By default, WordPress does not enforce any kind of restrictions on the email address used by commenters. I'm actually quite surprised that to date no one has posted a comment to this site trying to masquerade as me, because they certainly could have done so before today.
To prevent this from ever happening, and to ensure that you, my dear readers, can sleep easy at night knowing that every comment on this site purporting to be from me really is from me, I have written Impostercide!
This plugin checks the email address submitted by a commenter against the list of registered users in the blog. If the email address is assigned to a registered user, this plugin then checks to see if the person attempting to comment is a signed-in user of the blog. If they are not, the comment is rejected with a stern rebuke.
So no more imposters pretending to be Skippy here (of which there were none to begin with...)!
Currently this plugin only checks for the first instance of a given email address in the registered user list. If you have multiple accounts, all with the same email address, you're going to have to ask me very politely to update the plugin to accommodate your bizarre usage patterns.
Many thanks to Mark for the catchy name!
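The check described above, written out as an added example; this is not Impostercide's source, and every demo_* name is hypothetical. It goes one step further than the post describes: it considers every account that holds the submitted address instead of only the first, requires the signed-in user to be one of them, and lets trackbacks and pingbacks through. It assumes WordPress's preprocess_comment filter for the wiring and runs a few constructed cases when executed outside WordPress.

```php
<?php
// Added example, not Impostercide's source. All demo_* names are hypothetical.

/**
 * @param array $comment    Comment data as passed to the 'preprocess_comment' filter.
 * @param int[] $owner_ids  IDs of every registered account using the submitted email.
 * @param int   $current_id ID of the signed-in user, 0 for an anonymous visitor.
 */
function demo_comment_allowed(array $comment, array $owner_ids, int $current_id): bool
{
    // Trackbacks and pingbacks come from other servers, never from a signed-in session.
    if (in_array($comment['comment_type'] ?? '', ['trackback', 'pingback'], true)) {
        return true;
    }
    // Email not held by any account: an ordinary visitor, no change in behaviour.
    if ($owner_ids === []) {
        return true;
    }
    // Email held by one or more accounts: the commenter must be signed in as one of them.
    return $current_id !== 0 && in_array($current_id, $owner_ids, true);
}

if (function_exists('add_filter')) {
    // Inside WordPress: look up all owners of the address, not only the first.
    add_filter('preprocess_comment', function (array $comment): array {
        $email  = trim($comment['comment_author_email'] ?? '');
        $owners = is_email($email)
            ? get_users(['search' => $email, 'search_columns' => ['user_email'], 'fields' => 'ID'])
            : [];
        if (!demo_comment_allowed($comment, array_map('intval', $owners), get_current_user_id())) {
            wp_die('That email address belongs to a registered user. Sign in to use it.');
        }
        return $comment;
    });
} else {
    // Outside WordPress: constructed cases. Accounts 1 and 7 share one address.
    $cases = [
        'visitor, unclaimed email' => [['comment_type' => ''], [], 0],
        'visitor, claimed email'   => [['comment_type' => ''], [1, 7], 0],
        'signed in as owner 7'     => [['comment_type' => ''], [1, 7], 7],
        'signed in as non-owner 3' => [['comment_type' => ''], [1, 7], 3],
        'pingback'                 => [['comment_type' => 'pingback'], [], 0],
    ];
    foreach ($cases as $label => [$comment, $owners, $uid]) {
        printf("%-26s %s\n", $label, demo_comment_allowed($comment, $owners, $uid) ? 'accept' : 'reject');
    }
}
```

Because the check keys on the email address alone, a display name can still be reused with a different address; screening names would need a separate lookup.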
Hey thanks for this. :)
Ha! I can't believe you used it!
Sounds like a good plugin to add to my sites, Pagan Students especially, due to the number of potential users for that
What if I'm not a registered user and I want to leave a comment?
Elfboy: there's no change in behavior if you're not a registered user, so long as you're not trying to use the email address of a registered user. As you can see, your comment came through just fine!
Great idea for a plugin! *downloads and activates*
[...] I discovered a rather dreadful flaw in Impostercide: it was blocking trackbacks and pingbacks! [...]
You say, "If you have multiple accounts, all with the same email address, you’re going to have to ask me very politely to update the plugin to accommodate your bizarre usage patterns." I've thought a lot over the years about what should constitute the unique identifier for a user account. I've come to believe that *in most cases* the user's email address should be their login. However, there should also be a unique auto-numbered identifier for the account. So, for example, a user record would look like this:
UserID: Assigned by db or system, never seen by user
UserEmail: may be set or changed by user
UserScreenName: may be set or changed by user
UserPassword: may be set or changed by user
Here's what I think this solves:
1. Users don't forget their email address (unlike login).
2. Makes it impossible to create duplicate accounts.
3. Makes it possible to add some sort of "password reminder" tool per whatever security standards you wish to use. It emails them whatever info you wish if their email address matches an account.
4. Since email addresses really are unique, you don't have to worry about the issue of two users having the same login. Probably you would want to continue constraining as unique the screen names. My point is that since email addresses are unique in the world, you can leverage the benefit of that uniqueness in your own world.
I agree that people don't tend to forget their email addresses; and email-based logins are certainly something to consider.
In the context of WordPress, though, there may well be valid reasons to support multiple login names that use the same email address in the profile. As an author on a WordPress blog, you can elect to receive email notification whenever someone comments on one of your posts. There may be instances where one would like to post an item using a different name, but still receive the comment notification at your primary email address... The current mechanism allows for this without requiring any kind of mail aliases.
I totally agree that there are cases where email address should not be used for login, and probably WordPress is one of them. With Impostercide you stumbled upon one of the many difficulties with multiple email addresses in the system, and attempting to do an account verification accordingly.
I haven't looked at your code, but when faced with multiple email addresses, it should be easy enough to iterate through them all with an incrementing flag counter, eg.:
intFlag = 0;
while ( i=0; i
oops, WordPress didn't like my posted code block.
[...] Plugins: A list of the plugins I use will be posted here. myMooMus version 1.23 Gravatar Iimage Browser Impostercide Now Reading JÄÅ Preview AJAX Shoutbox WP-Amazon Word Press Contact Form WP Data Base Backup WP Grins [...]
(Skippy, since this post is the first result on google when looking for "impostercide", you should probably update the download link to the latest version)
Note to my Other Self
Someone posting with my nick and email. WTF.
...
It doesn't work for me. I upload, activate, and I can still post as "Poromenos" (logged off, of course). I don't care about users using my email, emails don't show up anywhere anyway. I want to prevent them from using my name, how do I do that?
So what is the URL to the latest version? Is it still 1.0?
My apologies.
I found the latest version on this page: http://www.skippy.net/blog/category/wordpress/plugins/
Sorry for the confusion. Thanks for the plugin!
Interesting. The new version works great, thanks a lot. You might want to link to it from this page because people might look for it here.
--
Poromenos
http://porocrom.poromenos.org
Excellent, thank you!
Hmm I want to screen the names only, not the email. Is this doable with this plugin? If not, a request:
I admin the option to choose between:
1- Check email
2- Check user names
Also a topic here:
http://wordpress.org/support/topic/55020
Thx
Greetz
Null: you can edit the code to remove any of the checks you deem necessary. The source is fairly well commented, so it should be obvious which bits to remove.
Ah I see ok thx
Hmmm will this also work with the wordspew plugin? It's a shoutbox where guests can post too. A guest can change his name in the name box. Will this plugin check this too? And what if someone is online AND using a verified guest name and another person wants to type something and also enters that name, will the script check these temp names too?? Cause if Jack has signed out, the name Jack is free for all again, but if guest Jack is online someone else cannot call himself Jack too...
The plugin can be found here:
http://blog.jalenack.com/ajax/
Maybe some adjustment would be needed to make it work with it...
Further on GREAT MOD, why isn't it on the wp page?
Impostercide will not work with WordSpew without some tinkering, none of which I am going to do. Impostercide was written specifically for WordPress comments, and only checks comments.
Hi,
So no izi fix, well no problem, I was just wondering if it would work on plugins too.
Still a great plugin, a must have!
I tried to find this plugin via http://www.skippy.net/blog/plugins/ but it seems to not be the most recent version. Most of the other links there point to multiple versions. Perhaps this one should be updated.
On juvenile commenting behavior....
If you glance over to the “Recent Comments” segment of the sidebar, you may notice a few unusual comments. I’ve had a jackass (or maybe multiple jackasses) attempting to disturb or malign me. It’s one thing to insult me, but i...