
WPTavern: New WP-CLI Project Aims to Extend Checksum Verification to Plugins and Themes

The WP-CLI team is initiating a new project that aims to bring checksum verification to plugins and themes. Checksums are a method of verifying the integrity of files. Three years ago, WP-CLI added the capability of verifying WordPress core checksums using the MD5 algorithm. This is a useful security feature that allows developers to easily see if any files have been modified or compromised.

The core checksums are handled via WordPress’ official API (https://api.wordpress.org/core/checksums/) and WP-CLI contributors are planning to extend this infrastructure to plugins and themes hosted on WordPress.org.
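What a verification of that kind looks like in practice, as an added example that is not WP-CLI's or WordPress.org's code: a manifest in the same shape as the core checksums API response (constructed here, not fetched) is compared against a directory tree, and the three kinds of drift an integrity check should surface are reported: modified files, files that are missing, and files present on disk that the package never shipped.

```python
import hashlib
import tempfile
from pathlib import Path

def file_md5(path):
    """MD5 of a file, streamed so large files do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_tree(root, manifest):
    """Compare the files under root against a {"checksums": {rel_path: md5}} manifest.
    Returns the files whose hash changed, the files the manifest lists but that are
    gone, and the files on disk the manifest never listed (these deserve a look,
    since the published package did not ship them)."""
    root = Path(root)
    expected = manifest["checksums"]
    modified, missing = [], []
    for rel, digest in expected.items():
        p = root / rel
        if not p.is_file():
            missing.append(rel)
        elif file_md5(p) != digest:
            modified.append(rel)
    on_disk = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    return {
        "modified": sorted(modified),
        "missing": sorted(missing),
        "unexpected": sorted(on_disk - set(expected)),
    }

def demo():
    """Build a constructed install in a temp dir, tamper with it, and verify it."""
    root = Path(tempfile.mkdtemp())
    shipped = {  # constructed sample files, not real WordPress sources
        "index.php": b"<?php require __DIR__ . '/wp-blog-header.php';\n",
        "wp-settings.php": b"<?php // constructed placeholder\n",
        "wp-includes/version.php": b"<?php $wp_version = '0.0.0-constructed';\n",
    }
    for rel, data in shipped.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    # Manifest shaped like the core checksums API response, built locally.
    manifest = {"checksums": {rel: hashlib.md5(data).hexdigest() for rel, data in shipped.items()}}
    assert verify_tree(root, manifest) == {"modified": [], "missing": [], "unexpected": []}
    # Simulate the three kinds of drift: an edit, a deletion, and an unlisted file.
    (root / "index.php").write_bytes(shipped["index.php"] + b"// locally edited\n")
    (root / "wp-settings.php").unlink()
    (root / "wp-content" / "uploads").mkdir(parents=True)
    (root / "wp-content" / "uploads" / "extra.php").write_bytes(b"<?php // not in manifest\n")
    return verify_tree(root, manifest)
```

MD5 is what the core API publishes; it reliably flags files that differ from the published package, but it is not collision-resistant, so a match means "unchanged from what WordPress.org published", not proof of who produced the file.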

“Having this kind of functionality for plugins and themes as well would be a huge security benefit,” WP-CLI co-maintainer Alain Schlesser said. “It would allow you to check the file integrity of an entire site, possibly in an automated fashion. However, there is no centralized way of retrieving the file checksums for plugins or themes yet, and the alternative of downloading the plugins and themes from the official servers first just to check against them is wasteful in terms of resources and bandwidth.”

Contributors are currently exploring different options for implementation in a discussion on GitHub, inspired by an existing wp-checksum project by Erik Torsner.

“The simplest possible infrastructure to go with would be flat files (no database),” WP-CLI maintainer Daniel Bachhuber said. “I’ve chatted with the corresponding WordPress.org folks about hosting. If our middleware application can generate flat files served by some API, then it will be fine to sync those flat files to a WordPress.org server (with rsync or similar).”

The team is considering building the API under a separate URL for testing and iteration and then incorporating it back into WordPress.org’s infrastructure once it is ready. However, the sheer size of the SVN checkouts and the CPU required to sync the files makes it an interesting challenge. DreamHost has volunteered a server for the team to run its checksum generator on while the infrastructure is being developed.

Torsner’s WP-CLI subcommand to verify checksums for themes and plugins currently only works with those hosted on WordPress.org, but he is also experimenting with mechanisms for getting checksums from some commercial vendors, including Gravity Forms and Easy Digital Downloads. He said he hopes the project would be capable of keeping these capabilities for commercial plugins after it is incorporated back into WordPress.org.

The Plugin and Themes Checksums project is currently in the initiation stage and will have an official kickoff during the next WP-CLI meeting on Tuesday, October 3, 2017, at 11:00 AM CDT. Anyone who would like to volunteer is encouraged to attend, especially those with an interest in security, systems administration, and the technology required to get this project off the ground.

“This project will have a huge impact on the perceived and effective security of WordPress installations,” Schlesser said. “It can greatly reduce the amount of malware-infested sites plaguing the internet, and through the substantial market share of WordPress, improve the general browsing experience for all net citizens.”



Source: WordPress
