WPCoreTools Disposable Email Guard

This plugin refuses sign-ups, comments, checkouts, and form submissions when the email address belongs to a disposable, burner, or temp-mail service. All checks run on your own server against domain lists that ship inside the plugin file — no email address is ever sent to a third-party service, and the plugin does not contact any external server in its default configuration.

Five well-known community-maintained disposable-email lists are bundled as snapshots. Two are active out of the box (around 9,800 unique domains combined); three larger lists are available as opt-in for stricter coverage. An optional auto-update from the upstream GitHub URLs is also available, off by default.

What it detects

• Disposable and burner addresses (default ON) — Mailinator, YOPmail, Guerrilla Mail, 10minutemail, Temp-Mail, and similar services.
• Anonymous / privacy mail (default OFF) — Proton Mail, Tutanota, Mailbox.org, Posteo, StartMail, SimpleLogin, addy.io, DuckDuckGo Email Protection, Firefox Relay, Apple Hide My Email. Off by default because plenty of legitimate paying customers prefer these services.
• Plus-addressing aliases (default OFF) — user+tag@example.com style sub-addresses.
• Dead and no-MX domains (default OFF) — typos like gnail.com, parked or expired domains. One DNS lookup per new domain, then cached.
• Custom block and allow rules with wildcard patterns: *@spammer.com, *@*.ru, spam*@*.

Where it checks

WordPress core:

• Registration form
• Profile email change
• Comment author email (off by default)
• Programmatic user creation (wp_insert_user, REST API, WP-CLI, other plugins)
• Lost-password form
• Multisite signup form

WooCommerce:

• Customer registration
• Checkout (billing email)
• My Account → Edit Account email change
• Product reviews
• Coupon application — refuse coupons when the billing email is on a blocklist (anti-abuse safety net)

Form plugins:

• Contact Form 7 — built-in, no configuration needed
• Gravity Forms — built-in, no configuration needed
• Any other form plugin via the wpcdeg_check filter (one line of PHP from your form’s email-validation hook)

Three modes

• Block — reject the submission with a clear error message.
• Flag — let the submission through, but tag the user / comment / order with wpcdeg_flagged meta so you can review them in a list. Pairs with WooCommerce auto-hold and coupon refusal.
• Log only — record matches in the detection log without rejecting or tagging anything. Useful for a dry-run before turning enforcement on.

Domain lists

Five bundled snapshots are available, each toggled independently:

• disposable-email-domains (MIT) — ON by default, ~5,400 domains.
• 7c/fakefilter — ON by default, ~4,500 domains.
• groundcat/disposable-email-domain-list (MIT) — opt-in, ~27,000 domains.
• wesbos/burner-email-providers (MIT) — opt-in, ~27,000 domains.
• disposable/disposable-email-domains (MIT) — opt-in, ~72,000 domains.

Each ships as a snapshot inside the plugin (data/sources/{id}.txt) and is loaded from disk; no network call is required for any of them to function.

If you want the snapshots refreshed on a schedule from their GitHub raw URLs, an optional auto-update feature is available. It is off by default. See “External services” below for what is contacted and what is sent.

Tools

• Stats dashboard with a 14-day activity chart, per-reason breakdown, and top detected domains.
• WP Dashboard widget with the same at-a-glance summary.
• Detection log with date / reason / context filters and CSV export.
• Optional periodic email digest, daily or weekly.
• CSV / TXT bulk import for the blocklist and the allowlist.
• Settings JSON export and import for moving configuration between sites.
• WP-CLI: wp wpcdeg refresh / test / stats / log / sources / clear-log.
• HPOS and Cart/Checkout Blocks compatibility declarations.

Privacy

• No email address is ever sent to a third-party service.
• The plugin does not contact any external server in its default configuration.
• If you enable the optional auto-update feature, the plugin issues HTTPS GET requests to raw.githubusercontent.com for the source URLs you have selected. The request body is empty, the User-Agent is WPCoreToolsDisposableEmailGuard/<version>, and no email addresses, user data, or your site URL are transmitted. Full disclosure under “External services” below.
• The detection log stores the email address, domain, reason, and IP address locally for admin review. Retention is configurable from 7 to 365 days (default 90); a daily WP-Cron job purges older rows.
• On uninstall, all data is deleted only if you turned on the “Delete data on uninstall” setting.

External services

This plugin can optionally contact one external service. The feature is off by default and must be explicitly enabled via the setup wizard or the Lists tab (Settings → WPCoreTools Disposable Email Guard → Lists → “Auto-update from upstream sources”).

GitHub (raw.githubusercontent.com)

• What it is: GitHub serves the raw source files of five public, community-maintained lists of disposable-email domains. The plugin downloads only the list files; nothing else.
• What it is used for: Refreshing the bundled snapshots of the disposable-email lists you have selected, so your active blocklist stays current between plugin releases.
• When data is sent: Only when the “Auto-update from upstream sources” setting is enabled, and only on the schedule you configure (hourly / twice-daily / daily / weekly), or when you click the “Update now” button on the Lists tab.
• What is sent: One HTTPS GET request per enabled source URL. The request body is empty. The User-Agent is WPCoreToolsDisposableEmailGuard/<plugin-version>. No email addresses, user data, IP information beyond what GitHub’s CDN normally logs, or your site URL are transmitted.
• Where the requests go:
  • https://raw.githubusercontent.com/disposable-email-domains/disposable-email-domains/main/disposable_email_blocklist.conf
  • https://raw.githubusercontent.com/7c/fakefilter/main/txt/data.txt
  • https://raw.githubusercontent.com/groundcat/disposable-email-domain-list/master/domains.txt
  • https://raw.githubusercontent.com/wesbos/burner-email-providers/master/emails.txt
  • https://raw.githubusercontent.com/disposable/disposable-email-domains/master/domains.txt
• Service operator: GitHub, Inc.
• Terms of service: https://docs.github.com/en/site-policy/github-terms/github-terms-of-service
• Privacy statement: https://docs.github.com/en/site-policy/privacy-policies/github-general-privacy-statement

If you would rather not contact GitHub at all, leave “Auto-update from upstream sources” off (its default state). The bundled snapshots provide full functionality offline.

You may also add your own custom URLs on the Lists tab (e.g. an internal threat-feed URL or a private gist). Those URLs are contacted on the same schedule and follow the same rules; they are entirely under your control.