The WP-CLI team is initiating a new project that aims to bring checksum verification to plugins and themes. Checksums are a method of verifying the integrity of files. Three years ago, WP-CLI added the capability of verifying WordPress core checksums using the MD5 algorithm. This is a useful security feature that allows developers to easily see if any files have been modified or compromised.
The core checksums are handled via WordPress’ official API (https://api.wordpress.org/core/checksums/) and WP-CLI contributors are planning to extend this infrastructure to plugins and themes hosted on WordPress.org.
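The verification the article describes is a comparison of each file's digest against a published manifest. The following Python script is an added example, not WP-CLI's code or the project's planned middleware: it builds a manifest in the shape the core checksums API returns (a JSON object whose `checksums` key maps relative file paths to MD5 hex digests, which is an assumption about the format), then checks a directory tree against it and reports modified, missing and unexpected files. The plugin directory and its contents are constructed inline so the script runs offline.

```python
"""Verify a directory tree against a checksum manifest.

Added example, not WP-CLI code. Assumes the manifest format
{"checksums": {relative_path: md5_hex}}, modelled on the shape of
the WordPress core checksums API response.
"""
import hashlib
import json
import os
import tempfile


def md5_of_file(path, chunk_size=65536):
    """Hex MD5 digest of a file, read in chunks so large files need
    not fit in memory. MD5 is used because that is what the core API
    publishes; swap in hashlib.sha256 for a new manifest service."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Walk a directory and produce {"checksums": {relative_path: md5}}.
    Paths are normalised to forward slashes so a manifest generated on
    one OS verifies on another."""
    checksums = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            checksums[rel] = md5_of_file(full)
    return {"checksums": checksums}


def verify_tree(root, manifest):
    """Compare the tree under root with the manifest. Returns sorted lists
    of files whose digest differs, files listed but absent on disk, and
    files on disk the manifest does not know about. A manifest alone says
    nothing about that last group, so they are reported rather than
    silently accepted."""
    expected = manifest["checksums"]
    modified, missing = [], []
    for rel, digest in expected.items():
        full = os.path.join(root, *rel.split("/"))
        if not os.path.isfile(full):
            missing.append(rel)
        elif md5_of_file(full) != digest:
            modified.append(rel)
    on_disk = set(build_manifest(root)["checksums"])
    return {
        "modified": sorted(modified),
        "missing": sorted(missing),
        "unexpected": sorted(on_disk - set(expected)),
    }


def demo():
    """Constructed scenario: a pristine plugin directory, a manifest taken
    from it, then the same directory after one file is edited, one is
    deleted and one unknown file is added. Returns the clean and the
    post-tampering verification results."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin = os.path.join(tmp, "example-plugin")
        os.makedirs(os.path.join(plugin, "includes"))
        files = {
            "example-plugin.php": "<?php\n// Plugin Name: Example Plugin (constructed)\n",
            "includes/helpers.php": "<?php\nfunction example_helper() { return 1; }\n",
            "readme.txt": "=== Example Plugin ===\n",
        }
        for rel, body in files.items():
            with open(os.path.join(plugin, *rel.split("/")), "w") as fh:
                fh.write(body)

        manifest = json.loads(json.dumps(build_manifest(plugin)))  # round-trip as the API would serve it
        clean = verify_tree(plugin, manifest)

        # Simulate the three conditions a verifier must distinguish.
        with open(os.path.join(plugin, "includes", "helpers.php"), "a") as fh:
            fh.write("// appended line (constructed)\n")
        os.remove(os.path.join(plugin, "readme.txt"))
        with open(os.path.join(plugin, "wp-extra.php"), "w") as fh:
            fh.write("<?php\n// file not in manifest (constructed)\n")

        tampered = verify_tree(plugin, manifest)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean:", clean)
    print("tampered:", tampered)
```

Reporting files that are present on disk but absent from the manifest is the part that a plain digest comparison misses; a checksum service only attests to the files it lists, so the client has to flag extras itself.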
“Having this kind of functionality for plugins and themes as well would be a huge security benefit,” WP-CLI co-maintainer Alain Schlesser said. “It would allow you to check the file integrity of an entire site, possibly in an automated fashion. However, there is no centralized way of retrieving the file checksums for plugins or themes yet, and the alternative of downloading the plugins and themes from the official servers first just to check against them is wasteful in terms of resources and bandwidth.”
Contributors are currently exploring different options for implementation in a discussion on GitHub, inspired by an existing wp-checksum project by Erik Torsner.
“The simplest possible infrastructure to go with would be flat files (no database),” WP-CLI maintainer Daniel Bachhuber said. “I’ve chatted with the corresponding WordPress.org folks about hosting. If our middleware application can generate flat files served by some API, then it will be fine to sync those flat files to a WordPress.org server (with rsync or similar).”
The team is considering building the API under a separate URL for testing and iteration and then incorporating it back into WordPress.org’s infrastructure once it is ready. However, the sheer size of the SVN checkouts and the CPU required to sync the files makes it an interesting challenge. DreamHost has volunteered a server for the team to run its checksum generator on while the infrastructure is being developed.
Torsner’s WP-CLI subcommand to verify checksums for themes and plugins currently only works with those hosted on WordPress.org, but he is also experimenting with mechanisms for getting checksums from some commercial vendors, including Gravity Forms and Easy Digital Downloads. He said he hopes the project would be capable of keeping these capabilities for commercial plugins after it is incorporated back into WordPress.org.
The Plugin and Themes Checksums project is currently in the initiation stage and will have an official kickoff during the next WP-CLI meeting on Tuesday, October 3, 2017, at 11:00 AM CDT. Anyone who would like to volunteer is encouraged to attend, especially those with an interest in security, systems administration, and the technology required to get this project off the ground.
“This project will have a huge impact on the perceived and effective security of WordPress installations,” Schlesser said. “It can greatly reduce the amount of malware-infested sites plaguing the internet, and through the substantial market share of WordPress, improve the general browsing experience for all net citizens.”
This is an outstanding move. I hope this type of thing gains momentum. From a security perspective, this has been needed for a long time, but better late than never.