wp core verify-checksums
Overview
Detect modified, added, or deleted WordPress core files by comparing them against the official MD5 checksums from WordPress.org. It is the first command to run during any security incident.
What It Does
wp core verify-checksums downloads the official checksum manifest for the installed WordPress version from api.wordpress.org and compares every core file's MD5 hash. It reports:
- Modified files — core files where the hash does not match
- Deleted files — core files that are missing
- Added files — non-core files that shouldn't be in core directories
Only WordPress core files are verified — plugins, themes, and wp-content/ are not checked by this command.
Syntax
wp core verify-checksums [--version=<version>] [--locale=<locale>] [--insecure]
Options & Flags
| Flag | Description |
|---|---|
| --version=VERSION | Override version to check against (defaults to installed version) |
| --locale=LOCALE | Override locale for checksum lookup (defaults to installed locale) |
| --insecure | Skip SSL verification when fetching checksums; this exposes the request to man-in-the-middle tampering |
Basic Usage
Verify current installation
wp core verify-checksums
Verify against a specific version
wp core verify-checksums --version=6.7.2
Expected Output
All files match (clean)
Success: WordPress installation verifies against checksums.
Modified files detected
Warning: File doesn't verify against checksum: wp-includes/js/jquery/jquery.min.js
Error: WordPress installation doesn't verify against checksums.
Added files detected
Warning: File added: wp-admin/includes/evil-script.php
Error: WordPress installation doesn't verify against checksums.
What Each Warning Means
| Warning Type | Meaning | Action |
|---|---|---|
| File doesn't verify against checksum | File content was modified | Inspect and restore with wp core reinstall |
| File is added | Extra file found in a core directory | Inspect immediately — likely malware |
| File is removed | Core file is missing | Restore with wp core reinstall |
"File is added" is the most serious
An unexpected file inside wp-admin/ or wp-includes/ is a strong indicator of a hack. Treat it as an active security incident.
Real-World Scenarios
Scenario 1: Incident response checklist
# Step 1: Identify which core files are affected
wp core verify-checksums
# Step 2: Backup database before any changes
# (run this from a directory outside the web root so the dump is not web-accessible)
wp db export backup_incident_$(date +%Y%m%d%H%M).sql
# Step 3: Reinstall core files at current version
wp core reinstall
# Step 4: Verify again — should be clean
wp core verify-checksums
# Step 5: Rotate salts (invalidate all sessions)
wp config shuffle-salts
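# Step 6: Force password reset on admin accounts
# (loop so each account gets its own random password; $(...) inside a single xargs call expands only once)
for id in $(wp user list --role=administrator --format=ids); do
    wp user update "$id" --user_pass="$(openssl rand -base64 20)"
done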
Scenario 2: Regular security audit (cron)
#!/bin/bash
# Run daily and alert on failure
if ! wp --path=/var/www/html core verify-checksums --quiet; then
    echo "ALERT: WordPress core file integrity check failed on $(hostname)" | \
        mail -s "WP Security Alert" admin@example.com
fi
Scenario 3: Post-update verification
wp core update
wp core update-db
wp core verify-checksums && echo "Core files verified ✅" || echo "Integrity issue detected ❌"
Scenario 4: Verify all managed sites
SITES=("/var/www/site1" "/var/www/site2" "/var/www/site3")
for site in "${SITES[@]}"; do
    echo -n "Checking ${site}: "
    wp --path="$site" core verify-checksums --quiet && echo "✅ OK" || echo "❌ FAILED"
done
Best Practices
- Run after every update — wp core update + wp core verify-checksums is the minimum safe workflow.
- Automate daily checks via cron — detect tampering before it escalates.
- Treat File is added as a critical alert — immediately investigate any unknown file in core directories.
- Restore with wp core reinstall — never manually edit modified core files.
- Always rotate salts after a hack — wp config shuffle-salts invalidates all sessions.
Troubleshooting
| Problem | Cause | Fix |
|---|---|---|
| Cannot retrieve checksums | No internet / API unavailable | Use --insecure or retry later |
| Legitimate customization flagged | Core files were intentionally modified | Revert modifications — never edit core files |
| Pass on compromised site | Malware only in plugins/themes, not core | Check plugins with wp plugin verify-checksums |
| Version mismatch warning | wp-includes/version.php tampered | Use --version to force correct version |
Quick Reference
wp core verify-checksums # Verify current install
wp core verify-checksums --version=6.7.2 # Force version check
wp core reinstall # Restore after failure
wp config shuffle-salts # Invalidate sessions after incident
Next Steps
- wp core reinstall — restore core files when checksums fail.
- wp config shuffle-salts — rotate salts after a security incident.
- Security & Maintenance — full security hardening workflow.