The law firm's Drupal site had issues, too
The problem wasn't with the WordPress site alone. Mossack Fonseca was running Drupal 7.23 for its secure portal, which let customers log in and submit sensitive business information. In October 2014, Drupal released version 7.32, warning about critical vulnerabilities in the earlier software. The vulnerabilities were so severe that automated attacks began compromising Drupal 7 websites that were not patched or updated within hours of the new version's release.
Security experts recommended assuming the site was compromised and starting over with a fresh install. "You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15, 11pm UTC; that is, seven hours after the announcement," the Drupal Security Team said at the time.
Mossack Fonseca's customer portal could have been vulnerable to attack, and likely backdoored, for more than a year, which would have given the leakers ample time to grab 11.5 million documents.
The Web server was also on the same network as the email server, and the company used the Drupal site for sensitive customer data. The audacious attack may have succeeded because the adversaries were able to pivot from the vulnerable WordPress site to where the corporate assets were stored to the email server to download all the emails, Maunder said.
WordPress, Drupal, Joomla, and PHP developers need to get their acts together
Mossack Fonseca isn't the first company to get tripped up by outdated software. An attacker recently breached the Los Angeles Times website through the Advanced XML Reader plug-in for WordPress, which lets sites display XML files, and offered to sell access to the site. The LA Times said that the issue has since been resolved.
Attacks targeting sites running outdated versions of a CMS or using vulnerable plug-ins are getting more and more common. Security experts point at the plug-in ecosystem, with poorly coded and maintained plug-ins, as the culprit, but the core developers need to shoulder some of the responsibility. It's not only WordPress -- other popular CMS software such as Drupal and Joomla also need to consider how third-party software is affecting their platform and provide better mechanisms to secure their customers' sites.
There is currently no process to vet plug-ins or automatically update outdated plug-ins. Although WordPress and Drupal have made it easier to search and update some third-party plug-ins directly from the administrator dashboard, the core team can -- and should -- explore ways to keep the entire platform secure, instead of focusing on the core codebase alone.
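Until such a mechanism exists, site owners are left to inventory what is installed themselves. The following is an added example, not code from the article or from either project: it reads the Drupal 7 core version from `includes/bootstrap.inc` and WordPress plug-in versions from their `Version:` headers, then flags anything below a known-fixed release. The sample file contents, the `example-plugin` name and its `1.5.0` floor are constructed; only the 7.32 threshold comes from the text.

```python
import re
from typing import Dict, List, Optional, Tuple

# Drupal 7 records its core version in includes/bootstrap.inc as
# define('VERSION', '7.23'); a WordPress plug-in declares its version in a
# "Version:" header line in its main PHP file.
DRUPAL_RE = re.compile(r"define\(\s*'VERSION'\s*,\s*'([\d.]+)'\s*\)")
PLUGIN_RE = re.compile(r"^\s*\*?\s*Version:\s*([\d.]+)", re.MULTILINE)

def version_tuple(v: str) -> Tuple[int, ...]:
    """'7.23' -> (7, 23), so that '7.9' compares below '7.32' numerically."""
    return tuple(int(p) for p in v.split("."))

def parse_drupal_version(bootstrap_inc: str) -> Optional[str]:
    m = DRUPAL_RE.search(bootstrap_inc)
    return m.group(1) if m else None

def parse_plugin_version(plugin_php: str) -> Optional[str]:
    m = PLUGIN_RE.search(plugin_php)
    return m.group(1) if m else None

def outdated_components(files: Dict[str, str],
                        minimums: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (component, installed, minimum) for each component below the
    first release known to carry the fix. `files` maps path -> file contents."""
    findings = []
    for path, content in files.items():
        if path.endswith("includes/bootstrap.inc"):
            name, installed = "drupal-core", parse_drupal_version(content)
        elif "/wp-content/plugins/" in path and path.endswith(".php"):
            name = path.split("/plugins/")[1].split("/")[0]
            installed = parse_plugin_version(content)
        else:
            continue
        floor = minimums.get(name)
        if installed and floor and version_tuple(installed) < version_tuple(floor):
            findings.append((name, installed, floor))
    return findings

# Constructed sample files: Drupal 7.23 as in the article, plus a made-up plug-in.
SAMPLE_FILES = {
    "/var/www/portal/includes/bootstrap.inc": "<?php\ndefine('VERSION', '7.23');\n",
    "/var/www/blog/wp-content/plugins/example-plugin/example-plugin.php":
        "<?php\n/*\nPlugin Name: Example Plugin\nVersion: 1.4.2\n*/\n",
}
# 7.32 is the fixed release named in the article; the plug-in floor is hypothetical.
MINIMUMS = {"drupal-core": "7.32", "example-plugin": "1.5.0"}
if __name__ == "__main__":
    for name, installed, floor in outdated_components(SAMPLE_FILES, MINIMUMS):
        print(f"{name}: {installed} installed, {floor} or later required")
```

On a real host the `files` mapping would be built by walking the web root; the version floors should come from the vendors' security advisories rather than being hard-coded.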
Of course, part of the problem may lie with the culture of PHP development, which prides itself on being hacky and a quick and dirty way to get things done. PHP's historic focus on getting something half-assed that works out the door means -- no surprise -- that security is going to fall by the wayside. Now all these websites are paying the price.