Comment Security Hole

That’s not a security hole. It’s totally plausible that multiple people use the same handles, and unless the user is registered on your site, there’s no real way to validate that whatever #1 is the same as whatever #2.

If you want to protect your registered users from being imitated, though, grab https://www.ads-software.com/extend/plugins/impostercide/

Hrm. Good to know. Thanks!

Of course, wouldn’t it be logical that if you have to have an email with a comment [assuming you aren’t registered] the WP system would be able to invalidate multiple uses of the same screenname?

Perhaps this is something that can be worked out in an upcoming release, say by building the impostercide plugin into the core.

Anyway, thanks!

Tried it. The problem is validate with whom, precisely?

I mean, let’s say [email protected] leaves a comment with the name ‘Joe Doe.’ Then someone else leaves a comment, same email, with the name ‘Joseph Doe.’ Which one is the RIGHT name? They both are! Do I reject one over the other? How do I decide who’s right and who isn’t?

The reason WP doesn’t validate against anon users is that there’s no way to do it without causing massive over head (do you really want to scan every comment ever made when someone wants to leave one?). The best we can do is say ‘If you, Tron, want to comment and already have an ID on the grid, please log in.’ Other than that, though, Tron may want to use his [email protected] email, or his [email protected] one. They’re both valid Trons, and it’s too much data to manage.

Actually, that’s why places like blogger use OpenID and all to validate people.