WordPress Core File Checksums

A freshly-downloaded copy of WordPress 5.8.2 contains 2,622 files spread across 317 directories. It's a lot to keep track of, but verifying the integrity of the files post-install is actually pretty simple.

All you need are the canonical checksums for that specific release — a list of expected file hashes. With that in hand, you can check that each and every local file's hash still matches.

If you have a copy of wp-cli handy, you can simply run the following command from the installation's root directory:

wp core verify-checksums

That will tell you if any of the files have changed from their original versions. Nice and easy! But slow…

The magic of wp-cli comes with the overhead of loading the WordPress environment, including PHP and MySQL. Depending on the site and server, it can take several seconds to get an answer.

Going Native

File integrity isn't a WordPress-specific problem. Most computers come pre-loaded with dedicated binaries for validating file checksums.

These programs do not require PHP/MySQL to work their magic, and as such, are significantly faster.

For example, if you had a master MD5 checksum list, you could validate a given WordPress installation by running the following from its root directory:

md5sum -c /path/to/list.md5

Getting Checksums

The WordPress API helpfully provides an endpoint for fetching MD5 file checksums for each and every Core release. This link, for example, points to the hashes for the latest release, 5.8.2.

That's a good start, but unfortunately WordPress serves those hashes in a custom JSON format that can't be used by anything without a bit of parsing and restructuring.

{
    "checksums": {
        "5.8.2": {
            "xmlrpc.php": "fc41dc381c170a502a90617c2fd9b34b",
            "wp-blog-header.php": "5f425a463183f1c6fb79a8bcd113d129"
            …
        }
    }
}

A native MD5 checksum list, by contrast, would look like this:

fc41dc381c170a502a90617c2fd9b34b  xmlrpc.php
5f425a463183f1c6fb79a8bcd113d129  wp-blog-header.php
…

Wacky formatting aside, there is also the matter of format. MD5 has long been considered cryptographically-broken. A motivated hacker could potentially introduce changes to a file without modifying the file's overall hash.

As 2021 draws to a close, MD5 isn't really an appropriate choice any more.

But that's all WordPress provides.

Getting More Checksums!

To workaround this problem, we published the WP Core File Checksums archive.

It contains pre-computed checksums for every WordPress release — including betas and RCs — in Blake3, MD5, SHA256, and SHA512 formats that can be used directly with the corresponding b3sum, md5sum, sha256sum, and sha512sum binaries.

The Blake3 checksums for 5.8.2, for example, can be fetched here.

We'll continue pushing updates to the repository as new WordPress releases are published.

Hopefully you find it useful!

Performance

If you are just checking a single site, the relative performance probably doesn't matter. A couple seconds is just a couple seconds.

But if you're checking hundreds or thousands of different installations, or want to run the verifications in an environment that doesn't support wp-cli, going native can make a huge difference.

We're partial to Blake3 ourselves. Not only is it twice as fast as MD5, using b3sum is nearly 20x faster than wp-cli. And, well, it's more secure than MD5!

Chances are your computer won't come with b3sum pre-installed, but you can download it from their releases page, or build it from source.

Josh Stoik
20 December 2021
Previous Announcing Refract GTK!
Next How You Manage Debian Apt Sources Is Changing