Page Authority - Allowed Domains
| 开发者 | twestford |
|---|---|
| 更新时间 | 2026年5月28日 02:10 |
| PHP版本: | 7.4 及以上 |
| WordPress版本: | 7.0 |
| 版权: | GPLv2 or later |
| 版权网址: | 版权信息 |
详情介绍:
Allowed Email Domains gives administrators a simple way to restrict WordPress user accounts to approved email domains.
The plugin is designed for sites where only users from specific organizations, companies, clients, or teams should be added as WordPress users.
Features include:
- Admin-managed allowed domain list
- Standard WordPress registration enforcement
- REST API user creation/update enforcement
- WooCommerce registration enforcement
- Existing User Audit tools
- Optional login enforcement
- Per-user unauthorized account removal with content reassignment
- Multisite-aware protections
- Lightweight architecture with no custom database tables
安装:
- Upload the zip file to
wp-content/plugins/ - Activate Allowed Email Domains in WordPress Admin
- Go to Users > Allowed Domains
- Add approved domains, one per line
屏幕截图:
常见问题:
What format should allowed domains use?
Enter one domain per line. Domains are normalized to begin with @.
Example:
@example.com
@company.org
@agency.net
What happens if the allowlist is empty?
If the allowlist is empty, all email domains are allowed.
Does this affect existing users?
Existing users are not automatically disabled, deleted, modified, or logged out. The Existing User Audit identifies existing users whose email domains are not currently allowed. Administrators can review those users individually.
Can unauthorized users be deleted?
Yes. The audit table includes per-user delete actions for unauthorized users. When a user owns posts or pages, a confirmation modal appears with a dropdown of compliant users (those whose email is on the allowlist) for content reassignment. Administrators can also choose to delete the user and all their content. Deletion actions are protected by nonce verification, capability checks, confirmation prompts, current-admin protection, multisite Super Admin protection, and a server-side failsafe that refuses to silently delete a user's content.
Can users with unauthorized domains be blocked from logging in?
Yes. Optional login enforcement can be enabled after reviewing the Existing User Audit. Login enforcement is disabled by default to avoid accidental lockouts.
Does this plugin create custom database tables?
No. The plugin stores settings using WordPress options and does not create custom database tables.
更新日志:
2.0.1
- Compatibility: confirmed compatibility with WordPress 7.0, updated "Tested up to" accordingly
- Feature: added a "Support" link next to the existing "GitHub" link on the Plugins screen, pointing to the plugin's WordPress.org support forum
- UX: the domain input on the settings page no longer implies the @ prefix is required. Placeholder and description now indicate that domains can be entered with or without the leading @. Validation behavior is unchanged
- Hardening: AJAX-driven user creation requests with an unauthorized email domain now receive a structured JSON error response (HTTP 403 with pageauth_invalid_domain code) instead of a full-page wp_die(), so third-party plugins that create users via admin-ajax can surface the error inline
- Compliance: renamed internal prefix from
paad_(4 characters) topageauth_(8 characters) across functions, constants, options, transients, user meta, nonces, AJAX actions, hooks, page slug, CSS classes, HTML IDs, and JavaScript data attributes. The new prefix is unique, brand-aligned, and far less likely to collide with any other plugin - Migration: existing allowlist, audit log, and login-blocking preference are migrated transparently on upgrade from either prior prefix (
paad_from 1.9.1 oraed_from 1.9.0 and earlier) - Compatibility: both legacy settings URLs (
users.php?page=aed-settingsandusers.php?page=paad-settings) now redirect to the currentpageauth-settingsslug - Cleanup:
uninstall.phpremoves both the current and all legacy option, transient, and user-meta keys, so removal is clean regardless of which version was last installed
- Compliance: renamed internal prefix from
aed_(3 characters) topaad_(4 characters) across functions, constants, options, transients, nonces, AJAX actions, page slug, CSS classes, and HTML IDs to meet WordPress.org Plugin Directory naming requirements. - Migration: existing allowlist, audit log, and login-blocking preference are migrated transparently on upgrade.
- Compatibility: legacy
users.php?page=aed-settingsURL now redirects to the newpaad-settingsslug. - Cleanup: rewrote
uninstall.phpto actually remove the options the plugin stores (the previous file targeted a key prefix that was never written), and added cleanup for legacyaed_*keys.
- Security: nonce verification now runs before capability checks and before any input processing in the audit-domain-add and user-delete handlers
- Security: programmatic user creation in admin context (admin-ajax, importers, REST in admin) is no longer silently allowed; only the user-edit/user-new screens defer to the inline error path
- Performance: existing-user audit query is paginated to avoid loading every user into memory on large sites
- Feature: deleting an unauthorized user who owns posts or pages now opens a confirmation modal with a dropdown of compliant users for content reassignment, or an explicit "delete content" option
- Feature: success notice when a domain is added directly from the audit
- Feature: clearer error notices for delete failures (missing user, current user, super admin, allowed-now, content-without-confirmation, invalid reassignment target)
- Hardening: server-side failsafe refuses to delete a user with owned content unless reassignment or explicit content-delete is specified
- Hardening: reassignment target is revalidated as a real, compliant user before deletion proceeds
- Cleanup: removed dead query-parameter handling, consistent input handling throughout
- Removed redundant GitHub plugin site link from the Plugins screen.
- Added GitHub plugin metadata link on the WordPress Plugins screen.
- Added Page Authority author URL metadata.
- Cleaned and consolidated changelog entries
- Updated WordPress.org plugin slug and text domain compatibility
- Fixed automated scan compatibility issues
- Renamed plugin to "Page Authority - Allowed Domains"
- Added unauthorized user audit tools
- Added quick actions for adding domains and deleting users
- Added login enforcement protections for unauthorized domains
- Added WooCommerce, REST API, and multisite enforcement support
- Added GitHub update compatibility support
- Improved admin navigation and documentation
- Improved validation, admin UX, and security handling
- Added uninstall cleanup and compatibility metadata
- Initial plugin release