What is the Log4j or CVE-2021-44228 / CVE-2021-45046 Vulnerability?
On December 9, 2021, a severe remote code execution vulnerability was identified in the popular open-source Java logging library "log4j" developed by Apache. This vulnerability was rated a rare 9.8 of 10 in severity due to the ease of exploitation, the library's widespread use in Java programs, universal support for Java in all web browsers, and the ability of Java programs to run on any computer or device.
Technical details about the exploit can be read in the following places:
Is My WordPress Website Vulnerable to the Log4j Exploit?
Thus far, the Log4j vulnerabilities in the WordPress software ecosystem are limited to 4 specific plugins and 'Epsilon Framework' themes that use the vulnerable Java library. Check whether your website uses any of the plugins or themes on this list compiled by WordFence. The list may be updated to include more plugins as they are discovered.
If your website doesn't use any of the listed plugins or themes, then it is not affected. The authors of the affected plugins and themes will hopefully be issuing patches quickly.
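As an added check (not from the original article, WordFence or the affected plugin authors), the following POSIX shell script scans a WordPress tree for bundled log4j-core jars and classifies each version against the two CVEs named above; the fixed-version boundaries (2.16.0, 2.12.2 on the Java 7 line, 2.3.1 on the Java 6 line) follow Apache's advisory, and the wp-content path in the usage line is an assumption.

```shell
#!/bin/sh
# Classify a log4j-core version string against CVE-2021-44228 / CVE-2021-45046.
log4j_status() {
  ver="$1"
  major=${ver%%.*}; rest=${ver#*.}
  minor=${rest%%.*}; patch=${rest#*.}
  [ "$patch" = "$rest" ] && patch=0            # e.g. "2.14" has no patch field
  case "$minor" in *-*) minor=${minor%%-*};; esac   # strip "-beta9"-style suffixes
  case "$patch" in *-*) patch=${patch%%-*};; esac
  case "$major$minor$patch" in *[!0-9]*) echo "unparsed version"; return;; esac
  if [ "$major" -ne 2 ]; then
    echo "not log4j 2.x (outside the scope of these two CVEs)"; return
  fi
  # Fixed releases: 2.16.0+, 2.12.2+ (Java 7 line), 2.3.1+ (Java 6 line)
  if [ "$minor" -ge 16 ]; then echo "fixed"; return; fi
  if [ "$minor" -eq 12 ] && [ "$patch" -ge 2 ]; then echo "fixed"; return; fi
  if [ "$minor" -eq 3 ] && [ "$patch" -ge 1 ]; then echo "fixed"; return; fi
  # 2.15.0 closed CVE-2021-44228 but is still affected by CVE-2021-45046
  if [ "$minor" -eq 15 ]; then echo "vulnerable (CVE-2021-45046)"; return; fi
  # Everything else from 2.0 (2.0 pre-releases flagged conservatively;
  # Apache's affected range starts at 2.0-beta9) up to 2.14.1
  echo "vulnerable (CVE-2021-44228, CVE-2021-45046)"
}

# Walk a WordPress directory and report every bundled log4j-core jar.
# Output: path, version and status, tab-separated.
scan_wp_for_log4j() {
  find "$1" -type f -name 'log4j-core-*.jar' 2>/dev/null | while read -r jar; do
    base=${jar##*/}; v=${base#log4j-core-}; v=${v%.jar}
    printf '%s\t%s\t%s\n' "$jar" "$v" "$(log4j_status "$v")"
  done
}

# Usage (assumed path): scan_wp_for_log4j /var/www/html/wp-content
if [ $# -gt 0 ]; then scan_wp_for_log4j "$1"; fi
```

A jar renamed or shaded inside another archive will not be caught by the filename match, so an empty result is not proof of absence.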
On the official WordPress.org forums, moderators have chimed in multiple times indicating that Log4j is not an issue for WordPress core:
What about my website hosting?
cPanel hosting has a specific component that may be affected by Log4j.
If your WordPress website is hosted on a cPanel hosting plan, there is one specific component of cPanel that may be affected.
cPanel has issued a patch to fix the critical flaw in the log4j Java library found in part of the software used for email. The vulnerability itself is named Log4Shell.
Contact your hosting provider if you think you may be affected by this. In all likelihood, the larger hosting companies have already patched the library, but it never hurts to double check.
Some common hosting companies we work with have issued statements or tweets concerning log4j:
SiteGround (not affected)
According to this support response, websites hosted on SiteGround are completely safe from the exploit because they use NGINX as the client facing web server for their systems and there’s no Log4j library configured anywhere on the hosting account. They also do not use any additional or 3rd party service that uses the vulnerable library to provide a certain service.
This means that, as a SiteGround customer, this vulnerability did not affect you in any way and you do not need to take any action.
WPEngine (not affected)
WPEngine staff replied in this tweet that they are not affected by the log4j vulnerability.
Liquid Web
In this tweet response, Liquid Web indicates that the log4j plugin does not come installed by default on Liquid Web servers, but modifying default configurations could introduce it. Any customers who have installed the plugin should verify its security and install any updates or patches that have been issued.
What else can you do to protect your WordPress website?
Equip your website with a security plugin.
You can equip your site with a security plugin such as WordFence, Sucuri Security (←this is an affiliate link), MalCare (←so is this), or similar security plugins. These types of plugins can help detect vulnerabilities and intrusions and also provide notifications when/if your site is using a vulnerable plugin -- so that it can be updated with the patched version.
Make sure your plugins and core WordPress are up-to-date.
It is a best practice to keep your plugins and WordPress up to date to ensure available patches have been applied. If you don't know if your WordPress and plugins are up to date, check out this tutorial, or you may want to consider a WordPress support plan.