How WordPress Core File Integrity Monitoring Works
Understand the technical process of WordPress core file integrity verification. Learn how checksums detect file modifications and protect your site.
Core file integrity monitoring uses cryptographic checksums to detect any modifications to WordPress files. Understanding how this works helps you appreciate its power and limitations.
The Checksum Concept
What is a Checksum?
A checksum is a fixed-length fingerprint of a file's contents:
- The same contents always produce the same hash value
- Even a one-character change produces a completely different hash
- The contents cannot practically be recovered from the hash
- The chance of two different files sharing a hash by accident is negligible
Example
Original file: <?php echo "Hello"; ?>
MD5 checksum: a591a6d40bf420404a011733cfb7b190
Modified file: <?php echo "Hello!"; ?>
MD5 checksum: 3b71f43ff30f4b15b5cd85dd9e95ebc7
Just adding one character completely changes the hash.
How Integrity Verification Works
Step 1: Official Checksums
WordPress.org provides official checksums for every WordPress version:
https://api.wordpress.org/core/checksums/1.0/?version=6.4.2
Step 2: Calculate Local Checksums
For each WordPress file on your site, compute the same kind of checksum, for example with PHP's md5_file():
md5_file('/path/to/wp-includes/functions.php')
Step 3: Compare
Compare each local checksum against the official value for the same path:
- Match: the file is unmodified
- Mismatch: the file's contents differ from the official release
- Missing: a file in the official list does not exist locally
- Extra: a local file in a core directory is not in the official list
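The three steps above, carried through as an added example (this is illustrative code, not WP Folder Shield's implementation). It hashes a small WordPress-style directory tree that the script builds itself, compares the results against a constructed manifest in the same {"checksums": {path: md5}} shape the WordPress.org API returns, skips the paths the page says are never verified, and sorts every file into match, mismatch, missing or extra. The file contents, paths and manifest values are all constructed for the demo.

```python
"""Added example: a core checksum verifier, not WP Folder Shield's own code."""
import hashlib
import tempfile
from pathlib import Path

# Paths the page lists as never verified (constructed from the text above).
SKIP_PREFIXES = ("wp-content/",)
SKIP_FILES = {"wp-config.php", ".htaccess"}


def md5_file(path: Path) -> str:
    """Stream a file through MD5 in chunks, like PHP's md5_file()."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def local_checksums(root: Path) -> dict:
    """Step 2: hash every verifiable file, keyed by its path relative to the install root."""
    result = {}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if rel in SKIP_FILES or rel.startswith(SKIP_PREFIXES):
            continue  # customized or user-owned, so no official checksum exists
        result[rel] = md5_file(p)
    return result


def compare(official: dict, local: dict) -> dict:
    """Step 3: classify every path as match, mismatch, missing or extra."""
    report = {"match": [], "mismatch": [], "missing": [], "extra": []}
    for rel, expected in official.items():
        if rel not in local:
            report["missing"].append(rel)
        elif local[rel] == expected:
            report["match"].append(rel)
        else:
            report["mismatch"].append(
                {"file": rel, "expected": expected, "actual": local[rel]}
            )
    for rel in local:
        if rel not in official:
            report["extra"].append(rel)  # present on disk, absent from the release
    for key in ("match", "missing", "extra"):
        report[key].sort()
    return report


def demo() -> dict:
    """Build a constructed install plus manifest, then run the verification."""
    pristine_admin = b"<?php // constructed pristine wp-admin/index.php\n"
    files = {  # what is actually on disk in the demo
        "index.php": b"<?php require __DIR__ . '/wp-blog-header.php';\n",
        "wp-includes/functions.php": b"<?php // constructed sample\n",
        "wp-admin/index.php": pristine_admin + b"// an extra line that was not in the release\n",
        "wp-config.php": b"<?php define('DB_NAME', 'constructed');\n",
        "wp-content/plugins/demo.php": b"<?php // user content, never verified\n",
        "wp-includes/not-in-release.php": b"<?php // unknown file in a core directory\n",
    }
    # Constructed manifest in the API's {"checksums": {path: md5}} shape.
    manifest = {"checksums": {
        "index.php": hashlib.md5(files["index.php"]).hexdigest(),
        "wp-includes/functions.php": hashlib.md5(files["wp-includes/functions.php"]).hexdigest(),
        "wp-admin/index.php": hashlib.md5(pristine_admin).hexdigest(),
        "wp-admin/about.php": hashlib.md5(b"<?php // shipped but deleted locally\n").hexdigest(),
    }}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in files.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return compare(manifest["checksums"], local_checksums(root))


if __name__ == "__main__":
    for kind, entries in demo().items():
        print(kind, entries)
```

Against a real install you would replace the constructed manifest with the JSON fetched from the checksums endpoint for your exact version and point local_checksums() at the WordPress root; the mismatch entries already carry the expected and actual hashes that a report needs.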
What Gets Verified
Included in Verification
- All wp-admin files
- All wp-includes files
- Root PHP files (index.php, wp-*.php)
Not Verified
- wp-config.php (always customized)
- wp-content/ (your content)
- .htaccess (often customized)
WP Folder Shield Implementation
Efficient Scanning
- Caches official checksums locally
- Only downloads new checksums when WordPress version changes
- Parallel file hashing for speed
Detailed Reporting
For each issue found:
- File path
- Expected checksum
- Actual checksum
- Modification type
- Recommended action
Scheduled Verification
- Daily automatic checks
- Immediate post-update verification
- On-demand scanning anytime
Handling Verification Results
Modified Core Files
- Review the changes (diff the file against a clean copy of the same WordPress version)
- Determine whether the change is legitimate or malicious
- Replace the file with a clean copy if it is malicious
- Investigate how the modification occurred
Missing Core Files
- Could indicate a failed update
- Or intentional deletion by an attacker
- Restore a clean copy of the same version from WordPress.org
Extra Files
- Unknown files in core directories are suspicious
- Review contents carefully
- Delete if malicious or unnecessary
Limitations to Understand
wp-config.php Not Checked
This file must be customized, so no official checksum exists. Review it manually.
Only Detects, Doesn't Prevent
Integrity monitoring finds changes after they happen. Combine with prevention measures.
Legitimate Changes Possible
Some plugins or hosting environments modify core files. Investigate before assuming a change is malicious.
Get WP Folder Shield for automated core file integrity verification with detailed reporting and easy remediation.
Written by Marcus Johnson
WP Folder Shield Team