How To Verify WordPress Checksums Using WP-CLI

If you do not keep site plugins updated along with WordPress core updated, then you run into the chance of your site being hacked or infected by Malware. If your site does get infected by malware, a way to easily find any of the non-standard WordPress core and plugin files is by using the verify checksums commands in WP-CLI (the WordPress Command Line Interface).

Preparing to Run Commands

First, you will need to login to your portal via SSH. For directions on generating credentials for sFTP/SSH creds from your site manager, see Finding Your SFTP/SSH Credentials in Managed WordPress Portal. For help using SSH, see Logging into Your Server via Secure Shell (SSH).

Getting Started

Security plugins have definite uses, but when you need to verify WordPress core as well as all installed plugins on the WordPress.org checksums, plugins are just not the appropriate tool. WP-CLI already has checksum commands for both WordPress core and all plugins.

Checksums Commands

• To verify that all WordPress core files checksum match, the WP-CLI command to run is:

wp core verify-checksums

• To verify checksum against specific versions of WordPress, you can include the version number in the command. To verify for version 5.2.1 of WordPress core, for example, the command would be:

wp core verify-checksums --version=5.2.1

• If you were using an older version of WordPress, for example version 4.9.10, the command would be:

wp core verify-checksums --version=4.9.10

• To verify the checksum of all plugins which are installed on your site server (this would only include plugins available from WordPress), then the command to run would be:

wp plugin verify-checksums --all

• To verify the checksums of a specific plugin (e.g., WooCommerce), you will need to know the plugin “slug” (or short name). You can find the slug by looking in the plugins links on the WordPress website.

The plugin slug for WooCommerce is woocommerce, so to verify the checksums of the WooCommerce plugin, the command would be;

wp plugin verify-checksum woocommerce

Summing Up

The files that the core verify checksum or the plugin verify checksum commands in WP-CLI will display will be any of the non-standard PHP or other files that should not exist in WordPress folders. The files should be deleted (it’s always a good idea to take backups before deleting data from your server). and then you can rerun the same verify checksums commands to check that there are no other files which should not exist on your site server.

Knowing how to verify the checksums of WordPress core files, all plugins installed from WordPress.org, and specific plugins installed from WordPress.org using simple-to-use WP-CLI commands will give you peace of mind in knowing that there are no non-standard files that exist in those folder directories.