Check WordPress Core Files for Hacks
Tags: core, hash, plugin, WordPress
Over the last 2 years I’ve worked on literally dozens of client WordPress projects. Many of these projects have been the simple cut-the-theme-and-go, wham-bam-thank-you-pay-me kind. The rest have been like normal projects: tons of code written, different developers between phases of the site, custom plugins, themes from hell with very dynamic functionality. I hate to admit it, but in my early days with WordPress I found it easier to make modifications directly to the core files rather than writing a plugin to extend the core functionality. This of course creates a problem, because I don’t always remember what changes I’ve made.
In more recent projects I’ve been hired to make changes to an existing client WordPress site. Many of these projects involve upgrading WordPress from some version released two years ago to the most current one. Not knowing the previous developer’s changes has always been a concern of mine, since a flat upgrade would mean potentially killing custom changes to some of the core files. So going in I will normally zip the entire tree of files and pull a dump of the database, just to be safe. Then I perform the upgrade and do some visual and functional checks on the site to see if I can find problems before the client sees the site.
At best this process is haphazard. Without doing a full diff on each and every file it would be nearly impossible to find file differences. Until now.
Announcing a new plugin Hash Checker
This plugin will help you determine which files in your WordPress core have changed before you upgrade.
Installation
Download the plugin from the link above. Unzip it into the plugin directory; this should create a folder named ‘hashchecker’. Open your browser to your WordPress Admin interface, go to the Plugins page and activate it.
Checking your site
To check your WordPress installation, find ‘Hash Checker’ on your Options menu. The plugin will automatically determine your current WordPress version and start comparing files. In this version two types of errors are reported:
- Errors reported because the hash values do not match.
- Errors because a file listed in the hash config is not found on your site.
Customizing the Hash config files
Let’s say, for example, you like to secure your WordPress installation by removing the wp-admin/upgrade.php file or some other file, and you don’t want to see this error every time you run the check.
Simple enough. Under the plugin install directory is a sub-folder ‘wp_version_cfg’. This folder contains a cfg file for many of the latest WordPress versions. Each config file is a full list of the files distributed for that release. To get the error off the screen simply edit the config file, find the line for the file and remove it.
Want to add files to the config? This can be done, but it’s all manual at this point. The config file format is simply one entry per line:
Filename=hash value
The filename is the path relative to where WordPress is installed. This is not your site root in all cases. The hash is a simple md5 hash of the file. The filename part is pretty easy, but how do you generate an md5 for a file? If you are lucky enough to run OS X or Linux you can easily do this from the command line:
md5
The returned alphanumeric value is the md5 hash. This goes on the right of the equal sign in the config.
Testing and Problems
I’ve tested this plugin under versions 2.3.3, 2.2.2 and 2.1. I’ve not been able to test this fully under all WordPress versions, so if you run into problems please give me a note using the comment form below. I will be glad to work on this with you. Also, this plugin assumes you are using the core WordPress files as downloaded from http://wordpress.org/download/. If you are running some SVN version or some ISP’s one-click custom installed version this plugin may not work. My apologies.
Future Plans
I’ve already started thinking about other options to put into the next release. Some of these are: If you think of anything please tell me below.
24 Responses to “Check WordPress Core Files for Hacks”
March 1st, 2008 at 10:29 pm
Wow, this is a great plugin, Paul! I’ve run into the same problem before, knowing that I would regret editing core files. I would add a TODO to remind myself of the change in the future, but that was always making the dangerous assumption that I would even be the next developer touching this code.
April 23rd, 2008 at 10:51 pm
[...] Hash Checker [...]
April 24th, 2008 at 9:21 am
Working on a newer version of this plugin for 2.5. The new plugin will auto-generate the hash for theme code.
May 11th, 2008 at 5:23 am
hi paul,
nice plugin. – it not only helps me on increasing the security, but also saves time, because i don’t need to check which files i changed in the core.
one thing: your download on wordpress.org consists of two complete versions (one in the root and one in the trunk directory). – maybe you could check your svn source…
greetz
berny
May 11th, 2008 at 7:41 am
berny »
Thanks for the comment. And thanks for the heads up on the SVN issues.
May 31st, 2008 at 5:54 am
[...] Hash Checker – “Compare your installed WP core file against the released version. This will help identify possibly hacks applied.” [...]
August 5th, 2008 at 10:58 am
I appreciate this plug-in. … Will this plug in work for WordPress v2.6? … I tried it, and after about 10 minutes of nothing happening, I decided it must have malfunctioned, so I exited it by logging out of the dashboard. Is this plugin supposed to run slower on v2.6 than on v2.5? Thanks.
August 5th, 2008 at 11:20 am
@Newc:
Sorry. I need to update the check file for WP 2.6. This is currently still manual. I’ve been meaning to automate this for the user but have not been able to get back to it yet.
September 24th, 2008 at 12:06 pm
Paul, great plugin… how do you create new cfg files for new releases of wp?
December 17th, 2008 at 4:35 pm
hi paul,
any news on the cfg-files?
greetz,
berny
December 17th, 2008 at 6:07 pm
@berny: Sorry dude. You need a cfg for which WP version?
December 17th, 2008 at 7:39 pm
no worries paul. – i’m currently using two instances of wp 2.7.
just a thought: maybe your work can be decreased if you publish the name of the tool (and a howto) which you use to create the hashes?
anyway, thanks for your effort!
December 17th, 2008 at 9:17 pm
@berny: Just updated the plugin version 1.2.1. This update is just to the hash config files. There really is no trick to generating your own hash files.
In the plugin folder there is a php file ‘generate_hash.php’. Create a tmp folder on your own system. Copy this file into the tmp directory. Also unzip a version of WordPress. Make sure the unzipped WordPress is in a sub-folder named ‘wordpress’. Just to be clear: in the tmp folder you have one file ‘generate_hash.php’ and one directory ‘wordpress’. Open a command prompt or terminal window into that tmp directory. From the command line execute the php with ‘php -f generate_hash.php’. Redirect the output to a file named ‘version-x.x.x.cfg’ as in ‘version-2.7.cfg’, ‘version-2.5.1.cfg’. Move the cfg file into the plugin folder ‘wp_version_cfgs’.
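The config format described in the post (Filename=md5, paths relative to the WordPress root) and the generate-then-compare procedure above, written out in Python as an added example; this is not the plugin’s own code, the generate_hash.php output layout is assumed from the post, and the sample file tree is constructed inside demo(). It goes one step beyond the plugin’s two error types by also listing files present on disk that are absent from the release list.

```python
import hashlib, tempfile
from pathlib import Path

def md5_file(path):
    """md5 hex digest of a file; the plugin's cfg files use plain md5."""
    return hashlib.md5(Path(path).read_bytes()).hexdigest()

def relpaths(root):
    """Every regular file under root, keyed by forward-slash path relative to root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}

def generate_config(root):
    """Emit 'relative/path=md5' lines, the assumed layout of version-x.x.x.cfg."""
    files = relpaths(root)
    return "".join(f"{rel}={md5_file(files[rel])}\n" for rel in sorted(files))

def parse_config(text):
    """Parse 'path=hash' lines; rpartition so a '=' inside a filename survives."""
    expected = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            rel, _, digest = line.strip().rpartition("=")
            expected[rel] = digest.lower()
    return expected

def check_install(root, expected):
    """Sorted (kind, path) findings: 'mismatch' and 'missing' are the plugin's two
    error types; 'extra' (a file absent from the release list) is added here."""
    present = relpaths(root)
    findings = []
    for rel, digest in expected.items():
        if rel not in present:
            findings.append(("missing", rel))
        elif md5_file(present[rel]) != digest:
            findings.append(("mismatch", rel))
    findings += [("extra", rel) for rel in present if rel not in expected]
    return sorted(findings)

def demo():
    """Constructed sample: hash a tiny 'release' tree, then edit, delete and add a file."""
    root = Path(tempfile.mkdtemp())
    (root / "wp-admin").mkdir()
    for rel in ("index.php", "wp-admin/index.php", "wp-admin/upgrade.php"):
        (root / rel).write_text(f"<?php // {rel}\n")
    expected = parse_config(generate_config(root))
    (root / "wp-admin/index.php").write_text("<?php // locally edited\n")  # mismatch
    (root / "wp-admin/upgrade.php").unlink()                              # missing
    (root / "wp-admin/extra.php").write_text("<?php\n")                   # extra
    return check_install(root, expected)
```

Run demo() to see the three findings; the same check_install() works against a real tree and a real cfg once the config folder name matches your plugin version.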
December 17th, 2008 at 10:30 pm
hi paul,
thanks for the update and the info. i’ll try that soon on my webserver. maybe i can write a cronjob which will do the job automatically.
my first thoughts: use wget to download http://wordpress.org/latest.zip. unzip to /wp-content/hashchecker/wordpress/
thanks to your work, the only cheesy thing seems to be automatic renaming of the cfg-file. i’m thinking of including the version.php in /wp-content/hashchecker/wordpress/wp-includes/ for retrieving the version number.
finally executing generate_hash.php and redirecting it to /wp-content/hashchecker/wp_version_cfgs/version-x.x.x.cfg should write everything to the hash-file.
hmm, to avoid unnecessary traffic: do you have an idea on how to compare the size of the zip-archives (current local and on wordpress server) without actually downloading them say e.g. once daily? as the structure of the wordpress.org page changes frequently, parsing the necessary version-information seems unreliable.
greetz,
berny
December 18th, 2008 at 6:43 am
here is my solution (which is currently running as a weekly cron-script as i still didn’t figure out an efficient way to check the version number without parsing wordpress.org prior to the download of latest.zip):
rename_hash.php (in the same directory as generate_hash.php)
$hash_file=$hash_path."version-".$wp_version.".cfg";
if (rename($hash_path."version-x.x.x.cfg", $hash_file)) {
echo("Hash File has been renamed to ".$hash_path."version-".$wp_version.".cfg");
}
}
}
?>
bash-script
#!/bin/sh
# Fetch the current release, build a hash config from it, then clean up.
cd /users/home/username/web/public/wp-content/plugins/hashchecker/
/usr/sfw/bin/wget http://wordpress.org/latest.zip
/usr/local/bin/unzip latest.zip
# generate_hash.php expects the release in ./wordpress/ (created by unzip)
/usr/local/bin/php -f generate_hash.php > ./wp_version_cfgs/version-x.x.x.cfg
# rename_hash.php reads the version number and renames the cfg accordingly
/usr/local/bin/php -f rename_hash.php
rm ./latest.zip
rm -R ./wordpress/
greetz,
berny
December 18th, 2008 at 6:45 am
oh, wordpress killed the code.
again, the rename_hash.php:
<?php
// rename_hash.php: give the freshly generated version-x.x.x.cfg its real
// version number, read from the unzipped release's wp-includes/version.php.
$ABSPATH = dirname(__FILE__);
$version_file = $ABSPATH."/wordpress/wp-includes/version.php";
$hash_path = $ABSPATH."/wp_version_cfgs/";
if (file_exists($version_file)) {
    include_once($version_file);   // defines $wp_version
    global $wp_version;
    if (version_compare($wp_version, "2.0", ">=")) {
        $hash_file = $hash_path."version-".$wp_version.".cfg";
        if (rename($hash_path."version-x.x.x.cfg", $hash_file)) {
            echo("Hash File has been renamed to ".$hash_path."version-".$wp_version.".cfg");
        }
    }
}
January 30th, 2009 at 9:23 pm
[...] Provide a method to verify your WordPress core files match the original downloaded version. …..read more Download Plugin! Version 1.2.1 Last Updated: December 18, 2008 Visit Plugin’s Home Visit [...]
February 1st, 2009 at 12:41 pm
Hello. And Bye.
July 2nd, 2009 at 4:29 pm
Thanks for writing this really useful tool. One question, – having recently updated to 2.8 I am confused as to how to see the output. There is no obvious ‘options’ menu in 2.8. Any help much appreciated.
July 16th, 2009 at 8:42 am
Works great, thank you
October 8th, 2009 at 10:55 pm
Habit is second nature.
October 18th, 2009 at 7:04 pm
Hello, is there a version that will work with wordpress 2.8.4?
Thanks
June 8th, 2010 at 8:20 am
Thank you for taking the time to discuss this, I feel strongly about information and love learning more on this. If possible,it was very helpful for me.
July 19th, 2010 at 8:22 pm
I’ve had my Chocolate Touch since it came out. I applied to have a Razr. I’ve been searching around at the filesystem on Bitpim and just began putting flash wallpapers on it. I’ve also checked to see how EnV Touch themes look on it. I’d like to start trying to make themes and wallpapers in Adobe Flash CS4. But I just commenced, so it’ll almost certainly be awhile before I get anything. Tongue