This plugin refuses sign-ups, comments, checkouts, and form submissions when the email address belongs to a disposable, burner, or temp-mail service. All checks run on your own server against domain lists that ship inside the plugin file \u2014 no email address is ever sent to a third-party service, and the plugin does not contact any external server in its default configuration.<\/p>\n\n
Five well-known community-maintained disposable-email lists are bundled as snapshots. Two are active out of the box (around 9,800 unique domains combined); three larger lists are available as opt-in for stricter coverage. An optional auto-update from the upstream GitHub URLs is also available, off by default.<\/p>\n\n
user+tag@example.com<\/code> style sub-addresses.<\/li>\n- Dead and no-MX domains (default OFF) \u2014 typos like
gnail.com<\/code>, parked or expired domains. One DNS lookup per new domain, then cached.<\/li>\n- Custom block and allow rules with wildcard patterns:
*@spammer.com<\/code>, *@*.ru<\/code>, spam*@*<\/code>.<\/li>\n<\/ul>\n\nWhere it checks<\/h4>\n\n
WordPress core:<\/p>\n\n
\n- Registration form<\/li>\n
- Profile email change<\/li>\n
- Comment author email (off by default)<\/li>\n
- Programmatic user creation (
wp_insert_user<\/code>, REST API, WP-CLI, other plugins)<\/li>\n- Lost-password form<\/li>\n
- Multisite signup form<\/li>\n<\/ul>\n\n
WooCommerce:<\/p>\n\n
\n- Customer registration<\/li>\n
- Checkout (billing email)<\/li>\n
- My Account \u2192 Edit Account email change<\/li>\n
- Product reviews<\/li>\n
- Coupon application \u2014 refuse coupons when the billing email is on a blocklist (anti-abuse safety net)<\/li>\n<\/ul>\n\n
Form plugins:<\/p>\n\n
\n- Contact Form 7 \u2014 built-in, no configuration needed<\/li>\n
- Gravity Forms \u2014 built-in, no configuration needed<\/li>\n
- Any other form plugin via the
wpcdeg_check<\/code> filter (one line of PHP from your form's email-validation hook)<\/li>\n<\/ul>\n\nThree modes<\/h4>\n\n\n- Block<\/strong> \u2014 reject the submission with a clear error message.<\/li>\n
- Flag<\/strong> \u2014 let the submission through, but tag the user \/ comment \/ order with
wpcdeg_flagged<\/code> meta so you can review them in a list. Pairs with WooCommerce auto-hold and coupon refusal.<\/li>\n- Log only<\/strong> \u2014 record matches in the detection log without rejecting or tagging anything. Useful for a dry-run before turning enforcement on.<\/li>\n<\/ul>\n\n
Domain lists<\/h4>\n\n
Five bundled snapshots are available, each toggled independently:<\/p>\n\n
\ndisposable-email-domains<\/code> (MIT) \u2014 ON by default, ~5,400 domains.<\/li>\n7c\/fakefilter<\/code> \u2014 ON by default, ~4,500 domains.<\/li>\ngroundcat\/disposable-email-domain-list<\/code> (MIT) \u2014 opt-in, ~27,000 domains.<\/li>\nwesbos\/burner-email-providers<\/code> (MIT) \u2014 opt-in, ~27,000 domains.<\/li>\ndisposable\/disposable-email-domains<\/code> (MIT) \u2014 opt-in, ~72,000 domains.<\/li>\n<\/ul>\n\nEach ships as a snapshot inside the plugin (data\/sources\/{id}.txt<\/code>) and is loaded from disk; no network call is required for any of them to function.<\/p>\n\nIf you want the snapshots refreshed on a schedule from their GitHub raw URLs, an optional auto-update feature is available. It is off by default. See \"External services\" below for what is contacted and what is sent.<\/p>\n\n
Tools<\/h4>\n\n\n- Stats dashboard with a 14-day activity chart, per-reason breakdown, and top detected domains.<\/li>\n
- WP Dashboard widget with the same at-a-glance summary.<\/li>\n
- Detection log with date \/ reason \/ context filters and CSV export.<\/li>\n
- Optional periodic email digest, daily or weekly.<\/li>\n
- CSV \/ TXT bulk import for the blocklist and the allowlist.<\/li>\n
- Settings JSON export and import for moving configuration between sites.<\/li>\n
- WP-CLI:
wp wpcdeg refresh \/ test \/ stats \/ log \/ sources \/ clear-log<\/code>.<\/li>\n- HPOS and Cart\/Checkout Blocks compatibility declarations.<\/li>\n<\/ul>\n\n
Privacy<\/h4>\n\n\n- No email address is ever sent to a third-party service.<\/li>\n
- The plugin does not contact any external server in its default configuration.<\/li>\n
- If you enable the optional auto-update feature, the plugin issues HTTPS GET requests to
raw.githubusercontent.com<\/code> for the source URLs you have selected. The request body is empty, the User-Agent is WPCoreToolsDisposableEmailGuard\/<version><\/code>, and no email addresses, user data, or your site URL are transmitted. Full disclosure under \"External services\" below.<\/li>\n- The detection log stores the email address, domain, reason, and IP address locally for admin review. Retention is configurable from 7 to 365 days (default 90); a daily WP-Cron job purges older rows.<\/li>\n
- On uninstall, all data is deleted only if you turned on the \"Delete data on uninstall\" setting.<\/li>\n<\/ul>\n\n
External services<\/h3>\n\n
This plugin can optionally contact one external service. The feature is off by default<\/strong> and must be explicitly enabled via the setup wizard or the Lists tab (Settings \u2192 WPCoreTools Disposable Email Guard \u2192 Lists \u2192 \"Auto-update from upstream sources\").<\/p>\n\nGitHub (raw.githubusercontent.com)<\/h4>\n\n\n- What it is:<\/strong> GitHub serves the raw source files of five public, community-maintained lists of disposable-email domains. The plugin downloads only the list files; nothing else.<\/li>\n
- What it is used for:<\/strong> Refreshing the bundled snapshots of the disposable-email lists you have selected, so your active blocklist stays current between plugin releases.<\/li>\n
- When data is sent:<\/strong> Only when the \"Auto-update from upstream sources\" setting is enabled, and only on the schedule you configure (hourly \/ twice-daily \/ daily \/ weekly), or when you click the \"Update now\" button on the Lists tab.<\/li>\n
- What is sent:<\/strong> One HTTPS GET request per enabled source URL. The request body is empty. The User-Agent is
WPCoreToolsDisposableEmailGuard\/<plugin-version><\/code>. No email addresses, user data, IP information beyond what GitHub's CDN normally logs, or your site URL are transmitted.<\/li>\n- Where the requests go:<\/strong>\n\n
\nhttps:\/\/raw.githubusercontent.com\/disposable-email-domains\/disposable-email-domains\/main\/disposable_email_blocklist.conf<\/code><\/li>\nhttps:\/\/raw.githubusercontent.com\/7c\/fakefilter\/main\/txt\/data.txt<\/code><\/li>\nhttps:\/\/raw.githubusercontent.com\/groundcat\/disposable-email-domain-list\/master\/domains.txt<\/code><\/li>\nhttps:\/\/raw.githubusercontent.com\/wesbos\/burner-email-providers\/master\/emails.txt<\/code><\/li>\nhttps:\/\/raw.githubusercontent.com\/disposable\/disposable-email-domains\/master\/domains.txt<\/code><\/li>\n<\/ul><\/li>\n- Service operator:<\/strong> GitHub, Inc.<\/li>\n
- Terms of service:<\/strong> https:\/\/docs.github.com\/en\/site-policy\/github-terms\/github-terms-of-service<\/li>\n
- Privacy statement:<\/strong> https:\/\/docs.github.com\/en\/site-policy\/privacy-policies\/github-general-privacy-statement<\/li>\n<\/ul>\n\n
If you would rather not contact GitHub at all, leave \"Auto-update from upstream sources\" off (its default state). The bundled snapshots provide full functionality offline.<\/p>\n\n
You may also add your own custom URLs on the Lists tab (e.g. an internal threat-feed URL or a private gist). Those URLs are contacted on the same schedule and follow the same rules; they are entirely under your control.<\/p>\n\n\n
\n- Upload the plugin folder to
\/wp-content\/plugins\/<\/code>, or install it via Plugins \u2192 Add New.<\/li>\n- Activate the plugin.<\/li>\n
- Visit Settings \u2192 WPCoreTools Disposable Email Guard. The first-time setup wizard runs automatically.<\/li>\n<\/ol>\n\n
The bundled domain lists are active immediately on activation; the plugin works fully offline. Anonymous-provider blocking, plus-addressing checks, dead-domain MX checks, and the optional auto-update of source snapshots are all off by default and must be enabled explicitly.<\/p>\n\n\n
\nDoes this send my visitors' email addresses to an external service?<\/h3><\/dt>\nNo. Every check runs locally against domain lists that ship inside the plugin file. By default the plugin makes no outbound connections at all.<\/p><\/dd>\n
Does the plugin contact GitHub or any other server in its default configuration?<\/h3><\/dt>\nNo. The bundled snapshots are loaded from disk. The optional auto-update feature, which would contact GitHub to refresh those snapshots, is off by default and must be enabled in the setup wizard or the Lists tab. See \"External services\" for the full disclosure.<\/p><\/dd>\n
Will this block legitimate Proton Mail or Tutanota users?<\/h3><\/dt>\nOnly if you turn on the \"Anonymous \/ privacy providers\" toggle. It is off by default for exactly that reason.<\/p><\/dd>\n
How are the disposable lists kept up to date?<\/h3><\/dt>\nTwo ways. Either install a fresh version of the plugin (each release bundles updated snapshots), or opt into the auto-update feature, which lets WP-Cron fetch the source URLs from GitHub on a schedule (hourly, twice-daily, daily, or weekly).<\/p><\/dd>\n
Can I dry-run before I switch on blocking?<\/h3><\/dt>\nYes. Set Mode to \"Log only\" \u2014 emails are recorded but no submissions are rejected. Or use \"Flag\" mode to allow signups but tag the user \/ order \/ comment for admin review.<\/p><\/dd>\n
What is \"Flag\" mode?<\/h3><\/dt>\nA non-destructive alternative to outright blocking. Submissions go through, but matching users get a wpcdeg_flagged<\/code> user meta and a \"Flagged\" column on the Users list, comments get a meta tag, and WooCommerce orders get an order note plus a \"Flagged\" column on the Orders list. Useful when you do not want to lock out potential Proton or Tutanota customers but still want to triage them.<\/p><\/dd>\nDoes it work with WooCommerce HPOS?<\/h3><\/dt>\nYes, both the legacy posts-table orders list and HPOS are supported.<\/p><\/dd>\n
Does it work with Contact Form 7 and Gravity Forms?<\/h3><\/dt>\nYes, built-in integration on both. For other form plugins (WPForms, Elementor Forms, Forminator, Fluent Forms, etc.), call the wpcdeg_check<\/code> filter from your form's email-validation hook.<\/p><\/dd>\nWhat happens if a remote list URL is unreachable when auto-update runs?<\/h3><\/dt>\nThe previous successful copy is kept (no data loss); the failure is recorded in the per-source meta. If no fetch has ever succeeded, the bundled snapshot continues to be used.<\/p><\/dd>\n
Will it slow down my site?<\/h3><\/dt>\nNo. Each email check is an O(1) lookup against an in-memory map, loaded once per request and cached for an hour.<\/p><\/dd>\n
Does the MX record check slow down sign-ups?<\/h3><\/dt>\nOnly the first lookup per domain \u2014 results are cached for 24 hours on success and 1 hour on failure. Most sign-ups hit the cache immediately. The check is opt-in and off by default.<\/p><\/dd>\n\n<\/dl>\n\n\n
1.0.2<\/h4>\n\n
Initial public release.<\/p>\n\n
\n- Five bundled disposable-email source snapshots, two enabled by default; works fully offline.<\/li>\n
- Three modes: block, flag, log only.<\/li>\n
- Optional anonymous-provider blocking, plus-addressing checks, dead-MX checks (all off by default).<\/li>\n
- WordPress integrations: registration, profile, comments, lost-password, multisite signup, programmatic user creation.<\/li>\n
- WooCommerce integrations: registration, checkout, My Account email change, product reviews, coupon-abuse blocker, auto-hold for flagged orders. HPOS and Cart\/Checkout Blocks compatible.<\/li>\n
- Built-in Contact Form 7 and Gravity Forms integration; generic
wpcdeg_check<\/code> filter for other form plugins.<\/li>\n- Custom block \/ allow lists with wildcard support.<\/li>\n
- Detection log with filters and CSV export, stats dashboard with 14-day chart, optional periodic email digest.<\/li>\n
- WP-CLI:
refresh<\/code>, test<\/code>, stats<\/code>, log<\/code>, sources<\/code>, clear-log<\/code>.<\/li>\n- CSV \/ TXT bulk import; settings JSON export and import.<\/li>\n
- Per-reason customizable user-facing messages; quiet-hour cron scheduling in site timezone.<\/li>\n<\/ul>","raw_excerpt":"Block disposable, burner, and temp-mail addresses on WordPress and WooCommerce sign-ups, comments, checkout, and any custom form. Works fully offline.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/nl.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/308381","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nl.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/nl.wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/nl.wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=308381"}],"author":[{"embeddable":true,"href":"https:\/\/nl.wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/wpcoretools"}],"wp:attachment":[{"href":"https:\/\/nl.wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=308381"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/nl.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=308381"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/nl.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=308381"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/nl.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=308381"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/nl.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=308381"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/nl.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=308381"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}