The Top Commentator plugin is a neat WordPress plugin: it gives you a good way to reward frequent commentators on your site with a site-wide, followed link. Unfortunately, there is a problem with it that allows a different visitor to your site to essentially hijack the link belonging to a trusted commentator. Because of this, I had previously set the links generated by this widget to nofollow until I could take the time to delve deeper into the PHP and MySQL code behind it. I got around to doing this today and found that the fix should be quite simple.
This may bore/confuse some of you non-programmer types, but here’s what the problem was in the plugin. In a function called “ns_get_user_url”, the URL for each person on the Top Commentator list is retrieved. The MySQL statement that delivers this information looks like this:
SELECT comment_author_url FROM $wpdb->comments WHERE comment_author = '".addslashes($user)."' AND comment_author_url != 'http://' $ns_options[filter_urls] ORDER BY comment_date DESC LIMIT 1
The problem with this query was twofold. First of all, since the query takes the URL from a person’s most recent comment, it allowed a visitor to switch their URL with every new comment. This let them change their URL from one you approved of to one you did not. Secondly, it allowed a different visitor who used the same name to essentially hijack the Top Commentator spot with their own URL. Worse, because the query never checks the comment’s approval status, they could do this even if the comment wasn’t approved or had been sent to the Akismet spam filter!
To remedy this situation, I changed the code for the MySQL statement as follows:
SELECT comment_author_url FROM $wpdb->comments WHERE comment_author = '".addslashes($user)."' AND comment_author_url != 'http://' $ns_options[filter_urls] AND comment_approved = '1' ORDER BY comment_date ASC LIMIT 1
As you can see here, I simply added a check to only retrieve URLs from approved comments and to take the URL from the first comment submitted rather than the most recent one. This should prevent unwanted gaming of the widget.
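To see why both changes matter, here is a small added example of my own (it is not code from the Top Commentator plugin) that runs the original and the fixed query against a constructed comments table in SQLite. It leaves out the $ns_options[filter_urls] fragment, uses a query placeholder where the plugin interpolates addslashes($user) into the string, and names the columns as they are in the WordPress comments table; every row of sample data is invented for the example.

```python
import sqlite3

# Columns of the WordPress comments table that the plugin's query touches.
# Every row below is constructed for this example; none comes from a real site.
TRUSTED_ONLY = [
    # (comment_author, comment_author_url, comment_approved, comment_date)
    ("alice", "https://alice.example", "1", "2008-01-01 10:00:00"),
    ("alice", "https://alice.example", "1", "2008-01-05 12:30:00"),
    ("bob",   "https://bob.example",   "1", "2008-01-02 09:00:00"),
]

# Scenario 1: a later comment under the same name that was never approved.
UNAPPROVED_LATER = TRUSTED_ONLY + [
    ("alice", "https://unapproved.example", "0", "2008-02-01 08:00:00"),
]

# Scenario 2: a later comment under the same name that did get approved.
APPROVED_LATER = TRUSTED_ONLY + [
    ("alice", "https://other-visitor.example", "1", "2008-03-01 08:00:00"),
]

# The plugin's original lookup: newest comment wins, approval status ignored.
ORIGINAL_QUERY = """
    SELECT comment_author_url FROM comments
    WHERE comment_author = ?
      AND comment_author_url != 'http://'
    ORDER BY comment_date DESC LIMIT 1
"""

# The fixed lookup from this post: approved comments only, earliest one wins.
FIXED_QUERY = """
    SELECT comment_author_url FROM comments
    WHERE comment_author = ?
      AND comment_author_url != 'http://'
      AND comment_approved = '1'
    ORDER BY comment_date ASC LIMIT 1
"""


def build_db(rows):
    """Load the constructed rows into an in-memory table shaped like wp_comments."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE comments ("
        "comment_author TEXT, comment_author_url TEXT, "
        "comment_approved TEXT, comment_date TEXT)"
    )
    conn.executemany("INSERT INTO comments VALUES (?, ?, ?, ?)", rows)
    return conn


def get_user_url(rows, user, query):
    """Stand-in for ns_get_user_url: the URL the widget would link for `user`."""
    row = build_db(rows).execute(query, (user,)).fetchone()
    return row[0] if row else None


def compare(rows, user):
    """Return (URL from the original query, URL from the fixed query)."""
    return (get_user_url(rows, user, ORIGINAL_QUERY),
            get_user_url(rows, user, FIXED_QUERY))


if __name__ == "__main__":
    for label, rows in [("unapproved later comment", UNAPPROVED_LATER),
                        ("approved later comment", APPROVED_LATER)]:
        original, fixed = compare(rows, "alice")
        print(f"{label}: original -> {original}, fixed -> {fixed}")
```

In both scenarios the original query hands the link to the later comment, while the fixed query keeps linking Alice’s first approved URL. Note that the lookup is still keyed only on the free-text comment_author name: the fix stops a same-named visitor from replacing the URL, but it does not tell that visitor’s comments apart from the trusted commentator’s; it simply pins the URL from the earliest approved comment.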
Here’s the download link for the updated plugin: Top Commentator Fix
To install it, simply unzip the download file and FTP the file show_top_commentators.php to your /[your website root directory name here]/wp-content/plugins/show_top_commentators folder, overwriting the plugin’s PHP file that’s already there.
If you run into any problems and have any questions about it, please let me know in a comment here.