Welcome to Dagon Design. In addition to free scripts, WordPress plugins, and articles, we offer a variety of services including custom theme design, plugin creation, and PHP scripting. Contact me for more information.

Updated Friday, February 20th, 2009 at 8:20pm

Prevent author impersonation in WordPress comments

This modification to WordPress prevents unregistered comment authors from using the names or email addresses of the registered authors on your site. It does this by first checking to see if the comment author is logged in. If they are not, it compares their name and email address to the registered author data. If there is a match, the comment is blocked and a custom message is displayed. The name and email address comparison is case-insensitive.


This code modification has been tested in WordPress 2.2 through 2.8+


1) Open /wp-comments-post.php for editing (backup the file first!)

2) Find the following block of code:

Notice: In WordPress 2.8, the code has changed a bit, but should be easy to find near the top of the page.

$comment_author       = trim(strip_tags($_POST['author']));
$comment_author_email = trim($_POST['email']);
$comment_author_url   = trim($_POST['url']);
$comment_content      = trim($_POST['comment']);

3) After it, add the following:

// get list of user (display) names for blog
global $wpdb;
$valid_users = (array)$wpdb->get_results("
  SELECT display_name, user_email FROM " . $wpdb->prefix . "users");
// get ID of logged in user (if there is one)
global $userdata;
$logged_in_name = $userdata->ID;
$logged_in_email = $userdata->user_email;

// see if the comment author matches an existing author
$found_match = FALSE;
foreach ($valid_users as $va) {
  if (trim($va->display_name) != '') {
    if (strtolower($va->display_name) == strtolower($comment_author)) {
      $found_match = TRUE;
  if (trim($va->user_email) != '') {
    if (strtolower($va->user_email) == strtolower($comment_author_email)) {
      $found_match = TRUE;
// if commenter is not logged in, but match was found, block the comment
if (trim($logged_in_name) == '') {
  if ($found_match == TRUE) {
    wp_die( __('You cannot post using the name or email of a registered author.') );

4) Save and close the file


To test this modification, simply log out and try to post a comment using the name that displays when you regularly post comments (when you are logged in).

If you would like to change the message, just modify this line:

wp_die( __('You cannot post using the name or email of a registered author.') );

  If you have found this page useful, please consider donating. Thanks!