2020/01/22 Update: We’ve added support for 2x more premium plugins – Smart Slider 3 Pro, and Social Login Pro.
We’ve taken our first step into the wonderful new world of scanning premium WordPress plugins and themes.
If this doesn’t mean anything to you just now, that’s okay, we’re going to explain the new feature in full detail. By the end of this article you’ll come to see the huge significance of what we’re about to bring to WordPress site security.
To kick off this discussion, we need to talk about WordPress checksums. In case you’re not aware of what they are, here’s a quick primer…
Click on this link to see an example: https://api.wordpress.org/core/checksums/1.0/?version=5.3.2&locale=en_US
You’ll see a lot of text, which won’t mean much at first glance. WordPress.org provides an official API that anyone can use to get a list of all files included with any WordPress version (the version and locale are passed as query parameters, as in the link above).
Along with that list of files are what we call “checksums”: MD5 hashes, or fingerprints, of the content of each of those files.
In this particular example, wp-cron.php has the MD5 checksum cfa2960eb1eb763e1b86cdacba480d17. So what can we do with this information?
These hash values allow us to compute our own MD5 hash of any file and compare it with the hash from WordPress.org. If the hashes differ, we know with absolute certainty that the contents of the file we hashed and the contents of the official file from WordPress.org are different. (The reverse is slightly weaker: a matching hash is strong evidence that the file is untouched, but not a mathematical proof, since MD5 is no longer collision-resistant. Producing a second file that matches an already-published hash, which is what an attacker would need, is still far beyond practical reach.)
We don’t know how they differ, or what has changed, only that something has definitely changed.
In 99.9999% of cases there is absolutely no good reason why any core WordPress file sitting on your site should be different from the official file.
If they are different, something strange is going on, and in all likelihood we’ll want to restore the file to its original state.
Make sense so far? Here’s a quick summary:
You’ve just learned that WordPress.org provides official MD5 checksums for every file distributed with each version of WordPress. We can use these hashes to compare the files on our sites against the originals and detect changes.
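To make the mechanism concrete, here is an added worked example (not code from the article or from Shield Security) of both halves of the process: building a `{relative path: md5}` manifest from a directory tree, which is what a publisher does, and checking a site’s files against such a manifest, which is what a scanner does. Besides the plain “hash differs” check the text describes, it also reports files that are present on disk but absent from the manifest, because a dropped-in file is something a pure hash comparison would never mention. The `fetch_core_checksums` helper uses the API URL from the article and assumes the response wraps the map in a `checksums` key; the offline demo never calls it, and instead builds a tiny constructed site tree in a temporary directory (the file contents are stand-ins, not real WordPress files).

```python
"""Verify a WordPress-style file tree against a checksum manifest (added example)."""
import hashlib
import json
import os
import tempfile
import urllib.request

# Endpoint quoted in the article. Only fetch_core_checksums() uses it; the
# offline demo below builds its own manifest instead.
CORE_CHECKSUMS_URL = (
    "https://api.wordpress.org/core/checksums/1.0/?version={version}&locale={locale}"
)


def fetch_core_checksums(version, locale="en_US"):
    """Download the {relative_path: md5} map for one WordPress release.

    Assumption: the JSON response wraps the map in a top-level "checksums" key.
    Check the URL in the article before relying on this in production."""
    url = CORE_CHECKSUMS_URL.format(version=version, locale=locale)
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)["checksums"]


def md5_of_file(path):
    """MD5 of a file's bytes, streamed so large files do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_checksums(root):
    """Producer side: hash every file under root, keyed by forward-slash relative path.

    This is the manifest a plugin or theme author would publish for one release."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = md5_of_file(full)
    return manifest


def verify_checksums(root, expected, ignore=("wp-content/", "wp-config.php")):
    """Consumer side: compare the tree under root with a published manifest.

    Returns {"modified": [...], "missing": [...], "unexpected": [...]}.
    A differing hash proves the file differs; "unexpected" lists files on disk
    that the manifest does not know about. Paths starting with any entry of
    `ignore` are exempt from the "unexpected" check, since a live site always
    has site-specific files there (assumed defaults for this example)."""
    actual = build_checksums(root)
    report = {"modified": [], "missing": [], "unexpected": []}
    for rel, digest in expected.items():
        if rel not in actual:
            report["missing"].append(rel)
        elif actual[rel] != digest:
            report["modified"].append(rel)
    for rel in actual:
        if rel not in expected and not rel.startswith(ignore):
            report["unexpected"].append(rel)
    for key in report:
        report[key].sort()
    return report


def demo():
    """Offline run on a constructed mini site tree; the contents are stand-ins."""
    clean = {
        "index.php": b"<?php require __DIR__ . '/wp-blog-header.php';\n",
        "wp-cron.php": b"<?php // constructed stand-in for wp-cron.php\n",
        "wp-includes/version.php": b"<?php $wp_version = '5.3.2';\n",
        "wp-content/uploads/site-specific.txt": b"not part of any release\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in clean.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(body)
        expected = build_checksums(root)  # stands in for the API response
        # Three kinds of drift: one file altered, one removed, one added.
        with open(os.path.join(root, "wp-cron.php"), "ab") as f:
            f.write(b"// appended after release\n")
        os.remove(os.path.join(root, "index.php"))
        with open(os.path.join(root, "wp-includes", "extra.php"), "wb") as f:
            f.write(b"<?php // not part of the release\n")
        return verify_checksums(root, expected)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script prints `wp-cron.php` under `modified`, `index.php` under `missing` and `wp-includes/extra.php` under `unexpected`, while the file under `wp-content/uploads/` is left alone. Note that `modified` tells you only that the file differs; deciding what changed still requires a diff against the pristine copy.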
What About Checksums for Plugins and Themes?
Unfortunately, the WordPress.org checksums API covers only WordPress Core. We can’t use the same approach for anything else, such as plugins, for example.
This wasn’t good enough: we wanted to use the same method to scan plugins and themes within Shield Security, too.
Around the middle of 2019, we decided to build our own API to help us do exactly that: WPHashes.com was born. Ever since then, Shield Security has been using this API to verify WordPress plugin files, just like we’ve always done for Core files.
This has been working really well, allowing our Shield Security customers to quickly detect changes to their plugins, and take corrective action.
Some time after adding plugin support, we added support for themes, too. We also support ClassicPress core files; Shield Security is the only professional security plugin that supports the automatic scanning and repair of ClassicPress files.
Building this API was one of the best decisions we made in 2019, and represents a huge leap forward for our collective site security.
However, one problem remains: our API covers only plugins and themes that are hosted and distributed by WordPress.org. How can we provide a checksum API for premium plugins and themes?
We need access to the files to create the checksums. WordPress.org provides that for all of its hosted plugins and themes, but for premium plugins we don’t have the same access.
Here’s the summary for this section:
We built WPHashes.com to provide a standard API for obtaining checksums of WordPress.org plugins and themes, so we could scan them just like we do with WordPress Core. But the challenge now is to extend this API to provide checksums for premium plugins and themes.
Delivering Checksums for Premium WordPress Plugins and Themes
The way to solve this problem is through the support of, and collaboration with, the actual developers of premium plugins/themes.
This article represents the release of our updated WPHashes API that now provides support for premium plugins.
In this case, we have just 1 premium plugin onboard with us: Advanced Custom Fields PRO.
ACF Pro is easily one of the biggest and most popular plugins for WordPress. With such a massive following and more than 1 million active installations, we wanted to work with ACF as early as possible.
For the past few weeks, we’ve been working closely with Elliot, the lead developer of ACF Pro, to allow us access to his private codebase. His openness and enthusiasm for the project have been fantastic! And by giving us access to all his code for creating checksums of the plugin, he’s the first developer to get on board with our ambitious project.
And he made it easy for us… so thank you, Elliot!
Check it out, you can get the hashes for ACF Pro v5.8.7 here.
With the release of Shield Security 8.5 (early January 2020), all WordPress sites that run Advanced Custom Fields PRO will benefit from the added protection these new developments offer.
ACF Pro is the first plugin to make it onto the new API, and it certainly won’t be the last. We’ll continue to work with other premium plugin developers to bring them on board. Over time, we’ll standardise how our API works and the process will get smoother.
How Can You Help?
As I mentioned, we want to get as many premium plugins and themes on board as possible. The more WordPress assets we can scan, the more thoroughly Shield Security can scan your sites.
We’ll be reaching out to premium developers to ask them to get involved. We don’t charge developers any fees, so there’s no downside for them in collaborating with us. If there is a plugin you’d like to see included, please feel free to reach out to its developers and point them to this article. The more their customers ask for this, the more likely it is they’ll want to get involved.
With enough of a push toward getting this effort off the ground, we’ll hopefully soon have all the major plugins and themes onboard, so that your sites are covered and can be scanned.
Please do leave us comments below if you have questions about this feature, or suggestions for ways to improve it.