WPCoreTools Disposable Email Guard
| 开发者 | wpcoretools |
|---|---|
| 更新时间 | 2026年5月10日 05:37 |
| PHP版本: | 7.4 及以上 |
| WordPress版本: | 7.0 |
| 版权: | GPLv2 or later |
| 版权网址: | 版权信息 |
详情介绍:
- Disposable and burner addresses (default ON) — Mailinator, YOPmail, Guerrilla Mail, 10minutemail, Temp-Mail, and similar services.
- Anonymous / privacy mail (default OFF) — Proton Mail, Tutanota, Mailbox.org, Posteo, StartMail, SimpleLogin, addy.io, DuckDuckGo Email Protection, Firefox Relay, Apple Hide My Email. Off by default because plenty of legitimate paying customers prefer these services.
- Plus-addressing aliases (default OFF) —
user+tag@example.comstyle sub-addresses. - Dead and no-MX domains (default OFF) — typos like
gnail.com, parked or expired domains. One DNS lookup per new domain, then cached. - Custom block and allow rules with wildcard patterns:
*@spammer.com,*@*.ru,spam*@*.
- Registration form
- Profile email change
- Comment author email (off by default)
- Programmatic user creation (
wp_insert_user, REST API, WP-CLI, other plugins) - Lost-password form
- Multisite signup form
- Customer registration
- Checkout (billing email)
- My Account → Edit Account email change
- Product reviews
- Coupon application — refuse coupons when the billing email is on a blocklist (anti-abuse safety net)
- Contact Form 7 — built-in, no configuration needed
- Gravity Forms — built-in, no configuration needed
- Any other form plugin via the
wpcdeg_checkfilter (one line of PHP from your form's email-validation hook)
- Block — reject the submission with a clear error message.
- Flag — let the submission through, but tag the user / comment / order with
wpcdeg_flaggedmeta so you can review them in a list. Pairs with WooCommerce auto-hold and coupon refusal. - Log only — record matches in the detection log without rejecting or tagging anything. Useful for a dry-run before turning enforcement on.
disposable-email-domains(MIT) — ON by default, ~5,400 domains.7c/fakefilter— ON by default, ~4,500 domains.groundcat/disposable-email-domain-list(MIT) — opt-in, ~27,000 domains.wesbos/burner-email-providers(MIT) — opt-in, ~27,000 domains.disposable/disposable-email-domains(MIT) — opt-in, ~72,000 domains.
data/sources/{id}.txt) and is loaded from disk; no network call is required for any of them to function.
If you want the snapshots refreshed on a schedule from their GitHub raw URLs, an optional auto-update feature is available. It is off by default. See "External services" below for what is contacted and what is sent.
Tools
- Stats dashboard with a 14-day activity chart, per-reason breakdown, and top detected domains.
- WP Dashboard widget with the same at-a-glance summary.
- Detection log with date / reason / context filters and CSV export.
- Optional periodic email digest, daily or weekly.
- CSV / TXT bulk import for the blocklist and the allowlist.
- Settings JSON export and import for moving configuration between sites.
- WP-CLI:
wp wpcdeg refresh / test / stats / log / sources / clear-log. - HPOS and Cart/Checkout Blocks compatibility declarations.
- No email address is ever sent to a third-party service.
- The plugin does not contact any external server in its default configuration.
- If you enable the optional auto-update feature, the plugin issues HTTPS GET requests to
raw.githubusercontent.comfor the source URLs you have selected. The request body is empty, the User-Agent isWPCoreToolsDisposableEmailGuard/<version>, and no email addresses, user data, or your site URL are transmitted. Full disclosure under "External services" below. - The detection log stores the email address, domain, reason, and IP address locally for admin review. Retention is configurable from 7 to 365 days (default 90); a daily WP-Cron job purges older rows.
- On uninstall, all data is deleted only if you turned on the "Delete data on uninstall" setting.
安装:
- Upload the plugin folder to
/wp-content/plugins/, or install it via Plugins → Add New. - Activate the plugin.
- Visit Settings → WPCoreTools Disposable Email Guard. The first-time setup wizard runs automatically.
常见问题:
Does this send my visitors' email addresses to an external service?
No. Every check runs locally against domain lists that ship inside the plugin file. By default the plugin makes no outbound connections at all.
Does the plugin contact GitHub or any other server in its default configuration?
No. The bundled snapshots are loaded from disk. The optional auto-update feature, which would contact GitHub to refresh those snapshots, is off by default and must be enabled in the setup wizard or the Lists tab. See "External services" for the full disclosure.
Will this block legitimate Proton Mail or Tutanota users?
Only if you turn on the "Anonymous / privacy providers" toggle. It is off by default for exactly that reason.
How are the disposable lists kept up to date?
Two ways. Either install a fresh version of the plugin (each release bundles updated snapshots), or opt into the auto-update feature, which lets WP-Cron fetch the source URLs from GitHub on a schedule (hourly, twice-daily, daily, or weekly).
Can I dry-run before I switch on blocking?
Yes. Set Mode to "Log only" — emails are recorded but no submissions are rejected. Or use "Flag" mode to allow signups but tag the user / order / comment for admin review.
What is "Flag" mode?
A non-destructive alternative to outright blocking. Submissions go through, but matching users get a wpcdeg_flagged user meta and a "Flagged" column on the Users list, comments get a meta tag, and WooCommerce orders get an order note plus a "Flagged" column on the Orders list. Useful when you do not want to lock out potential Proton or Tutanota customers but still want to triage them.
Does it work with WooCommerce HPOS?
Yes, both the legacy posts-table orders list and HPOS are supported.
Does it work with Contact Form 7 and Gravity Forms?
Yes, built-in integration on both. For other form plugins (WPForms, Elementor Forms, Forminator, Fluent Forms, etc.), call the wpcdeg_check filter from your form's email-validation hook.
What happens if a remote list URL is unreachable when auto-update runs?
The previous successful copy is kept (no data loss); the failure is recorded in the per-source meta. If no fetch has ever succeeded, the bundled snapshot continues to be used.
Will it slow down my site?
No. Each email check is an O(1) lookup against an in-memory map, loaded once per request and cached for an hour.
Does the MX record check slow down sign-ups?
Only the first lookup per domain — results are cached for 24 hours on success and 1 hour on failure. Most sign-ups hit the cache immediately. The check is opt-in and off by default.
更新日志:
- Five bundled disposable-email source snapshots, two enabled by default; works fully offline.
- Three modes: block, flag, log only.
- Optional anonymous-provider blocking, plus-addressing checks, dead-MX checks (all off by default).
- WordPress integrations: registration, profile, comments, lost-password, multisite signup, programmatic user creation.
- WooCommerce integrations: registration, checkout, My Account email change, product reviews, coupon-abuse blocker, auto-hold for flagged orders. HPOS and Cart/Checkout Blocks compatible.
- Built-in Contact Form 7 and Gravity Forms integration; generic
wpcdeg_checkfilter for other form plugins. - Custom block / allow lists with wildcard support.
- Detection log with filters and CSV export, stats dashboard with 14-day chart, optional periodic email digest.
- WP-CLI:
refresh,test,stats,log,sources,clear-log. - CSV / TXT bulk import; settings JSON export and import.
- Per-reason customizable user-facing messages; quiet-hour cron scheduling in site timezone.