If your website is a WordPress website, a “Panama Papers”-style hack could happen to you
Everybody suspected that the richest and most devious had secret off-shore accounts, but it was only with the release of the “Panama Papers” that suspicions were confirmed. Since the release, the focus has been on the names associated with the accounts and the ensuing dramatic falls from power, like Iceland’s prime minister. But how did the hack happen? Because the website was built on WordPress and people tend to not keep their sites up-to-date. To prevent a similar hack of your website, you need to understand how WordPress works.
How WordPress Works
If you’re concerned about infection, it’s important to understand a little biology. At the most basic level, a webpage is a text document on a computer called a server. To make a webpage interesting, coding language is used to create visual layouts and pull together other hosted files. Making updates requires the ability to write that language. Or you could instead use a content management system, like WordPress.
WordPress chunks out the parts of a webpage into a database and then allows the user to manage the content in particular parts of the database. With a content management system like this, editing a page becomes a lot like adding a post to Facebook. A WordPress theme interacts with the database, interprets it, writes new sections and creates a visual output, the webpage. WordPress plugins are pieces of software that create additional functionality in the interaction between the database and the theme.
In terms of a house, WordPress represents a common set of raw materials like 2x4s, sheet rock, and copper wiring. The Theme is the design of the house and blueprint for further expansion. The Plugins are customization options, like remote switches for lights or a complex irrigation system that measures the UV index, rainfall, soil moisture and waters accordingly. And the plot of land it sits upon is the server.
Vulnerable at every level
If you are running a WordPress site, at each of those levels you are vulnerable. Hackers, like thieves casing a house, learn to identify the weak points at each level and exploit them. And so do security researchers and software developers. It is a constant race to see which side will find the weak link. It is a constant race that never finishes because nothing is static.
People want bigger and better things, so more functionality is added to each level of a WordPress site. Better data handling, better layouts, more interaction; this constant development invites the possibility that a chink in the armor will develop between the layers and a hacker may find a way to exploit it. This is what happened with the “Panama Papers” hack.
How the “Panama Papers” Hack Occurred. Probably.
We use Wordfence to assist our security. According to them, the law firm had a public-facing WordPress website running an out-of-date plugin called Revolution Slider. This plugin is very popular; it creates display sliders with a variety of animation options. Very attractive, but also very complex, which breeds opportunity for something to go wrong. The out-of-date plugin allowed a hacker to upload a bit of code, called a script, directly into the database. In turn, that automated script ran code that allowed the hacker access to the database.
The database contains all sorts of sensitive information related to the management of the website as well as the interaction with the host server. A script could be written to do any number of things, like scan the database for passwords. In the case of the “Panama Papers,” they used a plugin that allowed the website to send email messages from their mail server. This required a password to be stored in the database. The hacker probably gained access to the mail server after exploiting the out-of-date plugin, then they downloaded the mail server and all client communications within. Most likely the law firm used email to transmit statements as well as passwords to their client portal where more records were stored. This is how a single hack of a single plugin can grow into massive data breaches across multiple systems.
Keeping Clients Safe
We employ a number of tactics to keep our websites safe, including keeping everything up-to-date. And that’s trickier than pressing a button. A major update to one layer may have unintended consequences on the other layers: a plugin may stop working if the theme is updated, a theme’s layout may break because of an updated plugin, and the whole thing may go down if a new version of WordPress is incompatible with the theme or plugins. It takes careful maintenance and personal supervision.
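One way to turn that maintenance into a repeatable check, as an added example that is not part of the original post or of any WordPress tooling: the Python below triages the output of `wp plugin list --fields=name,status,update,version,update_version --format=json` (WP-CLI). The plugin names, version numbers and the P1/P2 priority scheme are constructed for illustration.

```python
import json

# Constructed sample in the shape of WP-CLI's JSON plugin list.
# Plugin names and versions are made up for this example.
SAMPLE_WP_CLI_JSON = """
[
  {"name": "example-slider", "status": "active", "update": "available", "version": "3.0.1", "update_version": "6.2.0"},
  {"name": "example-smtp", "status": "active", "update": "none", "version": "2.4.0", "update_version": ""},
  {"name": "example-gallery", "status": "inactive", "update": "available", "version": "1.1.0", "update_version": "1.1.3"},
  {"name": "example-forms", "status": "active", "update": "available", "version": "5.8.2", "update_version": "5.8.3"}
]
"""

def parse_version(text):
    """Turn '3.0.1' into (3, 0, 1); non-numeric parts count as 0."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def classify(plugin):
    """Return (priority, reason) for one plugin row, or None if up to date."""
    if plugin.get("update") != "available":
        return None
    current = parse_version(plugin.get("version") or "0")
    latest = parse_version(plugin.get("update_version") or "0")
    if plugin.get("status") == "inactive":
        # Deactivated plugins still leave their PHP files on the server.
        return (2, "inactive but installed: update or delete")
    if latest[0] > current[0]:
        # A major jump is where theme/plugin incompatibilities tend to appear.
        return (1, "active, major version behind: test on staging, then update")
    return (1, "active, minor update: apply promptly")

def audit(wp_cli_json):
    """Return outdated plugins as (priority, name, reason), sorted."""
    findings = []
    for plugin in json.loads(wp_cli_json):
        result = classify(plugin)
        if result:
            findings.append((result[0], plugin["name"], result[1]))
    return sorted(findings)

if __name__ == "__main__":
    for priority, name, reason in audit(SAMPLE_WP_CLI_JSON):
        print(f"P{priority} {name}: {reason}")
```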
If you are a plastic surgery practice concerned about your website security, feel free to give us a call.