Top Commentators List Hijack
Sat, 8 March, 2008 – 12:11 pm
For those of you who use the Top Commentators plugin, beware of name hijacking. Jalaj first wrote about this last month at Top Commentators List Hijack, and recently I've been suffering from this myself.
To briefly explain, the plugin builds the top commentators list by counting the number of comments made per commenter name. The name is just a free-text field on the comment form, so it is easily forged, by accident or on purpose, and every forged comment is credited to the name it carries. The plugin then links the name using the URL given on that name's most recent comment. So all anyone has to do is post under someone else's name with their own URL, and they inherit that person's comment count and get a nice little, usually nofollowed, link from your site.
I'd forgotten about this (my head's pretty fuzzy right now with this cold!) but this morning I suddenly twigged when I saw comments sitting in my moderation queue, plus one that I'd actually allowed through. So a quick one-line change later in the plugin and it's all working again: it now counts the number of comments made per email address rather than per name. WordPress doesn't verify the email address either, but unlike the name it isn't shown to other visitors, so an impostor would have to know it rather than just read it off the page and copy it.
So big thanks to Jalaj for making me realise this, and if you want the modified plugin you can grab it here – Show Top Commentators Modified.
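To make the hijack concrete, here is an added example that is not part of the original post or of the plugin's own code: a constructed wp_comments table in SQLite, the original per-name grouping beside the per-email grouping described above, and a check for names that have been used with more than one email address (the pattern worth looking for in the moderation queue). The column names follow WordPress's wp_comments table; the sample rows, hostnames and helper names are made up for the example.

```python
import sqlite3

# Constructed sample rows in the shape of WordPress's wp_comments table
# (column names are WordPress's; the people, emails and URLs are made up).
SAMPLE_COMMENTS = [
    # (comment_ID, comment_author, comment_author_email, comment_author_url, comment_date)
    (1, "Jalaj", "jalaj@example.com", "http://jalaj.example.com", "2008-02-10 10:00:00"),
    (2, "Si Philp", "si@example.org", "http://si.example.org", "2008-02-11 09:00:00"),
    (3, "Jalaj", "jalaj@example.com", "http://jalaj.example.com", "2008-02-12 11:00:00"),
    (4, "Jalaj", "jalaj@example.com", "http://jalaj.example.com", "2008-02-13 12:00:00"),
    # Hijack attempt: the same display name, but an attacker-chosen email and URL.
    (5, "Jalaj", "spam@attacker.example", "http://attacker.example/", "2008-03-07 08:00:00"),
]


def build_db():
    """Create an in-memory wp_comments table populated with SAMPLE_COMMENTS."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE wp_comments (
               comment_ID           INTEGER PRIMARY KEY,
               comment_author       TEXT,
               comment_author_email TEXT,
               comment_author_url   TEXT,
               comment_date         TEXT,
               comment_approved     TEXT DEFAULT '1')"""
    )
    conn.executemany(
        "INSERT INTO wp_comments (comment_ID, comment_author, comment_author_email, "
        "comment_author_url, comment_date) VALUES (?, ?, ?, ?, ?)",
        SAMPLE_COMMENTS,
    )
    return conn


# The grouping column is interpolated into the SQL, so it is restricted to this
# whitelist and must never be taken from request input.
GROUP_KEYS = ("comment_author", "comment_author_email")


def top_commentators(conn, key, limit=10):
    """Return [(display_name, comment_count, url)] over approved comments, grouped by `key`.

    key="comment_author"       reproduces the original plugin's behaviour (hijackable).
    key="comment_author_email" is the fix: the list is keyed on a field other commenters cannot see.
    As in the plugin, the name and URL shown come from the group's most recent comment.
    """
    if key not in GROUP_KEYS:
        raise ValueError(f"unsupported grouping column: {key!r}")
    sql = f"""
        SELECT lc.comment_author, g.n, lc.comment_author_url
          FROM (SELECT {key} AS k, COUNT(*) AS n, MAX(comment_ID) AS last_id
                  FROM wp_comments
                 WHERE comment_approved = '1'
                 GROUP BY {key}) AS g
          JOIN wp_comments AS lc ON lc.comment_ID = g.last_id
         ORDER BY g.n DESC, g.last_id ASC
         LIMIT ?"""
    return [tuple(row) for row in conn.execute(sql, (limit,))]


def name_collisions(conn):
    """Names used with more than one email address: the signature of a hijack
    attempt, worth checking against the moderation queue before approving."""
    sql = """
        SELECT comment_author, COUNT(DISTINCT comment_author_email)
          FROM wp_comments
         GROUP BY comment_author
        HAVING COUNT(DISTINCT comment_author_email) > 1"""
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    conn = build_db()
    print("Keyed on name (original plugin):")
    for row in top_commentators(conn, "comment_author"):
        print("  ", row)
    print("Keyed on email (modified plugin):")
    for row in top_commentators(conn, "comment_author_email"):
        print("  ", row)
    print("Names seen with several emails:", name_collisions(conn))
```

Keyed on name, the single forged comment lifts "Jalaj" to four comments and points the link at the attacker's URL; keyed on email, the real Jalaj keeps three comments and his own URL, and the impostor sits at the bottom of the list with one comment under a separate entry. The collision check is the cheap way to spot the attempt before it reaches the list at all.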


I hate spammers with a vengeance. Anything that stops these lowlifes getting some dodgy link on a good website is always a good thing.
I've had a lot of referral spam lately; if it's not one thing it's another. I have started blocking IP ranges now.
By Si Philp on Sat, 8 March, 2008
Spam is certainly getting to be a bigger and bigger problem. I've noticed more humanised spam (as opposed to automated) appearing on particular posts.
By Sarah on Sat, 8 March, 2008
Thanks Sarah, for bringing out the modified plugin. I was not aware of this branch (or whatever we call it, as it is different from that available at wordpress.org). I will include a reference to this version and the modified plugin from your site…
Congratulations on being the first one (at least to my knowledge) to implement a hack-proof Top Commentator List.
By Jalaj on Sun, 9 March, 2008
No problem Jalaj, thanks for bringing the issue to my attention
By Sarah on Sun, 9 March, 2008
Hi, Sarah
How are you?
You have an interesting blog. I do not use the top commentators WP plugin on my blogs but anyway, thanks for the heads up.
Abas
aispecial.blogspot.com
By Abas on Tue, 11 March, 2008
I noticed this. That's why I took it off my site. Plus I haven't been getting any good commenters anyway. Just spam. No real people. So I see no point in it anymore.
By Jenny on Tue, 11 March, 2008
Jenny, you get tonnes of comments! Or do you just wonder whether they're actually interested in what you've written, or just commenting for the sake of getting a link back to their site?
I know the plugin allows you to blacklist certain names, of course now that should really be email addresses. If someone isn't actually adding to the comments then why let them into the prestigious top commentators list?
By Sarah on Tue, 11 March, 2008
Thanks Sarah for this pickup and modified plugin. I had wondered myself what happened if more than one user with the same name was leaving comments.
By Ian on Sat, 15 March, 2008
No problem Ian
By Sarah on Sat, 15 March, 2008
Wow, thanks! I have been suffering from this myself. Bloody spammers!
By Anon on Sun, 16 March, 2008
No problem, although I'd rather have your real name in the comments
By Sarah on Tue, 18 March, 2008
Wow. That is a pretty big issue with the plugin. Man… if I wasn't a nice girl I'd be really tempted to try that out. But alas… my morals prevail.
By Kate B on Tue, 18 March, 2008
Kate, I know the feeling. I'm surprised it's not been written about more to be honest. I guess a lot of people aren't realising the plugin is being abused.
By Sarah on Tue, 18 March, 2008
Thanks for this pickup and modified plugin. I had wondered myself what happened if more than one user with the same name was leaving comments.
By amrita on Thu, 29 January, 2009