If you follow computer security news even a little, you may already know that a few days ago a serious vulnerability was found in the logging library known as Log4j.
What is Log4j?
Log4j is open source software used by many servers on the Internet to record activity logs and send them to a centralized server.
Log4j software is likely to be found anywhere the Java programming language is used, including in a wide variety of tool sets used on Apache servers, which is the most popular server software in the world.
What is the vulnerability of Log4j?
The vulnerability, which was originally reported on November 24, 2021, makes it possible to execute commands on a server through the Log4j library and take control of the system. In theory, this means that cybercriminals can:
- View sensitive user data
- Install malware and spyware
- Use the machine(s) for illegal purposes
You may read a lot of dramatic statements about this vulnerability, and for good reason: this is a very big problem.
The reasons are the widespread use of the library in Java programs, universal support for Java in all web browsers, and the ability of Java programs to run on ANY computer or device.
You can read the technical details about the exploit here.
Has the Log4j vulnerability affected many applications?
The Log4j vulnerability has shaken the foundations of thousands of software applications, and that is no exaggeration; many of them are really popular and widely deployed.
The list is immense but, to give you an idea of the scope, this vulnerability has affected services such as 1Password, all of Adobe's software and services, the famous 7-Zip compressor, services on the Akamai platform, Amazon, many Apache server services, the cPanel hosting management software, all Atlassian services such as Trello, and the Cisco and IBM platforms.
The list is huge, really scary; you can see it in full at this link.
Is my WordPress website at risk due to the Log4j vulnerability?
Although it is still too early to determine the (huge) extent of the Log4j vulnerability, there are a few patterns you can assess:
- It is unlikely that most WordPress websites are directly affected by this vulnerability, because WordPress runs mainly on PHP and its core does not use Java.
- If you use the CloudFlare service, they have already announced that their systems were exposed to this vulnerability. They took swift action to patch the vulnerability and have been helping other service providers do the same. However, it is unlikely that most WordPress sites using CloudFlare, like this one, are at risk because CloudFlare is never used after a user logs in. This means that only non-sensitive and non-privileged data would be at risk.
- The most exposed services will be those that syndicate user data, such as CRM plugins, for example. Any exposure of a WordPress site's data is likely to come only through an integration with one of these systems.
- If you host your website at a hosting provider that uses cPanel (details of the Log4Shell vulnerability in this link), you should contact them to ask whether they have been affected and whether they have taken steps to investigate and fix this vulnerability.
Are there any plugins or themes affected by the Log4j vulnerability?
To date, the list of plugins and versions affected by this vulnerability is as follows:
- PublishPress Capabilities
- Kiwi Social Plugin
- Pinterest Automatic
- WordPress Automatic
Epsilon Framework theme versions affected by the vulnerability:
- Shapely
- NewsMag
- Activello
- Illdy
- Allegiant
- Newspaper X
- Pixova Lite
- Brilliance
- MedZone Lite
- Regina Lite
- Transcend
- Affluent
- Bonkers
- Antreas
- Sparkling – No patch to date; you had better uninstall it.
- NatureMag Lite – No patch to date; you had better uninstall it.
Are there hosting companies affected by the Log4j vulnerability?
By now, most of the large hosting companies have already reported on this vulnerability, and those that could have been affected have taken action and applied patches.
SiteGround, for example, published a note days ago reminding customers that their servers use NGINX and do not use the Log4j library in any of their applications, services or processes, directly or indirectly, and that therefore they are not vulnerable.
Other companies such as WP Engine and Liquid Web have published tweets indicating that they are not affected, and today CDMon has sent an email to its clients indicating that they have carried out an analysis of their services and that, after having had to update some of them, they are not currently affected.
On the other hand, Kinsta disclosed days ago that they had been affected through their use of ElasticSearch, a Java application affected by Log4j.
Right now – unless you tell me otherwise in the comments – I don’t know of any other hosting company that has made any statement in this regard.
However, you should put the question directly to your hosting company and ask them for details. For example, I would ask them:
- Do you use the Log4j library?
- Has my data been compromised by any exploitation of the Log4j vulnerability?
- What can I do to safeguard my data?
This is especially important if your hosting company uses cPanel as its software for managing hosting accounts (most of them do), as a vulnerability has been detected in this application.
Can I do anything to protect my WordPress site from the Log4j vulnerability?
The first thing you should do is read everything above in this article, check whether you use any plugin, theme, service or hosting company possibly affected by the Log4j vulnerability, and act on it.
If none of the above affects you, there are still several things you can do to avoid scares.
Control user registration
In the cases where the Log4j vulnerability has been used to compromise WordPress sites through plugins or themes, it has done so by taking advantage of two elements, in addition to the vulnerable software:
- User registration being allowed on the site through the WordPress users_can_register option, activated from the general settings of WordPress or by some other method.
- The default profile for new users being set to administrator through the default_role option.
Assuming that you do not use software that is already vulnerable, such as the ones we have seen above, you can close off this avenue by disabling registration.
It is important that you do not allow members to register, but it is even more important that the default profile is not administrator; the normal setting is subscriber, which is a safe profile for your website.
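The two settings named above can be pinned in code rather than trusted to the database. The following must-use plugin is an added example written for this article, not code from WordPress or from any of the plugins mentioned: it forces users_can_register to off and default_role to subscriber with WordPress's pre_option filters, and separately audits the raw stored values so an administrator is warned if something has changed them. The plugin name, function name and notice text are my own choices.

```php
<?php
/**
 * Plugin Name: Lock Down Registration (added example)
 *
 * Drop this file into wp-content/mu-plugins/ so it loads before any regular
 * plugin or theme. It pins the two settings the article names,
 * users_can_register and default_role, regardless of what a compromised
 * plugin or theme writes into the options table.
 */

defined( 'ABSPATH' ) || exit;

// Short-circuit the option read: registration is always reported as disabled.
add_filter( 'pre_option_users_can_register', function () {
    return 0;
} );

// Short-circuit the option read: new accounts are always created as subscribers.
add_filter( 'pre_option_default_role', function () {
    return 'subscriber';
} );

/**
 * Audit what is actually stored in the database (bypassing the filters above)
 * so an administrator can see whether something has tampered with the values.
 *
 * @return array{users_can_register: int, default_role: string, issues: string[]}
 */
function lockdown_registration_audit() {
    global $wpdb;

    // Read the raw rows so the pre_option filters do not mask the stored value.
    $stored = $wpdb->get_results(
        "SELECT option_name, option_value FROM {$wpdb->options}
         WHERE option_name IN ('users_can_register', 'default_role')",
        OBJECT_K
    );

    $can_register = isset( $stored['users_can_register'] )
        ? (int) $stored['users_can_register']->option_value : 0;
    $default_role = isset( $stored['default_role'] )
        ? (string) $stored['default_role']->option_value : 'subscriber';

    $issues = array();
    if ( 1 === $can_register ) {
        $issues[] = 'users_can_register is enabled in the database.';
    }
    if ( 'administrator' === $default_role ) {
        $issues[] = 'default_role is set to administrator in the database.';
    }

    return array(
        'users_can_register' => $can_register,
        'default_role'       => $default_role,
        'issues'             => $issues,
    );
}

// Surface the audit result to administrators as a dashboard notice.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $audit = lockdown_registration_audit();
    if ( empty( $audit['issues'] ) ) {
        return;
    }
    echo '<div class="notice notice-error"><p><strong>Registration settings were changed in the database:</strong> '
        . esc_html( implode( ' ', $audit['issues'] ) )
        . ' This plugin keeps them overridden, but review recently created users.</p></div>';
} );
```

Because the filters short-circuit every get_option() call, the General Settings screen will also show registration as disabled and the role as subscriber; the audit notice is what tells you that the stored values drifted, which on a site running one of the listed plugins or themes is a signal to check the Users list for accounts you did not create.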
Update everything
I keep insisting on this, but whatever the vulnerability, with WordPress and all its plugins and themes kept up to date it is very difficult for attackers to affect you, since they all tend to exploit exactly that: vulnerabilities in known versions, which are normally fixed in a matter of hours in later versions.
Even the plugins and themes on the list that we have seen before for the most part already have secure versions.
Use a good security plugin
Always, always, you must have a good security plugin active and well configured. In this guide you have what I have found to be the best free WordPress security plugins:
What is the best free security plugin for WordPress? (2021)
Add security headers
Security headers are one of the best methods of avoiding all kinds of attacks and code injections on your WordPress website, alongside protecting yourself with a good security plugin.
Some security plugins allow you to add the main security headers, and if not, you can review this guide where I explain other methods to add them:
How to add HTTP security headers in WordPress
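If your security plugin does not send the headers, a few lines of PHP can. This must-use plugin is an added example for this article, not code from the guide linked above or from any plugin it reviews. It builds the header set in one function, so the values can be inspected or tested on their own, and sends them on the front end from the send_headers action without overriding a header the web server or another plugin already set. The header values, in particular the Content-Security-Policy, are a constructed starting point and will need adapting to the scripts a real site loads.

```php
<?php
/**
 * Plugin Name: Baseline Security Headers (added example)
 *
 * Place in wp-content/mu-plugins/. Sends a conservative set of HTTP security
 * headers on every front-end response. The Content-Security-Policy below is a
 * constructed starting point, not a policy tuned for any particular site.
 */

defined( 'ABSPATH' ) || exit;

/**
 * Build the header set as name => value.
 *
 * @param bool $is_https Whether the current request arrived over TLS.
 * @return array<string, string>
 */
function baseline_security_headers( $is_https ) {
    $headers = array(
        // Stop browsers from MIME-sniffing a response away from its declared type.
        'X-Content-Type-Options'  => 'nosniff',
        // Disallow framing by other origins (clickjacking).
        'X-Frame-Options'         => 'SAMEORIGIN',
        // Send only the origin as referrer when navigating to other sites.
        'Referrer-Policy'         => 'strict-origin-when-cross-origin',
        // Opt out of browser features the site does not use.
        'Permissions-Policy'      => 'camera=(), microphone=(), geolocation=()',
        // Constructed, deliberately permissive CSP: blocks plain-HTTP subresources
        // and plugin objects, and forbids framing, without breaking typical theme scripts.
        'Content-Security-Policy' => "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval'; "
            . "object-src 'none'; frame-ancestors 'self'; upgrade-insecure-requests",
    );

    // HSTS is only honoured by browsers on an HTTPS response, so only send it there.
    if ( $is_https ) {
        $headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains';
    }

    return $headers;
}

// send_headers fires before WordPress outputs anything, so header() still works here.
add_action( 'send_headers', function () {
    if ( headers_sent() ) {
        return;
    }

    // Index the headers already queued (by the server, a plugin, or WordPress itself).
    $already = array();
    foreach ( headers_list() as $line ) {
        $already[ strtolower( strtok( $line, ':' ) ) ] = true;
    }

    foreach ( baseline_security_headers( is_ssl() ) as $name => $value ) {
        // Leave any header that was already set alone rather than sending a duplicate.
        if ( empty( $already[ strtolower( $name ) ] ) ) {
            header( $name . ': ' . $value );
        }
    }
} );
```

The send_headers action only runs for front-end requests handled by the main WordPress query; wp-admin pages do not pass through it, so if you want the same headers there, add them at the web server level, which also covers static files that never reach PHP.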
Hire a good hosting
Of course, none of the above makes sense if your hosting company, where your WordPress site lives, is the weakest link, when it should be precisely the strongest, being the foundation of your website.
I host all my websites and those of my clients at SiteGround, you know, simply because it is currently the best hosting specialized in WordPress, offering the best quality / performance / price ratio, and they are always ahead in performance and security solutions for WordPress.
There are other good hosting companies, but if I have to recommend one and do it with complete confidence, right now it is without a doubt SiteGround.