Title: [Plugin: Exploit Scanner] 0.97.6 plugin says &quot;hashes-3.1.php missing&quot;
Last modified: August 19, 2016

---

# [Plugin: Exploit Scanner] 0.97.6 plugin says "hashes-3.1.php missing"

 *  Resolved [Fred Chapman](https://wordpress.org/support/users/fwchapman/)
 * (@fwchapman)
 * [15 years, 3 months ago](https://wordpress.org/support/topic/plugin-exploit-scanner-0976-plugin-says-hashes-31php-missing/)
 * Hello,
 * I’m trying the 0.97.6 plugin for the first time on a couple of different WordPress
   3.1 sites. One site is very minimal, with the default Twenty Ten 1.2 theme and
   only one other plugin, namely WordPress HTTPS.
 * After running a scan, I get hundreds of messages! The first message is this:
 * > **hashes-3.1.php missing**
   >  The file containing hashes of all WordPress core
   > files appears to be missing; modified core files will no longer be detected
   > and a lot more suspicious strings will be detected
 * I suspect this is the source of most or all of the other messages.
 * Can anything be done to fix this?
 * Thank you,
 * Fred Chapman
    Bethlehem, PA

Viewing 13 replies - 1 through 13 (of 13 total)

 *  Plugin Author [Jon Cave](https://wordpress.org/support/users/duck_/)
 * (@duck_)
 * [15 years, 3 months ago](https://wordpress.org/support/topic/plugin-exploit-scanner-0976-plugin-says-hashes-31php-missing/#post-1938027)
 * A new release for WordPress 3.1 will be coming shortly. Just waiting to see if
   I could track down and fix a bug others have been experiencing.
 *  Thread Starter [Fred Chapman](https://wordpress.org/support/users/fwchapman/)
 * (@fwchapman)
 * [15 years, 3 months ago](https://wordpress.org/support/topic/plugin-exploit-scanner-0976-plugin-says-hashes-31php-missing/#post-1938123)
 * Jon,
 * Thanks for your speedy reply! I look forward to the new version of your plugin.
   Thanks for all your hard work!
 * Fred
 *  Thread Starter [Fred Chapman](https://wordpress.org/support/users/fwchapman/)
 * (@fwchapman)
 * [15 years, 3 months ago](https://wordpress.org/support/topic/plugin-exploit-scanner-0976-plugin-says-hashes-31php-missing/#post-1938282)
 * Jon,
 * I tried Exploit Scanner 1.0, and the missing hashes message is gone now. Thanks
   for fixing that!
 * Instead of hundreds of messages, I now get only dozens. There are 13 severe messages,
   mostly eval messages, some base64_decode messages. Is this normal? I have a lot
   of security plugins installed and the site seems to be running normally. Should
   I just use this as a baseline indicator to identify possible future attacks?
 * Thanks again,
 * Fred
 *  Plugin Author [Jon Cave](https://wordpress.org/support/users/duck_/)
 * (@duck_)
 * [15 years, 3 months ago](https://wordpress.org/support/topic/plugin-exploit-scanner-0976-plugin-says-hashes-31php-missing/#post-1938283)
 * > I tried Exploit Scanner 1.0, and the missing hashes message is gone now. Thanks
   > for fixing that!
 * No problem, and thanks 🙂 I try to get hash updates out within hours of a WordPress
   release but just delayed a bit this time for other reasons.
 * > There are 13 severe messages, mostly eval messages, some base64_decode messages.
   > Is this normal?
 * It depends on your choice of plugins — I assume some of the other plugins you
   are running are being flagged. I don’t have anything like that picked up on my
   installs except for testing the scanner.
 * All matches have to be interpreted in context. Those functions can be used for
   non-malicious purposes (otherwise they wouldn’t be provided by PHP!), but they
   are very common in malicious code which is why the plugin searches for them. 
   If you have the understanding to look through at the plugin code (something I
   would do for any plugin I install) to see how these functions are used then it’s
   safe to ignore that output and use it as a baseline. If you’re seeing matches
   in modified core files or in previously unheard of locations (maybe hidden away
   in an innocuous file name in wp-includes) then you should be more worried.
 *  Thread Starter [Fred Chapman](https://wordpress.org/support/users/fwchapman/)
 * (@fwchapman)
 * [15 years, 3 months ago](https://wordpress.org/support/topic/plugin-exploit-scanner-0976-plugin-says-hashes-31php-missing/#post-1938304)
 * Jon,
 * Thanks for your in-depth reply. Most of the severe messages are from plugins 
   which I recently installed. Only two severe messages are from WordPress core 
   files:
 * wp-includes/class-ixr.php:249
    `$value = base64_decode( trim( $this->_currentTagContents));`
 * php.ini:982
    `; error_reporting(0) around the eval().`
 * Is the first one cause for concern? The second one is just a comment, so I don’t
   know why it’s been flagged.
 * Thanks,
 * Fred
 *  Plugin Author [Jon Cave](https://wordpress.org/support/users/duck_/)
 * (@duck_)
 * [15 years, 3 months ago](https://wordpress.org/support/topic/plugin-exploit-scanner-0976-plugin-says-hashes-31php-missing/#post-1938305)
 * > Is the first one cause for concern?
 * Possibly yes. The scanner only looks in core files if they have been modified.
   However, I notice that you’re seeing class-ixr.php whereas that file is called
   class-IXR.php in 3.1 and the line that got highlighted was changed between 3.0
   and 3.1 to remove the `trim`. So looks like something weird has happened there,
   although that line is fine.
 * > The second one is just a comment, so I don’t know why it’s been flagged.
 * The scanner doesn’t make any distinction between file type, comments, etc. And
   php.ini isn’t a core WordPress file.
 *  Thread Starter [Fred Chapman](https://wordpress.org/support/users/fwchapman/)
 * (@fwchapman)
 * [15 years, 3 months ago](https://wordpress.org/support/topic/plugin-exploit-scanner-0976-plugin-says-hashes-31php-missing/#post-1938307)
 * Jon,
 * Thanks for explaining this. I didn’t notice that I had an old version of class-
   ixr.php. I deleted it and reduced my severe messages by one. 🙂
 * What do you think of the idea of allowing users to define their own baseline.
   In other words, would it be feasible and worthwhile to let users tell the scanner
   to ignore a particular error in future scans? That way, if something truly malicious
   does occur, it won’t be buried under a pile of messages which are not cause for
   concern. I think a feature like that would make the scanner much more valuable.
 * Fred
 *  [jwgrendel](https://wordpress.org/support/users/jwgrendel/)
 * (@jwgrendel)
 * [15 years, 1 month ago](https://wordpress.org/support/topic/plugin-exploit-scanner-0976-plugin-says-hashes-31php-missing/#post-1938522)
 * I just got the missing-hashes-file message running Exploit Scanner 1.0.1 with
   WordPress 3.1.2.
 * Is this also just a case of the plugin needing an update?
 * Jill Williams
 *  [PeacockAndPaisley](https://wordpress.org/support/users/peacockandpaisley/)
 * (@peacockandpaisley)
 * [15 years, 1 month ago](https://wordpress.org/support/topic/plugin-exploit-scanner-0976-plugin-says-hashes-31php-missing/#post-1938524)
 * Hi, I just got the same message, too, about 3.1.2
 * Thanks!
 *  Plugin Author [Jon Cave](https://wordpress.org/support/users/duck_/)
 * (@duck_)
 * [15 years, 1 month ago](https://wordpress.org/support/topic/plugin-exploit-scanner-0976-plugin-says-hashes-31php-missing/#post-1938525)
 * Done, sorry for the delay. Update notifications should be visible in dashboards
   soon.
 *  [PeacockAndPaisley](https://wordpress.org/support/users/peacockandpaisley/)
 * (@peacockandpaisley)
 * [15 years, 1 month ago](https://wordpress.org/support/topic/plugin-exploit-scanner-0976-plugin-says-hashes-31php-missing/#post-1938526)
 * No problem; thank you!
 *  [sokratesagogo](https://wordpress.org/support/users/sokratesagogo/)
 * (@sokratesagogo)
 * [14 years, 11 months ago](https://wordpress.org/support/topic/plugin-exploit-scanner-0976-plugin-says-hashes-31php-missing/#post-1938551)
 * Just downloaded the development version and can’t see the 3.2x hashes..
 *  [Travelgrove](https://wordpress.org/support/users/travelgrove/)
 * (@travelgrove)
 * [14 years, 11 months ago](https://wordpress.org/support/topic/plugin-exploit-scanner-0976-plugin-says-hashes-31php-missing/#post-1938555)
 * [@sokratesagogo](https://wordpress.org/support/users/sokratesagogo/): me neither..
   any info when will that be available?

Viewing 13 replies - 1 through 13 (of 13 total)

The topic ‘[Plugin: Exploit Scanner] 0.97.6 plugin says "hashes-3.1.php missing"’
is closed to new replies.

 * ![](https://s.w.org/plugins/geopattern-icon/exploit-scanner.svg)
 * [Exploit Scanner](https://wordpress.org/plugins/exploit-scanner/)
 * [Frequently Asked Questions](https://wordpress.org/plugins/exploit-scanner/#faq)
 * [Support Threads](https://wordpress.org/support/plugin/exploit-scanner/)
 * [Active Topics](https://wordpress.org/support/plugin/exploit-scanner/active/)
 * [Unresolved Topics](https://wordpress.org/support/plugin/exploit-scanner/unresolved/)
 * [Reviews](https://wordpress.org/support/plugin/exploit-scanner/reviews/)

 * 13 replies
 * 6 participants
 * Last reply from: [Travelgrove](https://wordpress.org/support/users/travelgrove/)
 * Last activity: [14 years, 11 months ago](https://wordpress.org/support/topic/plugin-exploit-scanner-0976-plugin-says-hashes-31php-missing/#post-1938555)
 * Status: resolved