ArchivioMD

ArchivioMD gives WordPress sites a cryptographic proof layer. Every post, page, and document gets a verifiable integrity record — independently checkable without trusting the platform, the host, or the database.

Built for journalists, compliance teams, legal publishers, and anyone for whom the question «was this changed after it was published?» has a real answer.

Content Hashing

Every post and page is hashed deterministically on publish and update. A verification badge (✓ Verified / ✗ Unverified / − Not Signed) appears on every post. Verification files are downloadable for offline confirmation. Shortcode: [hash_verify].

Supported algorithms include SHA-256/384/512 family, SHA-3, BLAKE2b/2s, BLAKE3, SHAKE, RIPEMD-160, Whirlpool, and GOST variants.

HMAC Integrity Mode adds a shared-secret layer on top of hashing. The key lives in wp-config.php — never the database — so an adversary with database access alone cannot silently update a hash.

Document Signing

All signing methods sign the same canonical message and run independently. Any combination can be active simultaneously.

Ed25519 (recommended for most sites) — uses PHP sodium (ext-sodium). Private key in wp-config.php; public key published at /.well-known/ed25519-pubkey.txt. In-browser keypair generator included. Supports DSSE envelope mode (Sigstore spec) with PAE binding to prevent cross-protocol replay.

SLH-DSA / SPHINCS+ (post-quantum) — pure-PHP implementation of NIST FIPS 205. No extensions, no Composer dependencies; works on any shared host running PHP 7.4+. Security rests on SHA-256 alone — not on factoring or discrete logarithms. Four parameter sets: SLH-DSA-SHA2-128s (default, 7,856-byte signatures), -128f (faster, 17,088 bytes), -192s, -256s. Signing takes 200–600 ms on shared hosting per publish event — front-end rendering is not affected. Running Ed25519 and SLH-DSA together (hybrid mode) provides both classical and quantum verifiability from a single DSSE envelope.

ECDSA P-256 ⚠️ Enterprise/compliance mode only. Enable when an external framework (eIDAS, SOC 2, HIPAA, government PKI) explicitly requires X.509 certificate-backed ECDSA. For all other sites, Ed25519 is recommended. Nonce generation is 100% delegated to OpenSSL.

RSA ⚠️ Legacy compatibility only. Enable when a downstream system cannot accept Ed25519, ECDSA, or SLH-DSA keys.

CMS / PKCS#7 — Detached DER signatures importable into Adobe Acrobat, Windows Explorer, and enterprise DMS platforms. Reuses your ECDSA or RSA key.

JSON-LD / W3C Data Integrity — Produces eddsa-rdfc-2022 and ecdsa-rdfc-2019 proof blocks per post and publishes a did:web DID document at /.well-known/did.json. Compatible with ActivityPub, W3C Verifiable Credentials, and decentralised identity wallets.

All private keys are stored in wp-config.php — never in the database. PEM files uploaded via the admin UI are stored outside DOCUMENT_ROOT, chmod 0600, with an .htaccess Deny guard.

DANE / DNS Key Corroboration

Publishes every active signing key as a DNSSEC-protected DNS TXT record, giving verifiers a trust path entirely independent of your web server and TLS certificate. An attacker must compromise both your web host and your DNS zone simultaneously to forge a key.

Records use the amd1 tag-value format (modelled on DKIM):

When ECDSA P-256 is configured, an optional TLSA record (RFC 6698, DANE-EE, Selector=1) binds the leaf certificate to your HTTPS service. A machine-readable discovery endpoint at /.well-known/archiviomd-dns.json lists all active records and expected values. A self-describing format specification is served at /.well-known/archiviomd-dns-spec.json regardless of whether DANE is enabled.

Weekly passive health checks via wp-cron surface failures as dismissible admin notices. Key rotation mode suppresses false-positive mismatch warnings during DNS TTL expiry. Full WP-CLI support: wp archiviomd dane-check.

DNSSEC is required for DANE to provide actual security. Most registrars offer it with a single toggle.

External Anchoring

RFC 3161 Trusted Timestamps — Sends content hashes to a Time Stamp Authority on every anchor job. The signed .tsr token binds the hash to a specific time and is independently verifiable offline with OpenSSL. Built-in providers: FreeTSA.org, DigiCert, GlobalSign, Sectigo. Custom endpoint supported.

Sigstore / Rekor Transparency Log — Submits a hashedrekord entry to the public Rekor append-only log (rekor.sigstore.dev) on every anchor job. Entries are immutable and publicly verifiable without an account or API key. When Ed25519 keys are configured, entries are signed with the site key; otherwise an ephemeral keypair is generated automatically.

Git Repository Anchoring — Commits integrity records to GitHub or GitLab (public, private, or self-hosted) on every anchor job, creating an independent audit trail in commit history.

All three anchoring methods can run simultaneously on every job.

Document Management

Browser-based editing (no FTP) for Markdown meta-documentation (security.txt, privacy policy, terms of service, etc.) and SEO/compliance files: robots.txt, llms.txt, ads.txt, app-ads.txt, sellers.json, ai.txt. Documents get automatic UUID assignment, SHA-256 checksum tracking, and an append-only changelog. Standard and comprehensive XML sitemaps included.

Compliance & Audit Tools

Metadata CSV, Compliance JSON, and Backup ZIP exports each generate a companion .sig.json integrity receipt (SHA-256 hash + optional cryptographic signature). The Compliance JSON export preserves full relationships between posts, hash history, anchor log entries, and RFC 3161 TSR manifests — suitable for legal evidence packages and SIEM ingestion.

Manual checksum verification (read-only; does not modify anything). Backup & Restore with mandatory dry-run before any restore operation.

WP-CLI: wp archiviomd process-queue, anchor-post <id>, verify <id>, prune-log.

Canary Tokens (Steganographic Fingerprinting)

Entirely opt-in. Nothing is injected unless you explicitly enable it.

Embeds an invisible, HMAC-authenticated fingerprint (post ID + timestamp + 48-bit MAC) into published content at render time — stored content is never modified. Fingerprints survive copy-paste and can identify the source of scraped content. A built-in decoder and DMCA Notice Generator are included. Signed evidence packages (.sig.json) can be generated after a successful decode for use in legal proceedings.

Encoding operates across up to 14 channels in three layers:

Unicode layer (survives copy-paste; stripped by OCR): zero-width characters, thin-space variants, apostrophe variants, soft hyphens.

Semantic layer (survives OCR and Unicode normalisation; each opt-in): contraction encoding, synonym substitution, punctuation choice, spelling variants, hyphenation choices, number/date style, punctuation style II, citation/title style.

Structural layer (CDN-proof): sentence-count parity, word-count parity.

Each bit is encoded three times per active channel with majority-vote redundancy. A cache compatibility layer ensures fingerprints survive HTML minification by WP Super Cache, W3 Total Cache, LiteSpeed Cache, WP Rocket, and similar plugins. The Canary Coverage meta box on the post edit screen shows per-channel slot availability before you publish.

Ideal For

• Journalists and news publishers requiring tamper-evident records
• Legal teams and compliance departments needing auditable document trails
• Organisations subject to HIPAA, ISO 27001, SOC 2, or NIST SP 800-171 requirements
• Whistleblower platforms and activist publishers requiring integrity without platform trust
• Security researchers requiring transparent, verifiable publish records

Important Notes

All metadata is stored in the WordPress database. Regular database backups are required. All verification, export, and backup operations are admin-triggered and read-only — the plugin does not prevent or block modifications. Markdown and SEO files are stored in uploads/meta-docs/ and are preserved on uninstall.

Getting Started

1. Flush Permalinks — Settings → Permalinks → Save Changes. Required for all .well-known/ endpoints.

2. Create your first document — Go to Meta Docs & SEO, pick a predefined file (e.g. security.txt.md), enter content, save. UUID and first changelog entry are created automatically.

3. Enable content hashing — Go to Cryptographic Verification → Settings, choose a hash algorithm (SHA-256 default), save. New and updated posts are hashed automatically from that point.

4. Configure Ed25519 signing (optional) — Use the in-browser keypair generator, add both constants to wp-config.php, enable signing. Posts, pages, and media are signed automatically on save.

5. Configure SLH-DSA (optional) — Navigate to Cryptographic Verification → Settings → SLH-DSA. Select a parameter set, generate a keypair server-side, add the three constants to wp-config.php, enable. Can run alongside Ed25519 (hybrid mode) or standalone.

6. Enable Rekor / RFC 3161 / Git anchoring (optional) — Each is configured independently under the ArchivioMD Tools menu. All three can run simultaneously on every anchor job.

7. Configure DANE (optional) — Requires at least one signing key. Publish the DNS TXT records shown in the admin panel, enable DNSSEC on your zone, then enable DANE Corroboration and run the health check.