
Another Mystery Solved..

Recently, after researching comment links for an upcoming article, I realized that my default <input> values were being submitted as the URL for all comments left without associated website information. During the most recent site redesign, I made the mistake of doing this in comments.php:

...

<input class="input" name="url" id="url" value="[website]" onfocus="this.select();" type="text" tabindex="3" size="44" maxlength="133" alt="website" />

...

Notice the value="[website]" attribute? It seemed like a good idea at the time — I even threw in a nice onfocus auto-highlighting snippet for good measure. I ran the form with this in place for around eight weeks before finally noticing multiple comments using this for their site URL:

http://website

Hmmm. Not so good. For one, that’s not very search-engine friendly. For two, it’s sloppy. For three it’s wrong. What was I thinking? Who cares. The point is, if you are using predefined values in your comment form, they are submitted as user-input data whenever a “real” value is not provided. Thus, all of those visitors leaving comments without bothering to include their site URL have been filling your site with “dead” links. Weak, dude (said pointing to myself). Another important point is that auto-clearing JavaScript will not actually “clear” anything before the comment is submitted.
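Added example, not from the original post: a server-side guard on WordPress's `preprocess_comment` filter that blanks the placeholder before the comment is stored, so the result does not depend on the form markup or on JavaScript running. The `example_*` function names and the placeholder list are assumptions made for illustration.

```php
<?php
// Added example. The function names are hypothetical; the placeholder list
// is built from the form default and the stored URL described in the post.

/**
 * Return '' when the submitted URL is a known form placeholder or has no
 * plausible host; otherwise return the value unchanged so that WordPress's
 * own URL sanitizing still runs on it afterwards.
 */
function example_clean_author_url( $url ) {
    $url          = trim( (string) $url );
    $placeholders = array( '[website]', 'website', 'http://website' );

    if ( '' === $url || in_array( strtolower( $url ), $placeholders, true ) ) {
        return '';
    }

    // Visitors often omit the scheme; add one so parse_url() can find the host.
    $candidate = preg_match( '#^https?://#i', $url ) ? $url : 'http://' . $url;
    $host      = parse_url( $candidate, PHP_URL_HOST );

    // A public site URL needs a host containing at least one dot.
    if ( ! is_string( $host ) || false === strpos( $host, '.' ) ) {
        return '';
    }

    return $url;
}

/**
 * Filter callback: clean the URL field of an incoming comment.
 */
function example_preprocess_comment( $commentdata ) {
    if ( isset( $commentdata['comment_author_url'] ) ) {
        $commentdata['comment_author_url'] =
            example_clean_author_url( $commentdata['comment_author_url'] );
    }
    return $commentdata;
}

// Register only when running inside WordPress, so the file also loads standalone.
if ( function_exists( 'add_filter' ) ) {
    add_filter( 'preprocess_comment', 'example_preprocess_comment' );
}
```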

Having learned this important lesson, I immediately restructured the comment form, replacing all predefined value attributes with blank values (value=""). Then, with all future occurrences prevented, it was time to clean up the mess. And for that, there are two possibilities:

  • Scour the comments section via the admin and edit each URL link manually

..or..

  • Crack open the database for a two-second batch-edit via SQL update, aka “find and replace”

Fortunately, there were fewer than twenty links erroneously referencing http://website, so manually editing all of them would not have taken longer than fifteen minutes at the most. Even so, there are far better ways to spend those fifteen minutes, so I chose the direct approach:

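-- Match the placeholder exactly so real URLs that merely begin with http://website are not altered
UPDATE wp_comments SET comment_author_url = REPLACE( comment_author_url, 'http://website', '' ) WHERE comment_author_url = 'http://website';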

And with that, everything was corrected and returned to normal. Mystery solved, lesson learned. Thanks for listening.

Jeff Starr
About the Author
Jeff Starr = Web Developer. Security Specialist. WordPress Buff.