WordPress.org

Nederlands

WordPress downloaden
WordPress.org

Plugin Directory

WPCoreTools Disposable Email Guard

WPCoreTools Disposable Email Guard

Door Wp Core Tools
Download

Beschrijving

This plugin refuses sign-ups, comments, checkouts, and form submissions when the email address belongs to a disposable, burner, or temp-mail service. All checks run on your own server against domain lists that ship inside the plugin file — no email address is ever sent to a third-party service, and the plugin does not contact any external server in its default configuration.

Five well-known community-maintained disposable-email lists are bundled as snapshots. Two are active out of the box (around 9,800 unique domains combined); three larger lists are available as opt-in for stricter coverage. An optional auto-update from the upstream GitHub URLs is also available, off by default.

What it detects

  • Disposable and burner addresses (default ON) — Mailinator, YOPmail, Guerrilla Mail, 10minutemail, Temp-Mail, and similar services.
  • Anonymous / privacy mail (default OFF) — Proton Mail, Tutanota, Mailbox.org, Posteo, StartMail, SimpleLogin, addy.io, DuckDuckGo Email Protection, Firefox Relay, Apple Hide My Email. Off by default because plenty of legitimate paying customers prefer these services.
  • Plus-addressing aliases (default OFF) — user+tag@example.com style sub-addresses.
  • Dead and no-MX domains (default OFF) — typos like gnail.com, parked or expired domains. One DNS lookup per new domain, then cached.
  • Custom block and allow rules with wildcard patterns: *@spammer.com, *@*.ru, spam*@*.

Where it checks

WordPress core:

  • Registration form
  • Profile email change
  • Comment author email (off by default)
  • Programmatic user creation (wp_insert_user, REST API, WP-CLI, other plugins)
  • Lost-password form
  • Multisite signup form

WooCommerce:

  • Customer registration
  • Checkout (billing email)
  • My Account Edit Account email change
  • Product reviews
  • Coupon application — refuse coupons when the billing email is on a blocklist (anti-abuse safety net)

Form plugins:

  • Contact Form 7 — built-in, no configuration needed
  • Gravity Forms — built-in, no configuration needed
  • Any other form plugin via the wpcdeg_check filter (one line of PHP from your form’s email-validation hook)

Three modes

  • Block — reject the submission with a clear error message.
  • Flag — let the submission through, but tag the user / comment / order with wpcdeg_flagged meta so you can review them in a list. Pairs with WooCommerce auto-hold and coupon refusal.
  • Log only — record matches in the detection log without rejecting or tagging anything. Useful for a dry-run before turning enforcement on.

Domain lists

Five bundled snapshots are available, each toggled independently:

  • disposable-email-domains (MIT) — ON by default, ~5,400 domains.
  • 7c/fakefilter — ON by default, ~4,500 domains.
  • groundcat/disposable-email-domain-list (MIT) — opt-in, ~27,000 domains.
  • wesbos/burner-email-providers (MIT) — opt-in, ~27,000 domains.
  • disposable/disposable-email-domains (MIT) — opt-in, ~72,000 domains.

Each ships as a snapshot inside the plugin (data/sources/{id}.txt) and is loaded from disk; no network call is required for any of them to function.

If you want the snapshots refreshed on a schedule from their GitHub raw URLs, an optional auto-update feature is available. It is off by default. See “External services” below for what is contacted and what is sent.

Tools

  • Stats dashboard with a 14-day activity chart, per-reason breakdown, and top detected domains.
  • WP Dashboard widget with the same at-a-glance summary.
  • Detection log with date / reason / context filters and CSV export.
  • Optional periodic email digest, daily or weekly.
  • CSV / TXT bulk import for the blocklist and the allowlist.
  • Settings JSON export and import for moving configuration between sites.
  • WP-CLI: wp wpcdeg refresh / test / stats / log / sources / clear-log.
  • HPOS and Cart/Checkout Blocks compatibility declarations.

Privacy

  • No email address is ever sent to a third-party service.
  • The plugin does not contact any external server in its default configuration.
  • If you enable the optional auto-update feature, the plugin issues HTTPS GET requests to raw.githubusercontent.com for the source URLs you have selected. The request body is empty, the User-Agent is WPCoreToolsDisposableEmailGuard/<version>, and no email addresses, user data, or your site URL are transmitted. Full disclosure under “External services” below.
  • The detection log stores the email address, domain, reason, and IP address locally for admin review. Retention is configurable from 7 to 365 days (default 90); a daily WP-Cron job purges older rows.
  • On uninstall, all data is deleted only if you turned on the “Delete data on uninstall” setting.

External services

This plugin can optionally contact one external service. The feature is off by default and must be explicitly enabled via the setup wizard or the Lists tab (Settings WPCoreTools Disposable Email Guard Lists “Auto-update from upstream sources”).

GitHub (raw.githubusercontent.com)

  • What it is: GitHub serves the raw source files of five public, community-maintained lists of disposable-email domains. The plugin downloads only the list files; nothing else.
  • What it is used for: Refreshing the bundled snapshots of the disposable-email lists you have selected, so your active blocklist stays current between plugin releases.
  • When data is sent: Only when the “Auto-update from upstream sources” setting is enabled, and only on the schedule you configure (hourly / twice-daily / daily / weekly), or when you click the “Update now” button on the Lists tab.
  • What is sent: One HTTPS GET request per enabled source URL. The request body is empty. The User-Agent is WPCoreToolsDisposableEmailGuard/<plugin-version>. No email addresses, user data, IP information beyond what GitHub’s CDN normally logs, or your site URL are transmitted.
  • Where the requests go:
    • https://raw.githubusercontent.com/disposable-email-domains/disposable-email-domains/main/disposable_email_blocklist.conf
    • https://raw.githubusercontent.com/7c/fakefilter/main/txt/data.txt
    • https://raw.githubusercontent.com/groundcat/disposable-email-domain-list/master/domains.txt
    • https://raw.githubusercontent.com/wesbos/burner-email-providers/master/emails.txt
    • https://raw.githubusercontent.com/disposable/disposable-email-domains/master/domains.txt
  • Service operator: GitHub, Inc.
  • Terms of service: https://docs.github.com/en/site-policy/github-terms/github-terms-of-service
  • Privacy statement: https://docs.github.com/en/site-policy/privacy-policies/github-general-privacy-statement

If you would rather not contact GitHub at all, leave “Auto-update from upstream sources” off (its default state). The bundled snapshots provide full functionality offline.

You may also add your own custom URLs on the Lists tab (e.g. an internal threat-feed URL or a private gist). Those URLs are contacted on the same schedule and follow the same rules; they are entirely under your control.

Installatie

  1. Upload the plugin folder to /wp-content/plugins/, or install it via Plugins Add New.
  2. Activate the plugin.
  3. Visit Settings WPCoreTools Disposable Email Guard. The first-time setup wizard runs automatically.

The bundled domain lists are active immediately on activation; the plugin works fully offline. Anonymous-provider blocking, plus-addressing checks, dead-domain MX checks, and the optional auto-update of source snapshots are all off by default and must be enabled explicitly.

FAQ

Does this send my visitors’ email addresses to an external service?

No. Every check runs locally against domain lists that ship inside the plugin file. By default the plugin makes no outbound connections at all.

Does the plugin contact GitHub or any other server in its default configuration?

No. The bundled snapshots are loaded from disk. The optional auto-update feature, which would contact GitHub to refresh those snapshots, is off by default and must be enabled in the setup wizard or the Lists tab. See “External services” for the full disclosure.

Will this block legitimate Proton Mail or Tutanota users?

Only if you turn on the “Anonymous / privacy providers” toggle. It is off by default for exactly that reason.

How are the disposable lists kept up to date?

Two ways. Either install a fresh version of the plugin (each release bundles updated snapshots), or opt into the auto-update feature, which lets WP-Cron fetch the source URLs from GitHub on a schedule (hourly, twice-daily, daily, or weekly).

Can I dry-run before I switch on blocking?

Yes. Set Mode to “Log only” — emails are recorded but no submissions are rejected. Or use “Flag” mode to allow signups but tag the user / order / comment for admin review.

What is “Flag” mode?

A non-destructive alternative to outright blocking. Submissions go through, but matching users get a wpcdeg_flagged user meta and a “Flagged” column on the Users list, comments get a meta tag, and WooCommerce orders get an order note plus a “Flagged” column on the Orders list. Useful when you do not want to lock out potential Proton or Tutanota customers but still want to triage them.

Does it work with WooCommerce HPOS?

Yes, both the legacy posts-table orders list and HPOS are supported.

Does it work with Contact Form 7 and Gravity Forms?

Yes, built-in integration on both. For other form plugins (WPForms, Elementor Forms, Forminator, Fluent Forms, etc.), call the wpcdeg_check filter from your form’s email-validation hook.

What happens if a remote list URL is unreachable when auto-update runs?

The previous successful copy is kept (no data loss); the failure is recorded in the per-source meta. If no fetch has ever succeeded, the bundled snapshot continues to be used.

Will it slow down my site?

No. Each email check is an O(1) lookup against an in-memory map, loaded once per request and cached for an hour.

Does the MX record check slow down sign-ups?

Only the first lookup per domain — results are cached for 24 hours on success and 1 hour on failure. Most sign-ups hit the cache immediately. The check is opt-in and off by default.

Beoordelingen

Er zijn geen beoordelingen voor deze plugin.

Bijdragers & ontwikkelaars

“WPCoreTools Disposable Email Guard” is open source software. De volgende personen hebben bijgedragen aan deze plugin.

Bijdragers

Vertaal “WPCoreTools Disposable Email Guard” in je eigen taal.

Interesse in ontwikkeling?

Bekijk de code, haal de SVN repository op, of abonneer je op het ontwikkellog via RSS.

Changelog

1.0.2

Initial public release.

  • Five bundled disposable-email source snapshots, two enabled by default; works fully offline.
  • Three modes: block, flag, log only.
  • Optional anonymous-provider blocking, plus-addressing checks, dead-MX checks (all off by default).
  • WordPress integrations: registration, profile, comments, lost-password, multisite signup, programmatic user creation.
  • WooCommerce integrations: registration, checkout, My Account email change, product reviews, coupon-abuse blocker, auto-hold for flagged orders. HPOS and Cart/Checkout Blocks compatible.
  • Built-in Contact Form 7 and Gravity Forms integration; generic wpcdeg_check filter for other form plugins.
  • Custom block / allow lists with wildcard support.
  • Detection log with filters and CSV export, stats dashboard with 14-day chart, optional periodic email digest.
  • WP-CLI: refresh, test, stats, log, sources, clear-log.
  • CSV / TXT bulk import; settings JSON export and import.
  • Per-reason customizable user-facing messages; quiet-hour cron scheduling in site timezone.

Meta

Waarderingen

Er zijn nog geen beoordelingen ingediend.

Your review

Bekijk alle beoordelingen

Bijdragers

Ondersteuning

Iets te melden? Hulp nodig?

Het supportforum bekijken