By this time I’m sure everyone in the world has heard about the The Panama Papers.
Now, evidence has come to light that a set of WordPress security problems likely enabled the leak.
Here’s what we know.
In late 2013, the popular WordPress plugin Slider Revolution was found to have two serious security vulnerabilities. The first, found in September, enabled an outbreak of the “Soak Soak” malware. The second, identified in late December, caused several larger outbreaks of “WPCache-blogger” malware. Here’s more detail on these, if you want to wade through the technical stuff.
People, this is why plugin developers release security updates.
WordPress Security and You
Shortly after the problems with Slider Revolution were uncovered, the developer issued updates that patched the flaw. If your site wasn’t infected and you updated, you were protected.
Apparently, though, the law firm of Mossack Fonseca ran a WordPress site and didn’t bother keeping it up to date. According to Wordfence Security, maker of the plugin of the same name, the company was running WordPress with version 2.1.7 of Slider Revolution. (The plugin was vulnerable up to version 3.0.95, and the current version is 5.2.)
According to another article, the firm’s version of WordPress was also outdated by nearly 18 months, and it’s running a three-year-old theme. Additionally, some of their site runs on a similarly outdated version of Drupal.
The MF law firm made some other dumb mistakes. Like putting their public website on the same server as their (unencrypted) email. This is the same website that hosted sensitive customer information, by the way.
Since the hack, the company has apparently put a firewall in place, but are still running the outdated, vulnerable version of Slider Revolution, WordPress, the TwentyEleven theme, and Drupal.
For more of the technical information, here’s an article by Wordfence.
What Does This Mean for the Average WordPress User?
The answer is simple: if you’re not updating regularly, you’re missing the simplest way to improve your WordPress site’s security.
“Updates” means updates to WordPress itself, to your theme, and to your plugins.
How Often Should You Update?
There’s no single answer here. Ideally, whenever a new WordPress, theme or plugin version is released. That may not always be practical, but you should have an established schedule, and it should have some relationship to your traffic and how often you add or update content.
Always Back Up Before You Update
Before applying any update, you should completely back up your WordPress site, and store that backup somewhere different from your WordPress server. There are plenty of excellent backup plugins available. Many of them will send your backup to Dropbox, Google Drive, or some other cloud storage. Or you can download it to your computer. See this article for more detail on backups.
Update in this Order
You may not always need to update everything, but when you do, it should be in this order:
I recommend always keeping one of the basic WordPress themes installed, like TwentySixteen, along with whatever theme you’re actually using. It’s important to keep even an inactive theme up to date.
As to plugins, if you’re not using it, you should deactivate and uninstall it. However, if you do have inactive plugins, make sure you update them when an update becomes available.
If that seems like too much work, consider a Monthly Maintenance package. I’ll take care of the backups and the updates. Normal updates will be on a regular schedule, and when something unexpected occurs, as when a big plugin vulnerability comes to light, I’ll jump on it right away.
Click here for information about Monthly Maintenance packages.
Whether you think that leaking the Panama Papers was justifiable or not, I’m sure you don’t want your site to be equally vulnerable…
I always set my WordPress Update to automatic and receive the notification email after the update is successful. Since WordPress 4.5 is about to launch soon, I definitely don’t want to miss it. As for the update for the plugins, I hope there is an easy way to update them automatically but sometimes the plugins may cause my website some issues so I always have to back up my site before I do that. I hate to do that manually but for security reason, it’s something I have to do as you suggest.
You should always run a complete site backup before updating anything. Yes, it’s a nuisance, but not nearly as much of a nuisance as trying to put a site back together after a problem update! IMO, you shouldn’t attempt to update plugins automatically – there are too many that just don’t play nicely together.