---
title: "Best Practices for Using Checksums"
description: "In this article: ChecksumsBest Practices Checksums Defense in depth involves layers of security, and file management is a core part of it. If you offer or recommend downloadable content, it's..."
url: https://www.inmotionhosting.com/support/security/best-practices-for-using-checksums/
date: 2019-09-24
modified: 2021-11-04
author: "InMotion Hosting Contributor"
categories: ["Security"]
type: post
lang: en
---

# Best Practices for Using Checksums

**In this article:**

- [Checksums](#checksums)
- [Best Practices](#practices)

## Checksums

Defense in depth involves layers of security, and file management is a core part of it. If you offer or recommend downloadable content, it's important to understand the importance of verifying [checksums on your Linux server](/support/security/verify-checksums-ssh/), [PC, or Mac](/support/security/create-checksum-locally/). Whether you use a content managment system (CMS), framework, or static HTML, you must be proactive to mitigate the possibility of any malicious activity affecting end users' workstations. Providing [checksums](https://www.inmotionhosting.com/support/security/reasons-your-checksum-doesnt-match-the-original/) for end users to ensure their downloads are legitimate is one way to do this.

Below we'll cover some **best practices for implementing ****checksums**.

**Want better server security?** Our [VPS Hosting](https://www.inmotionhosting.com/vps-hosting) has over a dozen security features between cPanel and WebHost Manager (WHM). Our [Dedicated Hosting](https://www.inmotionhosting.com/dedicated-servers) plans offer a hardware firewall.

## Checksum Practices

### Store Checksums on an External Site

We often recommend storing verified backups on at least two other devices. Download your [cPanel backup](https://www.inmotionhosting.com/support/edu/cpanel/cpanel-backups/) to a computer that's backed up regularly. Now, you have 3-4 backups including the server (and [WHM backup](/support/edu/cpanel/setup-scheduled-cpanel-backups/) for VPS / Dedicated servers). This disaster recovery practice provides redundancy that protects you from most data corruption and intrusion issues.

Similarly, its best to list checksums in an external location to protect users against malicious files. Otherwise, if your website is hacked, someone can change the file (and/or destination to it) **and** the checksum with the same credentials to appear valid. Something similar happened to [Linux Mint a few years ago](https://blog.linuxmint.com/?p=2994). Their long list of download mirrors (externally hosted web servers) reduced the impact as users had multiple download options. A hacker isn't likely to be able to hack all available download mirrors.

**Recommended:** Host a checksum list on your website and another reputable platform such as [Gitlab](https://about.gitlab.com/) and [Github](/support/website/git/using-your-github-account/)

### Multiple Checksums

After you identify multiple locations to show your checksums, make sure you include the strongest hash algorithms. **SHA512** is the strongest commonly supported SHA function as of 2019. It's preinstalled in many popular Linux installations. The lesser **SHA384** is popular with [subresource integrity (SRI)](/support/security/subresource-integrity-sri/).

**MD5** and **SHA1** algorithms are fast but not recommended because they're weak and prone to hash collision. Users without command line access can be directed to websites suh as [VirusTotal.com](https://www.virustotal.com/) and [SRIhash.org](https://www.srihash.org/).

**Recommended:** Provide checksums starting with the strongest hash - e.g. SHA512, SHA384, SHA256, MD5

### Instructions

Concise instructions can ease less technical users intimidated by the command line interface (CLI). Whether you instruct users to use a website or CLI, multiple checksums may discourage users from verifying their download.

To mitigate this, provide clear steps with CLI commands a user can copy and paste with screenshots, how to compare their checksum to the original, and troubleshooting tips. If you recommend Virus Total or a similar tool, provide a quick GIF or video explaining how to navigate the website.

**Recommended:** Clear copy-and-paste steps, screenshots, troubleshooting tips if it does not match the expected checksum

Here's an example from our [Linux checksum guide](/support/security/verify-checksums-ssh/):

[![Screenshot of md5sum and sha1sum for wordpress-4.9.8.tar.gz file in SSH](https://www.inmotionhosting.com/support/images/stories/hashsums/hashsum-1-ssh-md5sum-sha1sum-bigger.png)](https://www.inmotionhosting.com/support/images/stories/hashsums/hashsum-1-ssh-md5sum-sha1sum-bigger.png)

### Overall Hardening

As a general tip, research ways to improve security within your website, .htaccess file, [server](/support/security/server-security-best-practices/), and [DNS](/support/email/strengthen-overall-email-authentication/)[ records](/support/email/strengthen-overall-email-authentication/). Many CMSs have security plugins. There's also online tools such as [Mozilla Observatory](https://observatory.mozilla.org/) for .htaccess hardening.

**Recommended:** Follow best security practices for your CMS and server.

### Privacy Policy

Your site may be the first to teach a new user about hashing for file verification. It could create a positive impression on technical visitors. There's one major thing that can cement that impression and cover legal matters: a **human-readable privacy policy** that's easily accessible on every page.

Also, all websites - not just e-commerce sites - can benefit from working towards [General Data Protection Regulation (GDPR) compliance](https://www.inmotionhosting.com/gdpr). It shows you care about user privacy and personally indentifiable information (PII) in case of an intrusion. Many popular CMSs added privacy features for easier compliance following its implementation in 2018 - [WordPress](/support/edu/wordpress/privacy-policy-page-wordpress/)*, *[PrestaShop 1.7](/support/edu/prestashop/gdpr-prestashop-17/)*, *[MatomoAnalytics](/support/website/analytics/opt-out-notification-matomo-analytics/)*, etc*.

**Recommended:** Work towards GDPR compliance to support user privacy

### Realize That Some Won't Use it

Security and convenience many times clash, as if on a balancing scale, with convenience winning in the end. However, you should facilitate better security practices to the best of your ability. One's privacy and peace of mind are valuable with the current cyber threats. Do your part to help provide that.

**Recommended:** Remember, user error is the most vulnerable attack vector

> Security everyone’s job. Technology cannot negate user error.[6 Ways to Secure Your Web Activity from Your Computer](https://www.inmotionhosting.com/blog/6-ways-to-secure-your-web-activity-from-your-computer/)

Learn more about improving security from our [partners at ](https://sucuri.net/lp/promo/inmotion/?clickid=xIhUOpS7QxyLT9tQy%3ASR0UvEUkBWzk0DhTDQUQ0)[Sucuri](https://sucuri.net/lp/promo/inmotion/?clickid=xIhUOpS7QxyLT9tQy%3ASR0UvEUkBWzk0DhTDQUQ0).
