The ‘Panama Papers’ hack has done web developers everywhere a great service.
Mossack Fonseca provided a live demonstration of what can happen when businesses ignore the most fundamental and widely advertised web security advice: keep your site software up to date.
Security experts have linked the so-called ‘Panama Papers’ hack to outdated WordPress and Drupal software.
Whether you’re entertained or infuriated by this unfolding story, its interest for many centres around the open source software used on the websites in question.
Security breaches, hacks and big leaks are not uncommon these days. But this one is making history with its size and impact.
The victims have already started to fall. No doubt there will be a good number to follow.
As one commentator so aptly put it:
“It turns out that not updating your WordPress plugins may result in the fall of world leaders and the largest data breach to journalists in history.”
The Panamanian law firm at the centre of this storm, Mossack Fonseca, used both WordPress and Drupal software. Their WordPress site was running a version of a plugin known to have vulnerabilities that gave an attacker access to the web server.
The well-known plugin vulnerability had been fixed in subsequent versions. Those updates had not been applied. Similar vulnerabilities were exploited in their Drupal website.
WordPress and Drupal are both open source content management systems that between them power almost one third of websites on the internet. WordPress is used by major newspapers, top 100 sites and tens of thousands of businesses around the globe.
Is there a security problem with WordPress? No. The core WordPress program is sound, regularly monitored and updated. The problem lies with the thousands of plugins and themes available from a huge variety of sources that anyone can install on their WordPress site.
It comes down to knowing who to trust and keeping those carefully chosen themes and plugins updated.
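As an added example (not from the original post), here is a small shell check of the kind a site owner could run routinely: it parses the CSV that WP-CLI prints for `wp plugin list --fields=name,status,version,update,update_version --format=csv` and lists every plugin with a newer release available. The plugin names and versions below are constructed sample data, not Mossack Fonseca’s; inactive plugins are reported too, because their code still sits on the server even when they are switched off.

```shell
#!/bin/sh
# Constructed sample output, standing in for:
#   wp plugin list --fields=name,status,version,update,update_version --format=csv
# (plugin names and versions are made up for this example)
SAMPLE_PLUGIN_LIST='name,status,version,update,update_version
example-antispam,active,4.1.1,none,
example-slider,active,4.6.5,available,5.4.8
example-contact-form,inactive,5.0.1,available,5.1.3'

# Print one line per plugin that has an update pending:
#   <name> <installed version> -> <available version>
# Field 4 is WP-CLI's update column ("none" or "available").
outdated_plugins() {
  printf '%s\n' "$1" | awk -F, 'NR > 1 && $4 == "available" {
    print $1, $3, "->", $5
  }'
}

# Same check restricted to inactive plugins, which are easy to forget
# but whose files remain reachable on the web server.
inactive_outdated_plugins() {
  printf '%s\n' "$1" | awk -F, 'NR > 1 && $2 == "inactive" && $4 == "available" {
    print $1, $3, "->", $5
  }'
}

# Number of plugins with a pending update; useful as a pass/fail signal
# for a cron job or monitoring check (0 means everything is current).
count_outdated() {
  outdated_plugins "$1" | wc -l | tr -d ' '
}

# Stand-alone usage against the constructed sample; on a live site
# replace SAMPLE_PLUGIN_LIST with the real WP-CLI output.
main() {
  echo "Plugins with updates available:"
  outdated_plugins "$SAMPLE_PLUGIN_LIST"
  echo "Total outdated: $(count_outdated "$SAMPLE_PLUGIN_LIST")"
}
```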
Right now, websites are being hacked and exploited. All sorts of sites, everywhere. And amazingly, despite what we all see and know, a hack like the Panama Papers will happen again.
It’s a statistical reality sustained by human nature and old-fashioned ignorance.
“It will never happen to me.”
“Why would anyone bother to hack my site, it has nothing of importance?”
“My website is not as important as my actual business.”
Online security is more of a human problem than a software problem. Some people will continue to click on links with unlikely promises of wealth and happiness. Some people will continue to run websites with major security problems.
Sarah Gooding of WordPress Tavern summed it up nicely:
This leak is not a measure of open source software’s reliability but rather underscores how low a priority some companies place on their tech departments and web security. With the rampant software vulnerabilities in this age, not updating software for years constitutes abject neglect of customers.
The bottom line is that software needs to be updated. This kind of routine maintenance is as foundational to a company’s business as brushing teeth or showering is for one’s health. Law firms and companies with such a lax approach to security are either ignorant or unwilling to spend the money to maintain technology that they don’t fully understand. The Panama Papers serve as a reminder that having a competent, skilled tech department is critical for any company that deals in sensitive information.
Attackers use automated bots to scour the interwebs for any sites with outdated, vulnerable software. So mostly, it’s not humans trying to break into your site – but automated programs.
Sadly, if your site gets compromised, it will be punished by the all-seeing Google. Google doesn’t like hacked sites because people don’t like hacked sites. And as those who have had a site compromised will tell you, sometimes there is no coming back from a major breach.
There’s one big takeaway from the Panama Papers – how much is your brand worth?
The second point is – act now. If you’re not sure that everything that can be done is being done to secure your online assets, find out now.