Check WordPress Core Files for Hacks

Over the last 2 years I’ve worked on literally dozens of client WordPress projects. Many of these projects have been the simple cut the theme and go. Wham-Bam Thank You, Pay me, projects. The rest have been like normal projects. Tons of code written, different developers between phases of the site, custom plugins, themes from hell with very dynamic functionality. I hate to admit but in my early days exposed to WordPress, I found it easier to make mode direct to the core files before writing a plugin to extend the core functionality. This of course creates a problem because I don’t always remember what changes I’ve.

In more recent projects I’m been hired to make changes to an existing client WordPress site. Many of these project involve upgrading WordPress from some version 2 years ago to the most current. Not knowing the previous developer’s changes this has always been a concern of mine since a flat upgrade would mean potentially killing custom changes to some of the core files. So going in I will normally zip the entire tree of files. And pull a dump of the database just to be safe. Then perform the upgrade and do some visual and functional checks on the site to see if I can find things before the client sees the site.

At best this process is haphazard. Without doing a full diff on each and every file it would be near impossible to find file differences. Until now.

Announcing a new plugin Hash Checker

This plugin will help you determine changed file in your WordPress core before you upgrade.


Download the plugin from the link above. Unzip this into the plugin directory. This should create a folder named ‘hashchecker’. Open your browser to your WordPress Admin interface. Go to the Plugins page and activate.

Checking your site

To check your WordPress installation, find ‘Hash Checker’ on your Options menu. The plugin will automatically determine your current WordPress version and start comparing files. In this version there are two types of errors reported.

  • Errors reported because the hash values do not match.
  • Errors because the code file from the hash config are not found on your site

Customizing the Hash config files

Let’s say for example you like to secure your WordPress installation by removing the wp-admin/upgrade.php file or some other file. And you don’t want to see this error all the time when running the check.

Simple enough. Under the plugin install directory is a sub-folder ‘wp_version_cfg’. This folder contains a cfg file for many of the latest WordPress version. Each config file is a full set of files distributed for that release. To get the error off the screen simply edit the config file, find the line for the file and remove it.

Want to add files to the config? Well this can be done but it’s all manual at this point. The config file format is your basic format

Filename=hash value.

The filename is the path relative to where WordPress is installed. This is not your site root in all cases. The hash is a simple md5 hash of the file. The filename part is pretty easy. But how do you generate an md5 for a file? If you are lucky enough to run OS X or Linus you can easily do this from the command line:


The returned alphanumeric value returned is the md5 hash. This goes on the right of the equal sign in the config.

Testing and Problems

I’ve tested this plugin under versions 2.3.3, 2.2.2 and 2.1. I’ve not been able to test this fully under all WordPress version. so please if you run into problems please give me a note using the comment form below. Will be glad to on this with you.

Also, this plugin assumes you are using the core WordPress files as downloaded from If you are running some SVN version or some ISP’s one-click custom installed version this plugin may not work. My apologies.

Future Plans

I’ve already started thinking about other options to put into the next release. Some of these are:

  • Adding the output to the Dashboard
  • Having the checker run on a cron at selectable intervals and emailing the admin on erros
  • Adding the ability to generate hash for non-core file via an interface.

If you think of anything please tell me below.

About Paul Menard

Mis-placed Texas Geek now living on North Carolina. Lover of all things coding especially WordPress, Node.js, Objective-C and Swift. Love to work on interesting projects and come away with some new knowledge. Trying to keep my head on while I try to staying abreast of all the latest technologies. Lover of books and cats.