Comments (3)
I believe that this is actually a feature, not a bug. `wp core verify-checksums` will verify the checksum of the WordPress-related files in the root directory, but does not check for the addition of new files in the root directory. This is because you could (and very likely do) have other non-WordPress related files in the root directory of your site, which cannot be verified.
So, having a robots.txt or an /images/ folder or some other unrelated PHP script in the root directory of the site is fine; we just want to be sure that none of the WordPress scripts in the root directory have been modified. But, having some files hidden in wp-includes is bad, as there should not be anything in that directory which isn't WordPress-related.
If we were to start alerting on unexpected files in the root directory, then it would just lead to tons of false positives which would not be ideal.
I think the tool, as it is now, does its job of making sure that none of WordPress's core files have been modified, and that nothing else is trying to be included in an area where most webmasters wouldn't look/wouldn't know if it was really created by WordPress or not.
from checksum-command.
Thanks for the reply, @jasongill.
I agree with your opinion. But at the same time, I think it would be nice to have two options like `--include-root` and `--exclude` to keep current usage safe for current users and provide a way to keep the root safe too.
Users who want to keep their root directory safe would be able to use `wp core verify-checksums --include-root --exclude=images`.
from checksum-command.
I agree 100% with @timoshka-lab. I have come across multiple instances of malware dumping files in the root directory.
from checksum-command.
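The behaviour discussed in this thread, modeled as an added example (not WP-CLI's own code and not part of any comment above): files listed in a manifest are checked for changes, extra files are always reported inside `wp-admin` and `wp-includes`, and extras elsewhere are reported only on opt-in. The `include_root` and `exclude` parameters mirror the options proposed in the thread; the manifest, the file tree, the SHA-256 digests and the skipping of `wp-content` are assumptions made for this example.

```python
import hashlib
from pathlib import Path

CORE_DIRS = ("wp-admin", "wp-includes")  # should contain core files only
SKIPPED = ("wp-content",)                # user content; assumed out of scope

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def verify_tree(root, manifest, include_root=False, exclude=()):
    """Return (modified, unexpected) relative paths, each sorted."""
    root = Path(root)
    # Known core files must exist and match the manifest digest.
    modified = sorted(rel for rel, digest in manifest.items()
                      if not (root / rel).is_file() or sha256(root / rel) != digest)
    unexpected = []
    for path in root.rglob("*"):
        rel = path.relative_to(root).as_posix()
        top = rel.split("/", 1)[0]
        if not path.is_file() or rel in manifest or top in SKIPPED or top in exclude:
            continue
        # Extras in core directories are always reported; extras elsewhere
        # only when the caller opts in with include_root.
        if top in CORE_DIRS or include_root:
            unexpected.append(rel)
    return modified, sorted(unexpected)

def build_sample_site(base):
    """Constructed sample: three core files, one tampered, plus extras."""
    core = {"index.php": b"<?php // core index",
            "wp-login.php": b"<?php // core login",
            "wp-includes/version.php": b"<?php // core version"}
    extras = {"robots.txt": b"User-agent: *",
              "images/logo.png": b"constructed image bytes",
              "dropped.php": b"<?php // not part of core",
              "wp-includes/extra.php": b"<?php // not part of core",
              "wp-content/uploads/a.txt": b"user upload"}
    for rel, data in {**core, **extras}.items():
        target = Path(base, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    manifest = {rel: hashlib.sha256(data).hexdigest() for rel, data in core.items()}
    Path(base, "wp-login.php").write_bytes(b"<?php // edited after release")
    return manifest

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        print(verify_tree(d, build_sample_site(d), include_root=True, exclude=("images",)))
```

With the defaults, `dropped.php` in the root goes unreported, which is the gap the third comment describes; with `include_root=True`, `robots.txt` is also reported unless it is excluded, which is the false-positive concern from the first comment.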
Related Issues (20)
- flags ancient files as "should not exist" but should flag as "deprecated, can be deleted" HOT 1
- `Could not retrieve the checksums` still visible with `--skip-plugins=<plugin-name>` HOT 5
- Add `--version` param to `wp plugin verify-checksums` HOT 2
- wp-cli core verify-checksums does not check extra themes HOT 2
- During plugin verify-checksum, failed plugins should be listed HOT 2
- --include-root does not work HOT 1
- Adding an exclusion option to `wp core verify-checksums` ? HOT 1
- Add command to check themes integrity in WP-CLI HOT 1
- Verification checks skipped when plugin missing main PHP file HOT 1
- verify-checksums does not list all added files HOT 9
- Plugin
- WordPress installation doesn't verify against checksums HOT 4
- Flag presence of unexpected files HOT 11
- Add an option to skip additional files check HOT 2
- Flag to turn warnings into errors HOT 1
- Random messages: Could not retrieve the checksums for version x.y.z of plugin-name HOT 7
- Warning: Could not retrieve the checksums HOT 1
- Error: RuntimeException: Failed to get url when using `wp core verify-checksums` HOT 6
- Add --format argument to `wp core verify-checksums` HOT 1