In case you don’t update your site plugins along with WordPress core then there are chances that your site might get hacked or infected by malware. If malware infects your website, it is easy to find any of the non-standard WordPress core and plugin files by using the verify checksums commands in WP-CLI (the WordPress Command Line Interface).
Preparing to Run Commands
At first, login to your portal via SSH.
Security plugins are used for specific purposes, but plugins aren’t the appropriate tool for verifying WordPress core along with installed plugins on the WordPress.org checksums. For your information, WP-CLI comprises of checksum commands for both WordPress core and all plugins.
- Run the below command, to verify that all WordPress core files checksum match:
1wp core verify-checksums
- For verifying checksum against specific versions of WordPress, the version number can be added in the command. For example for verifying for version 5.2.1 of WordPress core, the command would be:
1wp core verify-checksums --version=5.2.1
- For an older version of WordPress, for example version 4.9.10, the command would be:
1wp core verify-checksums --version=4.9.10
- If you want to verify checksum of all plugins installed on your site server (this would only include plugins available from WordPress), then you would need to run the below command:
wp plugin verify-checksums --all
- For verifying the checksums of a specific plugin (e.g., WooCommerce), you will need to know the plugin “slug” (or short name). You can find it by searching in the plugins links on the WordPress website.
The WooCommerce’s plugin slug is woocommerce, so to verify the checksums of the WooCommerce plugin, you need to use the below command:
wp plugin verify-checksum woocommerce
The files in WP-CLI that the core verify checksum or plugin verify checksum commands will display will be any of the non-standard PHP or other files that shouldn’t be present in WordPress folders. The files need to be deleted (it is always better to take backups prior to deleting data from your server) and then the same verify checksums commands can be run to check there aren’t any other files that shouldn’t exist on your site server.
By learning to verify the checksums of WordPress core files, plugins installed from WordPress.org, and those installed from WordPress.org with easy-to-use WP-CLI commands will help you stay tension free. This is because you will know that no non-standard files exist in those folder directories.