I’m very proud to introduce the newest member of the WordPress Essentials family: the WordPress Integrity Checker plugin, or just Integrity Checker for short. Download it straight from the WordPress plugin repository, or stay here and read more about it.
Integrity Checker is an admin plugin that helps you find potential security issues in your WordPress installation. It uses three different strategies to do so:
- Verifying file integrity by comparing the checksum of each file in WordPress core, plugins and themes against its original version
- Verifying file and folder permissions for all important WordPress files and folders
- Checking for some well-known security problems related to WordPress settings
Integrity Checker uses the same technique and back end API as its older brother wp-checksum. It goes through every individual file in your WordPress core as well as all plugins and themes and compares the exact content of each file with the original version. Any difference between your local copy and the original is reported back to you.
Our back end database keeps MD5 checksums (fingerprints) of how each file looked in the official WordPress repositories at the time of its release. So even if you’re not running the latest version of every plugin, we’re almost always able to find the original version to compare against. What makes Integrity Checker (and wp-checksum) a little bit unique is that while many other tools can compare files in WordPress core, our back end API also covers plugins and themes (and even some premium plugins too). Keep in mind what a checksum comparison can and cannot tell you: it shows that a file differs from the reference copy, not why, and because MD5 is no longer collision-resistant it should be read as a change detector rather than a cryptographic guarantee.
Knowing that a file has changed is one thing. But Integrity Checker takes one more important step and lets you see a visual diff between your file and the original, making it much easier to understand what’s going on. Sometimes a detected change is just a few added spaces in a harmless place; sometimes it’s an outright security problem. Integrity Checker helps you tell the difference.
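To make the technique concrete, here is an added example in Python (illustrative code, not the Integrity Checker plugin or its back end API): a manifest of known-good checksums is compared against an installed tree, every file is classified as modified, missing or unexpected, and each modified file is rendered as a unified diff. The file contents, the "injected" line and the manifest are all constructed for the example; a real manifest would come from a trusted source such as the vendor's published checksums.

```python
"""Added example: verify a WordPress-style file tree against a checksum manifest.
Illustrative code only; it is not the Integrity Checker plugin or its back end API."""
import difflib
import hashlib
import os
import tempfile

# Constructed pristine files (path -> bytes), standing in for the official release.
ORIGINALS = {
    "wp-includes/version.php": b"<?php\n$wp_version = '0.0.0-example';\n",
    "wp-includes/functions.php": b"<?php\nfunction wp_example() {\n    return true;\n}\n",
    "wp-content/plugins/example-plugin/example.php": b"<?php\n// Plugin Name: Example\n",
}


def build_manifest(originals, algorithm="md5"):
    """Map each path to the hex digest of its pristine content.

    MD5 matches what public WordPress checksum services publish; because MD5 is
    not collision-resistant, pass algorithm="sha256" when you build your own manifest.
    """
    return {p: hashlib.new(algorithm, c).hexdigest() for p, c in originals.items()}


def digest_file(path, algorithm="md5", chunk=65536):
    """Hash a file in chunks so large uploads do not have to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_tree(root, manifest, algorithm="md5"):
    """Classify every file under root as modified, missing or unexpected."""
    modified, unexpected, seen = [], [], set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            seen.add(rel)
            if rel not in manifest:
                unexpected.append(rel)       # a file the release never shipped
            elif digest_file(full, algorithm) != manifest[rel]:
                modified.append(rel)         # content differs from the release
    missing = sorted(set(manifest) - seen)   # a shipped file that has been deleted
    return {"modified": sorted(modified), "missing": missing,
            "unexpected": sorted(unexpected)}


def unified_diff(original, current, rel):
    """Render the change as a unified diff, the way a reviewer wants to see it."""
    return "".join(difflib.unified_diff(
        original.decode("utf-8", "replace").splitlines(keepends=True),
        current.decode("utf-8", "replace").splitlines(keepends=True),
        fromfile="original/" + rel, tofile="installed/" + rel))


def demo():
    """Build a constructed install with one tampered, one deleted and one extra file."""
    installed = dict(ORIGINALS)
    installed["wp-includes/functions.php"] = (
        b"<?php\nfunction wp_example() {\n"
        b"    @eval($_REQUEST['c']); // constructed injected line\n"
        b"    return true;\n}\n")
    del installed["wp-content/plugins/example-plugin/example.php"]
    installed["wp-content/uploads/.cache.php"] = b"<?php // constructed stray file\n"

    manifest = build_manifest(ORIGINALS)
    with tempfile.TemporaryDirectory() as root:
        for rel, content in installed.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(content)
        report = verify_tree(root, manifest)
        diffs = {rel: unified_diff(ORIGINALS[rel], installed[rel], rel)
                 for rel in report["modified"]}
    return report, diffs


if __name__ == "__main__":
    report, diffs = demo()
    print(report)
    for text in diffs.values():
        print(text)
```

The three buckets matter for different reasons: a modified file is the classic backdoor case, a missing file can break the site or remove a security check, and an unexpected file (especially a .php file under wp-content/uploads) is often a dropped web shell that a hash comparison alone would never mention.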
Another important aspect of WordPress security is keeping an eye on the permissions of all files and folders. WordPress.org has a clear recommendation on what they should be (755 for directories, 644 for files, and 440 or 400 for wp-config.php), and they are easy enough to change. The only problem is that it’s quite difficult to see what they actually are without an external FTP or SFTP client or shell access. Integrity Checker can scan all files and folders in your installation and report any deviations it finds.
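As an added example (not the plugin's own code), the following Python audit walks a WordPress root and reports every file or directory whose mode is more permissive than the WordPress.org recommendation. It assumes a POSIX filesystem where chmod and the st_mode bits are meaningful; the sample tree and its deliberately wrong modes are constructed for the example.

```python
"""Added example: audit file and directory modes under a WordPress root against the
WordPress.org hardening recommendations. Illustrative code, not the plugin's own;
it assumes a POSIX filesystem where os.chmod and st_mode bits are meaningful."""
import os
import stat
import tempfile

# WordPress.org hardening guide: 755 for directories, 644 for files, 440 or 400 for
# wp-config.php. Anything with bits outside these masks (group/world write, execute
# on a plain file) is reported; stricter modes such as 0600 are not.
DIR_MODE = 0o755
FILE_MODE = 0o644
WP_CONFIG_MODES = (0o440, 0o400)


def _mode(path):
    return stat.S_IMODE(os.lstat(path).st_mode)


def _rel(path, root):
    return os.path.relpath(path, root).replace(os.sep, "/")


def check_permissions(root):
    """Return sorted (relative path, actual mode, expected mode) for every deviation."""
    findings = []
    for dirpath, dirs, files in os.walk(root):
        for name in dirs:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue                      # judge the target, not the link
            mode = _mode(full)
            if mode & ~DIR_MODE:
                findings.append((_rel(full, root), f"{mode:04o}", f"{DIR_MODE:04o}"))
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            mode = _mode(full)
            if name == "wp-config.php":
                if mode not in WP_CONFIG_MODES:
                    findings.append((_rel(full, root), f"{mode:04o}", "0440 or 0400"))
            elif mode & ~FILE_MODE:
                findings.append((_rel(full, root), f"{mode:04o}", f"{FILE_MODE:04o}"))
    return sorted(findings)


def demo():
    """Constructed tree: two directories and four files with deliberately mixed modes."""
    with tempfile.TemporaryDirectory() as root:
        layout = {  # relative path -> (is_dir, mode); parents listed before children
            "wp-content": (True, 0o777),                  # world-writable directory
            "wp-content/debug.log": (False, 0o666),       # world-writable file
            "wp-includes": (True, 0o755),                 # fine
            "wp-includes/functions.php": (False, 0o644),  # fine
            "wp-config.php": (False, 0o644),              # readable by every local user
            "index.php": (False, 0o644),                  # fine
        }
        for rel, (is_dir, mode) in layout.items():
            full = os.path.join(root, *rel.split("/"))
            if is_dir:
                os.mkdir(full)
            else:
                open(full, "wb").close()
            os.chmod(full, mode)  # explicit chmod so the process umask does not matter
        return check_permissions(root)


if __name__ == "__main__":
    for path, actual, expected in demo():
        print(f"{path}: {actual} (expected {expected})")
```

The check flags only extra bits, so a deliberately tighter mode such as 0600 on a file passes, while a PHP file that has somehow become executable, or a directory that the web server user can write to, is reported. On a shared host the wp-config.php finding is the one to fix first, since it holds the database password and the salts in clear text.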
Settings and related issues
The last tool in Integrity Checker checks for common problems caused by configuration and settings. While WordPress is mostly secure out of the box, there are several things we as users can get wrong that compromise overall security. This includes problems with:
- Bad or weak database credentials (database)
- Bad or non-existent keys and salts (wp-config.php)
- Lack of SSL/TLS protecting the admin area (webserver)
- Directory indexing allowed (webserver)
- Old versions of core, plugins or themes (user related)
- User enumeration (WordPress weakness)
By checking up on these common issues, Integrity Checker highlights problems you might have forgotten about or didn’t even know existed.
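The first three items in that list can be checked directly from wp-config.php. As an added example (not the plugin's code), the Python audit below parses the define() calls in a wp-config.php and flags an empty or short database password, a root database user, keys and salts that are missing, still set to the placeholder from wp-config-sample.php, too short or reused, and a missing FORCE_SSL_ADMIN. The length thresholds and the two sample configurations are this example's assumptions, not WordPress requirements.

```python
"""Added example: audit the database credentials and keys/salts in wp-config.php.
Illustrative code, not the Integrity Checker plugin; the thresholds (salt length,
password length) are this example's assumptions, not WordPress requirements."""
import re

# The eight key/salt constants in wp-config-sample.php, and the placeholder value
# that ships with it.
SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"
MIN_SALT_LEN = 32         # assumption; WordPress generates 64-character values
MIN_DB_PASSWORD_LEN = 12  # assumption

# Matches define('NAME', 'value'), define("NAME", "value") and define('NAME', true).
# Good enough for the generated file; it does not handle escaped quotes inside a
# value and it will also pick up commented-out defines.
DEFINE_RE = re.compile(
    r"""define\(\s*(['"])([A-Z_]+)\1\s*,\s*(?:(['"])(.*?)\3|(true|false))\s*\)""")


def parse_defines(source):
    """Return {CONSTANT: str | bool} for every define() in the PHP source."""
    defines = {}
    for m in DEFINE_RE.finditer(source):
        name, value, flag = m.group(2), m.group(4), m.group(5)
        defines[name] = value if flag is None else flag == "true"
    return defines


def audit_wp_config(source):
    """Return a list of 'CONSTANT: problem' strings; empty means nothing was flagged."""
    d = parse_defines(source)
    findings = []

    # Database credentials
    password = d.get("DB_PASSWORD", "")
    if password == "":
        findings.append("DB_PASSWORD: empty")
    elif len(password) < MIN_DB_PASSWORD_LEN:
        findings.append(f"DB_PASSWORD: shorter than {MIN_DB_PASSWORD_LEN} characters")
    if d.get("DB_USER") == "root":
        findings.append("DB_USER: uses the privileged 'root' account")

    # Keys and salts: each one must exist, differ from the placeholder, be long
    # enough and be unique, so a leak of one does not hand over the others.
    seen = {}
    for key in SALT_KEYS:
        value = d.get(key)
        if value is None:
            findings.append(f"{key}: not defined")
        elif value == PLACEHOLDER:
            findings.append(f"{key}: still the sample-file placeholder")
        elif len(value) < MIN_SALT_LEN:
            findings.append(f"{key}: shorter than {MIN_SALT_LEN} characters")
        elif value in seen:
            findings.append(f"{key}: identical to {seen[value]}")
        else:
            seen[value] = key

    # Admin area over TLS
    if d.get("FORCE_SSL_ADMIN") is not True:
        findings.append("FORCE_SSL_ADMIN: not set to true")
    return findings


# Constructed samples (not real credentials).
WEAK_CONFIG = "<?php\n" + "\n".join([
    "define( 'DB_NAME', 'wordpress' );",
    "define( 'DB_USER', 'root' );",
    "define( 'DB_PASSWORD', '' );",
    "define( 'DB_HOST', 'localhost' );",
] + [f"define( '{k}', '{PLACEHOLDER}' );" for k in SALT_KEYS]) + "\n"

GOOD_CONFIG = "<?php\n" + "\n".join([
    "define( 'DB_NAME', 'wordpress' );",
    "define( 'DB_USER', 'wp_app' );",
    "define( 'DB_PASSWORD', 'example-only-Zq7!kL2#mN9' );",
    "define( 'DB_HOST', 'localhost' );",
    "define( 'FORCE_SSL_ADMIN', true );",
] + [f"define( '{k}', '{k.lower()}-{i:02d}-" + "x" * 48 + "' );"
     for i, k in enumerate(SALT_KEYS)]) + "\n"

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("good", GOOD_CONFIG)):
        print(label, audit_wp_config(cfg) or ["no findings"])
```

Run it against a real file with `audit_wp_config(open("wp-config.php").read())`. The other three items on the list (directory indexing, outdated versions and user enumeration) need a request to the web server or the update API rather than a look at the configuration, so they are not covered here.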
Free for all, but with opportunity to contribute
Integrity Checker uses our back end API to do a lot of its work. While we’d like to be generous and give this away for free, we’d also like to find a compromise that works for as many users as possible while still allowing us to spend the time needed to maintain and enhance our products.
We’ve settled on a business model where small sites with casual usage of either Integrity Checker or wp-checksum (the CLI version) can use the back end API for free. When usage scales up to more frequent checks of more and larger sites, there is a cost associated with using the API.
As an anonymous user, you can query our API 25 times per hour (subject to change). We think (but would love your input) that this is sufficient for most small and medium-sized WordPress installations with 20-25 plugins and a theme. There is some caching going on in the background, so repeated scans don’t always result in more queries to us. We create an anonymous user in our database and assign an API key to that user; that API key is sent back to your WordPress installation and stored in your database. You can see your API key, as well as your current API usage, in the About section of Integrity Checker.
If you are willing to share your email address with us, we increase that hourly quota to 75 requests per hour (subject to change).
API keys can be reused between sites, so once you have registered with us, you can use that key on more than one site.
If you need more than 75 requests per hour assigned to one API key, you can purchase a premium subscription from this site.
We’re quite proud of this new offering and hope that other members of the WordPress community agree with us. If you have a question or comment about Integrity Checker or wp-checksum, please let us know in the comment section below or on Twitter.