Protecting registered users from user spoofing

At the moment, it is possible by default to “spoof” an identity simply by doing an anon posting using the same name as the admin.

As with any system that does not require registration, yes, spoofing is always a possibility. However, WordPress does contain a feature that would require users to be registered and logged in to post comments. Look for both “Anyone can register” and “Users must be registered and logged in to comment” under Options/General.

The poster gets email whenever there’s a comment on his post, so unless it’s a big group blog, I’d think it would be pretty easy to see the comment and think, “Hey, I didn’t write that” and delete it.

I currently use this hack in wp-comments-post.php:

$author_exists = @$wpdb->get_var("SELECT ID FROM $wpdb->users WHERE user_nickname = '$comment_author' OR user_email = '$comment_author_email'");
if($author_exists && ($user_nickname != $comment_author || $user_email != $comment_author_email))
die("Error: Sorry, but you don't seem to be who you claim you are.");

This goes in just after the “If the user is logged in” code block.

Hacking reminders: Back up file, comment your changes, etc.

A great hack – it should be a part of the core of WP – it’s an important feature if you still want to allow anon posters, and not at all hard to implement. Hats off to you, Kafkaesqui ??

(Though I must admit, I would prefer it to throw an error gracefully rather than outright die ??