Last Thursday, WordFence revealed on their blog that the Mossack Fonseca data breach that resulted in the Panama Papers was possibly initiated via an outdated WordPress slider plugin. They have since done an update regarding the breach as it relates to WordPress. I’m sure many people are shocked that Mossack Fonseca wasn’t only running an old, vulnerable version of a slider plugin for WordPress but that they also were running a 3 year old version of Drupal as well.
I’m not shocked at all. In my experience many law offices often have antiquated computer equipment and software. So much so that I’m no longer shocked to find a paralegal asking me to send a .doc formatted document because they are still running Word 2002 or to find out the operating system they are on is Windows 98.
I suppose it’s not limited to law offices either, it could be many small businesses, my experience has just been primarily law firms. Many businesses view computer software and equipment as a one-time purchase and seldom think beyond the fact that it works.
If the technology that they work with in the office every day doesn’t get upgraded, you can be sure they aren’t thinking about their website software and security.
Over the past six years I’ve built dozens of business websites on WordPress. At the end of the build I always send my clients information on the importance of keeping WordPress, the theme and the plugins up to date. I stress the need for strong security measures and I offer them a variety of maintenance packages if they feel they are going to be unable to take care of their new website themselves. Less than half opt for a maintenance package. Which is fine if they are planning on doing the updates and monitoring themselves.
The scary thing is they don’t. I’m sure they intend to, but it seldom happens. When revisiting many of the websites I’ve created in the past not only are they still running outdated versions of themes and plugins, a staggering number of them are still running an outdated version of WordPress itself.
They might as well be hanging a sign on their website that says “Hacker Friendly”.
Chances are none of my former clients have the type of information that results in a Panama Papers type breach, but they most certainly have information within the website they wouldn’t want in the hands of an unscrupulous hacker. (Think passwords, names, addresses, etc.)
While stealing information is possibly the scariest type of hack, it’s not the only thing a hacker can do to hurt you. Many of the exploits found in outdated software and plugins allow them to do things like redirect people from your website to another or install malware, etc. These type of attacks can severely hurt the reputation of a business, say nothing about your standing with the search engines.
Once upon a time, unless you were a big name business, you probably fell under the radar of hackers because it wasn’t worth their time. That was before identity information became a valuable commodity. Now hackers get big money for lists of names, addresses and other personal information. Not to mention passwords!
With all of this in the news why do so few businesses pay attention when we explain the need for updates and security measures? Is it complacency, laziness or refusal to invest time or money into their websites? I wish I had the answer.
I do know that you can’t blame WordPress when the fault so clearly lies with human failure to properly care for their websites.