• Hi,

    I have a question: is there any way you can tell WordPress to do a quick check of registered user names when an anonymous user posts? At the moment, it is possible by default to “spoof” an identity simply by doing an anon posting using the same name as the admin.

    Surely this should be something WordPress protects against by default? Or have I missed an option somewhere?

    Whilst turning off anon commenting is a kind of a hack workaround, it’s not an ideal one. Thoughts, ideas appreciated.

    — Mike

Viewing 4 replies - 1 through 4 (of 4 total)
  • Moderator James Huff

    (@macmanx)

    At the moment, it is possible by default to “spoof” an identity simply by doing an anon posting using the same name as the admin.

    As with any system that does not require registration, yes, spoofing is always a possibility. However, WordPress does contain a feature that would require users to be registered and logged in to post comments. Look for both “Anyone can register” and “Users must be registered and logged in to comment” under Options/General.

    The poster gets email whenever there’s a comment on his post, so unless it’s a big group blog, I’d think it would be pretty easy to see the comment and think, “Hey, I didn’t write that” and delete it.

    I currently use this hack in wp-comments-post.php:

    // The submitted name and e-mail must already be slash-escaped when they reach this query (WordPress does this for POST data on load)
    $author_exists = @$wpdb->get_var("SELECT ID FROM $wpdb->users WHERE user_nickname = '$comment_author' OR user_email = '$comment_author_email'");
    // A registered user owns this name or e-mail, but the poster is not logged in as that user
    if ($author_exists && ($user_nickname != $comment_author || $user_email != $comment_author_email)) {
        die("Error: Sorry, but you don't seem to be who you claim you are.");
    }

    This goes in just after the “If the user is logged in” code block.

    Hacking reminders: Back up file, comment your changes, etc.
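    A present-day equivalent of that hack, written as a small plugin rather than a core-file edit (an added example, not code from this thread or from WordPress itself; the rsc_ function names are my own). It hooks pre_comment_approved and returns a WP_Error, so WordPress shows the visitor a message with a back link instead of a bare die(); it also goes a step further than the original by treating the user login, not only the display name and e-mail, as a protected identity. It assumes a WordPress version in which pre_comment_approved accepts a WP_Error return (4.9 or later).

```php
<?php
/*
Plugin Name: Reject Spoofed Commenters (added example)
Description: Refuse anonymous comments whose author name or e-mail belongs to a registered user.
*/

/**
 * Runs on pre_comment_approved, which fires before the comment is stored.
 * Returning a WP_Error makes wp_new_comment() fail, and wp-comments-post.php
 * then shows the message to the visitor instead of saving the comment.
 */
function rsc_reject_spoofed_commenter( $approved, $commentdata ) {
    if ( is_wp_error( $approved ) || ! empty( $commentdata['user_id'] ) ) {
        return $approved; // Already rejected, or the commenter is logged in.
    }
    // Data reaching this filter is slash-escaped; compare the raw values.
    $author = trim( wp_unslash( $commentdata['comment_author'] ) );
    $email  = trim( wp_unslash( $commentdata['comment_author_email'] ) );
    if ( rsc_identity_belongs_to_registered_user( $author, $email ) ) {
        return new WP_Error(
            'comment_author_spoof',
            __( 'That name or e-mail address belongs to a registered user. Please log in to comment as that user.' ),
            403 // Used by WordPress as the HTTP response code.
        );
    }
    return $approved;
}
add_filter( 'pre_comment_approved', 'rsc_reject_spoofed_commenter', 10, 2 );

/**
 * True if $author matches a user login or display name, or $email a user e-mail.
 */
function rsc_identity_belongs_to_registered_user( $author, $email ) {
    global $wpdb;
    if ( $email !== '' && get_user_by( 'email', $email ) ) {
        return true;
    }
    if ( $author === '' ) {
        return false;
    }
    if ( get_user_by( 'login', $author ) ) {
        return true;
    }
    // No helper looks users up by display name, so use a prepared query
    // rather than interpolating the visitor's input into SQL.
    $id = $wpdb->get_var( $wpdb->prepare(
        "SELECT ID FROM {$wpdb->users} WHERE display_name = %s LIMIT 1",
        $author
    ) );
    return ! empty( $id );
}
```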

    Thread Starter dthought

    (@dthought)

    A great hack – it should be a part of the core of WP – it’s an important feature if you still want to allow anon posters, and not at all hard to implement. Hats off to you, Kafkaesqui.

    (Though I must admit, I would prefer it to throw an error gracefully rather than outright die.)

  • The topic ‘Protecting registered users from user spoofing’ is closed to new replies.