wordpress.com requires its registered users to log in to be able to comment

When I try to comment on sites hosted on wordpress.com and I use my main email address I get a notice that says something like “The email being used is already registered with us, please login to your account”.

I guess that the idea is to try and prevent people from impersonating other commenters, but the implementation is an awkward one, as it assumes that everyone is an impersonator until proven innocent and adds yet another step to sending a comment for anyone not currently logged in to wordpress.com. I wonder how many people just abort the comment at that stage; I know I have done it at least once.
It is also strange that you have to identify against wordpress.com when there are other identity providers like google, facebook and twitter which can also be used to verify the email address.

And all of this is because the idea behind the gravatar service, which is now fully integrated into wordpress.com, is naive – you should not identify people by something which is very public information like their email address, period.

What could they have done better? This should have been an opt-in kind of service. I don’t think the chance of anybody trying to impersonate me is higher than zero and I am willing to take the risk in order to have an easier life. In addition, the best way to verify an email address is by actually sending an email to it and asking for an action to be made. Maybe something like “we detected that you are commenting on xxxxx, if it isn’t you, you can remove the comment by clicking the link yyyyy”. Sure, there is a risk of spamming the email address that way, but it might be effective enough to reduce the impersonating attempts to zero.

John Scalzi on comments on website

It is nice to see that other people agree with my stand on comments, especially a web celeb like Scalzi.

In a general sense, though, I think it’s well past time for sites (and personal blogs) to seriously think about whether they need to have comment threads at all. What is the benefit? What is the expense? Blogs have comments because other blogs have comments, and the blog software allows comments to happen, and I suspect everyone just defaults to having comments on.

read the (much much longer) rest

WordPress comments suck at authentication

I am sure I will not shock anyone by saying that an email address by itself is not good enough for authentication. It is too easy to fabricate an email address, to create a one-time one, and to use someone else’s address, so why exactly do we still use it as an authentication token in wordpress comments?

It is not that getting the email of a commenter is a bad idea, it is just that it is not enough for authentication. What is needed is a way to prove that said email actually belongs to that person. One idea is to send a mail to the email address and ask to confirm the submission of the comment. After verifying the email it will make more sense to get profile data from gravatar with this email address.
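The confirmation mail described here, and the “remove the comment by clicking the link” mail suggested in the first post, both need a link that only the owner of the mailbox can produce. The sketch below is an added example, not WordPress or Gravatar code: it signs the comment id, email, action and expiry with an HMAC, and the secret, lifetime, field names and in-memory comment store are all assumptions.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"  # assumption: per-site random secret, kept server-side
TTL = 24 * 3600                    # assumption: links expire after one day

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(comment_id: int, email: str, action: str, now: float) -> str:
    """Sign (comment, email, action, expiry) so the link cannot be forged or repurposed."""
    payload = json.dumps({"c": comment_id, "e": email.strip().lower(),
                          "a": action, "x": int(now) + TTL},
                         sort_keys=True).encode()
    mac = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac)

def verify_token(token: str, action: str, now: float):
    """Return the signed claims, or None if forged, expired or issued for another action."""
    try:
        body, sig = token.split(".")
        payload, mac = _unb64(body), _unb64(sig)
    except ValueError:  # wrong shape or bad base64
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    claims = json.loads(payload)  # parsed only after the MAC has been checked
    if claims["a"] != action or now > claims["x"]:
        return None
    return claims

def handle_link(comments: dict, token: str, action: str, now: float) -> str:
    """Apply a clicked link to the (hypothetical) comment store; returns the new status."""
    claims = verify_token(token, action, now)
    comment = comments.get(claims["c"]) if claims else None
    if comment is None or comment["email"] != claims["e"]:
        return "rejected"
    comment["status"] = "verified" if action == "confirm" else "removed"
    return comment["status"]
```

A comment would stay in a pending state until its “confirm” link is clicked, and only a verified comment would trigger the gravatar profile lookup.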

And there is a different approach that avoids using emails for authentication – use the commentator’s profile on the web. Most of the commentators have a facebook/google/twitter/tumblr/wordpress.com/flickr account with a profile, just let them authenticate their profiles. You can even get an avatar image and maybe a name that you can use to identify them to the readers when displaying the comment.

This does not necessarily work against anonymity, but you will probably be more inclined to approve an authenticated comment than one which is practically anonymous.

Almost* all wordpress themes suck at comment form design

A naive person might assume that the most important part of a comment is the content of the comment itself. It is a pity that wordpress theme designers are not naive and understand that site owners want to know who is commenting as much as they are interested in the content.

For most themes the flow of submitting a comment is as follows:

  1. Enter your name
  2. Enter your e-mail address
  3. Enter your web site
  4. If you still remember what you wanted to write (and still have time to do that), at last you can do it

The ridiculous aspect of this scheme is that steps 1-3 do not ensure that the owner will know who made the comment, as it is easy to provide a valid email address which doesn’t exist or does not belong to the commenter, and anything can go as name and website.

So steps 1-3 are just obstacles that do not necessarily provide value, so isn’t it better to let people write comments and then, only if they feel like it, identify themselves? Even without going for a radical design change by allowing people to submit a comment and only after it was submitted identify themselves with it (blogger kind of works that way), just emphasizing the comment content by putting it on top can improve the commenting experience.

Comment form should be in this order:

  1. Enter Comment
  2. Enter e-mail (let site owner contact you)
  3. Enter name (you might want to be identified by name if you are a returning commenter, or so people can easily refer to you in the discussion)
  4. Enter your website (only SEO wannabes care about that)

*Almost – just because there might be one or two that I don’t know about that get it right.

Edit: Looks like I’m not alone in going down this road, and there is even code there