Howto: Comment Email Authentication

Topic: Meta 14 years, 10 months ago

(Note: Just in case it wasn’t obvious, this method quickly became problematic thanks to bouncing emails from spammers, and in any case is now obsolete thanks to Akismet.)

Digital Kaleidoscope readers who have posted a comment will know that I have a system in place where your email address must be verified before comments get posted. Hopefully you only found it a small inconvenience since you only ever need to do it once (per email address).

What Does It Do? Why?

The benefit of this system is that it helps stop comment spam from appearing on the site. When a comment is posted here, an email is sent out to the email address given and you need to visit a link in the email before the comment will show up here on the blog. In the meantime, the comment sits in a moderation queue.

Spammers (whether real people or automated) who post comment spam usually use fake email addresses and thus those comments will remain in the moderation queue and not show up at all. I regularly check the moderation queue to delete those comments (or approve other comments). This is still a bit of a hassle as it requires work from me, but at least it means readers never have to see unsightly and often obscene comment spam.

There is also a chance of them figuring out their spam comments aren’t posting, so they’ll stop trying to post comment spam here in the future. I’m sure this is just wishful thinking, but hey it’s good to be optimistic! :D

How To Set It Up

Today, I received a message from a reader who left a comment on my blog earlier this year, wanting to know how to implement something similar on his blog. I’ve decided to post a guide here so that anybody who is interested in doing this can learn from my experiences.

First of all, I’ve only done this with WordPress 1.5.2, the blogging software that powers this blog. So if you’re using another tool to run your blog, you’ll need to look elsewhere for help. Sorry!

  1. What makes all this possible is the wonderful plugin for WordPress over at called Comment Authorization. (Thanks, Skippy!) Download this plugin.
  2. Follow the instructions provided to install it, remembering to change the $seed variable in both the PHP files and to put moderation.php in the root directory of your blog — not the plugin directory. Don’t forget to activate the plugin!
  3. Next, you’ll want to change a few settings for your blog.
    • Log in to your WordPress installation and go to Options for Discussions.
    • Under the group ‘Before a comment appears’, make sure ‘Comment author must fill out name and e-mail’ is checked. WordPress will then check to make sure people supply a valid email address when entering a comment (or they’ll never get the email asking them to verify it).
    • Also check the option ‘Comment author must have a previously approved comment’. This will put any comment from an email address that has not previously been manually approved or verified into the moderation queue (and cause a verification email to be sent out), which is what currently happens here.
    • If you want to be a bit more paranoid, you can also check the first option, ‘An administrator must approve the comment (regardless of any matches below)’. This will send all comments to the moderation queue every single time. This has the advantage of making sure nobody can simply enter someone else’s email address that has already been verified, but it increases the inconvenience for your readers dramatically. When Digital Kaleidoscope first launched, enough people complained that I had to scrap this immediately. But hey, it’s still used by sites like Engadget. I guess if your readership wants to post comments badly enough, they’ll live with it.
  4. If you can be bothered, you can customise the confirmation pages that are displayed when you post a comment or verify your email address. The generic ones are… very generic! ;) To do this, edit moderation.php again.
    • Find the section from: <head> to </head> and replace all of it with your header code (e.g. <?php get_header(); ?>).
    • Next, find all the echo statements in the block containing <h2>Thank you for your comment!</h2>. This section contains what’s shown when a user submits a comment that needs to be moderated. I suggest you explain to your readers what’s happening, why and what they need to do about it.
    • To change the message shown when an email address is successfully verified, replace the section between // mom always taught me to say thank you and } elseif (($md5 == $x) && ($reject)) {.
    • The section following that shows when the person responding to the email chooses to delete the comment, up to } else {.
    • The remaining section shows when some sort of error has been encountered. You can remind your readers that genuine comments can be manually approved by moderators. Edit up to } ?>
  5. Lastly, you can also edit the emails that are sent out to people posting comments. The template is stored in commentauth.php in the plugin directory. Edit the variable $message to customise the emails that get sent out.
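
Why step 2 has you change $seed in both files, shown as an added example that is not the Comment Authorization plugin's code: the file that sends the email and moderation.php must derive the same token from the same secret, or no link will ever verify. The function names and sample values are hypothetical, HMAC-SHA256 with hash_equals() is used here in place of the MD5 value and == comparison visible in the snippets above, and PHP 5.6 or later is assumed.

```php
<?php
// Added example, not the Comment Authorization plugin's code.
// All function names and sample values here are hypothetical.

// The secret both files must agree on (the role $seed plays in step 2).
$seed = 'replace-with-a-long-random-secret'; // constructed placeholder

// Token placed in the emailed link. It covers the comment ID, the address
// and the action, so a link issued for one comment or action does not
// validate for another.
function make_token($seed, $comment_id, $email, $action)
{
    $data = implode('|', array((int) $comment_id, strtolower(trim($email)), $action));
    return hash_hmac('sha256', $data, $seed);
}

// Check a token taken from the query string. hash_equals() compares in
// constant time and as raw strings; == would compare numeric-looking
// strings such as '0e12' and '0e34' as numbers.
function check_token($seed, $comment_id, $email, $action, $supplied)
{
    if (!is_string($supplied) || !in_array($action, array('approve', 'reject'), true)) {
        return false;
    }
    return hash_equals(make_token($seed, $comment_id, $email, $action), $supplied);
}

// Constructed sample: the mailer issues an approve link for comment 41.
$email = 'reader@example.com';
$token = make_token($seed, 41, $email, 'approve');

$cases = array(
    'link used as issued'              => check_token($seed, 41, $email, 'approve', $token),
    'same token, different comment'    => check_token($seed, 42, $email, 'approve', $token),
    'same token, action changed'       => check_token($seed, 41, $email, 'reject', $token),
    'moderation.php has another $seed' => check_token('some-other-seed', 41, $email, 'approve', $token),
);

foreach ($cases as $label => $ok) {
    echo str_pad($label, 34), $ok ? 'accepted' : 'refused', "\n";
}
```

Only the link used as issued is accepted; the other three cases are refused, including the one where the two files hold different seeds.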

That should be all there is to it! Please let me know if you have any problems or if I’ve got something wrong. You can always check to see if any issues you’re having have been discussed over at
