
Mossack Fonseca trusted WordPress

An incredibly large number of WordPress sites make up a large part of the web. From hobby blogs to code boutiques to enterprise sites, everyone is running their own copy of this popular Open Source blogging platform turned Content Management System.

The problem with WordPress is not that it’s inherently insecure; it’s that it has become so popular that it is a tempting target for attackers. The codebase, dating from the early 2000s, does not help. Neither do the thousands of amateur-level plugins people blindly install to add the functionality they want to their site.

This issue has been largely ignored by many audiences, even when their site keeps showing all kinds of “skulls and crossbones” warnings in the admin panel every once in a while. If you’re running a marketing site, it may seem like a reasonable compromise to accept for a free Open Source product and a cheap custom implementation, with nonexistent maintenance.

But WordPress and similar tools are now widely employed in all kinds of environments. Usually the hacks don’t cause much damage to individual site owners, as it is far more beneficial for attackers to use the compromised sites for Distributed Denial of Service (DDoS) attacks than to deface them.

In some cases such a vulnerable WordPress installation can lead to massive information breaches. This seems to be the case for Mossack Fonseca, the company that suffered the largest information leak in history:

Maunder said his team assessed Mossack Fonseca’s IP history and discovered that the firm’s website IP was on the same network as its mail servers. The law firm’s website was wide open until a month ago and would have been “trivially easy” to exploit, he wrote on Wordfence.com, in a security update.
Source: Pros examine Mossack Fonseca breach: WordPress plugin, Drupal likely suspects

In this case tax evasion information was the juicy bit of information that leaked out. But imagine: if hackers can attack such an organisation, what’s stopping them from using an insecure installation at one of the establishments you trust with your private data, such as medical records?

Not long ago Ashley Madison, a dating site, for example leaked large amounts of information that was very sensitive and harmful to many individuals. The minimum you should do in the future when deploying WordPress is to understand the dangers of blindly collecting plugins and leaving your WordPress installation unmaintained.
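One concrete way to act on that advice is to keep an inventory of what is actually installed and flag anything unknown or behind its latest release. The script below is an added example, not code from the original post or from WordPress itself: it walks a wp-content/plugins tree, reads the standard plugin header block (the "Plugin Name:" and "Version:" lines WordPress uses), and classifies each plugin as current, outdated or unknown against a reference list. The sample plugin files and the LATEST_KNOWN table are constructed for the example; in a real deployment you would populate the reference from the WordPress.org plugin directory or from WP-CLI output.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample plugin files (assumption: they mimic the real WordPress
# plugin header block, which is a comment at the top of the main plugin file).
SAMPLE_PLUGINS = {
    "hello-dolly/hello.php": "<?php\n/*\nPlugin Name: Hello Dolly\nVersion: 1.6\n*/\n",
    "contact-form-x/contact-form-x.php": (
        "<?php\n/**\n * Plugin Name: Contact Form X\n * Version: 2.3.1\n */\n"
    ),
    "mystery-widget/widget.php": "<?php\n/*\nPlugin Name: Mystery Widget\nVersion: 0.9\n*/\n",
}

# Constructed reference of the newest known release per plugin (assumption).
# A plugin missing from this table is reported as "unknown", which is exactly
# the kind of blindly collected plugin the post warns about.
LATEST_KNOWN = {
    "Hello Dolly": "1.6",
    "Contact Form X": "2.4.0",
}

# Matches "Plugin Name: ..." / "Version: ..." whether or not the comment line
# starts with a leading "*" (both styles appear in real plugins).
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)


def parse_plugin_header(text):
    """Return the Plugin Name / Version fields from a plugin file's header comment."""
    found = {}
    # WordPress itself only inspects the first 8 KiB of the file for headers.
    for key, value in HEADER_RE.findall(text[:8192]):
        found.setdefault(key, value)
    return found


def version_tuple(version):
    """Turn '2.3.1' into (2, 3, 1) so versions compare numerically, not lexically."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", version))


def audit_plugins(plugins_dir, latest_known):
    """Inventory every plugin directory and classify it as current/outdated/unknown."""
    report = {}
    for plugin_dir in sorted(Path(plugins_dir).iterdir()):
        if not plugin_dir.is_dir():
            continue
        for php in sorted(plugin_dir.glob("*.php")):
            header = parse_plugin_header(php.read_text(errors="replace"))
            if "Plugin Name" not in header:
                continue  # not the main plugin file
            name = header["Plugin Name"]
            version = header.get("Version", "0")
            if name not in latest_known:
                status = "unknown"
            elif version_tuple(version) < version_tuple(latest_known[name]):
                status = "outdated"
            else:
                status = "current"
            report[name] = (version, status)
            break
    return report


def build_sample_tree():
    """Write the constructed sample plugins into a temporary wp-content/plugins tree."""
    root = Path(tempfile.mkdtemp()) / "wp-content" / "plugins"
    for rel, content in SAMPLE_PLUGINS.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for name, (version, status) in audit_plugins(root, LATEST_KNOWN).items():
        print(f"{status:8} {name} {version}")
```

Running it against the constructed tree reports Hello Dolly as current, Contact Form X as outdated and Mystery Widget as unknown. Pointing audit_plugins at a real wp-content/plugins directory (and a reference table you maintain) turns the post's advice into a repeatable check you can run before and after every deployment.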
