Welcome to Dagon Design. In addition to free scripts, WordPress plugins, and articles, we offer a variety of services including custom theme design, plugin creation, and PHP scripting. Contact me for more information.

Updated Saturday, April 5th, 2008 at 5:17pm

Prevent author impersonation in WordPress comments

This modification to WordPress prevents unregistered comment authors from using the names or email addresses of the registered authors on your site. It does this by first checking to see if the comment author is logged in. If they are not, it compares their name and email address to the registered author data. If there is a match, the comment is blocked and a custom message is displayed. The name and email address comparison is case-insensitive.

Requirements

This code modification has been tested in WordPress 2.2 through 2.5.

Instructions

1) Open /wp-comments-post.php for editing (backup the file first!)

2) Find the following block of code:

$comment_author       = trim(strip_tags($_POST['author']));
$comment_author_email = trim($_POST['email']);
$comment_author_url   = trim($_POST['url']);
$comment_content      = trim($_POST['comment']);

3) After it, add the following:

// get list of user (display) names for blog
global $wpdb;
$valid_users = (array)$wpdb->get_results("
  SELECT display_name, user_email FROM " . $wpdb->prefix . "users");

// get ID of logged in user (if there is one)
global $userdata;
get_currentuserinfo();
$logged_in_name = $userdata->ID;
$logged_in_email = $userdata->user_email;
 
// see if the comment author matches an existing author
$found_match = FALSE;
foreach ($valid_users as $va) {
  if (trim($va->display_name) != '') {
    if (strtolower($va->display_name) == strtolower($comment_author)) {
      $found_match = TRUE;
      break;
    }
  }
  if (trim($va->user_email) != '') {
    if (strtolower($va->user_email) == strtolower($comment_author_email)) {
      $found_match = TRUE;
      break;
    }
  }  
}

// if commenter is not logged in, but match was found, block the comment
if (trim($logged_in_name) == '') {
  if ($found_match == TRUE) {
    wp_die( __('You cannot post using the name or email of a registered author.') );
  }
}

4) Save and close the file

Notes

To test this modification, simply log out and try to post a comment using the name that displays when you regularly post comments (when you are logged in).

If you would like to change the message, just modify this line:

wp_die( __('You cannot post using the name or email of a registered author.') );

Topic: WordPress Plugins and Mods | RSS Feed

5 Comments on “Prevent author impersonation in WordPress comments”

5

admin

5-4-08 5:32PM

asdad
4

Admin

4-5-08 6:30PM

Tracey: That is a good idea. I just made a modification to the code.

I also tested to see if this modification will work in WordPress 2.5, and indeed it does.
3

Tracey

4-2-08 6:40PM

How would you tweak this to prevent someone inserting a registered user’s email address instead of their own?

For example, my site uses gravatars but a user could ‘impersonate’ someone else if they know that person’s email, at which point the gravatar will display for a user who may not have made the comment.

Hope this makes sense!
2

tommi

2-25-08 5:17PM

Nice hack, great explanation!
1

ekinturkmen

8-3-07 12:57AM

thanks

Before you comment: If you are having an issue with a script, please make sure you have read the entire article. Also, please read through the comments because most common issues have already been discussed many times. Thanks.

Be sure to wrap all code in <code></code> tags.