Top Commentator Fix Available

The Top Commentator plugin is a neat WordPress plugin since it gives you a good way to reward frequent commentators on your site with a site-wide, followed link. Unfortunately, there is a problem with it that allows a different visitor to your site to essentially hijack the link earned by a trusted commentator. Because of this, I had previously set the links generated by this widget to nofollow until I could take the time to delve deeper into the PHP and MySQL code behind this widget. I got around to doing this today and found that the fix should be quite simple.

The Fix

This may bore or confuse the non-programmers among you, but here is what the problem was in the plugin. A function called “ns_get_user_url” retrieves the URL shown for each person on the Top Commentator list. The MySQL statement that delivers this information (it is built inside a PHP string, which is why you see the addslashes() call and the $ns_options variable in it) looks like this:


SELECT comment_author_url
FROM $wpdb->comments
WHERE comment_author = '".addslashes($user)."'
AND comment_author_url != 'http://'
$ns_options[filter_urls]
ORDER BY comment_date DESC LIMIT 1


The problem with this query was twofold. First, because it orders by comment_date DESC, the URL shown was whatever the commentator gave on their newest comment, so a visitor could switch their URL with every new comment, from one you had approved of to one you did not. Second, because the only identity check is the display name in comment_author, a different visitor who used the same name could hijack the Top Commentator spot with their own URL. Worse, the query never looks at comment_approved, so a comment that was still awaiting moderation, or one that Akismet had already flagged as spam, was enough to do it!

To remedy this situation, I changed the code for the MySQL statement as follows:


SELECT comment_author_url
FROM $wpdb->comments
WHERE comment_author = '".addslashes($user)."'
AND comment_author_url != 'http://'
$ns_options[filter_urls]
AND comment_approved = '1'
ORDER BY comment_date ASC LIMIT 1


As you can see here, I simply added a check to only retrieve URLs from approved comments, and to take the URL from the first approved comment that person submitted rather than their latest one. A name-squatter's comment therefore cannot win the spot unless it is approved, and even then it comes after the real commentator's first approved comment. The trade-off is that the link is now pinned to a commentator's first approved URL: if they later move their site, the widget keeps showing the original address. This should prevent unwanted gaming of the widget.
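To see the two queries side by side, here is an added example (not part of the plugin or the original post) that builds a small wp_comments table in SQLite and runs the original and the fixed query against it. The table name wp_comments stands in for $wpdb->comments (the default WordPress prefix), the $ns_options[filter_urls] fragment is assumed to be empty, a ? placeholder stands in for the addslashes() string building, and all rows are constructed sample data. The sample includes a later approved comment by the real commentator with a new URL, to show that the fix pins the link to the first approved comment.

```python
"""Original vs. fixed ns_get_user_url query, run on a constructed comments table."""
import sqlite3

# Constructed sample data: five comments under the same display name.
# Columns mirror the wp_comments columns the plugin's query touches.
# comment_approved uses the WordPress values: '1' approved, '0' pending, 'spam'.
SAMPLE_COMMENTS = [
    # (comment_author, comment_author_url,      comment_approved, comment_date)
    ("Denise", "http://",                     "1",    "2008-04-01 10:00:00"),  # placeholder URL, skipped
    ("Denise", "http://denise.example/",      "1",    "2008-04-02 10:00:00"),  # first real approved comment
    ("Denise", "http://denise-new.example/",  "1",    "2008-04-10 10:00:00"),  # same person, new URL, approved
    ("Denise", "http://spammer.example/",     "spam", "2008-05-03 10:00:00"),  # same name, Akismet-flagged
    ("Denise", "http://pending.example/",     "0",    "2008-05-04 10:00:00"),  # same name, awaiting moderation
]

# The plugin's original query: newest comment wins, approval never checked.
ORIGINAL_QUERY = """
SELECT comment_author_url
FROM wp_comments
WHERE comment_author = ?
AND comment_author_url != 'http://'
ORDER BY comment_date DESC LIMIT 1
"""

# The fixed query from the post: approved comments only, earliest one wins.
FIXED_QUERY = """
SELECT comment_author_url
FROM wp_comments
WHERE comment_author = ?
AND comment_author_url != 'http://'
AND comment_approved = '1'
ORDER BY comment_date ASC LIMIT 1
"""


def build_comments_table(rows=SAMPLE_COMMENTS):
    """Return an in-memory SQLite connection holding the constructed comments."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE wp_comments (
               comment_ID         INTEGER PRIMARY KEY,
               comment_author     TEXT,
               comment_author_url TEXT,
               comment_approved   TEXT,
               comment_date       TEXT)"""
    )
    conn.executemany(
        "INSERT INTO wp_comments "
        "(comment_author, comment_author_url, comment_approved, comment_date) "
        "VALUES (?, ?, ?, ?)",
        rows,
    )
    return conn


def get_user_url(conn, query, user):
    """Run one of the two queries for a display name; None if no row matches."""
    row = conn.execute(query, (user,)).fetchone()
    return row[0] if row else None


def compare(user="Denise", rows=SAMPLE_COMMENTS):
    """Return the URL each query would show in the widget for `user`."""
    conn = build_comments_table(rows)
    try:
        return {
            "original": get_user_url(conn, ORIGINAL_QUERY, user),
            "fixed": get_user_url(conn, FIXED_QUERY, user),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for name, url in compare().items():
        print(f"{name:8s} -> {url}")
```

Running it shows the original query handing the followed link to the pending (never approved) comment's URL, while the fixed query returns the first approved URL and ignores both the impersonator's rows and the real commentator's later change of address. The ? placeholder is SQLite's parameter binding; in a WordPress plugin the equivalent is $wpdb->prepare(), which is the idiomatic replacement for escaping the name with addslashes() as the plugin does.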

The Download

Here’s the download link for the updated plugin: Top Commentator Fix

To install it, simply unzip the download file and FTP the file show_top_commentators.php to your /[your website root directory name here]/wp-content/plugins/show_top_commentators folder, overwriting the plugin’s PHP file that is already there.

If you run into any problems and have any questions about it, please let me know in a comment here.


20 Comments »

Comment by Houseboat Rentals
2008-05-04 19:59:34

I had just heard about the hijacking issue with the top commenter plug-in. So I stopped adding it to my new blogs (not that I get many comments anyway). But if all goes well with Vic’s contest I hope to finally learn how to get traffic to my blogs, hence getting more comments.

I will be trying your plug-in and let you know for sure if I have any issues.

Thanks

Denise

Comment by jfc
2008-05-05 11:02:31

Hi Denise,

Let me know if you run into any problems with it.

Comment by Link Building Bible
2008-05-05 13:13:24

I will be implementing this…. thanks for pointing out this fix… My blog isn’t big enough yet for people to even be attempting to hijack my top commenters…

Comment by jfc
2008-05-05 13:31:40

Hi Link Building,

The main thing that I was surprised to find out from this was that a post that got Akismet’ed could change the Top Commentator URL.

People go after newer and lower traffic blogs too, especially if they have PR. It’s all about getting that followed link, you know.

Comment by Chetan
2008-05-07 15:53:47

I saw this URL hijack happening in my blog and so wanted a fix for that! Commentators with more than 20 comments see their name linked to some other websites; it’s just odd.
Thanks for the fix.

Comment by jfc
2008-05-07 16:11:57

You’re welcome Chetan. I hope it helps.

Comment by Judy Online
2008-07-11 09:14:39

Another Top Commentator impersonation attempt. This one is from IP: 195.69.246.56. I’ve added it to my spam IP list.

This is what my Top Commentator fix protects against.

2008-07-17 07:34:20

Thanks, Frank. I’m putting this into place now.

Comment by gossip
2008-09-01 02:52:43

Thanks Frank for the fix :)

Comment by polls
2008-10-10 13:55:38

nice site thanks for the information.

Comment by Rob @ Nichemate
2008-11-01 10:55:01

Thanks for this Frank just installed it on my new blog. I assume it all works fine. Hard to tell with no comments and being the first of the month ;)

Comment by Lucy How
2008-12-26 06:01:15

Well, I’m also going to install this on my new blog, but history suggests nothing works for me at the very first try. So I’ll be back with my set of problems if it doesn’t work :)

thanks in advance.

Comment by Lorecee
2009-07-16 19:51:21

One of the gurus just started flogging a piece of software that finds and exploits this loophole, so this fix is much appreciated.

Comment by SirNicolaus
2009-07-25 14:54:09

Thanks for the tip, I was wondering how they did that.

Comment by Ronald Redito
2009-08-01 02:48:15

I have realized the same problem with my blog. Thanks for the great info for bloggers.

Comment by Lorecee
2009-08-01 09:53:55

I just got the plug-in working this morning (yay!) and have a couple of comments.

There are other plug-ins of this type out there, but the one that Frank wrote the fix for is “show top commentators” by Nate Sanden (Google it). Nate’s plug-in is older and doesn’t support widgets unless you add the ExecPHP plug-in. Nate has the download link on his support page and tells you how to use it to make his top commentators plug-in show up in your widget menu.

The code in Frank’s fix makes the top commentator links nofollow. If I want to make them dofollow, do I need to change the CHMOD permissions in my FTP in order to go in and take the nofollow out? Should I change the permissions back after I do the rewrite?

Thanks again for providing this fix.

Comment by jenson relief
2009-08-05 02:25:23

I’m not only hijacked by other people, but my blog is hacked by hackers from Israel. All my data is lost and my host does not have a backup.

Comment by Carol@Stress Eating
2009-08-10 21:18:22

I appreciate this - I hate it when someone hijacks my links!

Comment by Private Profiles
2009-08-11 14:18:07

I just had to go through this on one of my sites

2009-08-16 14:22:39

Yeah, that would piss me off if I had been commenting for months and had my site-wide backlinks stolen! They call this “Gray Hat” but I would think it’s a little darker than that! Anyway, timely fix Frank, thanks.
