New tricks for the Checksum API


As a step in preparing for new features in Integrity Checker and wp-checksum, the backend API that powers the two packages has learned a new trick: alternative hashes, a way of saying that a specific file may have more than one acceptable MD5 hash.

Why are alternative hashes needed?

Many WordPress plugins and themes have small changes made to them without the version number being bumped. The most common example is that the readme.txt of a plugin is often changed when a new version of WordPress is released.

The readme file states the latest version of WordPress the plugin was tested with. This information is shown to users in the plugin repository and can be a vital piece of information when deciding whether to install a plugin. So it's quite natural that after a new release of WordPress, plugin authors update the readme file to reflect successful testing on the new version. The content of readme.txt doesn't change the plugin functionality at all, so it's quite OK to update it without bumping the plugin version.

The problem is that an updated readme.txt changes the file's MD5 hash, and both Integrity Checker and wp-checksum will see this as a sign of a modified file and alert the user. Integrity Checker (and soon wp-checksum) has the concept of a SOFT change and will flag a modified readme.txt as one. But the modified file is still shown and may cause concern.

It's not too uncommon for plugin authors to modify other files without bumping the version number either. We've seen a lot of different files get a lot of different modifications within the same plugin version number. Sometimes it's a corrected typo, other times it's a quite dramatic change.

The end result is that for any given official version of a plugin or theme there may be multiple actual versions, one for each commit to the WordPress repository.


How do alternative hashes help?

By having alternative hashes defined for a file, the clients that use the API will have far fewer false positives. The contents of a file in your WordPress installation might differ slightly from what that same file looks like in the WordPress repository. But that doesn't mean that your file was modified in a malicious manner; it might just mean that the plugin author modified the file without bumping the plugin version.

For any type of security-related software, avoiding false positives is a good thing for several reasons. Most importantly, it means that whenever a real modification is found, you are much more likely to take it seriously. Another benefit is avoiding uncalled-for worry: the less experience a user has, the more likely they are to become overly worried about something that turns out to be a false positive. All in all, reducing false positives is a win.
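One way a client can consume such a manifest, as an added Python example that is not code from wp-checksum or Integrity Checker and does not talk to the real API (the manifest shape, the file names and the file contents below are constructed for the example): each path maps to the set of MD5 hashes seen for it under one plugin version, a file whose hash is in the set is OK whichever hash it matched, and a file whose hash is not in the set is flagged as a SOFT change for readme.txt or as MODIFIED for anything else.

```python
import hashlib
import os
import tempfile


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


# Constructed file contents standing in for one plugin version in the repository.
ORIGINAL_README = b"=== Example Plugin ===\nTested up to: 4.8\n"
UPDATED_README = b"=== Example Plugin ===\nTested up to: 4.9\n"  # readme bumped, version not
ORIGINAL_MAIN = b"<?php\n// Plugin main file\nfunction example_init() {}\n"
ORIGINAL_UNINSTALL = b"<?php\n// Clean-up on uninstall\n"

# Hypothetical manifest for the version: path -> every MD5 seen for that path
# under this version number. The second readme hash is the "alternative hash".
MANIFEST = {
    "readme.txt": {md5_hex(ORIGINAL_README), md5_hex(UPDATED_README)},
    "example.php": {md5_hex(ORIGINAL_MAIN)},
    "uninstall.php": {md5_hex(ORIGINAL_UNINSTALL)},
}

# Files whose modification is reported as a SOFT change rather than tampering.
SOFT_FILES = {"readme.txt"}


def classify_file(rel_path: str, data: bytes, manifest: dict) -> str:
    """Return OK, SOFT, MODIFIED or UNKNOWN for one file's contents."""
    accepted = manifest.get(rel_path)
    if accepted is None:
        return "UNKNOWN"  # not part of the repository version at all
    if md5_hex(data) in accepted:
        return "OK"       # matches one of the known hashes, alternative or not
    return "SOFT" if os.path.basename(rel_path) in SOFT_FILES else "MODIFIED"


def scan_plugin(plugin_dir: str, manifest: dict) -> dict:
    """Classify every file under plugin_dir and mark manifest entries missing locally."""
    results = {}
    for root, _dirs, files in os.walk(plugin_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, plugin_dir).replace(os.sep, "/")
            with open(full, "rb") as fh:
                results[rel] = classify_file(rel, fh.read(), manifest)
    for rel in manifest:
        results.setdefault(rel, "MISSING")
    return results


def demo() -> dict:
    """Build a constructed plugin directory and scan it against MANIFEST."""
    with tempfile.TemporaryDirectory() as d:
        files = {
            "readme.txt": UPDATED_README,                            # accepted via the alternative hash
            "example.php": ORIGINAL_MAIN + b"eval($_POST['c']);\n",  # constructed tampering
            "extra.php": b"<?php\n",                                 # not in the manifest
        }                                                            # uninstall.php deliberately absent
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        return scan_plugin(d, MANIFEST)


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{status:8} {path}")
```

Note that MD5 serves here purely as a fingerprint for "is this a file the repository has seen"; it is not a collision-resistant hash, so a match says the content is known, and a mismatch is the signal worth investigating.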

Next steps

With the upgraded backend API in place, both wp-checksum and Integrity Checker now need support for the added feature. We expect to have both clients updated within a week. Having said that, we're not 100% in control of when the updated version of the plugin will be made available in the WordPress repository, since the repository maintainers have a stricter review procedure in place these days.

Access to the API

For the majority of users, accessing the API is done via one of the clients we provide, Integrity Checker and wp-checksum, but the API is public and to some extent free to anyone. If you're interested in developing your own client, please don't hesitate to contact us for API keys as well as developer documentation.

Your thoughts

We’d be glad to hear back from you. Ping us if you want to know more about the API, get an API key or just to say hi. We’d be especially happy if you have any ideas on how to improve client functionality or if you want to contribute to the development.

Introducing Integrity Checker


I’m very proud to introduce the newest member in the WordPress Essentials family: The WordPress Integrity Checker plugin, or just Integrity Checker for short. Download it straight from the WordPress plugin repository or stay here and read more about it.

Integrity Checker is an admin plugin that will help you find potential security issues with your WordPress installation. It uses three different strategies to do so:

  1. Verifying file integrity by comparing the checksum of each file in WordPress core, plugins and themes against its original version
  2. Verifying file and folder permissions for all important WordPress files and folders
  3. Checking for some well known security problems related to WordPress settings.

File Integrity

Integrity Checker uses the same technique and back end API as its older brother wp-checksum. It goes through all individual files in your WordPress core as well as all plugins and themes and compares the exact content of each file with the original version. Any difference between your local version and the original is reported back to you.

Screenshot: Integrity Checker reporting suspicious issues in a plugin.

Our back end database keeps MD5 signatures (fingerprints) of how each file looked in the official WordPress repositories at the time of its release. So even if you're not running the latest version of every plugin, we're almost always able to find the original version to compare to. What makes Integrity Checker (and wp-checksum) a little bit unique is that while many other tools can compare files in WordPress core, our back end API also covers plugins and themes (and even some premium plugins).

Knowing that a file has changed is one thing. But Integrity Checker takes one more important step and lets you see a visual diff between your file and the original, making it extremely easy to understand what’s going on. Sometimes a detected change is just a few added spaces in a harmless place, sometimes it’s an outright security problem. Integrity Checker helps you tell the difference.

Screenshot: Integrity Checker highlights the actual row that differs between the local version and the original version.
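The comparison and the diff, as an added Python example (not Integrity Checker's code, and with constructed sample file contents rather than a real plugin): it separates a whitespace-only difference from a content change, reports what changed per local line number, and produces a unified diff of the two copies.

```python
import difflib
import re

# Constructed sample files (not real plugin code): the repository copy of one
# plugin file and two local variants of it.
ORIGINAL = [
    "<?php\n",
    "function example_sanitize($value) {\n",
    "    return sanitize_text_field($value);\n",
    "}\n",
]
TAMPERED = [  # the sanitising call has been removed: a one-line change that matters
    "<?php\n",
    "function example_sanitize($value) {\n",
    "    return $value;\n",
    "}\n",
]
RESPACED = [  # same code, different indentation plus a trailing blank line
    "<?php\n",
    "function example_sanitize($value) {\n",
    "  return sanitize_text_field($value);\n",
    "}\n",
    "\n",
]


def whitespace_only(original, local) -> bool:
    """True when the two copies are identical once all whitespace is removed."""
    def squash(lines):
        return re.sub(r"\s+", "", "".join(lines))
    return squash(original) == squash(local)


def changed_lines(original, local) -> list:
    """Return (local_line_number, change, text) for every local line that differs.

    Deleted original lines are reported at the local position where they used to be."""
    out = []
    matcher = difflib.SequenceMatcher(a=original, b=local, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            continue
        if tag == "delete":
            out.append((j1 + 1, tag, "".join(original[i1:i2]).rstrip("\n")))
        else:  # replace or insert: list the local lines
            for j in range(j1, j2):
                out.append((j + 1, tag, local[j].rstrip("\n")))
    return out


def report(original, local, path: str) -> dict:
    """Verdict, changed lines and a unified diff for one file."""
    if original == local:
        verdict = "identical"
    elif whitespace_only(original, local):
        verdict = "whitespace only"
    else:
        verdict = "content changed"
    diff = "".join(difflib.unified_diff(
        original, local, fromfile="repository/" + path, tofile="local/" + path))
    return {"verdict": verdict, "lines": changed_lines(original, local), "diff": diff}


if __name__ == "__main__":
    for name, local in (("tampered", TAMPERED), ("respaced", RESPACED)):
        result = report(ORIGINAL, local, "example.php")
        print(f"{name}: {result['verdict']}, changed lines {result['lines']}")
        print(result["diff"])
```

A "whitespace only" verdict is a hint, not a clearance: whitespace inside a string literal can still change behaviour, so the diff is worth a glance either way.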

File Permissions

Another important aspect of WordPress security is keeping an eye on the permissions of all files and folders. WordPress.org has a very clear recommendation on what they should be, and it's easy enough to change them. The only problem is that it's quite difficult to see what they actually are without using an external FTP or SFTP client. Integrity Checker can scan all files and folders in your installation and report any issues it finds.

Screenshot: Integrity Checker reporting permission issues found in a WordPress installation.
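An added Python example of the kind of scan described above (not Integrity Checker's own code): it uses the modes WordPress.org's hardening guide recommends, 755 for directories and 644 for files, flags anything group- or world-writable, and additionally refuses any "other" access to wp-config.php, which is a stricter choice made in this example rather than a rule the page states. The mini-installation it scans is constructed in a temporary directory.

```python
import os
import stat
import tempfile

# Modes from WordPress.org's hardening recommendations: 755 for directories,
# 644 for files. Adjust if your host runs PHP under a different user model.
DIR_MODE = 0o755
FILE_MODE = 0o644
CONFIG_FILE = "wp-config.php"


def check_perm(perm: int, is_dir: bool, name: str) -> list:
    """Issues for one entry, given its permission bits (no file-type bits) and name."""
    issues = []
    if perm & stat.S_IWOTH:
        issues.append("world-writable")
    elif perm & stat.S_IWGRP:
        issues.append("group-writable")
    if name == CONFIG_FILE:
        # Stricter choice of this example: nobody outside owner and group may touch it.
        if perm & stat.S_IRWXO:
            issues.append("wp-config.php accessible to other users")
        return issues
    expected = DIR_MODE if is_dir else FILE_MODE
    if perm != expected:
        issues.append(f"mode {perm:o}, expected {expected:o}")
    return issues


def scan_tree(root: str) -> dict:
    """Walk an installation and return {relative path: [issues]} for entries with issues."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        entries = [(dirpath, True)] + [(os.path.join(dirpath, f), False) for f in filenames]
        for path, is_dir in entries:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a link's own mode is meaningless; a target inside the tree is checked where it lives
            issues = check_perm(stat.S_IMODE(st.st_mode), is_dir, os.path.basename(path))
            if issues:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = issues
    return findings


def demo() -> dict:
    """Constructed mini-installation with some good and several bad entries."""
    with tempfile.TemporaryDirectory() as root:
        os.chmod(root, DIR_MODE)
        dirs = {"wp-content": DIR_MODE, "wp-content/uploads": 0o777}
        files = {"index.php": FILE_MODE, "wp-config.php": 0o644, "wp-content/plugin.php": 0o664}
        for rel, mode in dirs.items():
            os.mkdir(os.path.join(root, rel))
            os.chmod(os.path.join(root, rel), mode)
        for rel, mode in files.items():
            path = os.path.join(root, rel)
            open(path, "w").close()
            os.chmod(path, mode)
        return scan_tree(root)


if __name__ == "__main__":
    for path, issues in sorted(demo().items()):
        print(f"{path}: {', '.join(issues)}")
```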

Settings and related issues

The last tool in Integrity Checker checks for common problems caused by configuration and settings. While WordPress is mostly secure out of the box, there are several things that we as users can get wrong and that compromise the overall security. This includes problems with:

  • Bad or weak database credentials (database)
  • Bad or non-existent keys and salts (wp-config.php)
  • Lack of SSL security to protect the admin area (webserver)
  • Directory indexing allowed (webserver)
  • Old versions of core, plugins or themes (user related)
  • User enumeration (WordPress weakness)

By checking up on these common issues, Integrity Checker highlights problems that you might have forgotten about or didn't even know about.
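Most of the items in that list need the web server or the database to answer; the wp-config.php ones can be checked offline. Added Python example, not Integrity Checker's code: it parses the define() lines of a wp-config.php and flags salts that are missing, still the sample placeholder ("put your unique phrase here" is the value shipped in wp-config-sample.php) or short, the root database user, an empty or short database password, and FORCE_SSL_ADMIN not set to true. The length thresholds and the sample configurations are assumptions of this example.

```python
import re
import secrets

SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"  # value shipped in wp-config-sample.php
MIN_SALT_LEN = 32          # assumption: WordPress-generated salts are 64 characters
MIN_DB_PASSWORD_LEN = 12   # assumption: anything shorter is treated as weak

# Matches define('NAME', 'value'), define("NAME", "value") and define('NAME', true|false).
DEFINE_RE = re.compile(
    r"""define\(\s*['"]([A-Z0-9_]+)['"]\s*,\s*(?:'([^']*)'|"([^"]*)"|(true|false))\s*\)""")

# Constructed weak configuration: superuser DB account, empty password,
# placeholder salts, most salts missing, one salt far too short, no SSL for admin.
WEAK_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'root');
define('DB_PASSWORD', '');
define('AUTH_KEY',        'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('NONCE_SALT',      'abc');
"""


def parse_defines(php: str) -> dict:
    """Extract constant definitions from wp-config.php text (strings and booleans only)."""
    out = {}
    for m in DEFINE_RE.finditer(php):
        name, single, double, boolean = m.groups()
        if boolean is not None:
            out[name] = boolean == "true"
        else:
            out[name] = single if single is not None else double
    return out


def check_config(php: str) -> list:
    """Return human-readable issues found in a wp-config.php."""
    conf = parse_defines(php)
    issues = []
    for key in SALT_KEYS:
        value = conf.get(key)
        if value is None:
            issues.append(f"{key}: not defined")
        elif value == PLACEHOLDER:
            issues.append(f"{key}: still the sample placeholder")
        elif not isinstance(value, str) or len(value) < MIN_SALT_LEN:
            issues.append(f"{key}: too short ({len(str(value))} chars)")
    if conf.get("DB_USER") == "root":
        issues.append("DB_USER: database superuser 'root' in use")
    password = conf.get("DB_PASSWORD", "")
    if not isinstance(password, str) or len(password) < MIN_DB_PASSWORD_LEN:
        issues.append(f"DB_PASSWORD: empty or shorter than {MIN_DB_PASSWORD_LEN} chars")
    if conf.get("FORCE_SSL_ADMIN") is not True:
        issues.append("FORCE_SSL_ADMIN: not true, admin logins may go over plain HTTP")
    return issues


def hardened_config() -> str:
    """Constructed configuration that passes every check; salts are freshly generated."""
    lines = [
        "<?php",
        "define('DB_NAME', 'wp_prod');",
        "define('DB_USER', 'wp_app');",
        "define('DB_PASSWORD', 'c0rrect-h0rse-battery-staple-42');",
        "define('FORCE_SSL_ADMIN', true);",
    ]
    for key in SALT_KEYS:
        lines.append(f"define('{key}', '{secrets.token_urlsafe(48)}');")  # 64 characters
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONFIG), ("hardened", hardened_config())):
        found = check_config(conf)
        print(f"{label}: {len(found)} issue(s)")
        for issue in found:
            print("  -", issue)
```

FORCE_SSL_ADMIN only helps when the site actually serves HTTPS, and the directory-indexing and user-enumeration items still have to be checked against the running web server.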

Free for all, but with opportunity to contribute

Integrity Checker uses our back end API to do a lot of its work. While we'd like to be generous and give this away for free, we'd also like to find a compromise that works for as many users as possible and at the same time allows us to spend the time needed to maintain and enhance our products.

We've settled on a business model where small sites with casual usage of either Integrity Checker or wp-checksum (the CLI version) can use the back end API for free. When usage is scaled up with more frequent checks of more and larger sites, there is a cost associated with using the API.

As an anonymous user, you can query our API 25 times per hour (subject to change). We think (but would love your input) that this is sufficient for most small and medium sized WordPress installations with 20-25 plugins and a theme. There is some caching going on in the background, so repeated scans don't always result in more queries to us. We create an anonymous user in our database and assign an API key to that user; that API key is sent back to your WordPress installation and stored in your database. You can see your API key, as well as your current API usage, in the About section of Integrity Checker.

If you are willing to share your email address with us, we increase that hourly quota to 75 requests per hour (subject to change).

API keys can be reused between sites, so once you have registered with us, you can use that key on more than one site.

If you need more than 75 requests per hour assigned to one API key, you can purchase a premium subscription from this site.


At last

We're quite proud of this new offering and we're hoping that other members of the WordPress community agree with us. If you have a question or comment about Integrity Checker or wp-checksum, please let us know in the comment section below or on Twitter.