Include checksums for themes on WordPress.org #149
Comments
Yes please! I'm so surprised that this doesn't exist yet. I would believe it to be quite similar to implement compared to the plugin equivalent.
It would be extremely useful for checking/monitoring sites for malware. Both
The main issue here is that there is no infrastructure for this on the wordpress.org servers yet. Surprisingly, the infrastructure for managing and distributing themes is completely different from the infrastructure for managing and distributing plugins. From a discussion at https://meta.trac.wordpress.org/ticket/3192:
@dd32 Are there any updates about the themes infrastructure and how the ZIP storage method works?
No changes have been made there yet. Theme zips are also regenerated occasionally, although the files contained within should remain static. Given the time since the above meta ticket, waiting for an eventual change to happen probably isn't ideal, and adding checksums for themes can probably be done sooner than later.
This would be very useful, especially for security issues. I usually use: wp checksum core && wp checksum plugins --all I'd love to have the theme part also check themes on wpdotorg repo.
This'd be really neat to have in wp-cli :)
I would like to have
I'd be very happy to contribute something to make this happen.
Perhaps the WordPress theme installer can keep a copy of the installed zips on the server, so wp-cli or other can verify against what was installed?
@paulharris in the case of a compromised website where the attacker is able to modify files in the theme, it would be easy for the attacker to also alter the zips on the server, making the checksum verification less trustworthy.
I've been thinking about how to implement this feature in the current situation (i.e. not waiting on wp.org to provide the checksums, as this doesn't seem to be priority). First, I thought about generating the checksums on the fly:
This implies that we download the plugin/calculate the checksums every time we run the command, which is not very optimal. One could think of adding a local cache... but it could get overly complicated for a temporary solution. It's also a lot of added code that will need to be cleaned up once the checksums are available on wp.org. Not ideal... Given the above, I would like to offer the following solution:
This way, the command is ready to be used whenever wp.org is ready (and then, the proxy idea can be trashed), but can also be used before that by deploying a "checksum-proxy" and using the
I was wondering about that. From what I've seen so far, the attacks against us have only allowed modifications within public_html, I was thinking you could store the zips outside of public_html.
It would be similar to the checksum command which exists for plugins.
wp theme verify-checksums --all
https://developer.wordpress.org/cli/commands/plugin/verify-checksums/
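As an added illustration of what the requested `wp theme verify-checksums` would have to do, and of the "generate the checksums on the fly from the zip" idea raised in the thread, the script below builds a per-file SHA-256 manifest from a theme zip and compares it with the installed theme directory. This is example code written for this page, not wp-cli's own implementation and not code from wordpress.org; the theme zip, the slug `demo-theme`, the file contents and the tampering are all constructed so the script runs offline. In real use the zip bytes would come from the theme's download URL on wordpress.org and the install path from `wp-content/themes/<slug>`.

```python
"""Verify an installed WordPress theme against the checksums of its zip.

Example code for this issue page (not wp-cli's implementation). The
reference manifest is built on the fly from zip bytes; in practice those
bytes would be downloaded from wordpress.org, here they are constructed.
"""
import hashlib
import io
import tempfile
import zipfile
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def manifest_from_zip(zip_bytes: bytes, theme_slug: str) -> dict:
    """Map each path relative to the theme root to its SHA-256 hex digest.

    wordpress.org theme zips hold one top-level folder named after the slug;
    that prefix is stripped so paths line up with the installed tree.
    """
    manifest = {}
    prefix = theme_slug + "/"
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.startswith(prefix):
                continue
            manifest[info.filename[len(prefix):]] = sha256_bytes(zf.read(info))
    return manifest


def manifest_from_dir(root: Path) -> dict:
    """Hash every regular file under the installed theme directory."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = sha256_bytes(path.read_bytes())
    return manifest


def verify_theme(installed_root: Path, reference: dict) -> dict:
    """Report modified, missing and extra files relative to the reference.

    "extra" matters as much as "modified": a file that is not in the
    distributed zip at all is a common place for injected code to sit.
    """
    installed = manifest_from_dir(installed_root)
    return {
        "modified": sorted(p for p in reference if p in installed and installed[p] != reference[p]),
        "missing": sorted(p for p in reference if p not in installed),
        "extra": sorted(p for p in installed if p not in reference),
    }


# Constructed demo data: a minimal fake theme (hypothetical slug "demo-theme").
DEMO_SLUG = "demo-theme"
DEMO_FILES = {
    "style.css": b"/*\nTheme Name: Demo Theme\nVersion: 1.0\n*/\n",
    "functions.php": b"<?php\nadd_theme_support('title-tag');\n",
    "index.php": b"<?php get_header(); ?>\n",
}


def build_demo_zip() -> bytes:
    """Build the zip wordpress.org would serve for the constructed theme."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in DEMO_FILES.items():
            zf.writestr(f"{DEMO_SLUG}/{name}", data)
    return buf.getvalue()


def run_demo() -> dict:
    """Install the demo theme, tamper with it, and verify against the zip."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "wp-content" / "themes" / DEMO_SLUG
        root.mkdir(parents=True)
        for name, data in DEMO_FILES.items():
            (root / name).write_bytes(data)
        # Constructed tampering: one file altered, one deleted, one added.
        (root / "functions.php").write_bytes(b"<?php\n// altered\n")
        (root / "index.php").unlink()
        (root / "unexpected.php").write_bytes(b"<?php\n// not in the zip\n")
        return verify_theme(root, manifest_from_zip(build_demo_zip(), DEMO_SLUG))


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind}: {paths}")
```

Because the manifest is derived from the zip rather than from a copy kept on the same server, an attacker who can write inside the theme directory cannot also rewrite the reference, which is the weakness pointed out above for server-side zip copies; the trade-off is the download on every run that the thread also notes.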