WordPress.org

Forums

Protecting registered users from user spoofing (5 posts)

  1. dthought
    Member
    Posted 8 years ago #

    Hi,

    I have a question: is there any way you can tell WordPress to do a quick check of registered user names when an anonymous user posts? At the moment, it is possible by default to "spoof" an identity simply by doing an anon posting using the same name as the admin.

    Surely this should be something WordPress protects against by default? Or have I missed an option somewhere?

    Whilst turning off anon commenting is a kind of a hack workaround, it's not an ideal one. Thoughts, ideas appreciated :)

    -- Mike

  2. James
    Happiness Engineer
    Posted 8 years ago #

    > At the moment, it is possible by default to "spoof" an identity simply by doing an anon posting using the same name as the admin.

    As with any system that does not require registration, yes, spoofing is always a possibility. However, WordPress does contain a feature that would require users to be registered and logged in to post comments. Look for both "Anyone can register" and "Users must be registered and logged in to comment" under Options/General.

  3. tomhanna
    Member
    Posted 8 years ago #

    The poster gets email whenever there's a comment on his post, so unless it's a big group blog, I'd think it would be pretty easy to see the comment and think, "Hey, I didn't write that" and delete it.

  4. Kafkaesqui

    Posted 8 years ago #

    I currently use this hack in wp-comments-post.php:

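    // Look up any registered user whose nickname or e-mail matches the submitted values.
    // Both values are interpolated into the SQL as-is, so they must already be escaped at this point.
    $author_exists = @$wpdb->get_var("SELECT ID FROM $wpdb->users WHERE user_nickname = '$comment_author' OR user_email = '$comment_author_email'");
    // Reject the comment unless the logged-in user's own nickname and e-mail both match.
    if ($author_exists && ($user_nickname != $comment_author || $user_email != $comment_author_email))
        die("Error: Sorry, but you don't seem to be who you claim you are.");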

    This goes in just after the "If the user is logged in" code block.

    Hacking reminders: Back up file, comment your changes, etc.

  5. dthought
    Member
    Posted 8 years ago #

    A great hack - it should be a part of the core of WP - it's an important feature if you still want to allow anon posters, and not at all hard to implement. Hats off to you, Kafkaesqui :D

    (Though I must admit, I would prefer it to throw an error gracefully rather than outright die ;)
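
The check discussed in this thread, written as a small plugin instead of a core-file edit. This is an added example, not code from the thread or from WordPress itself. It assumes a current WordPress install (the `preprocess_comment` filter, `$wpdb->prepare()` and `wp_die()`), and the function name is hypothetical. It uses a parameterized query and rejects the comment with an error page and a back link rather than a bare `die()`.

```php
<?php
/**
 * Plugin Name: Registered Name Guard (added example)
 */

// Hypothetical function name. Runs on each new comment before it is saved.
function rng_block_registered_identity( $commentdata ) {
    global $wpdb;

    // Logged-in commenters have their name and e-mail taken from their own
    // account, so only anonymous submissions need checking.
    if ( is_user_logged_in() ) {
        return $commentdata;
    }

    // Pingbacks and trackbacks carry a site title, not a person's name.
    $type = isset( $commentdata['comment_type'] ) ? $commentdata['comment_type'] : '';
    if ( in_array( $type, array( 'pingback', 'trackback' ), true ) ) {
        return $commentdata;
    }

    // Comment data is still slashed at this stage; unslash before binding.
    $name  = trim( wp_unslash( $commentdata['comment_author'] ) );
    $email = trim( wp_unslash( $commentdata['comment_author_email'] ) );

    // Bound parameters instead of string interpolation. Empty fields never
    // match. Case sensitivity follows the users table collation.
    $match = $wpdb->get_var( $wpdb->prepare(
        "SELECT ID FROM {$wpdb->users}
         WHERE ( %s <> '' AND ( user_login = %s OR display_name = %s ) )
            OR ( %s <> '' AND user_email = %s )
         LIMIT 1",
        $name, $name, $name, $email, $email
    ) );

    if ( $match ) {
        // Fail with a readable error page and a link back to the form.
        wp_die(
            'That name or e-mail address belongs to a registered user. Please log in to comment under it.',
            'Comment not accepted',
            array( 'response' => 403, 'back_link' => true )
        );
    }

    return $commentdata;
}
add_filter( 'preprocess_comment', 'rng_block_registered_identity' );
```

An exact-match check like this does not cover names that only look similar to a registered one; requiring login to comment, as James describes, remains the stricter option.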

Topic Closed

This topic has been closed to new replies.
