[resolved] Anonymous Posters Can Spoof Registered Users? (4 posts)

  1. I have anon posting on with email required. I was fiddling around and realized that, if I was logged out, and I posted with my user name (Ipstenu) and the email I used with my registered ID (me@bar.com), it would let me post. If I posed with a different user name (jhdgsd) and the email, it wouldn't post.

    It occurs to me that having a person be able to 'spoof' registered users is kinda a bad thing.

    I saw this post - http://wordpress.org/support/topic/39025?replies=5 - but that's three years old. Is there any way to easily say 'If this email is also used by a registered user, prompt for user to login'?

  2. Okay, I came up with a solution that SEEMS to be working.

    Based on

    function wp_prevent_imposters( $commentdata){
    // get list of user (display) names for blog
    global $wpdb;
    $valid_users = (array)$wpdb->get_results(" SELECT display_name, user_email FROM " . $wpdb->prefix . "users");
    global $userdata;
    // get email of current user
    $logged_in_email =  $commentdata['comment_author_email'];
    $logged_in_name  =  $commentdata['comment_author'];
    // see if the comment author matches an existing author
    $found_match = FALSE;
    foreach ($valid_users as $va) {
      if (trim($va->display_name) != '') {
        if (strtolower($va->display_name) == strtolower($logged_in_name)) {
          $found_match = TRUE;
      if (trim($va->user_email) != '') {
        if (strtolower($va->user_email) == strtolower($logged_in_email)) {
          $found_match = TRUE;
    // if commenter is not logged in, but match was found, block the comment
      if ($found_match == TRUE) {
        wp_die( __('You cannot post using the name or email of a registered author.') );
      else {
        return $commentdata;
    add_filter('preprocess_comment', 'wp_prevent_imposters');
  3. whooami
    Posted 7 years ago #

  4. Awesome! :)

Topic Closed

This topic has been closed to new replies.

About this Topic