After downloading a file, it’s always helpful to validate it to ensure its not corrupt or malicous. You can accomplish this by comparing checksums – md5sum, sha1, sha256, sha512, etc. – against the original file if its published on the official website. You can use your computer, SSH, and websites such as VirusTotal.com to achieve this. Below we’ll demonstrate how to do this using SSH with a manual download of WordPress 4.9.8.

Note: The higher the number in the algorithm – sha224, sha384, etc. – the stronger the authentication process. Also, this along with the larger the file being validated determines the time before validation completes.

Warning: Verifying the checksum against the website only checks that it wasn’t corrupted during the download. It doesn’t guarantee the file isn’t malicious. If the website is hacked, the checksum could also be modified to that of the malicious file. If you believe you may have malicious content on your server, please request a free server scan and review our hack recovery guide.

Verify Checksum with SSH

1. Upload the file(s) into the correct directory.
2. SSH into the cPanel account using the correct steps for your hosting plan – Shared or VPS/Dedicated.
3. Type the preferred checksum command and the path to the file –
   e.g. md5sum file.jpg or sha1sum public_html/file.png.
   For example, here’s the md5sum and sha1sum output for the downloaded WordPress 4.9.8:
   
4. Check that the checksum(s) match the original file. Both checksums above match the md5 and sha1 checksum respectively from WordPress.org.

If your SSH checksum matches what’s on the official site, congratulations. If not, you may want to try another validation program or method of downloading the original file such as from a reputable location.