|
Apr 27
|
Two Line Avatar Hack for Wordpress CommentsFiled under
|
Only 2 (!) simple lines of code to have avatar support for your Wordpress comments with gracefull fail-over from Gravatar.com to Mybloglog.com, all without plugins… just add to your comments.php in the comments loop wherever you would like to see the Avatars/commenter photos placed:
The code for gravatar image URL is taken from Tom Werner’s simple gravatar.php plugin, the failover to Mybloglog was my idea.
Note that the commenter email address must be URL encoded twice, because the gravatar.com script otherwise strips out the @ symbol.
Plus this makes for minimal protection from email phishing bots. Better would be to have Mybloglog adopt Gravatar’s md5 encoding of the Email address.
If MyBlogLog also had the "&default=[url]" failover support, this could be chained to support further avatar service providers. Since it doesn’t, the chain stops with their somewhat ugly and small default (the grey square with the question mark).
And this also represents one fly in the ointment: MyBlogLog could at least make the size of that default the same size as the avatars their "coiserv.php" script serves - 48 x 48 pixels. I am going to talk to someone at Yahoo about this who might be able to pass it on to the right people.
To get the code, right-click and "Select All", then copy and paste to your theme’s comments.php template where you want the Avatar to appear.
   (3 votes, average: 3.67 out of 5) Loading ... |
|
Tags:
Avatars, coiserv, Gravatar, Mybloglog, Tom Werner, Wordpress, Wordpress comments
|
Life Hacks.
View 15 Comments.
Post a comment.
Trackback URI.
Email this post.
Grab the feed via RSS /
Comments on: "Two Line Avatar Hack for Wordpress Comments"
Notice there is another 1 line hack to turn on a different background color for comments by your admin username/nickname. No plugin necessary for that either.
This is a test comment by another commenter with Gravatar.com account. No fail-over to MyBlogLog yet. So far so good.
Notice BTW the nice, Twitter-like reply functionality courtesy of the "Reply-To" plugin with a few tweaks added by me.
This is a test comment by a commenter with an email address that does not have a Gravatar.com account, so it goes to check for a MyBlogLog account, which it then serves the avatar. In this case, it's MBL's default avatar for an existing account.
The account is here: *link*
Hope this explains the failover process.
Brooke
Hey Mark, it really works... only thing you'll have to tweak is the where the image appears in the template, and any CSS mods you want to have for the avatar. That bit I of course can't predict.
Here is the CSS from the avatar image class:
#content #comments img.avatar { float:left; padding: 2px 15px 10px 0px; }
Cheers!
No such luck with the wp-google-analytics, which I had to back out because it was messing up my custom comment links.
This method works great, but regrettably it also exposes the email addresses of your commenters in plain text. I've just released a new plugin that provides the same functionality, though, without that problem. I'd love to hear your thoughts!
*link*
Thanks,
Shane
Shane, agreed that the semi-plain email is a bit of an issue, as I pointed out in my post. I looked at your code and it's on the right track, only there is no guarantee that the MyBlogLog avatar will actually pull up from the provided commenter site URL plus name, since neither may be exact.
I wonder how many email phishing bots are actually programmed to detect the twice(!) URL encoded @ symbol. If they don't see the @ symbol, then they have no reason to parse the text around there as an email address.
Obviously it would be better if MyBlogLog used at least the md5 hash encoding that Gravatar.com uses (plus their fail-over mechanism so that another avatar provider could be chained in), even though it isn't itself really hack-proof.
Anyone that knows what they are looking for can reverse the hash (Wordpress just had to fix this in 2.5 for the WP password cookies for this reason, I am writing a post on porting this to 2.3.3 as we speak).
In reality, the fools that write these bots probably go for the lower hanging fruit, so my little hack is probably relatively safe for now.
Thanks for the props in the plugin BTW, maybe you could change my name to "Alex Schleber" ('l' is out of place...).
Shane, your comment also just gave me an idea and I tested something: You can actually throw in a few extra @ symbols or '%40' replacements around the email address to throw any bot off even further. Since the Gravatar.com script strips out any @ that isn't TWICE URL-encoded, they just get ignored.
But a bot would have a hard time parsing this in any meaningful way, and I didn't even go so far as to place the extra, "false" @ into the middle of the address, right next to the twice encoded "real" @.
I don't see how any bot would be smart enough to NOT choose the regular (in appearance) but false @, and thereby parse out a faulty, non-working email address.
Hope this makes sense.
Does using the email address guarantee that any better, though? Most of the people I know are more likely to use a different email address than they are a different URL. You may be right, though. It's something I hadn't thought about. Anxious to hear your thoughts.
And on the email address issue, I hadn't even thought of bots. My concern was people just being able to View Source and see the email addresses for themselves. True, in most cases that would never happen, but it's a perception issue. There is a not-insignificant number of people who would really have a problem with you "publishing" their email address. (Although I obviously don't have a significant problem with it since I keep commenting here :) )
And yes, I'll fix your name :) Sorry about that!
Oh, and the other nice thing about the plugin is that it eliminates the odd "question mark head" icons from MyBlogLog :)
Shane, the way that Gravatar.com passes the email address is still not secure, all you have to do is run the string through an MD5 hash and it's clear text again. So still just security by obscurity.
If anyone is serious enough to search around the HTML source for email addresses manually, they likely have ways to find you anyway (after all, you do publish your blog's URL, which has your email under "Contact").
The spammers like to do things in an automated, mass-coverage way, hence the attempt to extract with "bots" (really just programs that run HTTP requests and do some Regex matching on what comes back...
Join the Discussion - Write a comment
NO HTML tags! Raw URLs will be auto-converted to a shortened, clickable NoFollow link (like this: *link*), and Snapshots support on our blog will allow a preview.
Comments are live immediately, but will be moderated according to our Comment Policy.
Next Post: Twitter Updates for 2008-04-28 »
Previous Post: « Twitter Updates for 2008-04-24