NOTICE: I have permanently disabled the test implementation of this plugin. (2004-12-16)
Current Version: 1.6
Download tgz: commentauth.tgz
Download zip: commentauth.zip
I've made my first plugin for WordPress. When activated, this plugin will send an email to people who comment (and supply a valid email address) with a unique link. Clicking on the link will approve the comment for immediate posting, without waiting for an administrator's approval.
The basic idea is that if the user supplies a valid email address, and they check that email account, then the commenter is most likely not a spammer. It's not foolproof, but it's a step in the right direction.
The unique URL is calculated using an md5 sum of the comment text plus a "seed". The formula could be brute-forced by someone who really wants to bypass your authorization process, but the burden of effort is on them. Edit the $seed variable in both files to use something unique for your site. Make sure the seed is identical in both files, or people will never be able to authorize their own posts!
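The link value described above is an unkeyed md5 over text the commenter already knows plus one static seed. As an added example (not the plugin's own code; the function names, key handling and sample values are assumptions), here is that formula next to an HMAC-SHA256 variant bound to the comment ID, the recipient address and an expiry time:

```php
<?php
// Added example. Function names, key handling and sample values are
// assumptions for illustration, not taken from commentauth.php.

// The formula as the post describes it: md5 of the comment text plus a seed.
// The result depends only on text the commenter already knows and one static
// string, so two comments with identical text share a link value, and any
// issued link is a (text, digest) pair against which seed guesses can be
// checked offline. Everything rests on how unpredictable the seed is.
function legacy_token(string $commentText, string $seed): string
{
    return md5($commentText . $seed);
}

// Hardened variant: HMAC-SHA256 under a random key, bound to the comment ID,
// the address the mail was sent to, and an expiry timestamp.
function make_token(string $key, int $commentId, string $email, int $expires): string
{
    $payload = $commentId . '|' . strtolower($email) . '|' . $expires;
    return $expires . '.' . hash_hmac('sha256', $payload, $key);
}

function verify_token(string $key, int $commentId, string $email, string $token, int $now): bool
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !preg_match('/\A\d{1,12}\z/', $parts[0])) {
        return false;                       // malformed token
    }
    $expires = (int) $parts[0];
    if ($now > $expires) {
        return false;                       // link has expired
    }
    // Recompute and compare in constant time; a changed expiry, comment ID
    // or address yields a different MAC.
    return hash_equals(make_token($key, $commentId, $email, $expires), $token);
}

// --- constructed sample data ---
$seed = 'example-seed';
var_dump(legacy_token('Nice post!', $seed) === legacy_token('Nice post!', $seed)); // same text, same link

$key   = random_bytes(32);    // generate once and store outside the web root
$now   = time();
$token = make_token($key, 101, 'reader@example.org', $now + 86400);

var_dump(verify_token($key, 101, 'reader@example.org', $token, $now));          // valid link
var_dump(verify_token($key, 102, 'reader@example.org', $token, $now));          // other comment
var_dump(verify_token($key, 101, 'reader@example.org', $token, $now + 90000));  // after expiry
```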
There are two files included in this plugin:
- commentauth.php
- moderate.php
Install moderate.php into your WordPress root directory, and commentauth.php in your wp-content/plugins/ directory. Ensure that comment moderation is activated, and then activate this plugin. That's all there is to it.
UPDATE: the original version of this plug-in was incompatible with the WordPress 1.2 Release Candidate. I've fixed that. Please download this package again, or edit moderation.php to remove the following line:
require_once('./wp-includes/functions.php');
UPDATE #2: I'm not currently using this plugin on this site, so please don't comment just to see it in action. You can do that over on my test installation!
UPDATE #3: Thanks to David, I've added a few extra headers to the generated mail so it should play nice with anti-spam systems. The download link has been updated to the newest version.
UPDATE #4 (2004-09-23): Thanks to Mark for suggesting a fix to help people who have their blog homepage in a different directory than the one in which they installed WordPress.
Nice work on the plugin Skippy! I think you're one of the first out the door with one other than the project devs.
teste
Really useful plug-in, I think most people are missing it though. thanks
I've followed the instructions, but clicking on the link in the email gets the error message:
Fatal error: Cannot redeclare wptexturize() (previously declared in /homepages/45/d28723249/htdocs/blog/wp-includes/functions-formatting.php:3) in /homepages/45/d28723249/htdocs/blog/wp-includes/functions-formatting.php on line 3
I assume there's a simple fix for this (and I could probably find it ... maybe) but have you had this on other setups and an easy solution to hand?
Superb customer service, Scott. Commenting out the second line of moderation.php worked for my build too.
This looks really useful I can't wait to try it. Thanks!
[...] m. By adding offenders to your blacklist you can effectively keep out known spammers. This plugin takes the prevention of comment spam a step further by requiring a second step in order for [...]
Comment Approval
Comment spam is a growing problem that is not expected to go away anytime soon. WordPress comes packaged with some nice features to help prevent comment spam. By adding offenders to your blacklist you can effectively keep out known spammers. This plugin...
What happens when someone does a trackback? Trackbacks do not include email addresses and therefore following your system, it would all fail right?
"What happens when someone does a trackback?"
(like comment no 9.) Does trackback work with this plugin?
I forget, truthfully, whether trackbacks bypass comment moderation by default. If trackbacks do get held in the moderation queue, and the trackback includes a valid email address, then this plugin would send the authorization request to the supplied email address.
If there is no valid email address (and I'm not sure trackbacks include them by default), then no authorization message will be sent.
Regardless of all of that, though, a blog operator can still manually approve or deny messages being held in the moderation queue. So if trackbacks do get held in the queue, you can approve or deny them just as you always do.
testing this great plugin
Testing to see if this is installed here...
OK, I've installed it and it seems to be working fine!
However, I've noticed that on the Edit : Comments tab in the WP back-end, I can't edit or delete the self-approved comment like I can for other comments listed there. I hope I can change this!
I'm not using this to fight spam as much as to fight anonymous cowards posting on my site.
Hey, I just wanted to say I got it working fine. It was my mistake with the permissions. Thanks so much for this software and for your support!
Testing it too...
Great plugin! I was just wondering though, would there be an easy way to use this in conjunction with the Optional Comment Moderation plugin at ubergeeks.net?
Meaning, once a post hits the 7 days mark and goes into comment moderation mode using their plugin, a person could be sent an email to automatically approve their post like in your plugin. Right now it doesn't work together because you have to activate comment moderation in the preferences for yours to work, but the other plugin bases it individually on age.
Did you get anywhere with the ubergeeks.net plugin (I saw your comment on their pages and wondered if you'd had a reply). I'd like to have your plugin work for the first 7 days and then disable commenting completely, but am not 100% (or even 10%) sure how to achieve this in WP1.2 ...
Can't get this to work with WP1.2. I've checked both boxes at Options/Discussion/Before a comment appears, installed the plugin files with the seed correctly, activated the plugin, and it just sends comments to the admin. I'm missing something--apart from my brain--but can't figure what. Any ideas?
I've got this installed and working great on WP 1.2. I use it primarily as an accountability tool (against anonymous cowards), rather than a spam-fighting tool. I have two questions/requests:
1. It would be great to make the e-mail sent to the user be HTML-formatted. Since I allow some HTML in the comments, this would be their chance to make sure the code is formatted correctly in the comment. As it is, the code shows up as code (just like it looks when they compose the message).
2. It would be great to have a "disapprove" link as well as the link to approve the comment. In the current set-up, I have to go through and periodically sweep out the comments that haven't been approved yet, but I can't be sure whether it's because the poster changed her mind or just hasn't checked her e-mail yet.
Thanks for writing this great plug-in! Do you have a tip jar or wish list?
test
Great plugin Skippy, though I only have one gripe. The redirection from the approval page is incorrect. You use get_settings('siteurl') when it should be get_settings('home') to account for those who do not have their index.php files located in the same directory as WordPress. You might want to also consider using "blogfilename" instead of "index.php".
test
[...] .0; we’ll see how that goes. If it doesn’t do the trick, I suppose I could try Skippy’s Email Comment Auth plugin, or one of the other techniques list [...]
I can't get your plugin to work. It gets called by the do_action('comment_post') hook in wp-comments-post.php, but then returns immediately because the comment has already been marked as "approved". If I comment out that test in the plugin, I get what looks like an attempted redirect but then a blank window with "No input file specified".
Ideas? thx
[...] yet and I’m still being plagued by comment spam, I’ve turned on Skippy’s Email Comment Auth plugin. It took a little hacking to get it working—I [...]
no, i can't make it work :( i don't know what's going wrong but i think there's something i'm skipping
Just doesn't work on my WP 1.2 mingus... :(
Test
I'm perplexed - I've installed the two files, reset the seed, activated it, turned on all the Discussion Options checkboxes... yet whenever I leave a comment, I just see the normal results page - I never get emailed an authentication request.
Any thoughts or troubleshooting advice?
[...] have to monitor things quite as closely now. The plugin is made by Scott Merrill, over at skippy.n [...]
I am using a styleswitcher plugin, and therefore not using the default wp-style.css. I have changed the @import url to reflect the stylesheets used by index.php, and followed all other instructions, but when a user posts a comment, all that happens is that they are returned to the comment posting page, and the comment authorization page never turns up. neither does their comment! any ideas please?
Hi Jewel,
First, make sure you have the current version. Go to your plugins page within WordPress and make sure it says version 1.6 (NOT 1.5). For me, the link on the developer's site led to 1.5
The 1.6 version should be the latest and greatest version. If you're still having trouble, please send me an email!
[...] ings so that every comment required authorization from me. I could use something like the Comment Authorization Plugin to allow commenters who provide a valid email ad [...]
There is a 1.6 version? Could someone please post a link? There seems to be no mention of it besides here in the comments.
Sam
its a test
[...] spam are starting up again. So I decided to install Skippy’s plugin for comment moderation. For a comment [...]
Testing your crap.
This doesn't seem to work -- 1215
That's awesome
Hi,
moderate.php file is not included in the archive.
Can you tell me if it's ok or not?
Thanks.
Best regards.
I can't seem to get this to work on my blog. I changed the seed word to the same thing in both files, and I uploaded them to the appropriate directories. I activated the plugin, and then I made a test comment. The comment automatically appeared with no confirmation email.
I figured out my problem. I didn't have the following checked under Options--->Discussion:
"An administrator must approve the comment (regardless of any matches below)"
After I checked the box, the comment authorization worked fine. Great plugin!
Is it possible to move this comments away from moderation queue and delete them after some days?
I get tons of spam comments and they are sent to the moderation queue, so I receive an email for every comment sent by automatic spammer's scripts...
If you're getting a lot of spam comments, other plugins may be better suited to help you. Take a look at MooKitty's Spaminator or Spam Words, and also Dr. Dave's Spam Karma. All three have received positive responses from the WordPress community. I haven't had a need to use any of them yet, though, so I can't provide anything more in the way of recommendation.
I've gotten this to work on my school blog no problem, but I'm having difficulty on my personal blog http://cariadsrealm.net/journal probably due to the fact that I've changed so many things to combat spammers. The problem is, I don't know which change is stopping the authorization plugin from working.
2 things I've changed.
Once you've made a comment, you are redirected to comment.htm - a page which tells people their comment is waiting moderation.
The second thing I've changed is the comment-post.php to a different name.
Would either one of these stop your comment authorization from working?
Thanks.
Hey Skippi, thanks for the excellent idea for this plugin. But... I'm having problems installing it; the commentauth.tgz archive includes a single file called commentauth (and no extension). I can't figure out which parts of it belong to which of the two files. Could you perhaps provide the two files in a zip instead of a tgz? It may be the fault of my decompressor (FilZip) handling the tgz archives badly (although it would be the first time it's not working). Thanks in advance!
Installation can't get any easier than this, and it works perfectly. Thanks again for providing the .zip as alternate download!
You're welcome! I'm glad it works for you.
This plugin is not the solution to comment spam -- it is only one part. As noted in the post, I've taken down the live demo because this plugin on its own is, in fact, not a good solution to comment spam at all. Spammers don't leave real email addresses in their spams, so all the authorization emails generated by this plugin will bounce.
But this plugin behind something like Spam Karma that filters obviously spammy comments, might be a good solution to provide reliable authenticity for comments.
Thanks to everyone who's helped me troubleshoot this.
[...] ing the comments, otherwise the comments will be disregarded. I’m also trying to get Skippy’s Comment Authorization plugin to work - this way, posters will [...]
Indeed, this is not a plugin to fight back spam. It helps real people who post real comments authorise their own messages, so I don't have to manually approve them. This way, the moderation queue should contain only comments with fake e-mail addresses, mostly from spammers.
Spammers rarely manually submit messages themselves - that would simply be inefficient. Instead, they rely on specialized computer programs, a specialized form of web spiders, to identify possible targets and automatically submit messages through default settings. Web forums used to be attacked this way - spam bots would find the registration script (the same filename and location for all forums using phpBB or vBulletin, for example) and submit a reply that included all form data required for registration. This way, a bunch of usernames advertising various porn sites were common on most web forums out there. Now, they are targeting WordPress blogs, they only have to submit the same HTTP request for each post to sitename/wp-comments-post.php ; the request has the name, e-mail, url and message filled in.
In both cases (forums and WP), the simplest solution to prevent such automatic submissions is to alter the default fields for the submission script. Either rename the submission script, or change the field names, or add a new mandatory field which requires human interaction. The last seems best to me; use a plugin to generate some random text and display it in an image, so only a real person can figure out what the text is and enter it manually. Most bots will not send that field because they don't actually request the page with the form prior to submitting the comments. Very, very few bots do so, and they may include OCR algorithms to find out what the text is - but this can be prevented by using non-standard fonts or adding some random lines to confuse the OCR script.
So, if you use such a plugin to block out spam bots, and then rely on another plugin to allow real people with real e-mail addresses to activate their own posts, all you should have left in the moderating queue are spam messages added manually. Voila :)
We would like to use this plugin for WordPress.Com
However, we also need it for wp-register.php
If you can add a CAPTCHA and keep it as a true plug-in, we would love to use it.
Thank you very very much! You made my life so much easier!
[...] will work, or that it’ll match anything on this site. I’m starting out with an e-mail confirmation script first, then will move on to testing others in the [...]
It's great plugin, but I can't make it work yet.
Please allow me to test it here.
Thank you very much!!
[...] test Filed under: geeky — dodo @ Jan 18, 2005 07:05 pm modifying this hack coz i only want it to work when a p [...]
I love this plug-in, I've been using it successfully since last summer. I wish I could also use WP's built-in comment moderation/spam words. I have a particularly awful troll and I'd like to block his known e-mail addresses from posting at all. Any suggestions?
[...] , I’ve implemented yet another little plug-in against the rising tide o’ crap: Skippy’s Comment Authorization plug-in. Not anything super special, it [...]
[...] Some form of spam protection would probably be good to install. Hash Cash Comment Authorization (http://www.skippy.net/blog/2004/04/27/plugin-comment-authorization/) Spam Karma 2 This entry was posted on Wed [...]
Is there a way to still force the comment to go through moderation? I'd like to use the plugin to validate good email address so we can respond privately to posts if necessary. We are finding that some of those commenting are providing bogus email addresses.
"The basic idea is that if the user supplies a valid email address, and they check that email account, then the commenter is most likely not a spammer"
not true.. :)
I love your plugin!
Testing it too - very good plugin
Thx for the sharing.
Really good plugin. It's very useful. Thanks a lot!
I love this idea!
sounds great, cant wait to implement it!
Very good your plugin!!!!!
I really like this plug-in. I had some issues then I upgraded to WordPress 1.6, though.
At the same time I did that, I decided to move the blog to its own directory (/wordpress) to keep the site clean. (A nice clean fresh install.)
I kept having issues with the plug-in until I moved 'moderation.php' to the root directory and modified the script in it to point back to the '/wordpress' directory to find the files it was trying to use that were not in the root.
I'm happy I was able to figure it out because I really missed this plug-in. It is a huge convenience.
[...] I’ve only just scratched the surface with all the plugins available for WordPress, but at the moment I’m using Ultimate Tag Warrior to feed my metadata obsession, Comment Authorization to check people are who they say they are and Smart Update Pinger to only send out pings when I post new entries (not when I edit). Anyone have any suggestions on some ‘must-have’ plugins for WordPress? [...]
Howto: Comment Email Authentication
Digital Kaleidoscope readers who have posted a comment will know that I have a system in place where your email address must be verified before comments get posted. Hopefully you only found it a small inconvenience since you only ever need to do ...
When will this plugin be updated, Skippy?
Spam Control within WordPress Blogs?
I have set up a blog using WordPress and it works well, though, unfortunately, it doesn't write itself. :-) My question is two-fold. First, what do you use to set up your weblog, or what service do you use? And, second, is there any way to keep *##@ t...
[...] My first officially released plugins was “Comment Authorization”: http://www.skippy.net/blog/2004/04/27/plugin-comment-authorization/ This plugin sends to the address used when commenting an email containing a unique link. If the link is visited, it automatically approves the comment. Have you ever met any other developers? [...]
I like this plug-in...
Did anyone try with WP2 ?
I can install the plug-in without any problem, but no action after activating it !!!
Please Help...
CQD, CQD, CQD...
Vinu: I've not tested this at all with WordPress 2.0. There are, in truth, much better anti-spam solutions now available.
Hi Skippy,
After two hours of messing with it, it doesn't work with WP2. Yes, there are better anti spam solutions available and I've always been using them -- I used this to ensure that I get legit email addresses -- at least from those who do not use mailinator.
A lot of us really liked this plugin -- please consider updating...
Dear Skippy,
I didn't find any plug-in to verify the commenter's email address. The Akismet spam plug-in is available by default with WP2 Duke and it's activated already. But still we need this plug-in for comment authorization. Please help us...
Thanks...
Vinu
There is a serious security vulnerability in this plugin; russian spammers directly accessed the mailer function to send massive amounts of spam *FROM* my blog, i.e. it looked like the spam was coming from me. This is obviously terrible. Please fix the plugin ASAP.
Reuben, I don't speak for Skippy, but are you sure the Russians are just using your domain name? Anyone can use a domain name to make it look like email is coming from your site--it's entirely possible that the spam from your domain has nothing to do with this plugin. Then again, it's entirely possible that I don't know what I'm talking about :)
FYI... I upgraded my Wordpress from 1.5.2 to 2.0.1, and everything seems to be working fine with the plugin. :)
[...] If you’ve ever left a comment on any of my stories, you know that I leave the process of authorizing your comment in you hands, through an email that gets sent to you with a link to finalize the posting of your comment. I do this through the use of the Comment Authorization plugin from Skippy.net. [...]
hmmm... well, I left the previous comment a couple of months ago, and apparently I was wrong. The plugin appeared to be working, but it prevents the Comment Author cookie from being written. I didn't even notice until I tried to add functionality based on that cookie.
I really love this plugin. Any chance there will be a 1.7?
[...] I recently made some changes to the way comments get posted. For a long time I had been using the Comment Authorization plugin to help fight comment spam, and make people verify their email address. But, as it turns out, that plugin isn’t totally compatible with Wordpress 2.0x. I thought it was, but I didn’t realize it was preventing the Comment Author cookie from being written. If you’re unfamiliar with this… wordpress writes a cookie when you leave a comment. That’s why your info is already in the form fields when you come back, after leaving a comment. The cookie is also used by the Subscribe to Comments plugin. Without it, that feature gets broken. [...]
I was wondering if there is confirmation or not if this works with WP2.02?
If so, is there a way that I can customize the comment awaiting confirmation page as well as the accepted page once people click on the link in their email? I want these two pages to look like my site, not just standard pages.
Thanks
doug: I have not tested this plugin with WordPress 2.0+, and am unlikely to do so. In my experience, this plugin exacerbated the problems of comment spam by generating bounce notification messages sent to me every time some spammer posted with a bogus email address.
[...] e-mail confirmation comment - before the comment appears, the commenter receives an e-mail. The comment only appears after clicking the link in it. The problem with it is the same as with captcha. All the extra “work” scares commenters away. [...]
[...] E-mail Comment Authorization: These plugins force commenters to verify their “humanity” by clicking a link sent within an e-mail. Again, this method requires too much visitor involvement, and does not stop manual comment spamming. [...]
I have WP 2.0.4 here and it works fine. But SK2 (Spam Karma 2) is changing the status to "approved" before Skippy's plugin can send out a link. I have now released a patch and will place a post on my weblog with trackbacks.
Hi Skippy,
I have patched SK2 to get it working with your plugin. Check my blog entry out.
Roland
I can't seem to get this to work on my blog. I uploaded them to the appropriate directories (I think). I activated the plugin, and then I made a test comment. The path does not seem to help either.
working like a charm for me...was getting in excess of 40 garbage spam and up to 100 sometimes a day...thanks a lot for this!!
[...] By coincidence, this is 15 days — half a month — after I started. And yes, they are all spams; as most of you know, real people approve their own comments by email (I love that plug-in!). [...]
[...] And in case you’re wondering, not one spam made it to visibility, and not one legitimate comment was blocked. This is because I use the Comment Authorization plug-in for WordPress. Despite its disclaimers, it works just fine for me on WP 2.0.4. (And in case you’re wondering what happens if somebody doesn’t supply an email address: I get to approve it myself. It’s rare, though.) [...]
Good plugin. I would still like to have more control over comments by approving them myself. Any chance of sending verified e-mail address comments to moderation instead of approval? Is that easy enough to do?
I tried testing this on my own blog, but I'm not actually getting the email.
Wait, nevermind. It's a little slow, but I got the email
Does this plugin also require email notification from registered and logged-in users? If so, I'm not inclined to use it.
Billy Dennis: this plugin has not been updated for a very long time. I'd be surprised if it works at all with recent versions of WordPress.