What is the Log4j Security Threat?
The Log4j security threat comes from Java-based software that’s original purpose is to simply log error messages in applications. However, a vulnerability has been exposed which allows remote code execution (RCE). To put it simply – any device or software that uses Log4j is in danger of having malicious code injected into their system.
On Monday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Director released a statement, in which she states:
This vulnerability, which is being widely exploited by a growing set of threat actors, presents an urgent challenge to network defenders given its broad use... To be clear, this vulnerability poses a severe risk. We urge all organizations to join us in this essential effort and take action.
Jen Easterly | Cybersecurity and Infrastructure Security Agency Director
Experts are consistently rating this a 10/10 security threat (the lowest score I’ve seen is a 9.8/10). The vulnerability is actively being exploited to implement ransomware, spyware and other malware. It’s dangerous and hard to detect. There isn’t a headline that isn’t spreading a bit of FUD:
Does Log4j Affect WordPress Websites?
Now, for the relatively good news. Wordfence, a well respected WordPress security plugin, has identified only a handful of WordPress plugins and themes that use Log4j. If you are using one of these, you should take immediate action:
- PublishPress Capabilities <= 2.3
- Kiwi Social Plugin <= 2.0.10
- Pinterest Automatic <= 4.14.3
- WordPress Automatic <= 3.53.2
- The following are the affected Epsilon
- Framework theme versions:
- Shapely <=1.2.7
- NewsMag <=2.4.1
- Activello <=1.4.0
- Illdy <=2.1.4
- Allegiant <=1.2.5
- Newspaper X <=1.3.1
- Pixova Lite <=2.0.5
- Brilliance <=1.2.9
- MedZone Lite <=1.2.4
- Regina Lite <=2.0.4
- Transcend <=1.1.8
- Affluent <1.1.0
- Bonkers <=1.0.5
- Antreas <=1.0.4
- NatureMag Lite – No patch known. Recommended to uninstall from site.
If you are running a custom built theme, you may need to speak with your developer about your security.
What Can I Do to Protect My Website from Log4j?
The best thing you can do to protect yourself from Log4j (and future potential vulnerabilities) is to keep your website and tools fully updated. Make sure you are running the latest version of WordPress. Move to the latest version of PHP. Update all plugins and themes as soon as possible.
You should also invest in reliable, high quality, and secure tools to help run your website and other applications.
Companies like Cloudflare are doing their part by updated their systems to the latest WAF protection.
WP Engine has reported that they don’t use Log4J for any customer-facing or internet-facing systems.
Wordfence keeps blogging about their findings and offering advice.
Make sure you have a partner that is following the latest industry news for security issues like these. As long as you’ve taken some general but necessary precautions, most WordPress websites should be ok.
Moving Forward
There have already been patches to protect against Log4j, but some of those patches have already been exploited. This bug will take some time to exterminate completely. However, even when it is handled, there will undoubtedly be another exploit that pops up somewhere, sometime. Specific hacks may come and go, but hackers will be around forever.
Unfortunately, this is the nature of the internet. If you are unaffected by Log4j specifically, use this as a reminder (or a wake up call) that you need to start taking website security seriously.
It’s a scary world out there, but with a little preparation, you’ll be able to react to the worst situations in the best way possible.