April 2016 witnessed a massive data leak that sent tremors of shock running down the worlds of journalism, cyber security and corporate services alike. The Panama Papers – by far the largest data leak in the history of Information Technology – account for about 2.6 terabytes of leaked data in the form of 11.5 million confidential documents.These documents – dated as far back as the 70s – offer proof of how the wealthy elite from all over the world enlisted the Panamian corporate services firm Mossack Fonseca to hide their assets and wealth through offshore shell companies to evade tax. Big names include several prominent figures from all walks of society. From Heads of States – the likes of Vladimir Putin – to star football players Lionel Messi and even celebrity actors like Jackie Chan and Amitabh Bacchhan were all implicated in illegitimate uses of offshore companies, foundations and trusts to hide wealth.This infographic by TrackingCourier is great way to sum it all up:
How Did A Leak Of Such Epic Proportions Come To Be?
The leaks originate from an anonymous source who goes by the name of John Doe, who handed over the data to the German newspaper, Süddeutsche Zeitung. But of course, the John Doe in question wouldn’t have happened to just find the data lying around on cyberspace. Forbes was the first to break the story that the server containing the data was hacked, exploiting the vulnerabilities in the an outdated Drupal-portal Mossack Fonseca had set up for public access.
A little more digging by Wordfence revealed that “The MF website runs WordPress and is currently running a version of Revolution Slider that is vulnerable to attack and will grant a remote attacker a shell on the web server.”
The version of Revolution Slider plugin used on their website failed to check authentication in revslider_admin.php/showbiz_admin.php, allowing an unauthenticated attacker to abuse administrative features like:
- Creating/Deleting/Updating sliders
- Importing/exporting slider
A hacker could have easily uploaded a shell to the WordPress site and downloaded the wp-config.php. This particular file is the holy grail of all the information an attacker would need to potentially disrupt service and gain access to the server (the credentials can be found in the mentioned file and is typically present in readable cleartext).
And that is all they needed to virtually own the server and all the data on it.
Given the fact that Mossack Fonseca was hosting both it’s emailing service and the website on the same IP address, gaining access to one was good as hacking the other. Both emails and documents.
In simpler terms? Mossack Fonseca should have known better than to use outdated plugins and CMSes to manage eight figure sums of tax free money.
Could A Security Plugin Have Helped?
Plugins that reinforce security on your WordPress website can only do so much. See, security plugins work in a predictable pattern. They check for vulnerabilities on your website, for any encrypted code in the system that could indicate towards a potential hack. They will alert you once you are actually hacked.
But they won’t prevent your website falling prey to malicious attacks.
How Can Security Breaches Be Prevented?
If your site flows sensitive client data or is home to numerous customer interactions, then make sure following things are being handled properly on your website:
1. Plugins/Theme Active On Your Website
A) Be it a free or premium plugin/theme, if it supports any kind of upload to the server (e.g an image upload), you ought to make sure that the plugin/theme author has taken care of all validations. What kind of validations exactly? Here are a few:
- File extensions eligible for upload.
- Authentication before gaining access to upload.
- If the data is submitted via POST.
- If nonce’s validity is being checked.
- If a limit is set on the file size to be uploaded.
- Checking the file type: There is difference between extension checking and type checking. I can change the extension of text file to ‘jpg’ but that does not make it a valid image file.
B) Premium plugins/themes are hosted on seller’s website. That implies that the updates, if any, are sent from seller’s website. Ask the plugin author if their plugins/themes handle updates appropriately.
C) Ask the plugin/theme author if all kind of ajax requests written in code follow nonce validations.
2. Always update all your softwares to the latest version.
Be it WordPress core, plugins, themes or any other software.
3. Secure your uploads area.
That means make sure that no PHP file uploaded in ‘uploads’ directory get executed. This can be done by adding the following content in .htaccess within the uploads directory.
<FilesMatch "\.(?i:php)$"> <IfModule !mod_authz_core.c> Order allow,deny Deny from all </IfModule> <IfModule mod_authz_core.c> Require all denied </IfModule> </FilesMatch>4. Install a plugin like Hide My WP, so that attackers don’t get to know that you are using WordPress.
5. Use Sucuri Firewall Service which eliminates most of the unwanted requests before they reach your site.
6. Avoid using any of the versions of the Revolution Slider plugin prior to 3.0.95.
WordFence has showed how Revolution Slider plugin is vulnerable for unauthorized file uploads below 3.0.95.
7. And obviously, keep your email server and hosting server separate.
Why Don’t People Update Plugins/Themes Or WordPress?
- For one, it’s just plain old lethargy. I mean, why bother going through the trouble of updating and upgrading the endless number of plugins and the theme on your WordPress when everything’s going just fine, right? WRONG. Things go smoothly right until they don’t. Don’t believe me? Ask Mossack Fonseca.
- When it’s not lethargy, it’s the apprehension. People often live in the fear that updating a plugin or a theme might lead to malfunctioning of other plugins or the theme, leading to a website crash. And they’re not entirely wrong, sometimes that’s exactly the case, and it’s inevitable. But hey, a malfunctioning website is still your own and can be serviced appropriately as compared to having no website at all, thanks to a DoS attack.
- Often is the case that users modify an existing plugin or a theme and customize it to suit their requirements. Such changes to plugins and themes are usually lost while updating your software. In such cases, measures must be taken so as to regularly back up content and the code, and they must be updated at least once a while, if not often, to keep abreast with technology (and anti technology).
A Stitch In Time Saves Ninety Nine
Unless you want your private data strewn all over the Internet (or face an equally horrible scenario), it’s time to put those technical chops to good use and update your WordPress and all the software on it right about now. Seriously, some random evil sociopath with a laptop may just be lurking on the edges of your website security as we speak, waiting for just the right opportunity to break in. You never really know.
Another great option would be to let a professional deal with the technicalities involved in maintaining the security and the smoothness of your website, while you take care of the business end of things, just the business end of things. As you may have already guessed, WisdmLabs specializes in exactly that. What you didn’t know is that we have a killer deal up for grabs on our Website Maintenance Services, make sure you follow this link right here and contact us.
We’ll be happy to help! Stay sharp.