How to remove the security hole in WordPress comment HTML

Published 05 Aug 2015 in Blogging, HTML & CSS, Security, WordPress by ZigPress

Before reading further, you should read my earlier post, Your WordPress site comments are giving information to hackers, since this post provides a neater solution to the problem described in that post.

Summary of Problem

When a comment is made on a WordPress post, and the comment is by a logged-in user, WordPress adds two CSS classes to the HTML list item containing the comment:

  • byuser
  • comment-author-yournicename (where ‘yournicename’ is the ‘user_nicename’ stored in the users table for the user who added the comment)

This immediately tells would-be hackers that ‘yournicename’ may be a valid username with which they can try to log in, because of the particular way WordPress stores usernames, nicenames, nicknames and display names by default.

Furthermore, if the comment is made by the same user that originally published the post, WordPress adds another CSS class to the HTML list item containing the comment:

  • bypostauthor

So this time the would-be hacker knows that if ‘yournicename’ is a valid login, it’s also one with enough rights to publish posts.

The New Solution

Fortunately, when WordPress assembles the classes to use when building the HTML for a comment, there is a filter you can hook into which can amend the list of classes before they are rendered. The filter is called comment_class.

So by hooking a simple function into that filter in the functions.php file of your theme, you can decide which CSS classes should be rendered for comments and which should not.

The Code

Here’s my resulting function that goes into the functions.php file in my theme and hooks into the filter:

function filter_comment_class($classes) {
	if (is_array($classes)) {
		if (count($classes) >= 1) {
			foreach ($classes as $key => $class) {
				// Drop the classes that reveal a login name or the author's publishing rights
				if ($class == 'bypostauthor') {
					unset($classes[$key]);
				} elseif ($class == 'byuser') {
					unset($classes[$key]);
				} elseif (substr($class, 0, 15) == 'comment-author-') {
					unset($classes[$key]);
				}
			}
		}
	}
	return $classes;
}
add_filter('comment_class', 'filter_comment_class');

You can see from this that I’m removing the ‘byuser’ class, the ‘bypostauthor’ class and any class that starts with ‘comment-author-’. When the comments for a post are shown, the underlying HTML will not contain any of these classes. One thing to check before deploying: if your theme’s stylesheet uses .bypostauthor to highlight the author’s own replies, that styling will disappear along with the class, so restyle those comments another way if you rely on it.
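To confirm the filter actually took effect on a live page, here is an added Python script (not part of the original post or of WordPress) that scans rendered comment HTML for the three class patterns and lists any user_nicename values still exposed. The markup in SAMPLE_HTML is constructed for the demonstration; in practice you would feed it the HTML of one of your own post pages.

```python
from html.parser import HTMLParser

# The classes the filter strips: two exact names and one prefix.
EXACT_LEAKS = {"byuser", "bypostauthor"}
PREFIX_LEAK = "comment-author-"

class CommentClassAuditor(HTMLParser):
    """Collects every element whose class attribute carries a leaking class."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, element id or None, [leaked classes])

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        classes = (attrs.get("class") or "").split()
        leaked = [c for c in classes if c in EXACT_LEAKS or c.startswith(PREFIX_LEAK)]
        if leaked:
            self.findings.append((tag, attrs.get("id"), leaked))

def audit_comment_html(html):
    """Return (tag, id, leaked_classes) for every element that still leaks."""
    auditor = CommentClassAuditor()
    auditor.feed(html)
    return auditor.findings

def leaked_nicenames(html):
    """Return the set of user_nicename values exposed via comment-author-*."""
    names = set()
    for _tag, _id, leaked in audit_comment_html(html):
        names.update(c[len(PREFIX_LEAK):] for c in leaked if c.startswith(PREFIX_LEAK))
    return names

# Constructed sample (not from a real site): a post-author comment, a logged-in
# user's comment, and an anonymous comment that carries no leaking class.
SAMPLE_HTML = """
<ol class="commentlist">
  <li id="comment-1" class="comment byuser comment-author-admin bypostauthor even">
    <p>First!</p></li>
  <li id="comment-2" class="comment byuser comment-author-jsmith odd">
    <p>Nice post.</p></li>
  <li id="comment-3" class="comment odd"><p>Anonymous here.</p></li>
</ol>
"""

if __name__ == "__main__":
    for tag, elem_id, leaked in audit_comment_html(SAMPLE_HTML):
        print(f"<{tag} id={elem_id}> leaks: {' '.join(leaked)}")
    print("nicenames exposed:", sorted(leaked_nicenames(SAMPLE_HTML)))
```

An empty result from audit_comment_html on your own page means the filter is in place; any finding names the exact list item that still leaks.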

This code now goes into all my projects where comments may be enabled. Job done.


  1. On 24 Aug 2015 at 09:50, Emily said:

    GREAT article! Really well-written and entertaining!

  2. On 28 Aug 2015 at 11:02, Neeraj Ojha said:

    This is really informative. I wasn’t aware that my site comments are leaking details. I have applied the code above to be on the safe side and thank you for this knowledge and solutions.

  3. On 03 Sep 2015 at 08:58, Briana said:

    Fantastic post. Thanks for a great step-by-step guide.

  4. On 11 Sep 2015 at 17:59, IAK Media said:

    Ah, I have always wondered how hackers could obtain obscure login names such as this. Thanks so much for tips and the code! Will be implementing this in the future.

  5. On 10 Jan 2016 at 08:54, Ekramul Haque said:

    Sometimes I need to inject some raw HTML code into a WordPress post, and sometimes I need to comment out a chunk of that code!
