wp core verify-checksums
Overview
Compare every WordPress core file on disk against the official MD5 checksums from wordpress.org. Any file that differs — added, modified, or corrupted — is flagged. This is the fastest way to detect core-level tampering on a live server.
What It Does
wp core verify-checksums downloads the official checksum manifest for your installed WordPress version from the wordpress.org API and compares it against every file in your WordPress installation. Modified or extra files are reported.
Syntax
wp core verify-checksums [OPTIONS]
Arguments & Options
| Flag | Description |
|---|---|
| --version=VERSION | Check against a specific WP version (default: installed version) |
| --locale=LOCALE | Locale used when fetching checksums (default: site locale) |
| --insecure | Allow non-HTTPS for fetching checksums (not recommended) |
Basic Usage
Verify the current install
wp core verify-checksums
Clean output:
Success: WordPress installation verifies against checksums.
Tampered file output:
Warning: File doesn't verify against checksum: wp-login.php
Error: WordPress installation doesn't verify against checksums.
Real-World Scenarios
Scenario 1: Rapid post-compromise triage
#!/bin/bash
# run after detecting suspicious behavior
echo "=== Integrity Check: $(date) ==="
echo "Site: $(wp option get siteurl)"
echo ""
if wp core verify-checksums; then
    echo "✓ Core files intact"
else
    echo "✗ Core files COMPROMISED"
    echo "Enabling maintenance mode..."
    wp maintenance-mode activate
    echo "Contact your security team immediately."
fi
Scenario 2: Scheduled nightly scan
#!/bin/bash
# /opt/scripts/wp-nightly-checksums.sh
LOG="/var/log/wp-integrity-$(date +%Y%m%d).log"
# WP-CLI writes warnings to stderr, so capture both streams
wp core verify-checksums >> "$LOG" 2>&1
if grep -q "doesn't verify" "$LOG"; then
    echo "CHECKSUM FAILURE on $(hostname) — $(date)" | \
        mail -s "⚠ WP Integrity Alert" admin@example.com
fi

# Add to cron (nightly at 2 AM). This line belongs in the crontab, not in the script:
# 0 2 * * * /opt/scripts/wp-nightly-checksums.sh
Scenario 3: Verify before and after an update
echo "=== Pre-update Check ==="
wp core verify-checksums
wp core update
echo "=== Post-update Check ==="
wp core verify-checksums
Scenario 4: Check only specific version
# Useful if you suspect the installed version report is wrong
wp core verify-checksums --version=6.4.2
What Gets Flagged
| Flag Type | Meaning |
|---|---|
| Modified file | File contents differ from official hash |
| Extra file | File in a core directory not in the manifest |
| Missing file | Core file deleted or renamed |
Extra files
Files added by plugins to core directories (e.g. wp-content/) are not flagged — only files within standard WP core paths.
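The three finding types in the table above can be pulled out of the command's output and counted per type, so an alert says what changed rather than only that something did. This is an added example, not part of WP-CLI or the original page; the function names and sample output are constructed, and the "File doesn't exist" and "File should not exist" prefixes are assumed from WP-CLI's warning messages (the page shows only the "doesn't verify" form).

```shell
#!/bin/bash
# Added example: classify `wp core verify-checksums` warnings by finding type.
# Assumption: the warning prefixes below match your WP-CLI version; check before relying on them.

# Constructed sample output (not from a real site).
SAMPLE_OUTPUT="Warning: File doesn't verify against checksum: wp-login.php
Warning: File doesn't exist: wp-includes/version.php
Warning: File should not exist: wp-includes/css/cache.php
Warning: File should not exist: wp-admin/images/x.php
Error: WordPress installation doesn't verify against checksums."

# Read command output on stdin; print one "<TYPE><TAB><path>" line per warning.
classify_findings() {
    awk '
        sub(/^Warning: File doesn.t verify against checksum: /, "") { print "MODIFIED\t" $0; next }
        sub(/^Warning: File doesn.t exist: /, "")                  { print "MISSING\t" $0; next }
        sub(/^Warning: File should not exist: /, "")               { print "EXTRA\t" $0; next }
    '
}

# Read command output on stdin; print "modified=N missing=N extra=N".
summarize_findings() {
    classify_findings | awk -F'\t' '
        { n[$1]++ }
        END { printf "modified=%d missing=%d extra=%d\n", n["MODIFIED"], n["MISSING"], n["EXTRA"] }
    '
}

# Succeed (exit 0) when stdin contains at least one finding of any type.
has_findings() {
    [ -n "$(classify_findings)" ]
}

# On a server: wp core verify-checksums 2>&1 | summarize_findings
printf '%s\n' "$SAMPLE_OUTPUT" | classify_findings
printf '%s\n' "$SAMPLE_OUTPUT" | summarize_findings
```

Matching on the individual warning lines, rather than only on the phrase "doesn't verify", keeps extra-file warnings from being overlooked in a log scan.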
After a Failure: Remediation
# 1. Put site in maintenance mode
wp maintenance-mode activate
# 2. Reinstall core files without touching wp-config or wp-content
wp core download --force
# 3. Verify again
wp core verify-checksums
# 4. If clean, deactivate maintenance mode
wp maintenance-mode deactivate
Best Practices
- Run regularly — weekly or nightly via cron on production sites.
- Alert on failure — pipe output to an email or Slack webhook.
- Combine with plugin checksums — wp plugin verify-checksums --all to cover the full install.
- Enable maintenance mode immediately upon a checksum failure before investigating.
Troubleshooting
| Problem | Cause | Fix |
|---|---|---|
| Error: Checksum API is not accessible | Network or firewall issue | Ensure the server can reach wordpress.org |
| False positives after manual edit | You edited a core file (bad practice) | Reinstall with wp core download --force |
| Locale mismatch error | Site uses a non-English locale | Pass --locale= explicitly |
Quick Reference
wp core verify-checksums # Verify current version
wp core verify-checksums --version=6.4.2 # Specific version
wp core download --force # Reinstall core after failure
wp maintenance-mode activate # Lock site during investigation
Next Steps
- wp maintenance-mode activate — take the site offline before remediation.
- wp core update — update core if outdated.
- wp plugin verify-checksums — extend verification to plugins.