog post by a Wordfence security analyst an outdated revolution slider plugin was the entry point of the attack. The website is build using a modified twentyten WordPress theme and it makes use of an outdated version of revslider (2.0.17) which is vulnerable to an exploit discovered in 2014. Although the exploit is extremely old the plugin was not updated. All versions under 3.0.95 are vulnerable to the exploit, even if your WordPress version is updated:

The vulnerability allows a 3rd party to run an AJAX request via the plugin code that only privileged users should be allowed, thus providing a way to create files on the target server.

But then how could any sensitive data be accessed through an WordPress website. Well, this is where another mistake was done. First they offer an interface in the website for clients to access their documents and further more their entire email system is on the same network as the web server with no firewall, until a month ago when one was put in place. This is currently just a theory though, but still a very big possibility.

So if you don't want your own "Panama Papers" case, even if you are covering something up or not (although, please don't), always secure your platform with the latest updates for your plugins, use a security plugin like Wordfence, setup your firewall rules and allow opened ports only for known services which are actively listening on those ports. Also check your plugin sources and make sure they don't open up security breaches and follow with blogs as new exploits are always discovered.

If you are a WordPress developer:

  • always secure your code especially if it provides file creation or upload features;
  • verify current user credentials before giving access to those features, especially, if you can save files with an exec attribute (eg. use current_user_can('manage_options') for admin users);
  • don't save files with exec permissions unless absolutely necessary, read should be enough for most use cases;
  • do cleanup after your plugin on deactivation as your security measures might not be catered to when the plugin is inactive.

If you are a website admin you should also:

  • disable editors ( define( 'DISALLOW_FILE_EDIT', true ); in wp-config.php)
  • leave any site builder plugin inactive (drag&drop page editors) for the time they are not being used as they most commonly present security vulnerabilities
  • AGAIN: update your plugins and your platform's core as often as possible, and under developer supervision, if you are not tech savvy
  • AGAIN: use plugins from secure sources and make sure your developers are following development guidelines.
  • if you handle sensitive information secure your connections using at least SSLv3
  • make sure your hosting is secured and ask about open ports and firewall rules.

I don't know if Panama Papers was a good thing or not, but your website should always be secured.

Image source:


Leave a Reply

Your email address will not be published. Required fields are marked *