Does WordPress Use log4j

Should you be worried about the Log4J vulnerability and your website? Let’s take a look at what Log4J is, why it exists, how it is used and how it interacts with your WordPress site.

What is Log4J?

To understand what Log4J is, we must first understand some basic concepts of building software, whether it is for the web, a mobile app or desktop software. Logs are a key part of not just building but also supporting these applications. Logs contain information about performance, issues and failures inside the software. Engineers and developers place log statements strategically to record that information, which they can later analyze to help solve issues with the software.

To put information into these logs, engineers and developers often use common libraries so they do not have to repeat code, which makes development much easier. Log4J is one of these libraries: a Java-based logging utility developed and maintained by the Apache Foundation. Log4J is built exclusively for the programming language Java (not to be confused with JavaScript).

Why is logging so important?

As we discussed above, some of the simple uses are to track down issues and give developers clues to what is going on. Logging provides a wealth of information in Apache servers, Nginx web servers, and other generic web servers. WordPress itself also offers comprehensive logging to give you or your IT team insight into what is going on with your plugins or themes. Many logging tools use other logging libraries and do not make use of Log4j, and therefore are not exposed to the Log4j exploit. Your WordPress site is built on general open source software that is clear of these issues.

Let’s use an example. Say you just became a customer of ours here at Phynite Solutions. You go to install our plugin so that we can start taking those critical backups of your site and start monitoring its uptime. But when you install it you get errors, you cannot input your secret key to activate the plugin, and you see there is an error listed. Because we provide a complete solution, these issues are logged via an open source logging tool, and the first thing it will do is log critical information that you can send over to us here. With this information we will quickly and happily analyze the log messages to provide support and even new versions of the plugin for you. While this is not normal, it is a good illustration of why logging can be so critical.

Why should I be worried about Log4J?

Java is one of the most popular programming languages around the world. It is commonly used at many of the large technology companies like Amazon and Google. Because of this wide use it is often the target of attacks from cyber criminals looking to gain access and exploit these holes.

In December 2021 a massive vulnerability was found in the Log4J package that allowed attackers to execute code remotely on affected servers, compromising personal and privileged information. A new version was required to patch and help eliminate Log4J vulnerabilities.

That’s great information but does it impact WordPress?

Simply, no. As we mentioned before, Log4J is exclusive to the Java programming language. Your WordPress site has been and always will be built on the PHP programming language, which cannot make use of the Log4J package. Your WordPress website and PHP make use of a different logging library unique to WordPress. However, there is a chance your web host uses the Java language to manage its hosts and tools. You should follow up with your host to find out whether they use the Log4j library and, if so, whether they have patched it so that it is no longer vulnerable to exploitation and whether they have been affected by the Log4j vulnerability.

To be clear, your WordPress site itself is not affected by the Log4j vulnerability.
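If you manage your own server, you can confirm this yourself. The script below is an added example, not code from this page or from WordPress: it walks a directory tree and reports every Java archive (including archives nested inside other archives) that bundles the log4j-core JndiLookup class. The folder names and sample files are constructed for illustration, and a hit means log4j-core is present, not that it is unpatched.

```python
import io
import os
import tempfile
import zipfile

# Class that implements JNDI lookups inside log4j-core 2.x JARs.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear")

def scan_archive(data, label, depth=0):
    """Return labels of archives (including nested ones) that contain JndiLookup."""
    hits = []
    try:
        with zipfile.ZipFile(data) as zf:
            for name in zf.namelist():
                if name == JNDI_CLASS or name.endswith("/" + JNDI_CLASS):
                    hits.append(label)
                elif name.lower().endswith(ARCHIVE_EXTS) and depth < 3:
                    nested = io.BytesIO(zf.read(name))
                    hits += scan_archive(nested, label + "!" + name, depth + 1)
    except (zipfile.BadZipFile, OSError):
        pass  # unreadable or not a real archive: skip it
    return hits

def scan_tree(root):
    """Walk root and report every Java archive that bundles log4j-core's JndiLookup."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_EXTS):
                path = os.path.join(dirpath, fname)
                hits += scan_archive(path, path)
    return hits

def build_sample_tree():
    """Constructed sample: a WordPress folder (no Java) beside a hypothetical Java tool."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "wordpress", "wp-content", "plugins"))
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(JNDI_CLASS, b"constructed stand-in, not a real class")
    os.makedirs(os.path.join(root, "hosting-tool"))
    with zipfile.ZipFile(os.path.join(root, "hosting-tool", "panel.war"), "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core.jar", inner.getvalue())
    return root

if __name__ == "__main__":
    print("\n".join(scan_tree(build_sample_tree())))
```

To check a real server, call `scan_tree()` on the directories you want to inspect; any archive it lists is worth raising with your host or the vendor of that Java tool.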
