I don’t understand checksums


I understand how it works but I don’t understand why. Let’s say I hack VLC’s website to modify their download file to add something malicious. Now the checksum of the new file is going to be different from the checksum of the website but wouldn’t I just change the checksum of the website too?


8 Answers

Anonymous 0 Comments

Sometimes people use checksums simply to make sure that files haven’t been corrupted accidentally. For example, suppose you’re downloading a big file for offline use later: you might want to check that the download didn’t stop part way through. Non-secure checksums like MD5 are only suitable for purposes like that, since it’s possible for a malicious user to tamper with a file in such a way that it retains the same MD5.

A common use for cryptographically secure checksums is to verify files downloaded from a third-party mirror or from a P2P network, since clearly the creator of the file has no control over those.

> Let’s say I hack VLC’s website to modify their download file to add something malicious. Now the checksum of the new file is going to be different from the checksum of the website but wouldn’t I just change the checksum of the website too?

When it comes to a prominent open-source project like VLC, it’s likely that someone would notice that the checksum on the website had changed for no apparent reason.

But in general, yeah, there is no magic way of preventing websites from being hijacked and filled with malware. Checksums are just one of many tools that can be used to make it more difficult or more obvious.
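The cases discussed in this answer, as an added example that is not part of the original post: a SHA-256 check catches a truncated download and a file modified on a mirror, but passes when the file and the published digest are both replaced at the same source. The sample bytes and function names are constructed for illustration.

```python
import hashlib
import io


def sha256_stream(stream, chunk_size=65536):
    """Hash a file-like object in chunks so a large download need not fit in memory."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_download(stream, published_digest):
    """Return True only if the stream's SHA-256 equals the published hex digest."""
    return sha256_stream(stream) == published_digest.strip().lower()


# Constructed sample data standing in for a release file.
RELEASE = b"constructed installer bytes " * 1000
# Assumption: this digest was read from the project's own site, not from the mirror.
TRUSTED_DIGEST = hashlib.sha256(RELEASE).hexdigest()


def scenarios():
    truncated = RELEASE[: len(RELEASE) // 2]   # download stopped part way through
    tampered = RELEASE + b" modified"          # mirror serves an altered file
    # Digest recomputed over the altered file and published next to it.
    replaced_digest = hashlib.sha256(tampered).hexdigest()
    return {
        "intact_from_mirror": verify_download(io.BytesIO(RELEASE), TRUSTED_DIGEST),
        "truncated": verify_download(io.BytesIO(truncated), TRUSTED_DIGEST),
        "tampered_on_mirror": verify_download(io.BytesIO(tampered), TRUSTED_DIGEST),
        # File and digest come from the same altered source: the check passes.
        "file_and_digest_replaced": verify_download(io.BytesIO(tampered), replaced_digest),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'match' if ok else 'MISMATCH'}")
```

The last case is why the digest has to reach you through a channel the file's host does not control, or be covered by a signature.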
