envato free trialCreative Assets & Unlimited Downloads on Envato Elements Get 7 Days Free

Unraveling the Secrets of WordPress’ comments.php

on WordPress

One of the most important templates in any WordPress installation is the “comments.php” template file that is paired with virtually every single theme distributed for use with the world’s most popular content management solution. More than 60 million people rely on this basic template file every single day in order to encourage user interaction and communication.

But, surprisingly enough, a large number of WordPress website administrators never actually dig into this file and learn how to modify or customize it to meet their needs. That’s relatively surprising, especially since there are so many different ways to employ and encourage user comments on a WordPress blog. While it’s true that there’s a certain formula for comments that has been used over the course of the past decade, it’s also true that the template can be intricately styled, comments can be supplemented with meta content, and the site’s engagement can actually be improved from the default approach to commenting.

In order to commit to these changes, however, WordPress website administrators will need to get acquainted with the comments template file and learn what they can do with a little bit of PHP code, some WordPress variables, and some XHTML modifications that can really spice up the comments section and make it one of the most active parts of any website. Those WordPress users looking to encourage more engagement and convert more visitors to regular readers should forge ahead with this tutorial, using PHP, XHTML, and WordPress variables to change how they do business when it comes to commenting on a typical post or page.

Securing the Comments Template File and Safeguarding the Website Against Attack

The comments form for every entry is stored within the “comments.php” file, but this file is not designed to be accessed when it is not paired with an entry’s standalone page within the website. A smart reader who has experience with WordPress, or any malicious user who knows how to exploit WordPress templates, could use this file on its own to post hateful comments, perform malicious actions, or otherwise compromise a website’s security or integrity. Luckily, that’s only possible if the file is left unprotected and accessible by virtually every visitor to the website. There are a few ways to ensure that this is not the case, simply by giving the file instructions based on its location and the presence of an administrator password when being accessed outside of a standalone post’s page.

The first way to secure this file involves checking whether or not the page is being accessed as part of a template or accessed on its own via the URL to the “comments.php” file. If the latter case is true, the script will “die,” a PHP term that means it will not run or present any information within it to the outside world. When the script effectively “dies,” it will then display a message to the end user indicating that it cannot be accessed without being paired to a post. This message is customizable, and it can be seen in action here:

<?php if(!empty($_SERVER['SCRIPT_FILENAME']) && 'comments.php' == basename($_SERVER['SCRIPT_FILENAME'])) : ?>
<?php die('The comments template cannot be accessed outside of an entry. Nice try!'); ?>
<?php endif; ?>

Some WordPress entries are password protected by the site’s administrator upon being published, and they can only be accessed by those who possess the designated password. Even so, the comments on these entries can often be accessed and modified by other users if they’re clever enough to bypass the password and view the comments template as a standalone file. That’s not a good solution, and it can lead to major privacy issues. To ensure that comments are only displayed when a relevant entry password has been provided elsewhere on the site, place the following line of code at the top of the file. It should be right beneath the lines of code shown above:

<?php if(!empty($post->post_password)) : ?>
<?php if($_COOKIE['wp-postpass_' . COOKIEHASH] != $post->post_password) : ?>
<?php endif; ?>
<?php endif; ?>

With these two lines of code pasted into the “comments.php” template file, malicious users will not be able to access comments without the proper permissions. Whether that means not accessing the comments file as a standalone page, or being required to enter the password or a post, the file will be on lockdown with these two snippets placed directly at the top of the template. Now it’s time to focus on actual comment-related variables that can change the way the template appears and functions to some degree.

Working with Comment Moderation Settings in the WordPress Dashboard

In an era when “spam comments” are second nature, and filters like the WordPress Akismet plugin have to be employed on a daily basis, it’s a good idea to require at least some kind of moderation for comments. Perhaps the most recommended option is to require the approval of comments posted by someone whose email address is not associated with a prior comment on any of the website’s posts. This is the best solution, as it allows “known” readers to interact, but will require new ones to prove themselves as non-spam. When this setting is enabled, comments will appear to be posted by default, but they will not display to anyone but the website’s administrator until the comment has been approved.

This default behavior is pretty confusing for those readers who are posting their first comment and aren’t’ aware of the moderation process. They’ll believe that their comment was added into the mix, because it appears that it has been. However, because no one is responding to their comment, they’ll feel left out or like something is wrong. To change this behavior, a simple conditional variable can be used to show a special message to those users whose comment is held for moderation. It looks like this:

<?php if ($comment->comment_approved == '0') : ?>

In this variable, a simple “1” or “0” is used to control what is displayed. In this case, the zero means that the comment has not been approved. That’s the ideal implementation for this variable, as the website only needs to display a message to those users who are not instantly added to the discussion. If a comment is approved, it will simply appear in the mix of other comments and no visual notification will be necessary. The above variable is used with a traditional PHP “endif” statement and it can be used to display a brief message to moderation-required commenters. Here’s how that would be done:

<div class="comment-box">
<?php if ($comment->comment_approved == '0') : ?>
<p>Your comment is currently awaiting approval by the website's administrator and it will not appear here until that approval has been granted. You will receive an email when the comment has been approved. Feel free to read comments in the meantime!</p>
<?php endif; ?>

This message is clear, simple, and to the point, and those users who have a comment held for moderation will no longer need to wonder why it seems like their opinion is valued less than others. In fact, the message could even be modified to explain why and when a comment is moderated. Users might want to know that they’re simply being held for moderation because they’re new, and that it’s nothing personal. Feel free to customize the message as desired.

Bringing Advanced WordPress Features to the Comment Form Automatically

From virtually the very first version of WordPress, the comment form included in the “comments.php” template was always generated manually using a traditional XHTML form construction with WordPress-specific form IDs. This method is still valid, of course, and it’s currently employed on the vast majority of WordPress blogs around the world.

That being said, however, the Automattic team of developers behind WordPress has recently made a pretty sizable change to how the WordPress comment form is produced on newer templates. This involves actually assigning the entire form to its own WordPress PHP variable and then allowing the Dashboard to render that form on the fly, potentially even outsourcing parts of its composition to the WordPress servers or the Jetpack plugin‘s own servers for social media integration.

For the past few versions of the WordPress software, this far more dynamic and future-minded comment form has been contained in the following variable:

<?php comment_form() ?>

This comment form is initially produced by the site-wide “functions.php” file located within the WordPress “wp-includes” directory. This is a static comment form, produced with the same XHTML as the one that is included manually into the comment’s template file with most themes. However, the beauty of assigning the entire form to a PHP variable is that plugins can easily modify this form and turn it into something completely different.

The best example of how this is done is the official WordPress Jetpack plugin from the Automattic development team. That plugin brings a number of WordPress.com blog features to self-hosted installations, including the ability to sign in with a WordPress.com account, Facebook account, or Twitter profile, when making a comment. Doing so will allow WordPress to display the offsite profile’s picture, name, and other information, inside a comment without asking for it from the user explicitly. This functionality is only compatible with the comment form variable.

When this Jetpack feature is enabled, the comment is instantly assigned to an outside website, and it’s placed inside an iFrame construction that allows for the social media integration with its default name, URL, and email address fields. There is no programming work that is required to be done by the developer. Furthermore, the form is styled by an offsite stylesheet in either light, dark, or invisible colors, and that means that it will always integrate perfectly into a WordPress installation without an extensive self-hosted stylesheet or more intricate customization of the form code itself.

Edit a Comment Without Paging Through the WordPress Dashboard

Sometimes, a comment might be out of line or it might simply require a typo or grammatical error to be fixed. In most cases, this will send an administrator into the WordPress Dashboard where they’ll click through several administration pages in order to find the relevant comment and commit a quick edit to its content or other information. While this is not necessarily the worst-case scenario for “time-wasting administration routines,” it’s still a time-waster for most WordPress website administrators. To solve this, WordPress allows a variable to be placed within the comment that links directly to its editing page within the Dashboard:

<?php edit_comment_link('Edit Comment'); ?>

Easy, right? This is certainly far easier than navigating through the Dashboard to find the comment, and it will only display to administrator users or other users in a group with the proper permissions for editing a comment. When a typical website reader is perusing the comments, it will simply be invisible and hidden behind the scenes.

Styling Comments with Alternate Colors

One of the best ways to increase the readability of a long list of comments is to alternate the backgrounds colors for each comment’s block of text. This can be done by inserting a typical WordPress PHP function into the top of the comments template file, and then calling that function using a PHP variable when it’s needed. Those administrators looking to do this should place the following block of text at the top of the template:

function row_colors($i){
if($i % 2) {
echo ' class="alt"';
} else {
echo '';

Then, they’ll need to call this new function into the template file so that it can determine the background color of each comment on the fly. That is done by placing the following code into the comment’s surrounding ⊙li> tag:

<?php $i++; ?>
<li<?php row_colors($i); ?> id="comment-<?php comment_ID(); ?>">

With that code replacing the standard opening ⊙li> tag, the comments will now be subject to the “counting” of the function created and placed earlier. Ever even-numbered comment will be given a background color, while those with odd numbers will be left blank, or white. Of course, both colors can be changed to the website administrator’s liking with a simple edit of the current theme’s stylesheet.

Lots of Great Ways to Enhance Website Comments

It’s easy to see how the comments template file is actually one of the most advanced and customizable templates in any given theme. With its new comment form variable, intense security measures, and the ability to customize output based on PHP variables and whether or not an administrator is logged in, the comments template file can be used to create a dynamic and exciting environment for user engagement.