Welcome to Dagon Design. In addition to free scripts, WordPress plugins, and articles, we offer a variety of services including custom theme design, plugin creation, and PHP scripting. Contact me for more information.

Updated Friday, February 20th, 2009 at 8:20pm

Prevent author impersonation in WordPress comments

This modification to WordPress prevents unregistered comment authors from using the names or email addresses of the registered authors on your site. It does this by first checking to see if the comment author is logged in. If they are not, it compares their name and email address to the registered author data. If there is a match, the comment is blocked and a custom message is displayed. The name and email address comparison is case-insensitive.

Requirements

This code modification has been tested in WordPress 2.2 through 2.8+

Instructions

1) Open /wp-comments-post.php for editing (back up the file first!)

2) Find the following block of code:

Notice: In WordPress 2.8, the code has changed a bit, but it should be easy to find near the top of the file.

$comment_author       = trim(strip_tags($_POST['author']));
$comment_author_email = trim($_POST['email']);
$comment_author_url   = trim($_POST['url']);
$comment_content      = trim($_POST['comment']);

3) After it, add the following:

// get list of user display names and email addresses for this blog
global $wpdb;
$valid_users = (array)$wpdb->get_results("
  SELECT display_name, user_email FROM " . $wpdb->prefix . "users");

// see if the comment author matches an existing author
// (both comparisons are case-insensitive; empty fields are skipped)
$found_match = FALSE;
foreach ($valid_users as $va) {
  if (trim($va->display_name) != '') {
    if (strtolower($va->display_name) == strtolower($comment_author)) {
      $found_match = TRUE;
      break;
    }
  }
  if (trim($va->user_email) != '') {
    if (strtolower($va->user_email) == strtolower($comment_author_email)) {
      $found_match = TRUE;
      break;
    }
  }
}

// if commenter is not logged in, but a match was found, block the comment
// (logged-in users post under their own account data, so they are never blocked)
if ( ! is_user_logged_in() && $found_match == TRUE ) {
  wp_die( __('You cannot post using the name or email of a registered author.') );
}

4) Save and close the file

Notes

To test this modification, simply log out and try to post a comment using the name that displays when you regularly post comments (when you are logged in).

If you would like to change the message, just modify this line:

wp_die( __('You cannot post using the name or email of a registered author.') );
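As an added example that is not part of the original article or of any commenter's plugin, here is the same check packaged as a small plugin on the preprocess_comment filter (the approach mentioned in comments 12, 21 and 22), so wp-comments-post.php stays untouched and the change survives WordPress upgrades. The dd_ function and filter names are mine, and comparing against user_login as well as display_name and user_email goes beyond the article's check.

```php
<?php
/*
Plugin Name: Block Author Impersonation (added example)
*/

// Registered-user fields an anonymous commenter may not reuse. Comment 4
// above asks for an email-only check: filter this down to 'user_email'.
function dd_impersonation_fields() {
    return apply_filters( 'dd_impersonation_fields',
        array( 'display_name', 'user_login', 'user_email' ) );
}

// True when both values are non-empty and equal ignoring case and
// surrounding whitespace, matching the article's comparison rule.
function dd_same_value( $reserved, $supplied ) {
    $reserved = trim( (string) $reserved );
    $supplied = trim( (string) $supplied );
    return $reserved !== '' && strcasecmp( $reserved, $supplied ) === 0;
}

// preprocess_comment fires before the comment row is written, so a
// blocked comment never reaches the database or the moderation queue.
function dd_block_author_impersonation( $commentdata ) {
    global $wpdb;
    // Logged-in users are posting as themselves; WordPress fills their
    // name and email from the account, so there is nothing to check.
    if ( is_user_logged_in() ) {
        return $commentdata;
    }

    $name  = isset( $commentdata['comment_author'] ) ? $commentdata['comment_author'] : '';
    $email = isset( $commentdata['comment_author_email'] ) ? $commentdata['comment_author_email'] : '';

    // One query for every registered user; $wpdb->users already carries the table prefix.
    $users = $wpdb->get_results( "SELECT display_name, user_login, user_email FROM {$wpdb->users}" );

    foreach ( (array) $users as $user ) {
        foreach ( dd_impersonation_fields() as $field ) {
            $reserved = isset( $user->$field ) ? $user->$field : '';
            // Email fields compare against the supplied email, name fields against the supplied name.
            $supplied = ( 'user_email' === $field ) ? $email : $name;
            if ( dd_same_value( $reserved, $supplied ) ) {
                wp_die( __( 'You cannot post using the name or email of a registered author.' ) );
            }
        }
    }
    return $commentdata;
}
add_filter( 'preprocess_comment', 'dd_block_author_impersonation' );
```

Save it under wp-content/plugins/ and activate it; the email-only variant from comment 4 is a one-liner in your theme or another plugin: `add_filter( 'dd_impersonation_fields', function () { return array( 'user_email' ); } );`.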


  1. wpbloggy

    A VERY USEFUL bit of code! Thank you for sharing this useful technique, I’ve wanted such a feature for some time.

  2. Nothing

    I just tested it, it's working on Version 2.9.2, great thing, thanks a lot :D

  3. Chip D

    Has anyone tried this in WP 2.9.1 yet?

  4. I really like how this works, however I would like it to ONLY check the email. I don’t care if someone uses the same name, but if they use the same email it will use their gravatar. I get way too many comments and have already seen many users with the same names.

    Could you post a version that only checks email?

    Thank you, I appreciate it and this works great even on 2.9.1

  5. WOW!!!
    This is absolutely amazing (and if left open, dangerous!)

    I can’t believe the boffins who wrote WP didn’t think about something like this and implement a fix!

    I have started to update all my (38) blogs… muchos grassears dude!

  6. I love this – thanks so much for it. Is there a way to edit the output so that if someone wrote a long comment, that their text won’t be lost?

    For example, someone could have no intentions of impersonating anyone, write a very good and long comment using the name “Mike”, and understandably not know that it was already registered. How can they be notified that their comment won’t be submitted until they change their name, but not lose what they wrote?

    I imagine it would involve notifying them without leaving the page they’re on.

  7. There are certainly a number of biological differences between men and women. ,

  8. Where all content is aggregated for you, ready to be consumed. ,

  9. Thanks.
    This post helped me.
    Good time.

  10. Fantastic, thank you for sharing this. It works like a champ. Now websites cannot be stolen from people who post a lot.

  11. That is bloody cool, I love that tip.

  12. I have written a small plugin, so one doesn’t have to change any core files.

  13. This has been tested, and works, in the latest release of WordPress – 2.8

    (The code you look for has changed a bit, but should be easy to find near the top of the file)

  14. Is this working for WP 2.8? I am gonna check and will update here if it does not. I believe it should.

    Thanks

  15. Great plugins, that one is a must have. Appreciate them.

  16. Great for OEM authors. Nice, I also tried this. Thanks for sharing with us.

  17. Nice hack/code.

    How would I add a back button to the error message to help commenters try to comment again? As is, it just brings up an error page with the message.

    Also, is it possible to show the message without revealing the location of the wp_comments_post file?

    thanks

  18. ListenUp

    Fantastic. Thanks. Was having trouble with some funny guys at my site using admin (that’s me) to reply to other people visiting the site. Best part is it doesn’t allow variants of the name say admin such as Admin or AdMin etc.
    Super stuff. Thanks. Works for 2.7 WordPress by the way.

  19. This code has been tested in the latest release of WordPress (2.7.1)

  20. Brokakeroko

    I like your site. Brokakeroko

  21. Ipstenu

    I heavily cribbed from both you and Marco Luthe to make this plugin. It seems to be working right now, though I’m sure someone could hack it:

    function wp_prevent_imposters( $commentdata ) {

      // logged-in users post under their own account data, nothing to check
      if ( is_user_logged_in() ) {
        return $commentdata;
      }

      // get list of user (display) names and email addresses for blog
      global $wpdb;
      $valid_users = (array)$wpdb->get_results("SELECT display_name, user_email FROM " . $wpdb->prefix . "users");

      // name and email supplied by the (anonymous) commenter
      $author_email = $commentdata['comment_author_email'];
      $author_name  = $commentdata['comment_author'];

      // see if the comment author matches an existing author (case-insensitive)
      $found_match = FALSE;
      foreach ($valid_users as $va) {
        if (trim($va->display_name) != '') {
          if (strtolower($va->display_name) == strtolower($author_name)) {
            $found_match = TRUE;
            break;
          }
        }
        if (trim($va->user_email) != '') {
          if (strtolower($va->user_email) == strtolower($author_email)) {
            $found_match = TRUE;
            break;
          }
        }
      }

      // commenter is not logged in and a match was found, block the comment
      if ($found_match == TRUE) {
        wp_die( __('You cannot post using the name or email of a registered author.') );
      }

      return $commentdata;
    }

    add_filter('preprocess_comment', 'wp_prevent_imposters');
    

  22. Thanks for the inspiration! I have written a small plugin, so one doesn’t have to change any core files.

    http://www.saphod.net/2008/10/14/how-to-prevent-commenters-from-using-your-email/

  23. Tracey: That is a good idea. I just made a modification to the code.

    I also tested to see if this modification will work in WordPress 2.5, and indeed it does. :)

  24. Tracey

    How would you tweak this to prevent someone inserting a registered user’s email address instead of their own?

    For example, my site uses gravatars but a user could ‘impersonate’ someone else if they know that person’s email, at which point the gravatar will display for a user who may not have made the comment.

    Hope this makes sense!

  25. Nice hack, great explanation!

  26. thanks
