On October 29, 2020, there was a bit of a mixup from WordPress when they tried to push out an update to the WordPress core files. Many sites, instead of getting the 5.5.3 update ended up installing the 5.5.3 alpha.
Our site was one of those fortunate enough to get the alpha. And, BlogSafe scanner handled it just as it was told to do.
One of the really annoying things this alpha update did was install a bunch of new stock themes. Ranging from theme Twenty Ten to Twenty Sixteen, we woke to a nasty email from BlogSafe Scanner that dozens and dozens of modified theme files had suddenly been installed on our server. The curious part is, all of these theme files were listed as modified and not new files even though they looked identical when we compared them.
So, here’s the tests we ran to figure out why they’re considered ‘modified’ and not new files.
As an example: Let’s say you have a Windows computer and run a MD5 checksum on a file and it comes up d45d493d402d5712ff78878a1d34b6a2. Now, let’s say you FTP that same file to a Linux server and run a checksum, it’ll be: aef2880581a7226882780ffee6f8566e. The main reason for this difference is the way Linux and Windows do carriage returns and line feeds. Windows uses a carriage return + line feed at the end of lines. Linux uses a newline.
So here’s the problem with the alpha debacle. The WordPress update server apparently runs Windows. When it installed the themes, BlogSafe Scanner came up with the same exact checksums as if you had FTP’d the files from a Windows computer.
But, the WordPress API server where you download or install themes is a Linux machine. When BlogSafe Scanner downloads those themes and looks at the checksums, they are Linux files.
When BlogSafe Scanner tries to compare the same Linux file to a Windows file, the checksums come up very different. As a result, every single theme file that the alpha debacle installed on our server was found to be a modified file because the checksums didn’t match.
In this case, it was an easy fix. We just uninstalled all those themes and the problem went away. But this doesn’t solve the problem of what happens when official WordPress files and themes or plugins available from the WordPress site get uploaded with Windows checksums.
That, unfortunately, all depends on WordPress.org