Skip to main content
wordpress support services

WPTavern: New WP-CLI Project Aims to Extend Checksum Verification to Plugins and Themes

By 02/10/2017October 24th, 2017No Comments

WPTavern: New WP-CLI Project Aims to Extend Checksum Verification to Plugins and Themes

The WP-CLI team is initiating a new project that aims to bring checksum verification to plugins and themes. Checksums are a method of verifying the integrity of files. Three years ago, WP-CLI added the capability of verifying WordPress core checksums using the MD5 algorithm. This is a useful security feature that allows developers to easily see if any files have been modified or compromised.

The core checksums are handled via WordPress’ official API ( and WP-CLI contributors are planning to extend this infrastructure to plugins and themes hosted on

“Having this kind of functionality for plugins and themes as well would be a huge security benefit,” WP-CLI co-maintainer Alain Schlesser said. “It would allow you to check the file integrity of an entire site, possibly in an automated fashion. However, there is no centralized way of retrieving the file checksums for plugins or themes yet, and the alternative of downloading the plugins and themes from the official servers first just to check against them is wasteful in terms of resources and bandwidth.”

Contributors are currently exploring different options for implementation in a discussion on GitHub, inspired by an existing wp-checksum project by Erik Torsner.

“The simplest possible infrastructure to go with would be flat files (no database),” WP-CLI maintainer Daniel Bachhuber said. “I’ve chatted with the corresponding folks about hosting. If our middleware application can generate flat files served by some API, then it will be fine to sync those flat files to a server (with rsync or similar).”

The team is considering building the API under a separate URL for testing and iteration and then incorporating it back into’s infrastructure once it is ready. However, the sheer size of the SVN checkouts and the CPU required to sync the files makes it an interesting challenge. DreamHost has volunteered a server for the team to run its checksum generator on while the infrastructure is being developed.

Torsner’s WP-CLI subcommand to verify checksums for themes and plugins currently only works with those hosted on, but he is also experimenting with mechanisms for getting checksums from some commercial vendors, including Gravity Forms and Easy Digital Downloads. He said he hopes the project would be capable of keeping these capabilities for commercial plugins after it is incorporated back into

The Plugin and Themes Checksums project is currently in the initiation stage and will have an official kickofff during the next WP-CLI meeting on Tuesday, October 3, 2017, at 11:00 AM CDT. Anyone who would like to volunteer is encouraged to attend, especially those with an interest in security, systems administration, and the technology required to get this project off the ground.

“This project will have a huge impact on the perceived and effective security of WordPress installations,” Schlesser said. “It can greatly reduce the amount of malware-infested sites plaguing the internet, and through the substantial market share of WordPress, improve the general browsing experience for all net citizens.”

Source: WordPress