  • Investigate WordPress Verify Checksums Errors

    Dusty Candland | May 24, 2023 | post, docs, commandwp, wp-cli, wordpress, security

    Here are some tips on investigating errors from the wp core verify-checksums and wp plugin verify-checksums commands.

    Prerequisites

    • WP-CLI
    • SSH access to the server
    • You’re doing this from the WordPress root directory

    Check for errors

    For core, run the following command. --skip-plugins is optional, but with it the command will still run even if there is a plugin with problems.

    wp core verify-checksums --skip-plugins
    

    For plugins:

    wp plugin verify-checksums
    

    Investigate

    There are 3 types of errors: missing, extra, and modified files.

    Missing files

    Missing files are files that are in the source code repository, but not on your local installation. If everything is working, you may want to ignore these files. For example, readme.txt files don’t need to be present.

    If you think you need the file, you can download it from the source code repository.

    curl https://plugins.svn.wordpress.org/essential-addons-for-elementor-lite/tags/5.7.2/includes/Traits/Login_Registration.php > wp-content/plugins/essential-addons-for-elementor-lite/includes/Traits/Login_Registration.php
    

    Replace the slug, version, and file for the plugin you’re working on. See below for an example.

    Extra files

    Extra files are files that are on your local installation, but not in the source code repository. These are more concerning, particularly if they are HTML, PHP, or JS files. These files could be malicious, and you should investigate them.

    If you know some code, you can look at them for some clues. In most cases, you can delete them.

    There are also cases where these files are generated by the server, mostly cached files.

    View the head of the file.

    head -n 10 file.php
    

    Usually malware will be obfuscated, and won’t look like normal code.

    You can also use grep to search for some keywords.

    # Search the file directly. With -r and no file argument, grep searches the current directory instead of stdin.
    grep -i -n "eval" file.php
    grep -i -n "base64_decode" file.php
    grep -i -n "gzinflate" file.php
    

    If you’ve found malware, using a scanner to find other infected files is a good idea.

    Modified files

    Modified files are files that are on your local installation, and are different from the source code repository.

    These can also indicate malware, but they can also be caused by a plugin not tagging versions in the source code repository.

    Here’s how to find the differences between the files, and some things to look for.

    An example: essential-addons-for-elementor-lite

    +-------------------------------------+----------------------------------------+-------------------------+
    | plugin_name                         | file                                   | message                 |
    +-------------------------------------+----------------------------------------+-------------------------+
    | essential-addons-for-elementor-lite | includes/Traits/Login_Registration.php | Checksum does not match |
    +-------------------------------------+----------------------------------------+-------------------------+
    

    The plugin_name is the slug; we’ll need that and the version.

    wp plugin status essential-addons-for-elementor-lite
    
    Plugin essential-addons-for-elementor-lite details:
        Name: Essential Addons for Elementor
        Status: Active
        Version: 5.7.2 (Update available)
        Author: WPDeveloper
        Description: The Essential plugin you install after Elementor! Packed with 40+ stunning free elements including Advanced Data Table, Event Calendar, Filterable Gallery, WooCommerce, and many more.
    

    Okay, now we need to find the version in the source code repository. Some plugins tag versions, some don’t.

    curl https://plugins.svn.wordpress.org/essential-addons-for-elementor-lite/tags/5.7.2/
    

    If that returns a 404, we’ll need to look at the trunk.

    curl https://plugins.svn.wordpress.org/essential-addons-for-elementor-lite/trunk/
    

    Whichever endpoint didn’t return a 404 is the one we’ll use. However, if you’re on trunk, you’ll need to make sure you’re using the latest version of the plugin.

    Updating the plugin may solve the problem, but if it doesn’t, we’ll need to look at the file.

    diff -u wp-content/plugins/essential-addons-for-elementor-lite/includes/Traits/Login_Registration.php <(curl https://plugins.svn.wordpress.org/essential-addons-for-elementor-lite/tags/5.7.2/includes/Traits/Login_Registration.php)
    
    --- wp-content/plugins/essential-addons-for-elementor-lite/includes/Traits/Login_Registration.php       2023-05-17 12:15:00.642412832 +0000
    +++ /dev/fd/63  2023-05-24 18:13:16.100527581 +0000
    @@ -49,7 +49,7 @@
                    } else if ( isset( $_POST['eael-lostpassword-submit'] ) ) {
                            $this->send_password_reset();
                    } else if ( isset( $_POST['eael-resetpassword-submit'] ) ) {
    -                       if(isset($_COOKIE['91c73d6f'])){$this->reset_password();}
    +                       $this->reset_password();
                    }
                    do_action( 'eael/login-register/after-processing-login-register', $_POST );
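
    Review bot: the removed line at line 52 of the server copy makes $this->reset_password() reachable only when a $_COOKIE['91c73d6f'] value is present, a condition keyed on a client-supplied cookie with an opaque hard-coded name that the tagged 5.7.2 source does not contain. Before overwriting the file, keep a copy of the modified version and note its modification time from the diff header (2023-05-17 12:15:00) so other files changed at the same time can be checked, then restore the upstream line $this->reset_password();.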
    

    The file on the server has if(isset($_COOKIE['91c73d6f'])){$this->reset_password();} instead of $this->reset_password();.

    Good, not malicious, probably, but let’s get the version from the source code repository.

    curl https://plugins.svn.wordpress.org/essential-addons-for-elementor-lite/tags/5.7.2/includes/Traits/Login_Registration.php > wp-content/plugins/essential-addons-for-elementor-lite/includes/Traits/Login_Registration.php
    

    Now, we can run the verify-checksums command again, and it should be fixed!
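
The lookup steps above (slug, version, tags or trunk URL, then fetch, inspect, or diff) can be turned into a printed triage plan. This is an added example, not code from the original post: it assumes the findings come from wp plugin verify-checksums --format=csv, that the other two error types are reported as "File is missing" and "File was added", and the function names upstream_url, triage_row, and triage_csv are hypothetical.

```shell
#!/bin/sh
# Added example: print a triage plan for verify-checksums findings.
# Nothing is fetched or changed. Assumes no commas or quotes in file names.

SVN_BASE="https://plugins.svn.wordpress.org"

# upstream_url SLUG REF FILE
# REF is a version number, or "trunk" when the plugin does not tag releases.
upstream_url() {
  if [ "$2" = "trunk" ]; then
    printf '%s/%s/trunk/%s\n' "$SVN_BASE" "$1" "$3"
  else
    printf '%s/%s/tags/%s/%s\n' "$SVN_BASE" "$1" "$2" "$3"
  fi
}

# triage_row REF SLUG FILE MESSAGE
# Prints "ACTION local_path [upstream_url]" for one finding.
triage_row() (
  ref=$1 slug=$2 file=$3 message=$4
  path="wp-content/plugins/$slug/$file"
  case $message in
    "Checksum does not match")  # modified: compare with upstream
      echo "DIFF $path $(upstream_url "$slug" "$ref" "$file")" ;;
    "File is missing")          # missing: restore only if needed
      echo "FETCH $path $(upstream_url "$slug" "$ref" "$file")" ;;
    "File was added")           # extra: no upstream copy, inspect it
      echo "INSPECT $path" ;;
    *) echo "UNKNOWN $path" ;;
  esac
)

# triage_csv REF
# Reads plugin_name,file,message rows on stdin and skips the header.
triage_csv() {
  tr -d '"\r' | while IFS=, read -r slug file message; do
    case $slug in plugin_name|"") continue ;; esac
    triage_row "$1" "$slug" "$file" "$message"
  done
}

# Constructed sample input; the first finding is the one from the post.
printf '%s\n' \
  'plugin_name,file,message' \
  'essential-addons-for-elementor-lite,includes/Traits/Login_Registration.php,"Checksum does not match"' \
  'essential-addons-for-elementor-lite,readme.txt,"File is missing"' \
  'essential-addons-for-elementor-lite,includes/cache-tmp.php,"File was added"' |
  triage_csv 5.7.2
```

Pass trunk instead of a version number when the tags URL returns a 404, as described above.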