At this point everyone has heard about #PanamaPapers, the scandal that involved the Mossack Fonseca law firm in the biggest data leak in history. While it is still unclear whether the leak was perpetrated by outside hackers or was an inside job, many security experts have already exposed security flaws and possible hacks that could have helped to obtain the data.
WordFence security experts revealed that the outdated WordPress site was also running an old, vulnerable version of Revolution Slider, making it fairly easy to upload a malicious file and gain privileges on the server, as demonstrated in the following video:
Once they gained access to the server they had access to the database credentials. A simple look into the database also showed that the site was running the WP SMTP plugin, which stores email credentials in plain text, making access to the email account easy. How much further an intruder can go depends on how these database and email users were configured. It is not the first time I have seen the root database user used as the db user for a WP site. The possibilities are endless.
Along with all this, the corporate Fonseca site https://portal.mossfon.com/, whose footer states “The Mossfon Client Information Portal is a secure online account that enables to access your corporate information anywhere and everywhere, with real time updates of your ongoing request.”, was running a three-year-old version of Drupal, the same version affected by Drupageddon at the end of 2014.
How to avoid getting hacked in WordPress?
The simple answer is by taking care of your site. If you keep your site, plugins and themes up to date, the odds of getting hacked are considerably reduced. On top of that, taking some security measures and running regular malware scans reduces the chances even more.
Top 8 steps to avoid getting hacked:
- Get decent hosting that is properly configured and up to date. We recommend Genesis or WPEngine, but there are plenty of good hosts such as BlueHost, Gandi, SiteGround, Pagely, etc.
- Only install reliable plugins. I usually check the rating and when it was last updated. If I'm still not convinced, I take a quick look at the plugin's support forums and at the developer's profile to see what other plugins they created or were involved with. Of course, installing popular plugins is no guarantee: see Revolution Slider, WP Super Cache, etc.
- Be careful with bloated commercial themes that use lots of libraries. The infamous TimThumb library is a good example of what I mean here. We prefer and use the Genesis framework to build our themes.
- Run daily updates to shrink the window of exposure after a vulnerability is disclosed. If you can't take care of your site, hire someone to do it for you. Keeping your plugins, themes and WordPress core up to date is really important. Not even the big ones are safe.
- Run daily backups so you are covered if any of the steps above fails. Having backups is like keeping your business in a safe: if everything goes to hell you will still have a way to recover everything and keep your business running.
- Install a security plugin like iThemes Security or WordFence to make it easier to take care of some basic security measures.
- Get an SSL certificate if you have any kind of login or purchase form. If you run a business, having https in your URL is a must!
- Run malware scans from time to time to be sure that nothing slipped through your security measures.
If all this sounds like a lot of work, it's because you have never been hacked before. I know people who closed their business because they were not able to recover from something like this.
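As an added example (not code from the original post or from any WordPress project), here is a small Python audit of a wp-config.php for the weak settings discussed above: a root database user, debug output left on, missing FORCE_SSL_ADMIN and DISALLOW_FILE_EDIT, and authentication salts left at the sample placeholder. The constant names are real WordPress settings; the two sample configs are constructed for the demonstration.

```python
import re
# Matches PHP define() calls as written in wp-config.php, e.g. define('DB_USER', 'root');
# Quoted values may legitimately contain ')' or escaped quotes (salts often do).
DEFINE_RE = re.compile(
    r"""define\s*\(\s*(['"])(?P<name>[A-Z0-9_]+)\1\s*,\s*"""
    r"""(?P<value>'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*"|true|false|-?\d+)\s*\)\s*;""",
    re.IGNORECASE,
)
SALT_PLACEHOLDER = "put your unique phrase here"  # the text wp-config-sample.php ships with
SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")

def parse_defines(config_text):
    """Return {CONSTANT: value}; strings keep PHP escapes, true/false become bool."""
    found = {}
    for m in DEFINE_RE.finditer(config_text):
        raw = m.group("value")
        if raw.lower() in ("true", "false"):
            found[m.group("name").upper()] = raw.lower() == "true"
        else:
            found[m.group("name").upper()] = raw[1:-1] if raw[0] in "'\"" else raw
    return found

def audit_wp_config(config_text):
    """Return a list of findings; an empty list means every check passed."""
    c = parse_defines(config_text)
    findings = []
    if str(c.get("DB_USER", "")).lower() == "root":
        findings.append("DB_USER is root: a site compromise exposes every database on the server")
    if c.get("WP_DEBUG") is True:
        findings.append("WP_DEBUG is on: errors can leak file paths and queries to visitors")
    if c.get("FORCE_SSL_ADMIN") is not True:
        findings.append("FORCE_SSL_ADMIN not set: admin logins may travel over plain HTTP")
    if c.get("DISALLOW_FILE_EDIT") is not True:
        findings.append("DISALLOW_FILE_EDIT not set: the dashboard can edit plugin and theme PHP")
    weak = [k for k in SALT_KEYS if SALT_PLACEHOLDER in str(c.get(k, SALT_PLACEHOLDER))]
    if weak:
        findings.append("default or missing salts: " + ", ".join(weak))
    return findings

# Constructed sample configs (not from any real site): one weak, one hardened.
WEAK_CONFIG = """<?php
define('DB_USER', 'root');
define('AUTH_KEY', 'put your unique phrase here');
define('WP_DEBUG', true);
"""
HARDENED_CONFIG = "<?php\ndefine(\"DB_USER\", \"wp_site\");\ndefine('DB_PASSWORD', 'x(8)q\\'z');\n"
HARDENED_CONFIG += "".join(f"define('{k}', 'constructed-value-{i})');\n" for i, k in enumerate(SALT_KEYS))
HARDENED_CONFIG += "define('WP_DEBUG', false);\ndefine('FORCE_SSL_ADMIN', true);\ndefine('DISALLOW_FILE_EDIT', true);\n"
```

Running `audit_wp_config(WEAK_CONFIG)` reports five findings, while the hardened config comes back clean.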
How can we help?
Wait, what? You thought this was going to be just another #PanamaPapers post on the net? No sir, we just wanted to let you know that we have been offering WordPress support that includes all of the above for quite some time now, and we only have happy and relieved customers.
As we mention on our support page, “Let us take care of your WordPress site and just focus on your business.” Our most basic package includes:
- Daily WordPress updates of themes, plugins, core, etc.
- Automated daily backups and restores
- 24/7 site monitoring
- Malware scanner
- Free SSL certificate
- Monthly reports