MacStansbury

A while back, when I was still using the concept of ‘comments’ at another site, I had the idea that the WordPress registration system would be infallible. In my fantasy-land, only people with verifiable email addresses would be able to comment on posts. It was a lovely fantasy.

But it didn’t last long. Within days I found out how easy it was to auto-register a log-in, and then post malicious content. It didn’t help that I was using Spam Karma 2, also known as “trust but verify…at some point in the future…maybe….” It changed a lot of behaviors so that it didn’t really stop any spam, but it did let people post without the WordPress built-in moderation controls.

[I should point out, this is how it worked for me, but it might work for you a lot better. YMMV - John]

After removing Spam Karma (which worked about as well as the built-in Akismet), the moderation controls for WordPress returned. That includes moderating trackbacks and first-time comment posts. However, I was looking for a plugin that would keep evil people from registering and commenting on my site. While no such plugin exists (that I know of), I did find something in the WordPress support forum.

It was the work of kwesitn in the WordPress forums that showed me what to do, so here’s what this person said (check the cut and past technique):

I found a solution that worked for me. Instead of having the email with the username and password be sent to the registrant, I tweaked it so that it comes to me. If I want to approve the user I then just forward the email on to the user. Here is a summary of what I changed:

In wp-includes/pluggable-functions.php

I changed this function on line 427 [It’s now about line 478 - John] or so from this:

wp_mail($user_email, sprintf(__(’[%s] Your username and password’), get_settings(’blogname’)), $message);

To this:

wp_mail(’webmaster@mydomain’, sprintf(__(’[%s] Your username and password’), get_settings(’blogname’)), $message);

So the user does not get their username and password without me sending it to them. This could probably be turned into a plugin pretty easily…and would do it when I have some time.

Amazingly, I put in the webmaster@mydomain.com, and it worked. Notice the only thing that changes is the line “$user_email” to “webmaster@whateverdomain.org” (your domain name). Changing that will then send the registration emails to your chosen address, be it your main email address or some Gmail account set up for comments.

The technique I used was to add some content to the registration email, going from something like this:

Username: Hip Now WIth It User
Password: 5555555
http://hip-with-it-domain.org/wp-login.php

To this:

Welcome! We’re glad you registered with us, and we want your user experience to be the best it can be.

Take some time and fill out the user information when you use your log-in:

Username: Hip Now WIth It User
Password: 5555555

Get there by clicking this link:

http://hip-with-it-domain.org/wp-login.php

!!! IMPORTANT !!!

It’s best that you change your password after you first log in, as a human has already seen the password you’re using now. You can change it on the user profile screen.

The benefits are that you will probably remember the password, and the site owner won’t be able to use their blog-given god complex to control all your words and actions. Not that changing your password will help that, it just makes people feel better when I say that.

!!! KEEP UP TO DATE !!!

Also, you can follow all the action that happens by getting the RSS feed here:

http://hip-with-it-domain.org/feed/

And bookmark the site so you can visit the site 17 times a day. Just like me.

Of course, you’re free to edit that reply however you desire, but the one like of code you change will be the most important thing. The rest is just butta.