From The Architect

WordPress and the Panama Papers Breach

The Panama Papers breach is a prime example of the importance of regularly updating the WordPress platform.

What is WordPress?

The Good

WordPress is a free and open-source content management system (CMS) written in PHP and based on MySQL. It excels as a blogging platform, but can also function as a generic website that allows non-technical users to make updates without requiring any knowledge of HTML.

WordPress supports themes, which allow a website to assume different appearances without having to alter the content of the site. It also supports a plugin architecture capable of extending a website’s features, having over 40,000 plugins available.

WordPress is used by more than 23.3% of the top 10 million websites. WordPress is the most popular blogging system in use on the Web, at more than 60 million websites.

The Bad

The sheer popularity of WordPress makes it an obvious target of attack by malicious individuals or groups. Sometimes the target of attack is the WordPress server itself (and perhaps its data). Other times, penetrating a WordPress site only serves to make a deeper penetration of another system more feasible. Any access to a company’s network can be “upgraded” to something more privileged, with more potential for damage.

To make matters worse, once a WordPress site is compromised it can then serve malicious data to clients visiting the website.

The clients could be anonymous users (somewhat useful) or authors requiring authentication (most useful). The purpose of the malicious data is to break through the security sandbox of the visiting user’s web browser. To take a popular example, a specially crafted Adobe Flash file can crash the web browser’s Flash Player (with something like a buffer overflow) and force it to run a program with Administrator privileges. The program typically installs other programs (like a rootkit) that serve to provide easy and total access for a remote attacker. At this stage your computer is probably performing illegal tasks for groups with shady business models.

Once the web client is compromised, an attacker can steal the victim’s login cookies and use them to impersonate the user on the attacked site (or others, depending on how the web client is breached).

It’s worth repeating that having an old and insecure web server can eventually expose the private data of the website’s users to unsavory parties.

Mossack Fonseca’s Website

WordPress Tavern Editor Sarah Gooding reported that the firm’s website was running on WordPress 4.1 (released in December 2014). Since December 2014 there have been at least seven critical security issues reported (and subsequently fixed) by the WordPress and plugin developers:

  • Cross-site scripting (XSS) vulnerability, which could enable anonymous users to compromise a site (affecting 4.1.1 and earlier).
  • Various plugins vulnerable to a SQL injection attack (affecting 4.1 and later).
  • XSS vulnerability, which could enable commenters to compromise a site (affecting 4.2 and earlier).
  • SQL injection vulnerability in the wp_untrash_post_comments function (affecting 4.2.4 and earlier).
  • XSS vulnerability when processing shortcode tags (affecting 4.3 and earlier).
  • XSS vulnerability in the user list table (affecting 4.3 and earlier).
  • Possible Server-Side Request Forgery (SSRF) for certain local URIs; open redirection attack (affecting 4.4.1 and earlier).

By the way, we’re only focusing on WordPress! It was reported that Mossack Fonseca ran a separate customer portal website written in Drupal, which is also a content management system like WordPress. The installed version of Drupal was 7.23, released in August of 2013. If we analyzed each security issue that has been discovered and subsequently fixed since, we would have another list of possible attack vectors like our list above for WordPress 4.1.

Any of these methods could have been used by an attacker against the Mossack Fonseca website. Once access is obtained, further access to sensitive information becomes much easier. Even more sinister is the fact that once the server is compromised, the next target is visiting clients.

If Mossack Fonseca had implemented better security standards, we would still be unaware of this massive tax avoidance racket. Perhaps we’re fortunate they did not take themselves too seriously.


The best way to prevent successful attacks against WordPress is to keep the platform updated. Keeping the platform updated means updating WordPress (Core), all installed plugins, and all installed themes (even if the theme is not being used; there have been attacks against inactive themes in the past).
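
One way to check all three at once, as an added example that is not part of the original article: a shell script that uses WP-CLI to list pending updates for Core, plugins and themes, and reports inactive themes and plugins as well. It assumes WP-CLI (`wp`) is installed; the script name and site path are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the article): report pending updates for one install.
# Assumes WP-CLI ("wp") is on PATH; script name and site path are hypothetical.

# Reads CSV from `wp plugin list` / `wp theme list` on stdin
# (columns: name,status,update,version) and prints one line per item with a
# pending update. Status is shown but never filtered on, so inactive items
# are reported as well.
pending_updates() {
  awk -F, -v kind="$1" '
    NR > 1 && $3 == "available" {
      printf "%s %s %s (%s): update pending\n", kind, $1, $4, $2
    }'
}

# Audits core, plugins and themes of the install at $1.
# Returns 0 if everything is current, 1 if anything is behind, 2 if wp failed.
audit_site() {
  local path="$1" core plugins themes findings
  core="$(wp --quiet --path="$path" core check-update \
            --fields=version --format=csv)" || return 2
  plugins="$(wp --quiet --path="$path" plugin list \
            --fields=name,status,update,version --format=csv)" || return 2
  themes="$(wp --quiet --path="$path" theme list \
            --fields=name,status,update,version --format=csv)" || return 2
  findings="$(
    printf '%s\n' "$core" | awk 'NR > 1 { print "core: release " $1 " available" }'
    printf '%s\n' "$plugins" | pending_updates plugin
    printf '%s\n' "$themes" | pending_updates theme
  )"
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}

# Usage: ./wp-update-audit.sh audit /path/to/wordpress
if [ "${1:-}" = "audit" ]; then
  audit_site "${2:-.}"
fi
```

The non-zero exit status when anything is behind lets a scheduled job or monitoring check raise an alert.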

The good news here is that WordPress contains convenient mechanisms for keeping it updated. WordPress has the ability to update itself (Core), installed themes and plugins. The way to do this is described in the document Configuring Automatic Background Updates on

But this isn’t necessarily the end of the story. Many companies are using WordPress to manage their website in a way that makes it difficult to perform updates without affecting the website’s layout. This can happen if formatting tags are included in the WordPress content, breaking a theme’s ability to format data properly and leading to obvious visual problems after an upgrade. Attention to the content being added to WordPress is also required if data security is an important issue.
