WordPress Patches

I use WordPress on my personal blog. I've had a bit of an ongoing battle with spammers, although fortunately not to the extent larger sites have. There are several plugins that can help, but for my relatively low traffic, I felt just a simple fix was all I needed. I won't be surprised if I'm proven wrong though, as I was once already.

Adding a simple validation code to comments

Spammers generally to post to WordPress sites by directly calling the wp-comments-post.php script. One simple way to limit their ability to do this, while still leaving comments open is to add an extra field to the wp-comments.php form that is echekd for valid data by wp-comments-post.php. I've implemented the idea on my own site by requiring posters to enter the first word of the post title in an extra form field I've entered.

The following patches apply to WordPress v1.2.2, and enable the validation code. They also include the regonly feature below, so if you use these patches, you don't need the first tow in the next secion.

wp-comments.vc-ro.patch - patches wp-comments.php to prompt the user for a validation code, checks if a user is registered before allowing comments to be added to posts that have a comment_status of 'registered_only'.
wp-comments-post.vc-ro.patch - patches wp-comments-post.php to check that the validation code filed is present in the http-post data, and that it contains the first letter of the the post_title. It also adds the checkif ure the users name and password are valid for posts with a comment_status of 'registered_only'. A regex logic error that caused an earlier version of this patch to always accept empty validation codes has been fixed.

- updated 2005-02-06

Enabling 'registered_only' comments

The comment_status field in wp_posts table is set to enum('open', 'closed', 'registered_only'), but as far as I could tell, 'registered_only' didn't do anything. At least it didn't do what I expected when I set the comment_status to that value by editing the database directly. I had incorrectly assumed that it meant only registered users could post comments on against the story.

The following patches, which apply to WordPress v1.2.2, change four files to enable registered only commenting:

wp-comments.regonly.patch - patches wp-comments.php to check if a user is registered before allowing comments to be added to posts that have a comment_status of 'registered_only'.
wp-comments-post.regonly.patch - patches wp-comments-post.php so it checks a the users name and password are valid for posts with a comment_status of 'registered_only'. The password check was added to make spoofing of a cookie a little harder to do (i.e., one can't simply set a cookie with a username in it).
options-discussion.regonly.patch - patches wp-admin/options-discussion.php to allow the blog admin to set any of the valid settings for comment_status as the default. It evaluates the enum values from the database to get the list, and creates a radio button list instead of the single checkbox in the stock WordPress.
edit-form-advanced.regonly.patch - patches wp-admin/edit-form-advanced.php to show all valid options for the comment_status by replacing the checkbox with a radio button list of the options.

- updated 2004-12-14

Comments and bug reports are welcome. I've tested the combinations I can think of, but others may find some I didn't consider. The tests of wp-comments-post.php were done with a simple HTML form that tried to post directly to the script without going through WordPress.

All patches are released under the same license as the application being patched.