May 19, 2010
Small Security Hole in WordPress Comments
I was just cleaning up some code on my site and noticed a small security hole in my comments sections. Every time I posted a comment, WordPress automatically added a class that pretty much told everyone my admin login name. The offending class is the “comment-author-admin” class. If you had changed your admin name to bavotasan, then it would read “comment-author-bavotasan”. Not too secure if you ask me.
I created a code snippet that can quickly remove the offending class from every comment. Just add this to your functions.php file:
```php
function remove_comment_author_class( $classes ) {
    // Drop any class that carries the commenter's login name, e.g. "comment-author-admin".
    foreach ( $classes as $key => $class ) {
        if ( strstr( $class, "comment-author-" ) ) {
            unset( $classes[ $key ] );
        }
    }
    return $classes;
}
add_filter( 'comment_class', 'remove_comment_author_class' );
```
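The snippet above simply drops the class, which also drops the ability to style comments by who wrote them. The following variant is an added example, not code from the original post or from WordPress core: it removes every "comment-author-*" class and instead adds a class derived from the commenter's role (for example "comment-role-editor"), so the markup no longer reveals a login name but themes can still target comments by registered users. It uses the comment_class filter with three arguments plus get_comment(), get_userdata() and sanitize_html_class(), all of which are standard WordPress functions; the "comment-role-" and "comment-registered" class names are assumptions made for this example.

```php
/**
 * Added example (not from the original post or WordPress core).
 * Replace the login-revealing "comment-author-{login}" class with a
 * role-based class, keeping comment styling possible without exposing
 * the user_login / user_nicename value in the HTML.
 */
function replace_comment_author_class_with_role( $classes, $class, $comment_id ) {
    // Remove every class that starts with the login-carrying prefix.
    foreach ( $classes as $key => $value ) {
        if ( strpos( $value, 'comment-author-' ) === 0 ) {
            unset( $classes[ $key ] );
        }
    }

    // Only comments left by a registered user have a user_id to look up.
    $comment = get_comment( $comment_id );
    if ( $comment && ! empty( $comment->user_id ) ) {
        $user = get_userdata( $comment->user_id );
        if ( $user && ! empty( $user->roles ) ) {
            // Role slugs are site-wide categories, not per-user identifiers,
            // so they are safe to expose as CSS hooks ("comment-role-editor").
            foreach ( $user->roles as $role ) {
                $classes[] = 'comment-role-' . sanitize_html_class( $role );
            }
        } else {
            // Hypothetical fallback class for registered users with no role data.
            $classes[] = 'comment-registered';
        }
    }

    // Re-index so the array joins cleanly into the class attribute.
    return array_values( $classes );
}
add_filter( 'comment_class', 'replace_comment_author_class_with_role', 10, 3 );
```

The .bypostauthor class is unaffected because it does not use the "comment-author-" prefix, so post-author styling keeps working alongside the role classes. Add the function to your theme's functions.php, the same place the original snippet goes.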
Thanx! Immediately use it in my blog
Thanks for the heads up. Another change to make to all my blogs.
From my point of view this is not really an issue of WordPress itself but of the theme you are using. I only use self-written themes and my comment section is free of these glitches.
If you want to check, you could look into your comments.php to check if it’s coded in there and remove it. (You wouldn’t need the filter you described above and your WordPress can work a few nanoseconds faster.)
It is an issue for WordPress seeing how a core function, comment_class(), displays the username of the person who posted the comment. The default comment list displayed by wp_list_comments() uses the comment class function. If your theme happens to define a custom callback for the comment display and it doesn’t use the comment class function, then this would not be an issue for you. Not using the comment class function, though, removes the ability to style your comments according to who has posted them. See how my comment is styled differently? That is due to the comment class function. If you are not going to take advantage of the latest features of WordPress then you are going to miss out on a lot. Sometimes, though, certain things pass under the radar and little fixes like the one above help people out.
Also, comment.php does show the format for the comment list. If it has been defined in your theme it would be in the functions.php file.
Nice and useful piece of code. Thanks
Thank from Germany too!
Thanx for sharing this info to fix the bug. Keep up the good work.
Somebody should file this as a bug on WordPress.org, maybe it will be fixed in the next update!
This is not a bug, this is intended behavior. Here, it is to allow for the styling of comments by logged in users, authors, and the like. WordPress makes no attempts to hide your login name — it is public, as it would be on most web applications and services — and a sanitized version of it is available both here and in author URLs, for example http://example.com/author/nacin/.
In my opinion, displaying your login name for all to see is a bad idea. If you use the above code, you can still style comments if they are by the post author because you have the .bypostauthor class. The author page and the comment class function take the user_nicename field from the user database. It just so happens that it’s the same as the user_login field. I guess I should write a function to make the user_nicename be based off of your display name instead and that would give the user control over what name is displayed.
Display names are not guaranteed to be unique. Nor are they sanitized for class names or URLs (though it is easy to do that, but you’d still have to ensure uniqueness).
The post author is covered, but what about other contributors on the site? These kinds of subject-specific classes for the body tag (body_class()), posts (post_class()), menu markup, and comment markup are very important for an extensible system such as WordPress to enable customization in every direction possible. Do you use Twitter? You might call it a bad idea in your opinion, but really it’s called commonplace. We need to appropriately balance security by obscurity (which generally doesn’t get you far) and user friendliness.
You can use “bypostauthor” class instead
Yikes! That certainly doesn’t seem very secure at all. I wonder why WordPress comments would show personal information like that. I guess it goes to show ya that people can access any sort of information nowadays. . .even if they aren’t even looking for it. Not only do we have to up the security on our online activity, but yes, we need to clean up our code so it’s neat and tidy.
Thanks, added the solution to your blog. We are waiting for new solutions from you
Hello,
I’m having problems with the comments form of a website. It displays the information of other users in the input fields, so when a user wants to comment on a post, he can see the mail and the name of another user. This is a serious security issue; can anyone help me?
Are you using any plugins for your comments?
Thanks for the heads up. Have you dropped a line to WordPress on this. Seems like something they would want to clean up.
I’m on the core team. You can see my comments above.
I really love this post. Can I add it to my website trendy boy?