Only 2 (!) simple lines of code to have avatar support for your WordPress comments with graceful fail-over from Gravatar to MyBlogLog, all without plugins… just add to your comments.php in the comments loop wherever you would like to see the avatars/commenter photos placed:

The code for the Gravatar image URL is taken from Tom Werner’s simple gravatar.php plugin; the failover to MyBlogLog was my idea.

Check it out in action here.

Note that the commenter email address must be URL encoded twice, because the script otherwise strips out the @ symbol.

This also provides minimal protection from email phishing bots. It would be better if MyBlogLog adopted Gravatar’s MD5 encoding of the email address.
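To check what a rendered comments page actually exposes, here is an added audit sketch (not the code from this post or from either avatar service). It percent-decodes every `src`/`href` value repeatedly and reports any address that becomes readable, next to a Gravatar-style MD5 identifier for comparison. The host `avatars.example`, the `email=` and `id=` parameter names and the sample addresses are constructed assumptions.

```python
import hashlib
import re
from urllib.parse import unquote

# Simple address matcher; "%" is left out of the local part on purpose so
# percent-encoding residue is not mistaken for part of an address.
EMAIL_RE = re.compile(r"[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
ATTR_RE = re.compile(r"""(?:src|href)\s*=\s*["']([^"']+)["']""", re.I)


def gravatar_hash(email):
    """Gravatar-style identifier: MD5 of the trimmed, lower-cased address."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def exposed_emails(html, max_rounds=3):
    """Map each address found in src/href values to the number of
    percent-decoding rounds needed to read it (0 = plain text)."""
    found = {}
    for value in ATTR_RE.findall(html):
        text = value
        for rounds in range(max_rounds + 1):
            for match in EMAIL_RE.findall(text):
                found.setdefault(match.lower(), rounds)
            decoded = unquote(text)
            if decoded == text:  # nothing left to decode
                break
            text = decoded
    return found


# Constructed sample markup: a twice-encoded address, a hashed identifier,
# and a plain mailto link.
SAMPLE_HTML = """
<img class="avatar" src="https://avatars.example/coiserv.php?email=alice%2540example.org">
<img class="avatar" src="https://avatars.example/avatar.php?id={h}">
<a href="mailto:bob@example.net">Bob</a>
""".format(h=gravatar_hash("carol@example.com"))
```

Run `exposed_emails()` over the saved HTML of a comments page: any entry in the result, at any decoding depth, is an address a visitor can read from the page source.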

If MyBlogLog also had the "&default=[url]" failover support, this could be chained to support further avatar service providers. Since it doesn’t, the chain stops with their somewhat ugly and small default (the grey square with the question mark).

And this also represents one fly in the ointment: MyBlogLog could at least make the size of that default the same size as the avatars their "coiserv.php" script serves – 48 x 48 pixels. I am going to talk to someone at Yahoo about this who might be able to pass it on to the right people.

To get the code, right-click and "Select All", then copy and paste to your theme’s comments.php template where you want the Avatar to appear.


15 thoughts on “Two Line Avatar Hack for WordPress Comments”

  1. A test comment by ‘admin’, which links back to my main Gravatar account. avatar image is displayed, no fail-over necessary.

    Notice there is another 1 line hack to turn on a different background color for comments by your admin username/nickname. No plugin necessary for that either.

  2. In reply to @Alex:
    This is a test comment by another commenter with account. No fail-over to MyBlogLog yet. So far so good.

    Notice BTW the nice, Twitter-like reply functionality courtesy of the “Reply-To” plugin with a few tweaks added by me.

  3. In reply to @Alex Tester:
    This is a test comment by a commenter with an email address that does not have a account, so it goes to check for a MyBlogLog account, which it then serves the avatar. In this case, it’s MBL’s default avatar for an existing account.

    The account is here: *link*

  4. This last test example is of a commenter with neither nor accounts, which defaults to the MBL “not found” placeholder. Too bad it’s smaller than the regular size, and so… uhmm… unappealing…

    Hope this explains the failover process.

  5. Thanks for the how to. I just started using wordpress and I am happy I switched. I am still getting all set up. I will use this. Keep twittering the good updates.


  6. I’ve always wanted to add this feature to my blog considering that I use MyBlogLog quite a lot. Would be great if it works. I guess we’ll see!

  7. In reply to @Marc David:
    Hey Mark, it really works… only thing you’ll have to tweak is where the image appears in the template, and any CSS mods you want to have for the avatar. That bit I of course can’t predict.

    Here is the CSS from the avatar image class:

    #content #comments img.avatar { float:left; padding: 2px 15px 10px 0px; }


  8. Another test, having to fix a little something about the comment form. BTW, I’ve been having good luck so far with the YAWASP anti-spambot plugin.

    No such luck with the wp-google-analytics, which I had to back out because it was messing up my custom comment links.

  9. Alex,

    This method works great, but regrettably it also exposes the email addresses of your commenters in plain text. I’ve just released a new plugin that provides the same functionality, though, without that problem. I’d love to hear your thoughts!



  10. In reply to @Shane:
    Shane, agreed that the semi-plain email is a bit of an issue, as I pointed out in my post. I looked at your code and it’s on the right track, only there is no guarantee that the MyBlogLog avatar will actually pull up from the provided commenter site URL plus name, since neither may be exact.

    I wonder how many email phishing bots are actually programmed to detect the twice(!) URL encoded @ symbol. If they don’t see the @ symbol, then they have no reason to parse the text around there as an email address.

    Obviously it would be better if MyBlogLog used at least the md5 hash encoding that uses (plus their fail-over mechanism so that another avatar provider could be chained in), even though it isn’t itself really hack-proof.

    Anyone that knows what they are looking for can reverse the hash (WordPress just had to fix this in 2.5 for the WP password cookies for this reason, I am writing a post on porting this to 2.3.3 as we speak).

    In reality, the fools that write these bots probably go for the lower hanging fruit, so my little hack is probably relatively safe for now.

    Thanks for the props in the plugin BTW, maybe you could change my name to “Alex Schleber” (‘l’ is out of place…).

  11. In reply to @Shane:
    Shane, your comment also just gave me an idea and I tested something: You can actually throw in a few extra @ symbols or ‘%40’ replacements around the email address to throw any bot off even further. Since the script strips out any @ that isn’t TWICE URL-encoded, they just get ignored.

    But a bot would have a hard time parsing this in any meaningful way, and I didn’t even go so far as to place the extra, “false” @ into the middle of the address, right next to the twice encoded “real” @.

    I don’t see how any bot would be smart enough to NOT choose the regular (in appearance) but false @, and thereby parse out a faulty, non-working email address.

    Hope this makes sense.

  12. “I looked at your code and it’s on the right track, only there is no guarantee that the MyBlogLog avatar will actually pull up from the provided commenter site URL plus name, since neither may be exact.”

    Does using the email address guarantee that any better, though? Most of the people I know are more likely to use a different email address than they are a different URL. You may be right, though. It’s something I hadn’t thought about. Anxious to hear your thoughts.

    And on the email address issue, I hadn’t even thought of bots. My concern was people just being able to View Source and see the email addresses for themselves. True, in most cases that would never happen, but it’s a perception issue. There is a not-insignificant number of people who would really have a problem with you “publishing” their email address. (Although I obviously don’t have a significant problem with it since I keep commenting here :) )

    And yes, I’ll fix your name :) Sorry about that!

    Oh, and the other nice thing about the plugin is that it eliminates the odd “question mark head” icons from MyBlogLog :)

  13. In reply to @Shane:
    Shane, the way that passes the email address is still not secure, all you have to do is run the string through an MD5 hash and it’s clear text again. So still just security by obscurity.

    If anyone is serious enough to search around the HTML source for email addresses manually, they likely have ways to find you anyway (after all, you do publish your blog’s URL, which has your email under “Contact”).

    The spammers like to do things in an automated, mass-coverage way, hence the attempt to extract with “bots” (really just programs that run HTTP requests and do some Regex matching on what comes back…
