May 19, 2010

Small Security Hole in WordPress Comments

by | Posted in Tutorials | 22 comments

I was just cleaning up some code on my site and noticed a small security hole in my comments section. Every time I posted a comment, WordPress automatically added a class that pretty much told everyone my admin login name. The offending class is the “comment-author-admin” class. If you had changed your admin name to bavotasan, then it would read “comment-author-bavotasan”. Not too secure if you ask me.

I created a code snippet that can quickly remove the offending class from every comment. Just add this to your functions.php file:

// Strip the "comment-author-<user_nicename>" class that comment_class() adds,
// so the rendered comment markup no longer reveals the commenter's login name.
function remove_comment_author_class( $classes ) {
	foreach ( $classes as $key => $class ) {
		// strstr() returns the matched tail of the string (truthy) or false
		if ( strstr( $class, 'comment-author-' ) ) {
			unset( $classes[$key] );
		}
	}
	return $classes;
}
add_filter( 'comment_class', 'remove_comment_author_class' );
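To check whether a theme still leaks the login slug after a change like the one above, the following added example (not part of the original post) scans rendered comment markup for `comment-author-<slug>` classes and for `/author/<slug>/` links, which expose the same user_nicename. The HTML it scans is a constructed sample.

```python
"""Audit rendered WordPress markup for leaked user slugs (constructed sample).

Reports every user_nicename exposed through a comment-author-<slug> class
or an /author/<slug>/ link, the two places the post and its comments name.
"""
from html.parser import HTMLParser
import re

CLASS_PREFIX = "comment-author-"
AUTHOR_URL = re.compile(r"/author/([^/?#]+)/?")


class SlugCollector(HTMLParser):
    """Collects slugs from class attributes and author archive links."""

    def __init__(self):
        super().__init__()
        self.found = {}  # slug -> set of sources ("class" or "url")

    def _add(self, slug, source):
        self.found.setdefault(slug, set()).add(source)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None:
                continue
            if name == "class":
                # "comment-author" (the vcard wrapper) has no trailing dash
                # and is not matched; only "comment-author-<slug>" is.
                for cls in value.split():
                    if cls.startswith(CLASS_PREFIX):
                        self._add(cls[len(CLASS_PREFIX):], "class")
            elif name == "href":
                m = AUTHOR_URL.search(value)
                if m:
                    self._add(m.group(1), "url")


def leaked_slugs(html):
    """Return {slug: sorted list of sources} for every exposed user slug."""
    p = SlugCollector()
    p.feed(html)
    return {s: sorted(src) for s, src in p.found.items()}


# Constructed markup: one comment by the admin account, one by a guest,
# plus an author archive link as WordPress emits it.
SAMPLE_HTML = """
<li class="comment byuser comment-author-admin bypostauthor even depth-1">
  <div class="comment-author vcard"><cite>c.bavota</cite></div></li>
<li class="comment odd alt depth-1"><cite>Guest</cite></li>
<a href="http://example.com/author/nacin/">Posts by nacin</a>
"""

if __name__ == "__main__":
    for slug, sources in sorted(leaked_slugs(SAMPLE_HTML).items()):
        print(f"{slug}: exposed via {', '.join(sources)}")
```

The `bypostauthor` class is deliberately not reported, since it marks a role rather than naming an account.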

About the author:

A freelance web developer living in Montreal who spends most of his time writing for this site and building Premium themes for WordPress. You can find him on Twitter @bavotasan.


Discussion 22 Comments

  1. eavasi on May 20, 2010 at 3:58 am

    Thanks! Immediately used it in my blog.

  2. Guy on May 21, 2010 at 9:12 am

    Thanks for the heads up. Another change to make to all my blogs.

  3. Knut on May 24, 2010 at 6:07 am

    From my point of view this is not really an issue of WordPress itself but of the theme you are using. I only use self-written themes and my comment section is free of these glitches.

    If you want to check, you could look into your comments.php to check if it’s coded in there and remove it. (You wouldn’t need the filter you described above and your WordPress can work a few nanoseconds faster ;) )

    • c.bavota on May 24, 2010 at 11:27 am

      It is an issue for WordPress seeing how a core function, comment_class(), displays the username of the person who posted the comment. The default comment list displayed by wp_list_comments() uses the comment class function. If your theme happens to define a custom callback for the comment display and it doesn’t use the comment class function, then this would not be an issue for you. Not using the comment class function, though, removes the ability to style your comments according to who has posted them. See how my comment is styled differently? That is due to the comment class function.

      If you are not going to take advantage of the latest features of WordPress then you are going to miss out on a lot. Sometimes, though, certain things pass under the radar and little fixes like the one above help people out.

      Also, comment.php does show the format for the comment list. If it has been defined in your theme it would be in the functions.php file.

  4. Theo on May 24, 2010 at 10:33 pm

    Nice and useful piece of code. Thanks

  5. Tom on May 26, 2010 at 5:32 am

    Thanks from Germany too! :)

  6. Dadhakumar on May 28, 2010 at 2:25 pm

    Thanks for sharing this info to fix the bug. Keep up the good work.

  7. James Parsons on August 27, 2010 at 4:19 pm

    Somebody should file this as a bug on WordPress.org, maybe it will be fixed in the next update!

  8. Andrew Nacin on August 27, 2010 at 4:43 pm

    This is not a bug, this is intended behavior. Here, it is to allow for the styling of comments by logged in users, authors, and the like. WordPress makes no attempts to hide your login name — it is public, as it would be on most web applications and services — and a sanitized version of it is available both here and in author URLs, for example http://example.com/author/nacin/.

    • c.bavota on August 27, 2010 at 5:25 pm

      In my opinion, displaying your login name for all to see is a bad idea. If you use the above code, you can still style comments if they are by the post author because you have the .bypostauthor class.

      The author page and the comment class function take the user_nicename field from the user database. It just so happens that it’s the same as the user_login field. I guess I should write a function to make the user_nicename be based off of your display name instead and that would give the user control over what name is displayed.

    • Andrew Nacin on August 27, 2010 at 7:07 pm

      Display names are not guaranteed to be unique. Nor are they sanitized for class names or URLs (though it is easy to do that, but you’d still have to ensure uniqueness).

      The post author is covered, but what about other contributors on the site? These kinds of subject-specific classes for the <body> tag (body_class()), posts (post_class()), menu markup, and comment markup are very important for an extensible system such as WordPress to enable customization every direction possible.

      Do you use Twitter? You might call it a bad idea in your opinion, but really it’s called commonplace. We need to appropriately balance security by obscurity (which generally doesn’t get you far) and user friendliness.

  9. Tom@Dresses For Girls on February 1, 2011 at 1:25 pm

    You can use the “bypostauthor” class instead.

  10. Videncia on February 1, 2011 at 7:17 pm

    Thanks from Germany too!

  11. proximity card on February 22, 2011 at 11:28 am

    Yikes! That certainly doesn’t seem very secure at all. I wonder why WordPress comments would show personal information like that. I guess it goes to show ya that people can access any sort of information nowadays... even if they aren’t even looking for it. Not only do we have to up the security on our online activity, but yes, we need to clean up our code so it’s neat and tidy. ;)

  12. cheap retro jordans shoes on March 5, 2011 at 9:16 pm

    Thanks from Germany too!

  13. Ginom on March 6, 2011 at 5:57 am

    Thanks, added the solution to your blog. We are waiting for new solutions from you

  14. Andres Londoño on March 26, 2011 at 8:13 pm

    Hello,

    I’m having problems with the comments form of a website. It displays the information of other users in the input fields, so when a user wants to comment on a post, he can see the email and the name of another user. This is a serious security issue; can anyone help me?

    • c.bavota on March 28, 2011 at 10:59 am

      Are you using any plugins for your comments?

  15. Bret Sallee on April 5, 2011 at 2:01 pm

    Thanks for the heads up. Have you dropped a line to WordPress on this? Seems like something they would want to clean up.

    • Andrew Nacin on April 9, 2011 at 9:18 am

      I’m on the core team. You can see my comments above.

  16. yohimbine hcl on April 28, 2011 at 12:31 pm

    Have you dropped a line to WordPress on this? Seems like something they would want to clean up.

  17. marry on May 2, 2011 at 7:40 am

    I really love this post. Can I add it to my website trendy boy?