WordPress Plugin and Theme Checksums Project – Announcement

WP-CLI provides a way for system administrators to verify the integrity of the WordPress core files. Through wp checksum core, you can easily verify that a given installation has not been tampered with. It not only checks whether the correct files are in place, but also that their content has not been changed. This is possible because WordPress provides an official API to check the expected core file checksums at https://api.wordpress.org/core/checksums/.

Having this kind of functionality for plugins and themes as well would be a huge security benefit. It would allow you to check the file integrity of an entire site, possibly in an automated fashion. However, there is no centralized way of retrieving the file checksums for plugins or themes yet, and the alternative of downloading the plugins and themes from the official servers first just to check against them is wasteful in terms of resources and bandwidth.

The aim of this project is to extend the checksum verification and its underlying infrastructure so that it can reliably and efficiently check the integrity of plugins and themes as well.
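The kind of check that wp checksum core performs, shown as an added example (not WP-CLI's code or this project's own) applied to a plugin directory: every file under the directory is compared against a manifest in the shape of the core checksums API response ({"checksums": {"path": "md5hex"}}, MD5 being what the core API publishes), and modified, missing and unexpected files are reported separately. The plugin name, file contents and the tampering are constructed for the example; a real run would fetch the manifest from the API and point at wp-content/plugins.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed "known good" plugin files; the manifest built from them mirrors the
# core checksums API shape, but these names and contents are made up for the example.
SAMPLE_FILES = {
    "hello-dolly/hello.php": b"<?php\n// plugin entry point (constructed)\n",
    "hello-dolly/readme.txt": b"=== Hello Dolly ===\n",
    "hello-dolly/languages/hello-dolly.pot": b'msgid ""\nmsgstr ""\n',
}


def build_manifest(files):
    """Return an API-style manifest of MD5 checksums for known-good contents."""
    return {"checksums": {p: hashlib.md5(c).hexdigest() for p, c in files.items()}}


def verify_tree(root, manifest):
    """Check every manifest entry under root and flag files the manifest lacks."""
    root = Path(root)
    expected = manifest["checksums"]
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, want in sorted(expected.items()):
        path = root / rel
        if not path.is_file():
            report["missing"].append(rel)
            continue
        got = hashlib.md5(path.read_bytes()).hexdigest()
        report["ok" if got == want else "modified"].append(rel)
    # A file on disk that the manifest does not list is as suspicious as a changed one.
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        if path.is_file() and rel not in expected:
            report["unexpected"].append(rel)
    return report


def demo():
    """Lay out the sample plugin, tamper with it, and return the verification report."""
    manifest = build_manifest(SAMPLE_FILES)
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in SAMPLE_FILES.items():
            Path(tmp, rel).parent.mkdir(parents=True, exist_ok=True)
            Path(tmp, rel).write_bytes(content)
        # Simulated tampering: one file altered, one deleted, one dropped in.
        Path(tmp, "hello-dolly/hello.php").write_bytes(b"<?php\n// altered\n")
        Path(tmp, "hello-dolly/readme.txt").unlink()
        Path(tmp, "hello-dolly/extra.php").write_bytes(b"<?php\n")
        return verify_tree(tmp, manifest)


if __name__ == "__main__":
    print(demo())
```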

Project Stages

The project will be structured into four stages. Each stage will be followed by a detailed report, containing a summary of the stage’s efforts as well as a clear enumeration of decisions and results.

A. Initiation (← we are here)

During this initial project stage, we raise awareness of the project and discuss it with key stakeholders, sponsors, and volunteers.

We’ll evaluate the alternative approaches with all involved parties to distill the most viable path to a maintainable solution.

Finally, we’ll define a clear scope for the project, and the metrics that define its success. We plan for a working beta version by end of November, so we will want to keep the scope tight for this first iteration.

B. Planning

After we’ve decided on a specific route to follow, we can start planning the details of the solution we want to implement.

This stage will result in a project roadmap with milestones and their respective deliverables. It will also produce a list of requirements, such as the provisional budget for infrastructure, the decisions needed, or the estimated workload for each milestone.

C. Implementation

After we’ve planned all the technical details and broken down the work involved, we’ll start building the infrastructure and implementing the client and server software.

The specifics of how this stage will be handled should have been laid out during the planning stage already, so this stage is all about execution and monitoring progress.

D. Integration

During the final project stage, we will move all code and infrastructure to reside under the official wordpress.org domain and complete the integration with the WordPress Core and the WP-CLI tool.

Get Involved!

This project will have a huge impact on the perceived and effective security of WordPress installations. It can greatly reduce the number of malware-infested sites plaguing the internet and, through the substantial market share of WordPress, improve the general browsing experience for all net citizens.

If you want to get involved, you’d ideally meet the following criteria:

  • You have a vested interest in security and/or system administration in a WordPress context.
  • You can spare a consistent average of ~5+ hours/week (hopefully on your employer’s time).
  • You have experience with one or more of the types of components this project requires.

If this is you, please get in touch with us, either by commenting on this post or by joining the discussion in the following GitHub issue: https://github.com/wp-cli/ideas/issues/6.

We will have a formal kickoff during the next WP-CLI office hours in the #cli channel on October 3rd, 2017 at 16:00 UTC. Feel free to join the discussion and help us get this ball rolling.