Why is Mossack Fonseca not a great role model?

Why is Mossack Fonseca (MF) a poor role model? Could it be that MF's role in today's world, where you and I work hard, pay our taxes and make a living, is the total opposite of what some people think is OK? A role where people like MF help other mongrels, who make obscene amounts of money, avoid paying fair taxes and dodge sanctions and other rules, to make even more money? Well, that's not the sort of behaviour we should aspire to. OK, that's one reason.

But the other reason is that they are a perfect example of why you really need to be on top of your website updates and security. In this article, the people who make Wordfence Security (a plugin we use) demonstrate how MF allowed their data to be stolen (the biggest recorded leak in history, by data volume). They showed that initially it was a WordPress plugin that was a few months out of date, one known to the world to have security issues anyway. However, by a series of steps the hacker got to a customer portal running Drupal, which hadn't been updated for years.

WordPress itself is inherently secure, but suffers from the same thing that Windows does as an operating system, and that is popularity. Because of its popularity it has a statistical spotlight (my terminology), which means that it often gets bad press just because of the sheer number of installations, and you only ever hear about the problems. It's the opposite of a gambler who will tell you about his wins but not his losses.

Hackers continually look for vulnerabilities, whether they be on a website, a personal computer or a server. When a vulnerability comes to light, good software is patched and updated.

In the case of WordPress the biggest risk is, by far, poorly written or out of date plugins, followed by brute force. See this article.

How hacked sites were compromised (Wordfence)

I can attest to the fact that often the greatest server load is caused by concerted attacks on website and email logins (brute force). As for plugins, as a website owner and developer, I have always chosen them carefully and updated quickly, the same for themes and WordPress core.

You might not have terabytes of sensitive information accessible from your website or even on the same network, but as the Wordfence people demonstrated, it's not too many hops to get to it. But even if that's not an issue, your website itself may be the result of a lot of effort and/or money, and that needs to be protected. That's why you don't want to let your site become out of date: as with Windows (or any other software over time), vulnerabilities become apparent and can be exploited.

Keep your passwords secure, your software up to date and good backups in place.
