Checksums for the WordPress community.
Every plugin uploaded to WordPress.org receives a corresponding checksums file like this: https://downloads.wordpress.org/plugin-checksums/woocommerce/8.6.0.json. These checksums are used by tools like WP-CLI to verify that nothing has been tampered with.
Many popular plugins aren’t on WordPress.org. So how can we extend this basic security feature for the larger WordPress community? That’s why WP Beacon exists.
WP Beacon allows users to generate and verify checksums for plugins which have not been uploaded to WordPress.org.
How's it work? WP Beacon provides a WP-CLI package, installed with:
wp package install wpbeacon/checksum-command
which adds the following commands:
wp beacon plugin verify-checksums [<plugin>...] [--all]
This command performs the normal WordPress.org checksum verification, then generates and verifies localized checksums for all other plugins. Optionally you can self-host your own checksums by providing --provider=<url>.
wp beacon plugin generate-checksums [<plugin>...] [--all]
This command generates checksums for one or many currently installed plugins. Checksum generation happens automatically during wp beacon plugin verify-checksums.
Additional questions and answers…
Where are the checksums stored?
Checksums are stored at the following location organized by slug, author and version.
/checksums/plugins/{slug}/{author}_{version}.json
This is similar to WordPress.org with an added layer for the author as there is nothing to prevent identically named plugins in the WordPress ecosystem.
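The following is an added example written for this page; it is not code from the wpbeacon/checksum-command project. It shows the generate-then-verify cycle the two commands above perform and the {slug}/{author}_{version}.json storage layout, using a constructed plugin tree in a temporary directory. The per-file md5 and sha256 fields mirror the WordPress.org plugin-checksums JSON format; the plugin name, author and file contents are invented sample data. It also makes the trust limit of local checksums visible: only changes made after the checksums were generated are detectable, so the clean run passes while the modified and added files show up on the second run.

```python
"""Added example: WP Beacon-style local plugin checksums (not the project's code).

Checksum JSON layout (plugin/version/files with md5+sha256 per file) is modelled
on WordPress.org's plugin-checksums files; the storage path
/checksums/plugins/{slug}/{author}_{version}.json follows the text above.
All plugin contents below are constructed sample data.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def file_digests(path: Path) -> dict:
    """Return md5 and sha256 hex digests of one file, streamed in chunks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def checksum_path(store: Path, slug: str, author: str, version: str) -> Path:
    """plugins/{slug}/{author}_{version}.json under the given checksums root."""
    return store / "plugins" / slug / f"{author}_{version}.json"


def generate_checksums(plugin_dir: Path, store: Path, slug: str, author: str, version: str) -> Path:
    """Hash every file under plugin_dir and write the checksums JSON; returns its path."""
    files = {}
    for p in sorted(plugin_dir.rglob("*")):
        if p.is_file():
            files[p.relative_to(plugin_dir).as_posix()] = file_digests(p)
    out = checksum_path(store, slug, author, version)
    out.parent.mkdir(parents=True, exist_ok=True)
    out.write_text(json.dumps({"plugin": slug, "version": version, "files": files}, indent=2))
    return out


def verify_checksums(plugin_dir: Path, checksum_file: Path) -> dict:
    """Compare the plugin tree against a checksums file.

    Returns {"modified": [...], "missing": [...], "added": [...]}; all empty means
    the tree matches. Files the checksums file never knew about are reported as
    "added", which is also what a release that changed files without a version
    bump looks like.
    """
    expected = json.loads(checksum_file.read_text())["files"]
    present = {p.relative_to(plugin_dir).as_posix() for p in plugin_dir.rglob("*") if p.is_file()}
    result = {"modified": [], "missing": [], "added": sorted(present - set(expected))}
    for rel, digests in expected.items():
        if rel not in present:
            result["missing"].append(rel)
        elif file_digests(plugin_dir / rel)["sha256"] != digests["sha256"]:
            result["modified"].append(rel)
    return result


def demo() -> tuple:
    """Build a constructed plugin, generate checksums, change it, and re-verify."""
    root = Path(tempfile.mkdtemp())
    plugin, store = root / "wp-content" / "plugins" / "acme-seo", root / "checksums"
    (plugin / "inc").mkdir(parents=True)
    (plugin / "acme-seo.php").write_text("<?php\n/* Plugin Name: Acme SEO\n * Version: 2.1.0 */\n")
    (plugin / "inc" / "admin.php").write_text("<?php\n// admin page\n")
    cs = generate_checksums(plugin, store, "acme-seo", "acme", "2.1.0")
    clean = verify_checksums(plugin, cs)
    # A change made after generation, plus a file that was never checksummed.
    (plugin / "inc" / "admin.php").write_text("<?php\n// admin page (changed after generation)\n")
    (plugin / "inc" / "extra.php").write_text("<?php\n")
    changed = verify_checksums(plugin, cs)
    return cs.relative_to(store).as_posix(), clean, changed


if __name__ == "__main__":
    print(demo())
```

Running the script prints the relative checksums path, an all-empty report for the untouched tree, and a second report listing inc/admin.php as modified and inc/extra.php as added. Note that the sha256 is what decides a mismatch; the md5 is written only for compatibility with the WordPress.org file shape.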
Can others see my plugins?
Only checksums are created for files inside your plugins. Code and original zip files are never made available. You can store checksums in a private folder using --source-dir=<directory>.
Are localized checksums trustworthy?
Well… no. A local checksum could be tampered with or contain checksums which aren't valid. That said, these local checksums are only used in the situation where WordPress.org does not have any checksums. Should a WordPress.org checksum become available, the local checksums will be ignored and no longer generated. Even so, a local checksum can at least verify that a plugin's files aren't continually being changed. So in that sense, they can be helpful.
Why are checksums failing to verify even though everything looks healthy?
While making WP Beacon I discovered many plugins not uploaded to WordPress.org include file changes between version releases. This fundamentally breaks checksum verification, as the changes are not known. Depending on your installed plugins, wp beacon plugin verify-checksums --all may frequently fail.
How can I contribute?
Feedback is welcomed on Github: https://github.com/WPBeacon/checksum-command.