If you care about security
For those that care about security, like Mossack should've, the first step to make WordPress secure would be to use "rm -rf /" and then use a much simpler and easier to secure method of publishing their website.
To me, WordPress is pretty much Macromedia ColdFusion / Microsoft Frontpage for Web 2.0. Something that should only be used by groups so small that they can't afford someone to write a webpage for them. A company with the funds of MF should have a full-time web development team that manually updates their website rather than using a CMS...
Of course, that ignores the fact that they were complete idiots and put multiple services on a single box like that, servers aren't that expensive, especially for a law firm pulling in millions a year on legal fees.