Welcome to WP Hashes *beta

This service is provided, built, and maintained by the team behind Shield Security for WordPress.

With this API you can query to get the full set of MD5 / SHA1 / SHA512 hashes for any WordPress.org plugin, just like you can with WordPress core files. It also supports ClassicPress official releases, as well as WordPress itself.

We use CloudFlare caching extensively in order to provide the service without ridiculous bandwidth costs so our API implementation is very strict. That is, you must provide the request parameters precisely, or you’ll face an API error.

API Requests:

  • API is built on WP REST API.
  • There are 4 API Endpoints:
    1. https://wphashes.com/api/apto-wphashes/v1/hashes/wordpress
    2. https://wphashes.com/api/apto-wphashes/v1/hashes/plugin
    3. https://wphashes.com/api/apto-wphashes/v1/hashes/theme
    4. https://wphashes.com/api/apto-wphashes/v1/hashes/classicpress
  • All requests are GET
  • There are 4 request parameters and depending on the endpoint, certain parameters are required where others are to be excluded. The order of parameters is critical also, and you can see the order in the examples below.
    1. *hash – the hashing algorithm you prefer (md5, sha1, sha512)
    2. *version – the version of WordPress, or the particular plugin or theme, e.g. 7.3.5
      Note: For WordPress, version 5.0.0 doesn’t exist – it’s 5.0 instead. You need to be precise with your versions, as the API will not attempt a fuzzy search for you.
    3. slug – the WordPress.org item slug, e.g. wp-simple-firewall (our Shield Security plugin). This field may only be included on the plugin endpoint.
    4. locale – only for use with wordpress endpoint.
  • All parameters that are required must be provided – there are no defaults. Shortcuts to “latest” for the version etc. will be handled at a later date.
  • Don’t include parameters that aren’t required (see below on errors):
    • e.g. if endpoint is wordpress, don’t include slug.
    • e.g. if endpoint is not wordpress, don’t provide locale.

* – denotes parameters that are always required with every request.

API Errors

The following scenarios will result in an API error response:

  • Error: Extra parameters are included with the request that are not specified above or are not required. This activity is cache-busting, and so such requests are not processed.
  • Error: A parameter or its value has upper-case characters (this is cache-busting also).
  • Error: Non-HTTP GET requests.
  • Error: Invalid parameters, for example those that include characters that would never be seen in any correct parameters, or slugs that don’t exist, or versions that don’t exist.

Successive API errors from the same IP address will result in an IP ban.

API Responses

  • All responses are JSON encoded.
  • Unpacked responses will provide an array of 2 elements,
    • meta (array) – meta information about the asset requested, including:
      • slug
      • type
      • version
      • hash
      • ts (unix timestamp for date of hashing)
      • api_version
    • hashes (array) – the list of files (array keys) and their respective hashes (array values). Just like WP hashes, all files are relative to the plugin/theme installation directory on a site, with no leading slash (/).

API Request Examples

  1. Get the MD5 hashes for the plugin with slug ‘wp-simple-firewall’, and version 8.4.4:
  2. Get SHA1 hashes for the Yoast SEO plugin, version 11.7
    (note the version should be as precise as it was released: it’s 11.7, not 11.7.0)
  3. Get the SHA1 hashes for WordPress 5.2.2, for locale en_US:
    (note that you need to supply locale, and there’s no slug field)
  4. Get the SHA512 hashes for ClassicPress 1.0.1:

API Usage Cost

This API is free to use, unless any or all of the following scenarios apply to you:

  • You are using this for commercial purposes
  • You are using this for a free product with commercial upgrade options
  • You distribute any product (e.g. WordPress plugin) or service that uses this API. The license to use this API applies to you, the developer/distributor/service provider, not the end user.
  • You provide a central service, like a SaaS, that uses this API.

Basically, if you’re not using it for your own internal projects, then please contact us to discuss licensing options.

API Plans

  • Themes – we’ll add WP themes supports in due course.
  • User accounts – so you can get your own API key for authentication and usage tracking.
  • Premium plugins and themes. Effort underway…


Use of this API implies absolutely no warranty or guarantee or liability on our part, of any kind, whatsoever. If you use this service, you do so at your own risk and we are not liable in any way, or for any reason, for any trouble caused either directly or indirectly by using it due to errors, instability, inaccuracy, or for any other reason. Reliance on it for any purpose whatsoever is done so at your own personal and professional risk.

If you do not agree with the foregoing you are not permitted to use the service in any way.

Click to access the login or register cheese