If you are a bit up to date with computer security news you may already know that a few days ago a serious vulnerability was detected in the log library known as Log4j.
What is Log4j?
Log4j is open source software used by many servers on the Internet to record activity logs and send them to a centralized server.
Log4j software is likely to be found anywhere the Java programming language is used, including in a variety of toolkits used on Apache servers, which is the world’s most popular server software.
What is the vulnerability of Log4j?
The vulnerability, originally reported on November 24, 2021, provides the ability to launch commands to a server via the Log4j library and take control of the system. In theory, this means that cybercriminals can:
- View sensitive user data
- Install malware and spyware
- Use the machine(s) for illicit purposes.
You may read a lot of alarming claims about this vulnerability, and rightly so: this is a big problem.
The reasons are the widespread use of the library in Java programs, the universal support for Java in all web browsers, and the ability of Java programs to run on any computer or device.
Technical details about the exploit can be read here.
Has the Log4j vulnerability affected many applications?
The Log4j vulnerability has shaken the foundations of thousands of software applications, including many really popular and widely deployed ones, and this is no exaggeration.
The list is huge but, to give you an idea of the scope, services such as 1Password, all Adobe software and services, the famous 7-Zip compressor, Akamai platform services, Amazon, lots of Apache server services, cPanel hosting management software, all Atlassian services, such as Trello and others, the Cisco platform and IBM have been affected by this vulnerability.
The list is long and really scary; you can see it in full at this link.
Is my WordPress website at risk because of the Log4j vulnerability?
Although it is still too early to determine the scope of the Log4j vulnerability, there are some patterns that you can consider:
- It is unlikely that most websites made with WordPress will be directly affected by this vulnerability, because WordPress runs primarily on PHP and its core does not use Java.
- If you use Cloudflare's service, they have already announced that their systems were exposed to this vulnerability. They took quick action to patch the vulnerability and have been helping other service providers do the same. However, it is unlikely that most WordPress sites that use Cloudflare, such as this one, are at risk because Cloudflare is never used after a user logs in. This means that only non-sensitive, unprivileged data would be at risk.
- The most exposed services will be those that offer user data syndication such as CRM plugins, for example. Any vulnerability to data on a WordPress site is likely to only be through an integration with one of these systems.
- If you host your site with a hosting provider that uses cPanel (details of the Log4Shell vulnerability at this link), you should contact them to ask whether they have been affected and, if so, whether they have taken steps to investigate and fix this vulnerability.
Are any plugins or themes affected by the Log4j vulnerability?
To date the list of plugins and versions affected by this vulnerability is as follows:
- PublishPress Capabilities <= 2.3
- Kiwi Social Plugin <= 2.0.10
- Pinterest Automatic <= 4.14.3
- WordPress Automatic <= 3.53.2
Epsilon Framework theme versions affected by the vulnerability:
- Shapely <=1.2.7
- NewsMag <=2.4.1
- Activello <=1.4.0
- Illdy <=22.214.171.124
- Allegiant <=126.96.36.199
- Newspaper X <=1.3.1
- Pixova Lite <=2.0.5
- Brilliance <=1.2.9
- MedZone Lite <=188.8.131.52.4
- Regina Lite <=184.108.40.206.4
- Transcend <=1.1.8
- Affluent <1.1.0
- Bonkers <=1.0.5
- Antreas <=1.0.4
- Sparkling – No patch to date, better uninstall it.
- NatureMag Lite – No patch to date, better uninstall it.
Are there hosting companies affected by the Log4j vulnerability?
By now most of the major hosting companies have already reported this vulnerability, and those that could have been affected have taken measures and applied patches.
SiteGround, for example, published a note days ago reminding customers that their servers use NGINX and do not use the Log4j library in any of their applications, services or processes, direct or indirect, and are therefore not vulnerable.
Other companies such as WP Engine and Liquid Web have published tweets indicating that they are not affected, and today CDMon has sent an email to its customers indicating that they have performed an analysis of their services and that, after having to update some of them, they are currently not affected.
On the other hand, Kinsta disclosed days ago that they had been affected through their use of ElasticSearch, a Java application affected by Log4j.
Right now – unless you tell me otherwise in the comments – I don’t know of any other hosting company that has made any statement in this regard.
However, you should put the question directly to your hosting company and have them provide you with details. For example, I would ask them:
- Do you use the Log4j library?
- Has my data been compromised by any exploitation of the Log4j vulnerability?
- What can I do to safeguard my data?
This is especially important if your hosting company uses cPanel as its hosting management software (most of them), as a vulnerability has been detected in this application.
Is there anything I can do to protect my WordPress site against the Log4j vulnerability?
The first thing you should do is read all of the above in this article and check if you are using any plugins, themes, services or hosting companies possibly affected by the Log4j vulnerability and take action.
If none of the above has affected you, there are several things you can do to avoid surprises.
Control user registration
In cases where the Log4j vulnerability has infected WordPress sites through plugins or themes, it has done so by exploiting 2 elements, in addition to the vulnerable software:
- That user registration was allowed on the site via the WordPress users_can_register function, enabled from the WordPress general settings or another method.
- Setting the default profile for new users to administrator using the
Assuming you are not using already vulnerable software, such as the one we have seen above, you can stop this by disabling the possibility of registration.
It is important that you do not allow members to register, but it is even more important that the default profile is not an administrator; it is usually a subscriber, which is a secure profile for your website.
I know I am very insistent about this, but whatever the vulnerability, with WordPress and all its plugins and themes updated it is very difficult to be affected, because attacks usually exploit exactly that: vulnerabilities in known versions, which are usually fixed within hours in later versions.
Even most of the plugins and themes in the list above already have secure versions.
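The following Python audit is an added example, not code from this article or from any of the plugins and themes it names. It checks an installed inventory against the affected-version lists above and flags the two registration settings described in this section. It assumes the inventory is keyed by product name as spelled in the article, and that option values are strings as printed by `wp option get`, with `default_role` being the WordPress option that holds the role for new users.

```python
import re

# Affected ranges copied from the article's lists. Entries whose version
# numbers are garbled there (Illdy, Allegiant, MedZone Lite, Regina Lite) are
# omitted rather than guessed. None means "no patch to date".
AFFECTED = {
    "PublishPress Capabilities": ("<=", "2.3"), "Kiwi Social Plugin": ("<=", "2.0.10"),
    "Pinterest Automatic": ("<=", "4.14.3"), "WordPress Automatic": ("<=", "3.53.2"),
    "Shapely": ("<=", "1.2.7"), "NewsMag": ("<=", "2.4.1"),
    "Activello": ("<=", "1.4.0"), "Newspaper X": ("<=", "1.3.1"),
    "Pixova Lite": ("<=", "2.0.5"), "Brilliance": ("<=", "1.2.9"),
    "Transcend": ("<=", "1.1.8"), "Affluent": ("<", "1.1.0"),
    "Bonkers": ("<=", "1.0.5"), "Antreas": ("<=", "1.0.4"),
    "Sparkling": None, "NatureMag Lite": None,
}

def vkey(version, width=4):
    """'2.0.10' -> (2, 0, 10, 0): numeric parts, zero-padded so 2.3 == 2.3.0."""
    parts = [int(n) for n in re.findall(r"\d+", version)]
    return tuple(parts + [0] * (width - len(parts)))

def is_affected(name, version):
    """True if the installed version falls inside the article's affected range."""
    if name not in AFFECTED:
        return False
    rule = AFFECTED[name]
    if rule is None:                      # no fixed release listed
        return True
    op, bound = rule
    return vkey(version) <= vkey(bound) if op == "<=" else vkey(version) < vkey(bound)

def audit(installed, options):
    """Return findings for affected software and risky registration settings."""
    findings = [f"{name} {ver}: in the affected range, update or remove it"
                for name, ver in installed.items() if is_affected(name, ver)]
    if str(options.get("users_can_register", "0")) == "1":
        findings.append("users_can_register is enabled: disable it unless needed")
    if options.get("default_role", "subscriber") == "administrator":
        findings.append("default_role is administrator: set it to subscriber")
    return findings

# Constructed sample site (not real data).
SAMPLE_INSTALLED = {"Kiwi Social Plugin": "2.0.9", "Shapely": "1.2.8",
                    "Affluent": "1.1.0", "Sparkling": "2.4.9"}
SAMPLE_OPTIONS = {"users_can_register": "1", "default_role": "administrator"}

if __name__ == "__main__":
    for finding in audit(SAMPLE_INSTALLED, SAMPLE_OPTIONS):
        print(finding)
```

Version strings are compared numerically part by part, so 2.0.9 is correctly treated as older than 2.0.10, which a plain string comparison would get wrong.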
Use a good security plugin
Always, always, you must have a good security plugin active and well configured. If you need some options: SiteGround Security, iThemes Security and All in One WP Security are some of the best.
Add security headers
Security headers are one of the best methods to avoid all kinds of attacks and code injections on your WordPress website, in addition to protecting yourself with a good security plugin.
Some security plugins allow you to add the main security headers, and if not you can check this guide where I explain other methods to add them:
Get a good hosting
Of course, none of the above makes sense if your hosting company (where your WordPress site is hosted) is the weakest link in the chain when it should be precisely the strongest, as it is the foundation of your website.
I host all my websites and those of my clients at SiteGround, you know that, simply because it is currently the best hosting company specialized in WordPress, offering the best quality/performance/price ratio, and they are always ahead in performance and security solutions for WordPress.
There are other good hosting companies, but if I have to recommend one and do it with total confidence, without a doubt right now it is SiteGround.