

WordPress comments flaw

  1. Using someone’s nickname…

    I did: I made a fake comment on my blog using Andy Skelton’s info: http://skeltoac.com

    I saw: a fake comment on my blog.

    I expected: at least that this kind of comment would be moved to spam.

    Why can I make comments on any wordpress blog using any other wordpress blog's info?
    How can that be?

    See here: http://anpuopu.wordpress.com/2009/09/18/wordpress-comments-flaw/#more-2185

    The blog I need help with is anpuopu.wordpress.com.

  2. There is absolutely no way for wordpress, or any other website for that matter, to absolutely verify the identity of a commenter. It simply cannot be done.

    1. I use someone else's computer to post a comment on your blog under the computer owner's name and email address. Even if you somehow required an email verification, I have access to the other person's email program (assuming they have automatic login set in their email program) and I can then confirm the comment, and then delete the email. I have just posted a bogus comment on your blog and deleted any easily identifiable tracks.

    2. I use the above computer to post a comment using my information? How can you verify it is really me? I'm on a different computer, perhaps in a totally different area, or perhaps in a totally different country.

    3. I have three computers: one at work, one at home, and a laptop I use for traveling. I comment on your blog from work, I comment on your blog from home (different IP addresses) and then I take a trip to Istanbul, Turkey and make another comment on your blog under the same username and email address. The IP address is now in another country. How can you verify that it IS or is NOT me?

    4. Now, I head to Paris, France and post another comment on your blog from my iPhone. How do you tell if it is really me? You cannot.

    5. IP addresses? Completely meaningless for the most part since ISPs now do not assign unique IP addresses to individual users. Each IP address could have hundreds of users assigned to it. The main reason this is done now is because of costs. It simply is not feasible to buy large blocks of IP addresses so that each user can have a unique address. And besides, with wi-fi hot spots all over the place, and everyone using smartphones and laptops and netbooks, it simply isn't possible to track and verify a user's/commenter's identity.

    6. One last example: From my home computer, I can log onto 4 different wireless networks that neighbors have since they have left them wide open. Again, how can you verify that it is me making the comment?

    This is one of those problems without a solution I'm afraid.

  3. One other little note:

    I can check the IP address that I'm using with my ISP and find myself in different locations. One time I'm shown as in Cheyenne, Wyoming, the next time perhaps Denver, Colorado, and the next time I might be shown as being in Salt Lake City, UT. I'm at least 350 miles from the closest of those locations. I'm never shown where I actually am since my ISP does not have a local datacenter.

  4. thesacredpath, what about this:

    Solution:

    If the commentator is not logged in or doesn’t have a wordpress account,
    the fields «Name», «Email», and «Website» should be inactive and the field «Name» has to contain the word «anonymous».

  5. Go to settings > discussion and select "Users must be registered and logged in to comment" but that is still no guarantee that the person did not sign up with bogus information and a freebie email account at yahoo or gmail or live.com.

    Also, anyone coming to your blog that does not have a wordpress.COM account, is not likely to sign up for one just to make a comment on your blog. I resisted signing up for a google account so that I could comment on two blogs there for two years, and if I had not gotten a google webmaster account, I probably never would have signed up just to comment on those blogs.

  6. One other thing to think about. Like me, I think most people are reaching the point of "register to comment" overload as it seems virtually anywhere you go nowadays, you are required to register to comment, and I'm getting tired of trying to remember all those usernames and passwords and if I have registered at that particular site or not. Basically now, unless I can see myself becoming a regular commenter on a particular site, I'm not about to register just to leave one comment, so the discussion there will never benefit from my perspective. Their loss or mine? Who knows?

  7. "Users must be registered and logged in to comment" will prevent unregistered people from commenting, which is not acceptable.
    It is not necessary to verify the identity of a commenter. Why?
    I still don't understand why it is not fixed the way I suggested.

  8. So you want all comments on your blog, where the user is not logged into wordpress to have "anonymous" as the name by default that cannot be changed?

    Sorry - and don't take this the wrong way - but that is simply ludicrous. 90% of the comments on your blog would appear like they were made by the same person. How would anyone know they were made by different people?

    Why don't you tell me how you can verify with certainty the identity of a commenter, and I'll blow big holes in each and every one of your ideas with a simple workaround.

    No blogging platform that I know of does what you want. Not blogspot, not LiveJournal, not TypePad, none.

  9. "How would anyone know they were made by different people?" :)
    Who cares, can you tell me that?

    Check this:
    http://pioneer-lj.livejournal.com/1284544.html

    People commenting anonymously with no problem. It's called freedom of speech :)

  10. All someone has to do is type "anonymous" into the name field here and put in a fake email address to be anonymous if they wish.

    I just left an anonymous comment on this post on your blog with a fake email address: http://anpuopu.wordpress.com/2009/09/18/wordpress-comments-flaw/ .

    I seriously doubt that wordpress is going to rewrite the core wordpress code and then modify 75+ themes to allow this anytime soon.

    If it is so important to you, then move over to livejournal.

  11. "All someone has to do is type "anonymous" into the name field here and put in a fake email address to be anonymous if they wish."

    Check comment #2 I made using your info and fake email address. Any comments on that? :)

    "If it is so important to you" - this is important to everyone.

    Obviously you don't understand the problem... sorry for bothering you.

  12. mekcm,

    Honestly, I still don't see the real problem. Yes, anyone can pretend to be someone else, but so what? Why would I want to do that?

    That's why you have the option to moderate your comments as a safety barrier against such attempts. Besides, I assume that you are monitoring your comments for any fake comments, are you not? If the commenter has been on your site before you will know if the required email matches the website and vice versa. If the website is unrelated to the comment that would be a tell-tale sign also. I really don't see the issue.

  13. @mekcm, yes you were able to change your comment #2 to my username here, but what would stop you from doing that to anyone's comment including someone who commented anonymously with a system where there was a selection to make an anonymous comment?

    If it were that important to everyone, then these forums would be flooded with people requesting just what you are asking for, and in my nearly three years in these forums, this is the first time this has ever come up for discussion.

    /nod to husdal, I too simply do not see this as a real problem either.

  14. With the system they now have at livejournal, basically if I don't have a LJ account or an open ID, you are forcing me to be a non-person and leave an anonymous comment, when that may not be what I want to do. I may want to be identified but I may not want to get an open ID or a LJ account. I don't like it when I'm forced into being a non-person.

    How would I get around that? Use the ancient yahoo email address I have that has none of my personal information attached to it and get an open ID and then comment on your LJ blog with the name Michael Jackson. It must be my real name, because I have an open ID to go with it, right?

  15. /nod back to the sacredpath

    I didn't think of the changing existing comments option. True. Even if someone makes a logged in comment it is possible for the blog owner to change anything in the comment (name, URL and the comment itself), so anonymity doesn't really make a difference or not.

    If commenters want to play pranks on a blog, there's nothing to stop them.
    If blog owners want to play pranks on comments, there's nothing to stop them.

  16. "yes you were able to change your comment #2 to my username" - incorrect, thesacredpath.

    I made comment #2 using your info as a not-logged-in commenter, from a different computer. This is the difference and the problem.

  17. "Yes, anyone can pretend to be someone else, but so what? Why would I want to do that?"

    husdal, if you ask like this I cannot explain more, sorry.

  18. What exactly am I looking at? First off, that is a self-hosted wordpress blog, not one hosted here at wordpress.COM.

    We can go back and forth on this forever, but the fact is that I doubt any sort of LJ-type comment thing is going to be implemented here because like with everything, there are more sides to the story than just what you want, and my opinion is that far more people are going to be upset with being forced into being a non-person than are going to be worried about fake comments. And again, I can get around the LJ solution easily and make fake comments and you would never know (if I wrote and spoke your language).

    If the LJ solution will work for you, then head over there. You can get a free account with ads in the sidebar and other limitations, or pay $20 per year to get rid of the ads (less than $2 per month as they say).

  19. This is not an "LJ-type comment"; I already explained above what I mean.

    Thanks guys, sorry for bothering you. It doesn't make sense to spend my time anymore...

  20. mekcm: Your comment was never published on Grocery Joke because I use moderation and your comment was very suspicious.

  21. andy:

    Yes, I know :)
    Sorry for using your blog to show the flaw. People don't understand the problem.

  22. This is not a problem. You're essentially expecting everyone on the internet who comments on your blog to have only a single and unique nickname, and expecting wordpress to somehow differentiate each individual.

    When that's clearly undoable, you ask for the opposite end of the spectrum, and that's making almost everyone anonymous.

    There is a way to do it, and that's manually changing the name of everyone who's not logged in to wordpress into "anonymous".
    The gravatar also serves as a way to differentiate between people since email is not shown, so theoretically, only the "real" poster would know what email he put down. Each email is assigned a unique gravatar, so you can do that.
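
The moderation check described in posts 12 and 22 (does the hidden email behind a familiar name or website match what was seen before), sketched as an added example; it is not code from the thread or from WordPress. The comment field names (`name`, `email`, `url`), the helper names and the sample comments are assumptions constructed for illustration.

```python
import hashlib
from urllib.parse import urlparse

def gravatar_hash(email):
    # Gravatar's classic avatar key: MD5 of the trimmed, lower-cased email.
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()

def site_key(url):
    # Reduce the Website field to a bare host: http://WWW.Example.com/x -> example.com
    host = urlparse(url if "//" in url else "//" + url).netloc.lower()
    return host[4:] if host.startswith("www.") else host

def claims(comment):
    # Identity claims a not-logged-in commenter can type freely.
    out = [("name", comment["name"].strip().lower())]
    if comment.get("url"):
        out.append(("website", site_key(comment["url"])))
    return out

def build_index(approved):
    # For every name/website already approved, remember the email hashes seen with it.
    index = {}
    for c in approved:
        for claim in claims(c):
            index.setdefault(claim, set()).add(gravatar_hash(c["email"]))
    return index

def review(comment, index):
    # Reasons to hold the comment for moderation; an empty list means nothing unusual.
    h = gravatar_hash(comment["email"])
    return [f"{kind} '{value}' was previously used with a different email"
            for kind, value in claims(comment)
            if index.get((kind, value)) and h not in index[(kind, value)]]

# Constructed sample data (hypothetical commenters, not taken from the thread).
APPROVED = [{"name": "Alice", "email": "alice@example.com",
             "url": "http://alice.example.com"}]
INDEX = build_index(APPROVED)
SPOOFED = {"name": "alice", "email": "made-up@example.net",
           "url": "http://www.alice.example.com/"}
GENUINE = {"name": "Alice", "email": " Alice@Example.com ", "url": "alice.example.com"}

if __name__ == "__main__":
    print(review(SPOOFED, INDEX))
    print(review(GENUINE, INDEX))
```

A matching email only shows that the commenter knew it, so the result is a signal for the moderation queue, not proof of identity.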

  23. I am wondering what the specific issue is: that people cannot positively be identified online? If the OP made a fake comment, he can easily see the IP is different.

    If he's willing to pay my consulting rate, I'm happy to educate him on ways to determine who is really who online. Internet drama is my fastest-growing consulting area, but I am not cheap.

Topic Closed

This topic has been closed to new replies.
