Title: WPCoreTools Disposable Email Guard
Author: Wp Core Tools
Published: May 9, 2026
Last modified: May 9, 2026
---
Search plugins
# WPCoreTools Disposable Email Guard
By [Wp Core Tools](https://profiles.wordpress.org/wpcoretools/)
[Download](https://downloads.wordpress.org/plugin/wpcoretools-disposable-email-guard.1.0.2.zip)
* [Details](https://wordpress.org/plugins/wpcoretools-disposable-email-guard/#description)
* [Reviews](https://wordpress.org/plugins/wpcoretools-disposable-email-guard/#reviews)
* [Installation](https://wordpress.org/plugins/wpcoretools-disposable-email-guard/#installation)
* [Development](https://wordpress.org/plugins/wpcoretools-disposable-email-guard/#developers)
[Support](https://wordpress.org/support/plugin/wpcoretools-disposable-email-guard/)
## Description
This plugin refuses sign-ups, comments, checkouts, and form submissions when the
email address belongs to a disposable, burner, or temp-mail service. All checks
run on your own server against domain lists that ship inside the plugin file — no
email address is ever sent to a third-party service, and the plugin does not contact
any external server in its default configuration.
Five well-known community-maintained disposable-email lists are bundled as snapshots.
Two are active out of the box (around 9,800 unique domains combined); three larger
lists are available as opt-in for stricter coverage. An optional auto-update from
the upstream GitHub URLs is also available, off by default.
#### What it detects
* Disposable and burner addresses (default ON) — Mailinator, YOPmail, Guerrilla
Mail, 10minutemail, Temp-Mail, and similar services.
* Anonymous / privacy mail (default OFF) — Proton Mail, Tutanota, Mailbox.org,
Posteo, StartMail, SimpleLogin, addy.io, DuckDuckGo Email Protection, Firefox
Relay, Apple Hide My Email. Off by default because plenty of legitimate paying
customers prefer these services.
* Plus-addressing aliases (default OFF) — `user+tag@example.com` style sub-addresses.
* Dead and no-MX domains (default OFF) — typos like `gnail.com`, parked or expired
domains. One DNS lookup per new domain, then cached.
* Custom block and allow rules with wildcard patterns: `*@spammer.com`, `*@*.ru`,`
spam*@*`.
#### Where it checks
WordPress core:
* Registration form
* Profile email change
* Comment author email (off by default)
* Programmatic user creation (`wp_insert_user`, REST API, WP-CLI, other plugins)
* Lost-password form
* Multisite signup form
WooCommerce:
* Customer registration
* Checkout (billing email)
* My Account Edit Account email change
* Product reviews
* Coupon application — refuse coupons when the billing email is on a blocklist (
anti-abuse safety net)
Form plugins:
* Contact Form 7 — built-in, no configuration needed
* Gravity Forms — built-in, no configuration needed
* Any other form plugin via the `wpcdeg_check` filter (one line of PHP from your
form’s email-validation hook)
#### Three modes
* **Block** — reject the submission with a clear error message.
* **Flag** — let the submission through, but tag the user / comment / order with`
wpcdeg_flagged` meta so you can review them in a list. Pairs with WooCommerce
auto-hold and coupon refusal.
* **Log only** — record matches in the detection log without rejecting or tagging
anything. Useful for a dry-run before turning enforcement on.
#### Domain lists
Five bundled snapshots are available, each toggled independently:
* `disposable-email-domains` (MIT) — ON by default, ~5,400 domains.
* `7c/fakefilter` — ON by default, ~4,500 domains.
* `groundcat/disposable-email-domain-list` (MIT) — opt-in, ~27,000 domains.
* `wesbos/burner-email-providers` (MIT) — opt-in, ~27,000 domains.
* `disposable/disposable-email-domains` (MIT) — opt-in, ~72,000 domains.
Each ships as a snapshot inside the plugin (`data/sources/{id}.txt`) and is loaded
from disk; no network call is required for any of them to function.
If you want the snapshots refreshed on a schedule from their GitHub raw URLs, an
optional auto-update feature is available. It is off by default. See “External services”
below for what is contacted and what is sent.
#### Tools
* Stats dashboard with a 14-day activity chart, per-reason breakdown, and top detected
domains.
* WP Dashboard widget with the same at-a-glance summary.
* Detection log with date / reason / context filters and CSV export.
* Optional periodic email digest, daily or weekly.
* CSV / TXT bulk import for the blocklist and the allowlist.
* Settings JSON export and import for moving configuration between sites.
* WP-CLI: `wp wpcdeg refresh / test / stats / log / sources / clear-log`.
* HPOS and Cart/Checkout Blocks compatibility declarations.
#### Privacy
* No email address is ever sent to a third-party service.
* The plugin does not contact any external server in its default configuration.
* If you enable the optional auto-update feature, the plugin issues HTTPS GET requests
to `raw.githubusercontent.com` for the source URLs you have selected. The request
body is empty, the User-Agent is `WPCoreToolsDisposableEmailGuard/`,
and no email addresses, user data, or your site URL are transmitted. Full disclosure
under “External services” below.
* The detection log stores the email address, domain, reason, and IP address locally
for admin review. Retention is configurable from 7 to 365 days (default 90);
a daily WP-Cron job purges older rows.
* On uninstall, all data is deleted only if you turned on the “Delete data on uninstall”
setting.
### External services
This plugin can optionally contact one external service. The feature is **off by
default** and must be explicitly enabled via the setup wizard or the Lists tab (
Settings WPCoreTools Disposable Email Guard Lists “Auto-update from upstream
sources”).
#### GitHub (raw.githubusercontent.com)
* **What it is:** GitHub serves the raw source files of five public, community-
maintained lists of disposable-email domains. The plugin downloads only the list
files; nothing else.
* **What it is used for:** Refreshing the bundled snapshots of the disposable-email
lists you have selected, so your active blocklist stays current between plugin
releases.
* **When data is sent:** Only when the “Auto-update from upstream sources” setting
is enabled, and only on the schedule you configure (hourly / twice-daily / daily/
weekly), or when you click the “Update now” button on the Lists tab.
* **What is sent:** One HTTPS GET request per enabled source URL. The request body
is empty. The User-Agent is `WPCoreToolsDisposableEmailGuard/`.
No email addresses, user data, IP information beyond what GitHub’s CDN normally
logs, or your site URL are transmitted.
* **Where the requests go:**
- `https://raw.githubusercontent.com/disposable-email-domains/disposable-email-
domains/main/disposable_email_blocklist.conf`
- `https://raw.githubusercontent.com/7c/fakefilter/main/txt/data.txt`
- `https://raw.githubusercontent.com/groundcat/disposable-email-domain-list/
master/domains.txt`
- `https://raw.githubusercontent.com/wesbos/burner-email-providers/master/emails.
txt`
- `https://raw.githubusercontent.com/disposable/disposable-email-domains/master/
domains.txt`
* **Service operator:** GitHub, Inc.
* **Terms of service:** https://docs.github.com/en/site-policy/github-terms/github-
terms-of-service
* **Privacy statement:** https://docs.github.com/en/site-policy/privacy-policies/
github-general-privacy-statement
If you would rather not contact GitHub at all, leave “Auto-update from upstream
sources” off (its default state). The bundled snapshots provide full functionality
offline.
You may also add your own custom URLs on the Lists tab (e.g. an internal threat-
feed URL or a private gist). Those URLs are contacted on the same schedule and follow
the same rules; they are entirely under your control.
## Installation
1. Upload the plugin folder to `/wp-content/plugins/`, or install it via Plugins
Add New.
2. Activate the plugin.
3. Visit Settings WPCoreTools Disposable Email Guard. The first-time setup wizard
runs automatically.
The bundled domain lists are active immediately on activation; the plugin works
fully offline. Anonymous-provider blocking, plus-addressing checks, dead-domain
MX checks, and the optional auto-update of source snapshots are all off by default
and must be enabled explicitly.
## FAQ
### Does this send my visitors’ email addresses to an external service?
No. Every check runs locally against domain lists that ship inside the plugin file.
By default the plugin makes no outbound connections at all.
### Does the plugin contact GitHub or any other server in its default configuration?
No. The bundled snapshots are loaded from disk. The optional auto-update feature,
which would contact GitHub to refresh those snapshots, is off by default and must
be enabled in the setup wizard or the Lists tab. See “External services” for the
full disclosure.
### Will this block legitimate Proton Mail or Tutanota users?
Only if you turn on the “Anonymous / privacy providers” toggle. It is off by default
for exactly that reason.
### How are the disposable lists kept up to date?
Two ways. Either install a fresh version of the plugin (each release bundles updated
snapshots), or opt into the auto-update feature, which lets WP-Cron fetch the source
URLs from GitHub on a schedule (hourly, twice-daily, daily, or weekly).
### Can I dry-run before I switch on blocking?
Yes. Set Mode to “Log only” — emails are recorded but no submissions are rejected.
Or use “Flag” mode to allow signups but tag the user / order / comment for admin
review.
### What is “Flag” mode?
A non-destructive alternative to outright blocking. Submissions go through, but
matching users get a `wpcdeg_flagged` user meta and a “Flagged” column on the Users
list, comments get a meta tag, and WooCommerce orders get an order note plus a “
Flagged” column on the Orders list. Useful when you do not want to lock out potential
Proton or Tutanota customers but still want to triage them.
### Does it work with WooCommerce HPOS?
Yes, both the legacy posts-table orders list and HPOS are supported.
### Does it work with Contact Form 7 and Gravity Forms?
Yes, built-in integration on both. For other form plugins (WPForms, Elementor Forms,
Forminator, Fluent Forms, etc.), call the `wpcdeg_check` filter from your form’s
email-validation hook.
### What happens if a remote list URL is unreachable when auto-update runs?
The previous successful copy is kept (no data loss); the failure is recorded in
the per-source meta. If no fetch has ever succeeded, the bundled snapshot continues
to be used.
### Will it slow down my site?
No. Each email check is an O(1) lookup against an in-memory map, loaded once per
request and cached for an hour.
### Does the MX record check slow down sign-ups?
Only the first lookup per domain — results are cached for 24 hours on success and
1 hour on failure. Most sign-ups hit the cache immediately. The check is opt-in
and off by default.
## Reviews
There are no reviews for this plugin.
## Contributors & Developers
“WPCoreTools Disposable Email Guard” is open source software. The following people
have contributed to this plugin.
Contributors
* [ Wp Core Tools ](https://profiles.wordpress.org/wpcoretools/)
[Translate “WPCoreTools Disposable Email Guard” into your language.](https://translate.wordpress.org/projects/wp-plugins/wpcoretools-disposable-email-guard)
### Interested in development?
[Browse the code](https://plugins.trac.wordpress.org/browser/wpcoretools-disposable-email-guard/),
check out the [SVN repository](https://plugins.svn.wordpress.org/wpcoretools-disposable-email-guard/),
or subscribe to the [development log](https://plugins.trac.wordpress.org/log/wpcoretools-disposable-email-guard/)
by [RSS](https://plugins.trac.wordpress.org/log/wpcoretools-disposable-email-guard/?limit=100&mode=stop_on_copy&format=rss).
## Changelog
#### 1.0.2
Initial public release.
* Five bundled disposable-email source snapshots, two enabled by default; works
fully offline.
* Three modes: block, flag, log only.
* Optional anonymous-provider blocking, plus-addressing checks, dead-MX checks (
all off by default).
* WordPress integrations: registration, profile, comments, lost-password, multisite
signup, programmatic user creation.
* WooCommerce integrations: registration, checkout, My Account email change, product
reviews, coupon-abuse blocker, auto-hold for flagged orders. HPOS and Cart/Checkout
Blocks compatible.
* Built-in Contact Form 7 and Gravity Forms integration; generic `wpcdeg_check`
filter for other form plugins.
* Custom block / allow lists with wildcard support.
* Detection log with filters and CSV export, stats dashboard with 14-day chart,
optional periodic email digest.
* WP-CLI: `refresh`, `test`, `stats`, `log`, `sources`, `clear-log`.
* CSV / TXT bulk import; settings JSON export and import.
* Per-reason customizable user-facing messages; quiet-hour cron scheduling in site
timezone.
## Meta
* Version **1.0.2**
* Last updated **16 hours ago**
* Active installations **Fewer than 10**
* WordPress version ** 6.2 or higher **
* Tested up to **7.0**
* PHP version ** 7.4 or higher **
* Tags
* [anti-spam](https://wordpress.org/plugins/tags/anti-spam/)[disposable email](https://wordpress.org/plugins/tags/disposable-email/)
[email validation](https://wordpress.org/plugins/tags/email-validation/)[temporary email](https://wordpress.org/plugins/tags/temporary-email/)
* [Advanced View](https://wordpress.org/plugins/wpcoretools-disposable-email-guard/advanced/)
## Ratings
No reviews have been submitted yet.
[Your review](https://wordpress.org/support/plugin/wpcoretools-disposable-email-guard/reviews/#new-post)
[See all reviews](https://wordpress.org/support/plugin/wpcoretools-disposable-email-guard/reviews/)
## Contributors
* [ Wp Core Tools ](https://profiles.wordpress.org/wpcoretools/)
## Support
Got something to say? Need help?
[View support forum](https://wordpress.org/support/plugin/wpcoretools-disposable-email-guard/)