Checksum verification of WordPress


Checksum Verification?

A checksum verification is when you have a known good hash of a file or set of files, and you compare it against the files you have to ensure they haven’t been modified.  This can serve as a basic security check to ensure no core WordPress files have been hijacked.

Why do I need to do this?

WordPress is constantly updated to resolve bugs and security vulnerabilities, and sometimes keeping it up to date isn’t enough.  Sometimes you have to make sure that the core files haven’t been modified.  If they have, this may mean something has been changed without your permission, and could potentially be a piece of malware.  Core files are only supposed to change between releases, and are not supposed to be modified after install.  This is why there are action and filter hooks, as well as Plugins and your theme’s functions.php file.

How do I do this?

The first step is to get SSH access to your hosting account.

You can do this a multitude of ways, but there are plenty of articles which explain how to do this, so we’ll continue assuming you’re in your Home Directory in your SSH client.

The prompt you should be looking at may look something like:

[you@yourserver ~]$

From here, we’ll download the latest release of WP-CLI (Copy & Paste)

curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar

Then, we’ll give wp-cli.phar execute permissions with:

chmod +x wp-cli.phar

Once wp-cli.phar has execute permissions, we can call it directly and provide it the path to your WordPress install.  On cPanel servers this is usually /home/myusername/public_html, so replace myusername with your actual username on the server.

./wp-cli.phar --path='/home/myusername/public_html' core verify-checksums

This will perform a checksum verification of the files present in the public_html directory, to see if any files are missing or modified, or otherwise not supposed to be there.
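To show what a checksum verification actually compares, here is an added Python example (not part of this article or of WP-CLI) that reproduces the core logic: given a map of expected MD5 hashes per core file, of the kind the WordPress.org checksums API publishes for each release, it reports files that are missing, files whose hash differs, and files under wp-admin/ or wp-includes/ that the release does not list at all. The demo() function builds a constructed install in a temporary directory; fetch_core_checksums() is for real use and assumes network access to api.wordpress.org.

```python
import hashlib
import json
import os
import tempfile
import urllib.request

CHECKSUMS_API = "https://api.wordpress.org/core/checksums/1.0/"

def fetch_core_checksums(version, locale="en_US"):
    """Download the release's md5 map from WordPress.org (needs network)."""
    with urllib.request.urlopen(f"{CHECKSUMS_API}?version={version}&locale={locale}", timeout=30) as r:
        return json.load(r)["checksums"]

def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_checksums(root, checksums):
    """Return sorted (missing, modified, unexpected) paths relative to root."""
    missing, modified, unexpected = [], [], []
    for rel, expected in checksums.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            missing.append(rel)
        elif md5_of(path) != expected:
            modified.append(rel)
    # Anything under wp-admin/ or wp-includes/ that the release does not list is suspect.
    for core_dir in ("wp-admin", "wp-includes"):
        for dirpath, _, names in os.walk(os.path.join(root, core_dir)):
            for name in names:
                rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
                if rel not in checksums:
                    unexpected.append(rel)
    return sorted(missing), sorted(modified), sorted(unexpected)

def demo():
    """Constructed install: one clean, one tampered, one missing, one dropped-in file."""
    root = tempfile.mkdtemp()
    files = {"wp-load.php": b"<?php // loader\n", "wp-admin/index.php": b"<?php // admin\n",
             "wp-includes/version.php": b"<?php $v = '1';\n"}
    checksums = {rel: hashlib.md5(data).hexdigest() for rel, data in files.items()}
    files["wp-includes/version.php"] = b"<?php // modified\n"  # changed after install
    files["wp-includes/extra.php"] = b"<?php\n"                 # not part of the release
    del files["wp-admin/index.php"]                              # missing from disk
    for rel, data in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    return verify_checksums(root, checksums)
```

Note that, like WP-CLI, this only covers core files; plugins, themes and uploads need their own checks.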

Interpreting the results

So, once the checksum verification has finished running, it will print a status at the very end, either Success or Failure.  If you get a Success, then you’re all good, barring security issues in other areas of your server external to WordPress.  If you get a Failure, however, and it looks like files under /wp-admin/ or /wp-includes/, or the /wp-*.php files in public_html, have been modified, then you may have a hijacked or at the very least modified install.

It failed, how do I fix it?

While you are still logged into SSH, you can force a resync of the core files, which should put you in a much better position to remove most traces of file code injection.  Here’s the command:

./wp-cli.phar --path='/home/myusername/public_html' core download --force

This replaces your core files with versions from a verified source, specifically overwriting any that have been modified.  After that command finishes, run core verify-checksums again to ensure that your install is free of injection.
