Welcome to Dagon Design. In addition to free scripts, WordPress plugins, and articles, we offer a variety of services including custom theme design, plugin creation, and PHP scripting. Contact me for more information.

Updated Friday, February 20th, 2009 at 8:20pm

Prevent author impersonation in WordPress comments

This modification to WordPress prevents unregistered comment authors from using the names or email addresses of the registered authors on your site. It does this by first checking to see if the comment author is logged in. If they are not, it compares their name and email address to the registered author data. If there is a match, the comment is blocked and a custom message is displayed. The name and email address comparison is case-insensitive.

Requirements

This code modification has been tested in WordPress 2.2 through 2.8+

Instructions

1) Open /wp-comments-post.php for editing (backup the file first!)

2) Find the following block of code:

Notice: In WordPress 2.8, the code has changed a bit, but should be easy to find near the top of the page.

$comment_author       = trim(strip_tags($_POST['author']));
$comment_author_email = trim($_POST['email']);
$comment_author_url   = trim($_POST['url']);
$comment_content      = trim($_POST['comment']);

3) After it, add the following:

// get list of user (display) names for blog
global $wpdb;
$valid_users = (array)$wpdb->get_results("
  SELECT display_name, user_email FROM " . $wpdb->prefix . "users");

// get ID of logged in user (if there is one)
global $userdata;
get_currentuserinfo();
$logged_in_name = $userdata->ID;
$logged_in_email = $userdata->user_email;
 
// see if the comment author matches an existing author
$found_match = FALSE;
foreach ($valid_users as $va) {
  if (trim($va->display_name) != '') {
    if (strtolower($va->display_name) == strtolower($comment_author)) {
      $found_match = TRUE;
      break;
    }
  }
  if (trim($va->user_email) != '') {
    if (strtolower($va->user_email) == strtolower($comment_author_email)) {
      $found_match = TRUE;
      break;
    }
  }  
}

// if commenter is not logged in, but match was found, block the comment
if (trim($logged_in_name) == '') {
  if ($found_match == TRUE) {
    wp_die( __('You cannot post using the name or email of a registered author.') );
  }
}

4) Save and close the file

Notes

To test this modification, simply log out and try to post a comment using the name that displays when you regularly post comments (when you are logged in).

If you would like to change the message, just modify this line:

wp_die( __('You cannot post using the name or email of a registered author.') );

  If you have found this page useful, please consider donating. Thanks!

Pages: « 2 [1] Show All

  1. 15
    rap dinle
    7-22-09 12:53PM

    I have written a small plugin, so one doesn’t have to change any core files.

  2. 14
    Admin
    7-7-09 8:34PM

    This has been tested, and works, in the latest release of WordPress – 2.8

    (The code you look for has changed a bit, but should be easy to find near the top of the file)

  3. 13
    wordpress professionals
    7-3-09 12:32AM

    Is this working for wp 2.8 ? I am gonna check and will update here if it does not. I believe it should

    Thanks

  4. 12
    top Wordpress Plugins
    7-3-09 12:28AM

    great plugins, that one must have. Appreciate them

  5. 11
    Sajid
    5-12-09 2:04AM

    Great for OEM author’s. Nice i also try this. Thanks for sharing with us.

  6. 10
    boilr
    5-10-09 9:23PM

    nice hack/code.

    how would i add a back button to the error message to help commenters try to comment again. as is, just brings up an error page with the message.

    also, is it possible to show the message without revealing the location of the wp_comments_post file?

    thanks

  7. 9
    ListenUp
    4-1-09 10:41PM

    Fantastic. Thanks. Was having trouble with some funny guys at my site using admin (that’s me) to reply to other people visiting the site. Best part is it doesn’t allow variants of the name say admin such as Admin or AdMin etc.
    Super stuff. Thanks. Works for 2.7 Wordpress by the way.

  8. 8
    Admin
    2-22-09 11:10PM

    This code has been tested in the latest release of WordPress (2.7.1)

  9. 7
    Brokakeroko
    10-20-08 3:05PM

    I like your site. Brokakeroko

  10. 6
    Ipstenu
    10-17-08 10:52AM

    I heavily cribbed from both you and Marco Luthe to make this plugin. It seems to be working right now, though I’m sure someone could hack it:

    function wp_prevent_imposters( $commentdata){

// get list of user (display) names for blog
global $wpdb;
$valid_users = (array)$wpdb->get_results(" SELECT display_name, user_email FROM " . $wpdb->prefix . "users");

global $userdata;
get_currentuserinfo();

// get email of current user
$logged_in_email =  $commentdata['comment_author_email'];
$logged_in_name  =  $commentdata['comment_author'];

// see if the comment author matches an existing author
$found_match = FALSE;
foreach ($valid_users as $va) {
  if (trim($va->display_name) != '') {
    if (strtolower($va->display_name) == strtolower($logged_in_name)) {
      $found_match = TRUE;
      break;
    }
  }
  if (trim($va->user_email) != '') {
    if (strtolower($va->user_email) == strtolower($logged_in_email)) {
      $found_match = TRUE;
      break;
    }
  }
}

// if commenter is not logged in, but match was found, block the comment
  if ($found_match == TRUE) {
    wp_die( __('You cannot post using the name or email of a registered author.') );
  }
  else {
    return $commentdata;
  }

}

add_filter('preprocess_comment', 'wp_prevent_imposters');

  11. 5
    Marco Luthe
    10-14-08 12:17PM

    Thanks for the inspiration! I have written a small plugin, so one doesn’t have to change any core files.

    http://www.saphod.net/2008/10/14/how-to-prevent-commenters-from-using-your-email/

  12. 4
    Admin
    4-5-08 6:30PM

    Tracey: That is a good idea. I just made a modification to the code.

    I also tested to see if this modification will work in WordPress 2.5, and indeed it does. :)

  13. 3
    Tracey
    4-2-08 6:40PM

    How would you tweak this to prevent someone inserting a registered user’s email address instead of their own?

    For example, my site uses gravatars but a user could ‘impersonate’ someone else if they know that person’s email, at which point the gravatar will display for a user who may not have made the comment.

    Hope this makes sense!

  14. 2
    tommi
    2-25-08 5:17PM

    Nice hack, great explanation!

  15. 1
    ekinturkmen
    8-3-07 12:57AM

    thanks

Pages: « 2 [1] Show All

Leave a Comment

Before you comment: If you are having an issue with a script, please make sure you have read the entire article. Also, please read through the comments because most common issues have already been discussed many times. Thanks.


Be sure to wrap all code in <code></code> tags.