Title: Problem with Checksum Hashes Last modified: August 31, 2016 --- # Problem with Checksum Hashes * Resolved [François G.](https://wordpress.org/support/users/frg62/) * (@frg62) * [10 years, 3 months ago](https://wordpress.org/support/topic/problem-with-checksum-hashes/) * Hello, * This morning, all my WPs reported a similar message, like: * **_WordPress Security Firewall has detected files on your site with potential problems. [More Info](http://icwp.io/moreinfochecksum) Site – ” target=”\_blank” >SITETITLE Details for the files are below: _ * The MD5 Checksum Hashes for following core files do not match the official WordPress. org Checksum Hashes: – wp-includes/version.php * You should review these files and replace them with official versions if required. * Reports include various files, from one website to another, like fi: – wp-content/ index.php – wp-content/themes/index.php – wp-content/plugins/index.php * Considering that everyone of my websites, that are hosted on several different locations (and different server types), ALL sent this message at about the same time, I find it hard to believe that there would be a real problem. * Most of my WPs have been installed using application tools that came with the various hosting packages that I submitted. Could it explain that the referenced files are all a bit different from the “standard” ones? * Regards, Francois * [https://wordpress.org/plugins/wp-simple-firewall/](https://wordpress.org/plugins/wp-simple-firewall/) Viewing 15 replies - 1 through 15 (of 29 total) 1 [2](https://wordpress.org/support/topic/problem-with-checksum-hashes/page/2/?output_format=md) [→](https://wordpress.org/support/topic/problem-with-checksum-hashes/page/2/?output_format=md) * [icorp2015](https://wordpress.org/support/users/icorp2015/) * (@icorp2015) * [10 years, 3 months ago](https://wordpress.org/support/topic/problem-with-checksum-hashes/#post-6969662) * I have own server and got same email. I’ve checked my WordPress with Wordfence plugin and got nothing. So I hope it is a false alert. * Plugin Author [Paul](https://wordpress.org/support/users/paultgoodchild/) * (@paultgoodchild) * [10 years, 3 months ago](https://wordpress.org/support/topic/problem-with-checksum-hashes/#post-6969665) * Actually, all our sites get the same. But once we turn on the automatic repair system and it replaces the files, the warnings go away. * For some reason, the index.php files all have different line-ending characters. Why is this? I don’t have an explanation for you. I have used the data coming straight out of the WordPress.org API. After testing I was tempted to exclude these index.php files, but I opted not to, since they could legitimately be used to host malicious code. * That all said though, I would definitely check your wp-includes/version.php file– that should definitely not be different to the original source. * My best advice here is to enable the automatic repair and the system will clean all this up for you and you wont get the notices again – except to say they’ve been replaced. * I think only WordPress.org could explain why all the index.php files that are shipped with their updates differ to the original coming out of the SVN source repository. * [chfriley](https://wordpress.org/support/users/chfriley/) * (@chfriley) * [10 years, 3 months ago](https://wordpress.org/support/topic/problem-with-checksum-hashes/#post-6969711) * Got this message too, glad to see this explanation, BUT this should be reported as a bug report for WP.org then. * Plugin Author [Paul](https://wordpress.org/support/users/paultgoodchild/) * (@paultgoodchild) * [10 years, 3 months ago](https://wordpress.org/support/topic/problem-with-checksum-hashes/#post-6969722) * I’ve been digging in to what’s going on with a view to actually posting a bug. * It turns out, I believe that when WordPress introduced (years ago) patch upgrades for the WordPress core, they have built in a mechanism so that nothing gets upgraded that falls below the “wp-content” directory. * They since removed the `?>` from the end of those index.php files meaning that they were never upgraded during WordPress upgrades. So if your site was installed before a given date, your files would have had `?>` at the end and never been brought in-line with the latest versions of the files which don’t have the trailing`? >`. 🙂 * So, to fix the problem, simply remove the `?>` from the ends of those files and/ or enable the automatic repair option for the future. * I believe it’s worth to keep the checks on for the index.php files going forward and I don’t want to exclude them from the checks. * Thoughts? * [EasySiteNowNL](https://wordpress.org/support/users/easysitenownl/) * (@easysitenownl) * [10 years, 3 months ago](https://wordpress.org/support/topic/problem-with-checksum-hashes/#post-6969739) * Paul, isn’t it possible to exlude only that last small part (?>) from your checks, it is a bit of a hassle because then I have to change 30+ sites.. * Thread Starter [François G.](https://wordpress.org/support/users/frg62/) * (@frg62) * [10 years, 3 months ago](https://wordpress.org/support/topic/problem-with-checksum-hashes/#post-6969747) * Same problem here: I am managing over 150 WPs for my customers and myself. Having to manually correct each of them will take me for ages… * Plugin Author [Paul](https://wordpress.org/support/users/paultgoodchild/) * (@paultgoodchild) * [10 years, 3 months ago](https://wordpress.org/support/topic/problem-with-checksum-hashes/#post-6969756) * I’m working on an update to the plugin that will handle this special case. I’ll release it shortly… * Plugin Author [Paul](https://wordpress.org/support/users/paultgoodchild/) * (@paultgoodchild) * [10 years, 3 months ago](https://wordpress.org/support/topic/problem-with-checksum-hashes/#post-6969759) * Okay, I’ve released the update to address this issue, and a few others. v4.16.1 * I had no idea you all has so many sites running the plugin. * Small question for you, how would integrating centralised management for this particular plugin into the likes of iControlWP control panel interest you? Would this be worth developing out for you guys? * [Pirate Tayls](https://wordpress.org/support/users/pirate-tayls/) * (@pirate-tayls) * [10 years, 3 months ago](https://wordpress.org/support/topic/problem-with-checksum-hashes/#post-6969774) * That’s a great idea! I’m currently tied to InfiniteWP, at least for a while. Any chance of working it into that, also? * [WideSmiler](https://wordpress.org/support/users/widesmiler/) * (@widesmiler) * [10 years, 3 months ago](https://wordpress.org/support/topic/problem-with-checksum-hashes/#post-6969775) * Thanks for the fast response and plugin updates, Paul. Getting our sites updated, now… * [gfields108](https://wordpress.org/support/users/gfields108/) * (@gfields108) * [10 years, 3 months ago](https://wordpress.org/support/topic/problem-with-checksum-hashes/#post-6969868) * Thanks for the great plugin! * This issue is actually not resolved yet even though the plugin was updated. * I manage over 40 WP websites. Yesterday I installed the update meant to fix the checksum problem on all the sites. This morning I received 18 emails from 18 sites with this: * The MD5 Checksum Hashes for following core files do not match the official WordPress. org Checksum Hashes: – wp-content/themes/index.php (WordPress.org source file)– wp-content/plugins/index.php (WordPress.org source file) – wp-content/index.php( WordPress.org source file) * and a couple of emails from another site that was just created a few weeks ago with this: * The following official WordPress core files are missing from your site: – wp- admin/install.php (WordPress.org source file) * I think it might be a better practice when you roll out a new feature to not automatically enable it. Now I will have to manually login to over 40 sites to either disable the feature or to check the option for “Automatically Repair WordPress Core Files That Have Been Altered” * Thanks! * Plugin Author [Paul](https://wordpress.org/support/users/paultgoodchild/) * (@paultgoodchild) * [10 years, 3 months ago](https://wordpress.org/support/topic/problem-with-checksum-hashes/#post-6969872) * I understand the frustration here, but the only way to get a new feature to be used on any scale is to automatically enable it. With automatic updates, fixes can get rolled out relatively quickly. * It’s impossible to foresee such problems as this, where WordPress doesn’t actually keep these files up-to-date. And, their approach to multilingual WordPress is so messy it’s also throwing up `version.php` as a suspect file too because that’s used, in certain circumstances, to determine locale. * Doing new features like this is another reminder of how messy it all is. * I do apologise for the inconvenience of this, but having so many reports of issues actually allows us to better tweak the code more quickly to make it all the more better. * Thankfully nobody was locked out of their site; there were no horrific data corruption issues and no animals were harmed in its production. 😉 Just lots of emails… no-one likes that, but I hope that most folk out there can see their way past that while it’s tweaked and refined. * Cheers! * [Pirate Tayls](https://wordpress.org/support/users/pirate-tayls/) * (@pirate-tayls) * [10 years, 3 months ago](https://wordpress.org/support/topic/problem-with-checksum-hashes/#post-6969873) * I am also still getting warnings this morning. * I’m going to take a different view from others. I appreciate the great plugin, and an occasional issue like this is far better than my sites being compromised. I deal with almost 40 sites myself, and I would much rather have to go in and make individual setting changes than have you not keep making improvements to the plugin. * It’s not ideal, but far better than any worst-case alternative. * If you don’t enable new features automatically, then you will hear from a different group who have to go into dozens of sites manually to turn it on. * Thanks! * Plugin Author [Paul](https://wordpress.org/support/users/paultgoodchild/) * (@paultgoodchild) * [10 years, 3 months ago](https://wordpress.org/support/topic/problem-with-checksum-hashes/#post-6969875) * Okay, the next update will do the following: * – index.php will be replaced automatically when it’s discovered to be _different _in any way to the original source. If it is discovered to be _missing_, it will be treated like any other normal core WordPress file. * – version.php should now be detected correctly for non- English US installs * – wp-admin/install.php will now be ignored, _only _if it’s missing. * If anyone would like to do me a favour and test this, that’d be great! * Here is a how-to for the beta: [https://icontrolwp.freshdesk.com/solution/articles/3000046787](https://icontrolwp.freshdesk.com/solution/articles/3000046787) * You can use the download zip link from here for the source: [https://github.com/FernleafSystems/wp-simple-firewall/tree/release/4.16.2](https://github.com/FernleafSystems/wp-simple-firewall/tree/release/4.16.2) * If testing betas isn’t your thing… you’ll need to hold on a day or so while I fully it test it further and anyone here provides feedback. * Thanks! * [Wingers574](https://wordpress.org/support/users/wingers574/) * (@wingers574) * [10 years, 3 months ago](https://wordpress.org/support/topic/problem-with-checksum-hashes/#post-6969882) * Just adding more grist to the mill here. I have over 90 WordPress websites that use this firewall. Love the plugin, however as with some other developers that add features into their products, I really do not want something that I have to go around every site and turn on/off because it is flooding me with emails because a new feature has been added. It is not a problem when you have a couple of sites. But for those of us that support lots of people it is a major issue. I have the index.php being reported from all locations. I also do not want to use iControl for security reasons. I am not implying it is insecure, however I do not want multiple methods of accessing all sites through one central console. So that is not a solution for me. So if you add a feature into a plugin please do it quietly. Don’t add something in that sends out lots of messages. Because the only way to turn it off is to enter each site and change something. I do visit every site at least once every 3 months. At this time I could turn something new on, or generally review the plugins and make changes. Please do not misunderstand my comments, great plugin, great work, just bear in mind that there might be some heavyweight users out there, and not everyone has a couple of sites to tweak. Viewing 15 replies - 1 through 15 (of 29 total) 1 [2](https://wordpress.org/support/topic/problem-with-checksum-hashes/page/2/?output_format=md) [→](https://wordpress.org/support/topic/problem-with-checksum-hashes/page/2/?output_format=md) The topic ‘Problem with Checksum Hashes’ is closed to new replies. * ![](https://ps.w.org/wp-simple-firewall/assets/icon-256x256.png?rev=3054572) * [Shield: Blocks Bots, Protects Users, and Prevents Security Breaches](https://wordpress.org/plugins/wp-simple-firewall/) * [Frequently Asked Questions](https://wordpress.org/plugins/wp-simple-firewall/#faq) * [Support Threads](https://wordpress.org/support/plugin/wp-simple-firewall/) * [Active Topics](https://wordpress.org/support/plugin/wp-simple-firewall/active/) * [Unresolved Topics](https://wordpress.org/support/plugin/wp-simple-firewall/unresolved/) * [Reviews](https://wordpress.org/support/plugin/wp-simple-firewall/reviews/) * 29 replies * 13 participants * Last reply from: [ChrisSchwan](https://wordpress.org/support/users/christree/) * Last activity: [10 years, 3 months ago](https://wordpress.org/support/topic/problem-with-checksum-hashes/page/2/#post-6969933) * Status: resolved