Checksum Verification
Overview
WordPress maintains official checksums (MD5 hashes) of every core file in a known-good state. WP-CLI can compare your live files against those checksums to detect unauthorized modifications, malware injections, and corrupted installs.
Why Checksum Verification Matters
WordPress core files should never change between updates. If any core file differs from the official hash:
- A server compromise may have injected malicious code
- A plugin or theme may have wrongly modified a core file
- The WordPress install may be corrupted
Checksum verification is the fastest way to confirm core file integrity without manually reviewing every PHP file.
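To make the comparison concrete, the following added example (not WP-CLI's implementation and not code from this page) checks a directory tree against a recorded MD5 manifest and reports files that changed, files that are missing, and files that were added. It assumes GNU `md5sum` and `mktemp`, a manifest in `md5sum` format rather than the wordpress.org API response, and the hypothetical function names `verify_tree` and `demo`.

```bash
# verify_tree ROOT MANIFEST
# MANIFEST is md5sum format: "<md5>  <path relative to ROOT>" per line.
# Prints "missing|modified|unexpected <path>" per finding; returns 1 if any.
verify_tree() {
  vt_root=$1; vt_manifest=$2
  vt_list=$(mktemp)
  sed 's/^[^ ]* *//' "$vt_manifest" > "$vt_list"   # listed paths only
  vt_out=$(
    # Pass 1: every listed file must exist and hash to the recorded value.
    while read -r want path; do
      [ -n "$path" ] || continue
      if [ ! -f "$vt_root/$path" ]; then
        echo "missing $path"
      elif [ "$(md5sum < "$vt_root/$path" | cut -d' ' -f1)" != "$want" ]; then
        echo "modified $path"
      fi
    done < "$vt_manifest"
    # Pass 2: files in core-only directories that the manifest does not list.
    # Assumption: wp-content is skipped because it holds site-specific files.
    (cd "$vt_root" && find wp-admin wp-includes -type f 2>/dev/null) |
      grep -Fxv -f "$vt_list" | sed 's/^/unexpected /'
  )
  rm -f "$vt_list"
  [ -z "$vt_out" ] && return 0
  printf '%s\n' "$vt_out" | sort
  return 1
}

# Constructed sample: a tiny fake core tree, a manifest recorded while it is
# clean, then three changes made after the manifest was taken.
demo() {
  d=$(mktemp -d)
  mkdir -p "$d/site/wp-admin" "$d/site/wp-includes" "$d/site/wp-content/uploads"
  echo '<?php // loader'  > "$d/site/wp-load.php"
  echo '<?php // admin'   > "$d/site/wp-admin/index.php"
  echo '<?php // version' > "$d/site/wp-includes/version.php"
  (cd "$d/site" && md5sum wp-load.php wp-admin/index.php wp-includes/version.php) > "$d/manifest"
  echo '// appended line' >> "$d/site/wp-includes/version.php"   # modified
  rm "$d/site/wp-admin/index.php"                                # missing
  echo '<?php' > "$d/site/wp-includes/cache-x.php"               # unexpected
  echo 'jpg'   > "$d/site/wp-content/uploads/a.jpg"              # out of scope
  verify_tree "$d/site" "$d/manifest" && rc=0 || rc=$?
  rm -rf "$d"
  return "$rc"
}

demo || echo "core tree does not match its manifest"
```

A manifest is only as trustworthy as its source: one stored on the same server as the files it describes can be rewritten along with them, which is why the commands on this page fetch checksums from wordpress.org.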
What Gets Checked
| Target | Command | Source |
|---|---|---|
| WordPress core | wp core verify-checksums | wordpress.org API |
| Plugins | wp plugin verify-checksums | wordpress.org plugin repo |
| Child themes (limited) | Manual via wp eval | N/A |
Workflow: Full Integrity Scan
```bash
#!/bin/bash
# integrity-scan.sh
echo "=== WordPress Integrity Check ==="
echo "Site: $(wp option get siteurl)"
echo "Date: $(date)"
echo ""

# 1. Verify core
echo "--- Core Checksums ---"
if wp core verify-checksums; then
  echo "✓ Core OK"
else
  echo "✗ Core FAILED"
fi
echo ""

# 2. Verify all active plugins against wordpress.org checksums
echo "--- Plugin Checksums ---"
for plugin in $(wp plugin list --status=active --field=name); do
  if wp plugin verify-checksums "$plugin" 2>/dev/null; then
    echo "  ✓ $plugin"
  else
    echo "  ✗ $plugin — MISMATCH"
  fi
done
```
Next Steps
- wp core verify-checksums: full usage and options.
- maintenance-mode: take the site offline before remediation.