This service is provided, built, and maintained by the team behind Shield Security for WordPress.
With this API you can query to get the full set of MD5 / SHA1 / SHA512 hashes for any WordPress.org plugin, just like you can with WordPress core files. It also supports ClassicPress official releases, as well as WordPress itself.
We use CloudFlare caching extensively in order to provide the service without ridiculous bandwidth costs so our API implementation is very strict. That is, you must provide the request parameters precisely, or you’ll face an API error.
- API is built on WP REST API.
- There are 3 API Endpoints:
- All requests are
- There are 4 request parameters and depending on the
endpoint, certain parameters are required where others are to be excluded. The order of parameters is critical also, and you can see the order in the examples below.
hash– the hashing algorithm you prefer (
version– the version of WordPress, or the particular plugin or theme, e.g.
Note: For WordPress, version 5.0.0 doesn’t exist – it’s 5.0 instead. You need to be precise with your versions, as the API will not attempt a fuzzy search for you.
slug– the WordPress.org item slug, e.g.
wp-simple-firewall(our Shield Security plugin). This field may only be included on the
locale– only for use with
- All parameters that are required must be provided – there are no defaults. Shortcuts to “latest” for the version etc. will be handled at a later date.
- Don’t include parameters that aren’t required (see below on errors):
- e.g. if endpoint is
wordpress, don’t include
- e.g. if endpoint is not
wordpress, don’t provide
- e.g. if endpoint is
* – denotes parameters that are always required with every request.
The following scenarios will result in an API error response:
- Error: Extra parameters are included with the request that are not specified above or are not required. This activity is cache-busting, and so such requests are not processed.
- Error: A parameter or its value has upper-case characters (this is cache-busting also).
- Error: Non-HTTP GET requests.
- Error: Invalid parameters, for example those that include characters that would never be seen in any correct parameters, or slugs that don’t exist, or versions that don’t exist.
Successive API errors from the same IP address will result in an IP ban.
- All responses are JSON encoded.
- Unpacked responses will provide an array of 2 elements,
meta(array) – meta information about the asset requested, including:
ts(unix timestamp for date of hashing)
hashes(array) – the list of files (array keys) and their respective hashes (array values). Just like WP hashes, all files are relative to the plugin/theme installation directory on a site, with no leading slash (
API Request Examples
- Get the MD5 hashes for the plugin with slug ‘wp-simple-firewall’, and version 7.4.2:
- Get SHA1 hashes for the Yoast SEO plugin, version 11.7
https://wphashes.com/api/apto-wphashes/v1/hashes/plugin/wordpress-seo/11.7/sha1(note the version should be as precise as it was released: it’s
- Get the SHA1 hashes for WordPress 5.2.2, for locale en_US:
https://wphashes.com/api/apto-wphashes/v1/hashes/wordpress/5.2.2/en_us/sha1(note that you need to supply
locale, and there’s no
- Get the SHA512 hashes for ClassicPress 1.0.1:
API Usage Cost
This API is free to use, unless any or all of the following scenarios apply to you:
- You are using this for commercial purposes
- You are using this for a free product with commercial upgrade options
- You distribute any product (e.g. WordPress plugin) or service that uses this API. The license to use this API applies to you, the developer/distributor/service provider, not the end user.
- You provide a central service, like a SaaS, that uses this API.
Basically, if you’re not using it for your own internal projects, then please contact us to discuss licensing options.
- Themes – we’ll add WP themes supports in due course.
- User accounts – so you can get your own API key for authentication and usage tracking.
- Premium plugins and themes.
Use of this API implies absolutely no warranty or guarantee or liability on our part, of any kind, whatsoever. If you use this service, you do so at your own risk and we are not liable in any way, or for any reason, for any trouble caused either directly or indirectly by using it due to errors, instability, inaccuracy, or for any other reason. Reliance on it for any purpose whatsoever is done so at your own personal and professional risk.
If you do not agree with the foregoing you are not permitted to use the service in any way.