WordPress Plugin Vulnerability Leads to Panama Papers Leak
Security researchers have pointed the finger at a WordPress plugin as the root vulnerability that allowed hackers to execute the data theft that resulted in the Panama Papers leak. This further reinforces our recommendation to financial institutions that WordPress is a risky web platform for banks and credit unions to use for any public-facing websites.
Banks and credit unions running WordPress websites should exercise extreme care to ensure that their WordPress websites are routinely patched, including (and especially) plugins, to better protect against successful attacks that will cause reputational damage and potential data loss.
Ideally, banks and credit unions should carefully select website platforms designed to meet modern security best practices and offer more protection against common attacks and exploits. The minimum security features that should exist in any bank website CMS include:
- Multi-factor authentication for CMS access
- Data encryption for forms that collect and store data
- Built-in password complexity, expiration, and account lockout policies
- IP-restricted access to the CMS
- Persistent audit logs for all CMS access and website content changes
- Granular roles & permissions architecture to precisely control user access within the CMS
- Protection against SQL injection, cross-site scripting, and other common website attack methods
This is by no means a comprehensive list, but does represent a good starting point for your CMS security checklist. Even when these features exist, properly implementing and configuring these and other security options is often even more important than simply having the features present in the CMS. WordPress hardening and patching is a service that we provide to many of the banks and credit unions that host their websites with us.
If you have questions or concerns about your website's security, get in touch with us. If you work with a marketing agency, we gladly work with them, too, so send them our way if you'd like to talk about ways that we can help you and your team.