Plugin: Comment Authorization

NOTICE: I have permanently disabled the test implementation of this plugin. (2004-12-16)

Current Version: 1.6
Download tgz: commentauth.tgz
Download zip: commentauth.zip

I've made my first plugin for WordPress. When activated, this plugin will send an email to people who comment (and supply a valid email address) with a unique link. Clicking on the link will approve the comment for immediate posting, without waiting for an administrator's approval.

The basic idea is that if the user supplies a valid email address, and they check that email account, then the commenter is most likely not a spammer. It's not foolproof, but it's a step in the right direction.

The unique URL is calculated using an md5 sum of the comment text plus a "seed". The formula could be brute-forced by someone who really wants to bypass your authorization process, but the burden of effort is on them. Edit the $seed variable in both files to use something unique for your site. Make sure the seed is identical in both files, or people will never be able to authorize their own posts!
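The token scheme described above, set beside a keyed alternative, as an added example that is not the plugin's own code. `legacy_token()` follows the description on this page (the concatenation order is an assumption); `hmac_token()`, `verify_token()` and all sample values are hypothetical names and data constructed for illustration.

```php
<?php
// Added illustration; not taken from commentauth.php or moderate.php.

// Scheme as described on this page: md5 of the comment text plus a seed.
// The concatenation order is an assumption.
function legacy_token(string $commentText, string $seed): string
{
    return md5($commentText . $seed);
}

// Keyed alternative: HMAC-SHA256 over the comment ID, the commenter's
// email address and the comment text, so each token is bound to one
// comment and one recipient.
function hmac_token(string $key, int $commentId, string $email, string $commentText): string
{
    // Length-prefix every field so ("ab", "c") and ("a", "bc") cannot
    // produce the same message.
    $message = '';
    foreach ([(string) $commentId, strtolower($email), $commentText] as $field) {
        $message .= strlen($field) . ':' . $field;
    }
    return hash_hmac('sha256', $message, $key);
}

// Check for the approval link: recompute the token and compare it to the
// supplied value in constant time.
function verify_token(string $key, int $commentId, string $email, string $commentText, string $supplied): bool
{
    $expected = hmac_token($key, $commentId, $email, $commentText);
    return hash_equals($expected, $supplied);
}

// Constructed sample values.
$seed = 'change-me';               // stands in for the plugin's $seed
$key  = bin2hex(random_bytes(32)); // per-site secret: generate once, then store
$text = 'Nice post!';

// With the described formula the token depends only on the text and the
// seed, so the same text posted twice yields the same token.
var_dump(legacy_token($text, $seed) === legacy_token($text, $seed));

// The keyed token changes with the comment ID, even for identical text.
$tokenA = hmac_token($key, 101, 'alice@example.org', $text);
$tokenB = hmac_token($key, 102, 'alice@example.org', $text);
var_dump($tokenA === $tokenB);

// A token issued for comment 101 is accepted for 101 and rejected for 102.
var_dump(verify_token($key, 101, 'alice@example.org', $text, $tokenA));
var_dump(verify_token($key, 102, 'alice@example.org', $text, $tokenA));
```

In a real deployment the key would be read from stored configuration rather than regenerated per request, since the approval page has to recompute the same token later.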

There are two files included in this plugin:

Install moderate.php into your WordPress root directory, and commentauth.php in your wp-content/plugins/ directory. Ensure that comment moderation is activated, and then activate this plugin. That's all there is to it.

Download this plugin!

UPDATE: the original version of this plug-in was incompatible with the WordPress 1.2 Release Candidate. I've fixed that. Please download this package again, or edit moderation.php to remove the following line:
require_once('./wp-includes/functions.php');

UPDATE #2: I'm not currently using this plugin on this site, so please don't comment just to see it in action. You can do that over on my test installation!

UPDATE #3: Thanks to David, I've added a few extra headers to the generated mail so it should play nice with anti-spam systems. The download link has been updated to the newest version.

UPDATE #4 (2004-09-23): Thanks to Mark for suggesting a fix to help people who have their blog homepage in a different directory than the one in which they installed WordPress.


  • wantmoore
    Nice work on the plugin Skippy! I think you're one of the first out the door with one other than the project devs.
  • milhouse
    teste
  • Andy
    Really useful plug-in, I think most people are missing it though. thanks
  • Emrys Hopkins
    I've followed the instructions, but clicking on the link in the email gets the error message: Fatal error: Cannot redeclare wptexturize() (previously declared in /homepages/45/d28723249/htdocs/blog/wp-includes/functions-formatting.php:3) in /homepages/45/d28723249/htdocs/blog/wp-includes/functions-formatting.php on line 3 I assume there's a simple fix for this (and I could probably find it ... maybe) but have you had this on other setups and an easy solution to hand?
  • Emrys Hopkins
    Superb customer service, Scott. Commenting out the second line of moderation.php worked for my build too.
  • Ruby
    This looks really useful I can't wait to try it. Thanks!
  • May 25th, 2004
  • May 25th, 2004
  • chuckg
    What happens when someone does a trackback? Trackbacks do not include email addresses and therefore following your system, it would all fail right?
  • catch
    "What happens when someone does a trackback?" (like comment no 9.) Does trackback work with this plugin?
  • skippy
    I forget, truthfully, whether trackbacks bypass comment moderation by default. If trackbacks do get held in the moderation queue, and the trackback includes a valid email address, then this plugin would send the authorization request to the supplied email address. If there is no valid email address (and I'm not sure trackbacks include them by default), then no authorization message will be sent. Regardless of all of that, though, a blog operator can still manually approve or deny messages being held in the moderation queue. So if trackbacks do get held in the queue, you can approve or deny them just as you always do.
  • test
    testing this great plugin
  • Ruby
    Testing to see if this is installed here...
  • Ruby Sinreich
    OK, I've installed it and it seems to be working fine! However, I've noticed that on the Edit : Comments tab in the WP back-end, I can't edit or delete the self-approved comment like I can for other comments listed there. I hope I can change this! I'm not using this to fight spam as much as to fight anonymous cowards posting on my site.
  • Ruby Sinreich
    Hey, I just wanted to say I got it working fine. It was my mistake with the permissions. Thanks so much for this software and for your support!
  • David
    Testing it too...
  • Jennifer
    Great plugin! I was just wondering though, would there be an easy way to use this in conjunction with the Optional Comment Moderation plugin at ubergeeks.net? Meaning, once a post hits the 7 days mark and goes into comment moderation mode using their plugin, a person could be sent an email to automatically approve their post like in your plugin. Right now it doesn't work together because you have to activate comment moderation in the preferences for yours to work, but the other plugin bases it individually on age.
  • Emrys Hopkins
    Did you get anywhere with the ubergeeks.net plugin (I saw your comment on their pages and wondered if you'd had a reply). I'd like to have your plugin work for the first 7 days and then disable commenting completely, but am not 100% (or even 10%) sure how to achieve this in WP1.2 ...
  • Trebol
    Can't get this to work with WP1.2. I've checked both boxes at Options/Discussion/Before a comment appears, installed the plugin files with the seed correctly, activated the plugin, and it just sends comments to the admin. I'm missing something--apart from my brain--but can't figure what. Any ideas?
  • Ruby Sinreich
    I've got this installed and working great on WP 1.2. I use it primarily as an accountability tool (against anonymous cowards), rather than a spam-fighting tool. I have two questions/requests: 1. It would be great to make the e-mail sent to the user be HTML-formatted. Since I allow some HTML in the comments, this would be their chance to make sure the code is formatted correctly in the comment. As it is, the code shows up as code (just like it looks when they compose the message). 2. It would be great to have a "disapprove" link as well as the link to approve the comment. In the current set-up, I have to go through and periodically sweep out the comments that haven't been approved yet, but I can't be sure whether it's because the poster changed her mind or just hasn't checked her e-mail yet. Thanks for writing this great plug-in! Do you have a tip jar or wish list?
  • test
    test
  • Mark
    Great plugin Skippy, though I only have one gripe. The redirection from the approval page is incorrect. You use get_settings('siteurl') when it should be get_settings('home') to account for those who do not have their index.php files located in the same directory as WordPress. You might want to also consider using "blogfilename" instead of "index.php".
  • kano
    test
  • September 29th, 2004
  • Bowen
    I can't get your plugin to work. It gets called by the do_action('comment_post') hook in wp-comments-post.php, but then returns immediately because the comment has already been marked as "approved". If I comment out that test in the plugin, I get what looks like an attempted redirect but then a blank window with "No input file specified". Ideas? thx
  • October 2nd, 2004
  • rusinho
    no, i can't make it work :( i don't know what's going wrong but i think there's something i'm skipping
  • Orlando
    Just doesn't work on my WP 1.2 mingus... :(
  • dtc
    Test
  • Dennis
    I'm perplexed - I've installed the two files, reset the seed, activated it, turned on all the Discussion Options checkboxes... yet whenever I leave a comment, I just see the normal results page - I never get emailed an authentication request. Any thoughts or troubleshooting advice?
  • October 27th, 2004
  • Jewel
    I am using a styleswitcher plugin, and therefore not using the default wp-style.css. I have changed the @import url to reflect the stylesheets used by index.php, and followed all other instructions, but when a user posts a comment, all that happens is that they are returned to the comment posting page, and the comment authorization page never turns up. neither does their comment! any ideas please?
  • paul
    Hi Jewel, First, make sure you have the current version. Go to your plugins page within wordpress and make sure it says version 1.6 (NOT 1.5). For me, the link on the developers site led to 1.5
  • skippy
    The 1.6 version should be the latest and greatest version. If you're still having trouble, please send me an email!
  • November 11th, 2004
  • Sam Snow
    There is a 1.6 version? Could someone please post a link? There seems to be no mention of it besides here in the comments. Sam
  • mefju
    it's a test
  • November 15th, 2004
  • Mat
    Testing your crap.
  • Mat
    This doesn't seem to work -- 1215
  • John
    That's awesome
  • Luc-Marie
    Hi, moderate.php file is not included in the archive. Can you tell me if it's ok or not? Thanks. Best regards.
  • Lindsay Lohan
    I can't seem to get this to work on my blog. I changed the seed word to the same thing in both files, and I uploaded them to the appropriate directories. I activated the plugin, and then I made a test comment. The comment automatically appeared with no confirmation email.
  • Lindsay Lohan
    I figured out my problem. I didn't have the following checked under Options--->Discussion: "An administrator must approve the comment (regardless of any matches below)" After I checked the box, the comment authorization worked fine. Great plugin!
  • Alessandro Ronchi
    Is it possible to move these comments away from moderation queue and delete them after some days? I get tons of spam comments and they are sent to the moderation queue, so I receive an email for every comment sent by automatic spammer's scripts...
  • skippy
    If you're getting a lot of spam comments, other plugins may be better suited to help you. Take a look at MooKitty's Spaminator or Spam Words, and also Dr. Dave's Spam Karma. All three have received positive responses from the WordPress community. I haven't had a need to use any of them yet, though, so I can't provide anything more in the way of recommendation.
  • Lynne
    I've gotten this to work on my school blog no problem, but I'm having difficulty on my personal blog http://cariadsrealm.net/journal probably due to the fact that I've changed so many things to combat spammers. The problem is, I don't know which change is stopping the authorization plugin from working. 2 things I've changed. Once you've made a comment, you are redirected to comment.htm - a page which tells people their comment is waiting moderation. The second thing I've changed is the comment-post.php to a different name. Would either one of these stop your comment authorization from working? Thanks.
  • Titel
    Hey Skippi, thanks for the excellent idea for this plugin. But... I'm having problems installing it; the commentauth.tgz archive includes a single file called commentauth (and no extension). I can't figure out which parts of it belong to which of the two files. Could you perhaps provide the two files in a zip instead of a tgz? It may be the fault of my decompressor (FilZip) handling the tgz archives badly (although it would be the first time it's not working). Thanks in advance!
  • Titel
    Installation can't get any easier than this, and it works perfectly. Thanks again for providing the .zip as alternate download!
  • skippy
    You're welcome! I'm glad it works for you. This plugin is not the solution to comment spam -- it is only one part. As noted in the post, I've taken down the live demo because this plugin on its own is, in fact, not a good solution to comment spam at all. Spammers don't leave real email addresses in their spams, so all the authorization emails generated by this plugin will bounce. But this plugin behind something like Spam Karma that filters obviously spammy comments, might be a good solution to provide reliable authenticity for comments. Thanks to everyone who's helped me troubleshoot this.
  • December 17th, 2004
  • Titel
    Indeed, this is not a plugin to fight back spam. It helps real people who post real comments authorise their own messages, so I don't have to manually approve them. This way, the moderation queue should contain only comments with fake e-mail addresses, mostly from spammers. Spammers rarely manually submit messages themselves - that would simply be inefficient. Instead, they rely on specialized computer programs, a specialized form of web spiders, to identify possible targets and automatically submit messages through default settings. Web forums used to be attacked this way - spam bots would find the registration script (the same filename and location for all forums using phpBB or vBulletin, for example) and submit a reply that included all form data required for registration. This way, a bunch of usernames advertising various porn sites were common on most web forums out there. Now, they are targeting WordPress blogs, they only have to submit the same HTTP request for each post to sitename/wp-comments-post.php ; the request has the name, e-mail, url and message filled in. In both cases (forums and WP), the simplest solution to prevent such automatic submissions is to alter the default fields for the submission script. Either rename the submission script, or change the field names, or add a new mandatory field which requires human interaction. The last seems best to me; use a plugin to generate some random text and display it in an image, so only a real person can figure out what the text is and enter it manually. Most bots will not send that field because they don't actually request the page with the form prior to submitting the comments. Very, very few bots do so, and they may include OCR algorithms to find out what the text is - but this can be prevented by using non-standard fonts or adding some random lines to confuse the OCR script. 
    So, if you use such a plugin to block out spam bots, and then rely on another plugin to allow real people with real e-mail addresses to activate their own posts, all you should have left in the moderating queue are spam messages added manually. Voila :)
  • Ric
    We would like to use this plugin for WordPress.Com However, we also need it for wp-register.php If you can add a CAPTCHA and keep it as a true plug-in, we would love to use it.
  • Pietro
    Thank you very very much! You made my life so much easier!
  • January 6th, 2005
  • Mochi
    It's great plugin, but I can't make it work yet. Please allow me to test it here. Thank you very much!!
  • January 19th, 2005
  • Ruby Sinreich
    I love this plug-in, I've been using it successfully since last summer. I wish I could also use WP's built-in comment moderation/spam words. I have a particularly awful troll and I'd like to block his known e-mail addresses from posting at all. Any suggestions?
  • February 6th, 2005
  • May 25th, 2005
  • Martin
    Is there a way to still force the comment to go through moderation? I'd like to use the plugin to validate good email address so we can respond privately to posts if necessary. We are finding that some of those commenting are providing bogus email addresses.
  • zoza
    "The basic idea is that if the user supplies a valid email address, and they check that email account, then the commenter is most likely not a spammer" not true.. :)
  • joost
    I love your plugin!
  • Alex
    Testing it too - very good plugin Thx for the sharing.
  • juegos
    Really good plugin. It's very useful. Thanks a lot!
  • Danmeister
    I love this idea!
  • JJ
    sounds great, can't wait to implement it!
  • Carlos
    Very good your plugin!!!!!
  • Dennis
    I really like this plug-in. I had some issues then I upgraded to WordPress 1.6, though. At the same time I did that, I decided to move the blog to its own directory (/wordpress) to keep the site clean. (A nice clean fresh install.) I kept having issues with the plug-in until I moved 'moderation.php' to the root directory and modified the script in it to point back to the '/wordpress' directory to find the files it was trying to use that were not in the root. I'm happy I was able to figure it out because I really missed this plug-in. It is a huge convenience.
  • November 12th, 2005
  • November 13th, 2005
  • Jonathan
    When will this plugin be updated, Skippy?
  • December 20th, 2005
  • January 6th, 2006
  • Vinu
    I like this plug-in... Did anyone try with WP2? I can install the Plug-in without any problem, but no action after activating it!!! Please Help... CQD, CQD, CQD...
  • skippy
    Vinu: I've not tested this at all with WordPress 2.0. There are, in truth, much better anti-spam solutions now available.
  • Cal
    Hi Skippy, After two hours of messing with it, it doesn't work with WP2. Yes, there are better anti spam solutions available and I've always been using them -- I used this to ensure that I get legit email addresses -- at least from those who do not use mailinator. A lot of us really liked this plugin -- please consider updating...
  • Vinu
    Dear Skippy, I didn't find any plug-in to verify the commenters email address. Akismet Spam plug-in is available by default with WP2 Duke and it's activated already. But still we need this plug-in for comment authorization. Please help us... Thanks... Vinu
  • Reuben
    There is a serious security vulnerability in this plugin; russian spammers directly accessed the mailer function to send massive amounts of spam *FROM* my blog, i.e. it looked like the spam was coming from me. This is obviously terrible. Please fix the plugin ASAP.
  • ThePete
    Reuben, I don't speak for Skippy, but are you sure the Russians are just using your domain name? Anyone can use a domain name to make it look like email is coming from your site--it's entirely possible that the spam from your domain has nothing to do with this plugin. Then again, it's entirely possible that I don't know what I'm talking about :)
  • paul
    FYI... I upgraded my Wordpress from 1.5.2 to 2.0.1, and everything seems to be working fine with the plugin. :)
  • March 4th, 2006
  • paul
    hmmm... well, I left the previous comment a couple of months ago, and apparently I was wrong. The plugin appeared to be working, but it prevents the Comment Author cookie from being written. I didn't even notice until I tried to add functionality based on that cookie. I really love this plugin. Any chance there will be a 1.7?
  • April 4th, 2006
  • doug
    I was wondering if there is confirmation or not if this works with WP2.02? If so, is there a way that I can customize the comment awaiting confirmation page as well as the accepted page once people click on the link in their email? I want these two pages to look like my site not just standard pages. Thanks
  • skippy
    doug: I have not tested this plugin with WordPress 2.0+, and am unlikely to do so. In my experience, this plugin exacerbated the problems of comment spam by generating bounce notification messages sent to me every time some spammer posted with a bogus email address.
  • June 23rd, 2006
  • July 7th, 2006
  • Quix0r
    I have WP 2.0.4 here and it works fine. But SK2 (Spam Karma 2) is changing the status to "approved" before Skippy's plugin can send out a link. I have now released a patch and will place a post on my weblog with trackbacks.
  • Quix0r
    Hi Skippy, I have patched SK2 to get it working with your plugin. Check my blog entry out. Roland
  • Lindsay Lohan
    I can't seem to get this to work on my blog. I uploaded them to the appropriate directories (I think). I activated the plugin, and then I made a test comment. The path does not seem to help either.
  • al-fallujah
    working like a charm for me...was getting in excess of 40 garbage spam and up to 100 sometimes a day...thanks a lot for this!!
  • November 29th, 2006
  • December 14th, 2006
  • steve
    Good plugin. I would still like to have more control over comments by approving them myself. Any chance of sending verified e-mail address comments to moderation instead of approval? Is that easy enough to do?
  • Claire
    I tried testing this on my own blog, but I'm not actually getting the email.
  • Claire
    Wait, nevermind. It's a little slow, but I got the email
  • Billy Dennis
    Does this plugin also require email notification from registered and logged-in users? If so, I'm not inclined to use it.
  • skippy
    Billy Dennis: this plugin has not been updated for a very long time. I'd be surprised if it works at all with recent versions of WordPress.

About | Policies | skippy.net