Free on WordPress.org

Disposable Email Guard

Stop fake sign-ups, fraudulent checkouts, and welcome-coupon abuse on your WordPress site or WooCommerce store. Blocks throwaway emails like Mailinator, 10MinuteMail, and Guerrilla Mail across registrations, checkouts, comments, and contact forms — with everything running on your own server. No subscription, no third-party API, GDPR-friendly by design.

Download Free on WordPress.org
GDPR-friendly
No third-party API
WooCommerce ready
Free & GPL, no account
Disposable Email Guard
Dashboard Block Log Settings
🛡
2,184
Blocked (30d)
🚨
147
Today
🌐
9,128
Active Domains
Last 14 days
Disposable: 1,847 (85%)
Anonymous: 248 (11%)
Dead-MX: 89 (4%)
mailinator.com 412
10minutemail.com 287
guerrillamail.com 198
yopmail.com 154

GDPR-Friendly by Design

Every check runs on your own server against a list stored locally — visitor emails never leave your site. No third-party processor, no data-processing agreement, nothing extra to add to your privacy policy. Same goes for CCPA, UK GDPR, LGPD, and PIPEDA.

Updates on Your Terms

Five domain lists ship as snapshots inside the plugin, so protection works fully offline from day one. If you want them refreshed automatically, opt into a daily update from the upstream sources — off by default, your call.

You Choose How Strict

Block fake sign-ups outright, let them through but flag them for review, or just quietly log everything to see what would have been blocked — without changing anything yet.

Built for WooCommerce

Protects your checkout, customer accounts, product reviews, and even coupon redemption — stopping the classic "burner email to claim the welcome offer again" trick.

Everything You Need to Stop Fake Sign-Ups

A baker’s dozen of practical features built for real WordPress and WooCommerce sites. Free forever, no upgrades to unlock, nothing held back behind a Pro tier.

Massive Built-In Blocklist

Free

About 9,800 known disposable services from day one (two trusted lists are switched on by default). Adding three more bundled sources takes the count above 100,000. Mailinator, 10MinuteMail, Guerrilla Mail, Yopmail, Temp-Mail and thousands more — all bundled inside the plugin, optional daily auto-update from upstream.

Block, Flag, or Just Watch

Free

Three modes to match your comfort level. Block stops fake sign-ups outright. Flag lets them through but tags them for review. Log silently records what would be blocked — perfect for testing before going live.

Anonymous Mail (Optional)

Free

Optionally block Proton Mail, Tutanota, SimpleLogin, Apple Hide My Email, Firefox Relay, DuckDuckGo Email, and other privacy services. Off by default — you decide whether to allow them.

Typo & Dead-Domain Catcher

Free

Spots fake-looking addresses like gnail.com or hotmial.com, plus expired and parked domains, by checking that the domain actually accepts mail. Optional — falls back gracefully if the lookup fails.

Full WooCommerce Protection

Free

Stops disposable emails at checkout, customer registration, the My Account email change, and product reviews. Works with classic checkout, the new block-based checkout, and HPOS — nothing to configure.

Coupon Abuse Blocker

Free

Refuses a coupon when the billing email is on a blocklist — even if the order itself is allowed through. Stops the common scam of grabbing a fresh disposable email to redeem the same welcome coupon again and again.

Auto-Hold Flagged Orders

Free

Set any order placed with a flagged email to On hold automatically, so it stops at your desk for a manual review before fulfilment. Pairs perfectly with Flag mode for stores that don’t want hard rejections.

Your Own Block & Allow Lists

Free

Add custom rules with simple wildcards: block an entire domain, block a whole country code, or block specific username patterns. The allow list always wins, so you can whitelist trusted addresses with one click.

At-a-Glance Dashboard

Free

See the last 14 days of blocked sign-ups as a simple chart, plus top blocked domains and a breakdown by reason. There’s also a compact widget right on your main WordPress dashboard.

Daily / Weekly Email Digest

Free

A colourful, mobile-friendly summary lands in your inbox — how many sign-ups were blocked, where they came from, and which domains tried hardest. Know your gates are working without ever logging in.

Detailed Block Log

Free

Every match is recorded with the email, the reason, and where it happened. Filter by date, reason, or location, then export to a CSV file for offline review or auditor sign-off.

Works With Your Forms

Free

Built-in support for Contact Form 7 and Gravity Forms — just flip the switch. WPForms, Elementor Forms, Forminator, and Fluent Forms slot in with a single line of code.

Set Once, Forget About It

Free

A 60-second wizard gets you live with sensible defaults. Blocklists refresh in the middle of the night so they never slow down your busy hours, and the digest keeps you in the loop.

How It Compares

Three other ways store owners and bloggers usually deal with disposable emails — paid validation APIs, small free WordPress plugins, and the email-validation feature that ships with some form builders. Here’s how each stacks up.

Paid validation APIs

ZeroBounce, Verifalia, NeverBounce, Kickbox & co.

Cloud services that charge per email check. You get a paid API key, drop it into a WordPress connector, and every sign-up triggers an outbound API call.

  • ~$0.005 to $0.015 per check — 100k sign-ups becomes $500 to $1,500 a year.
  • Sends every visitor email to a third party — needs a DPA and a privacy-policy update.
  • Stops working if your site can’t reach the API (or if your account credit runs out).
  • No WooCommerce coupon-abuse logic, no “flag for review” mode, no admin block log on your own site.
Disposable Email Guard

Self-hosted, GDPR-friendly, free forever

The whole engine ships in the plugin. Five domain lists are bundled as snapshots that load from disk, the lookup runs in your PHP process, and the WooCommerce-specific protections (coupon refusal, auto-hold) come built in. Auto-updating snapshots from the upstream GitHub URLs is optional.

  • $0 per check, $0 per year — same price for 100 sign-ups or 100,000.
  • No third-party processor — nothing to add to your privacy policy, GDPR/CCPA/UK-GDPR/LGPD/PIPEDA-friendly.
  • Works fully offline — ~9,800 services covered out of the box, expandable past 100,000 with three more bundled sources.
  • Block / Flag / Log modes, coupon-abuse blocker, auto-hold flagged orders, dashboard, digest, CSV export.
Free single-purpose plugins

“Block Temporary Email”-style plugins

Tiny free plugins that ship with a hard-coded list of a few hundred domains. Cheap to install, easy to outgrow.

  • Hard-coded list of ~500 domains, often last updated years ago.
  • No automatic refresh — you have to redeploy the plugin to get new entries.
  • Usually only checks the WordPress register form — no WooCommerce checkout, account, reviews, or coupons.
  • No dashboard, no log, no flag/log mode, no email digest, no wildcards.
Form builder built-ins

Forminator, Fluent Forms, Gravity add-ons

Some form builders include a per-form email-validator field, sometimes wired up to a paid API or to a tiny built-in list.

  • Only protects forms inside that one plugin — WP register, profile email, comments, WooCommerce checkout are not covered.
  • You configure each form separately — no central list or block log, no site-wide policy.
  • If the upstream API is paid, the per-check cost stacks up the same as a standalone validator.
  • No coupon abuse blocking, no flagged-order workflow, no detection log.
Feature Disposable Email Guard Paid validation APIs
ZeroBounce, Verifalia, Kickbox		 Free single-purpose plugins
e.g. “Block Temporary Email”		 Form-builder built-ins
Forminator, Fluent Forms
Privacy & cost
Visitor emails leave your site Never Yes, every check Never Sometimes (depends on backend)
GDPR / DPA paperwork required No — nothing to add DPA + policy update No Only if you wire it to a paid API
Cost per email check $0 ~$0.005–$0.015 $0 $0–$0.015 (depends on backend)
Yearly cost at 100k sign-ups $0 $500–$1,500 $0 $0–$1,500
Works on private / staging / firewalled sites Yes — runs locally Needs outbound API access Yes Local only if list is bundled
Detection coverage
Domains blocked out of the box ~9,800 (two on-by-default lists) Provider-managed ~500, hard-coded A few hundred to none
Daily auto-update of lists Optional — opt-in Provider handles it Plugin update only Plugin update only
Anonymous / privacy mail (Proton, Tuta, SimpleLogin, etc.) Optional, on/off toggle Rarely — varies by provider No No
Plus-aliases (you+anything@gmail.com) Optional toggle No No No
Typo / dead-MX / parked domain check Optional, cached 24h Usually included No No
Custom wildcard rules (*@*.ru, spam*@*) Full wildcard syntax Whole domains only Whole domains only Whole domains only
WordPress & WooCommerce coverage
Protects WP register / profile / comments / lost-pw All five, individually toggleable Only via custom code Register only, usually Form-only
WooCommerce checkout (classic + blocks + HPOS) Yes, all three Via custom hook No No
WooCommerce coupon-abuse blocker Yes — refuses coupons on flagged emails No No No
Auto-set flagged orders to On hold Yes No No No
“Flagged” column + filter on WC orders screen Classic and HPOS No No No
Workflow & visibility
Flag for review (allow but tag) instead of blocking Yes No No No
Silent “Log only” mode for safe roll-out Yes No No No
Detection log with filters & CSV export Yes — date / reason / location In their dashboard No No
WP dashboard widget + 14-day chart Yes No No No
Daily / weekly email digest Yes In their dashboard No No
WP-CLI commands Yes No No No

Pricing & positioning of named third parties is based on publicly stated information at the time of writing and is shown for comparison only — trademarks belong to their respective owners.

Free. Always.

Cloud validators charge per email check, hardcoded-list plugins ship a dusty list and call it done. Disposable Email Guard bundles every feature in a single GPL plugin — no Pro tier, no API key, no account.

Everything Included

Free Forever

$0
no account, no key, no upgrade
  • ~9,800 disposable services blocked from day one
  • Daily list refresh, fully automatic (expandable to 100k+)
  • GDPR-friendly — visitor emails never leave your site
  • Block, Flag, or silent Log modes
  • Optional anonymous-mail blocking (Proton, Tuta, etc.)
  • Optional typo & dead-domain check
  • Protects WP register, profile, comments, lost-password
  • Full WooCommerce checkout, account & review protection
  • Coupon-abuse blocker for welcome-coupon farming
  • Auto-hold flagged orders for manual review
  • “Flagged” column & filter on WC orders (HPOS-ready)
  • Custom block / allow lists with wildcard support
  • 14-day stats dashboard + WP dashboard widget
  • Detailed block log with date / reason filters & CSV export
  • Colourful daily or weekly email digest
  • Contact Form 7 & Gravity Forms support built in
  • Bulk-import from CSV / TXT, settings backup & restore
  • WP-CLI commands for ops teams
Download Free on WordPress.org

Frequently Asked Questions

Everything you need to know about blocking fake email sign-ups on your WordPress site.

Privacy, GDPR & performance

Is the plugin GDPR-friendly?

Yes. Every check runs on your own server against a list stored locally, so no visitor email ever leaves your site, no third-party processor is involved, and there is nothing extra to add to your privacy policy or your DPAs. The same applies to CCPA / CPRA, UK GDPR, LGPD, and PIPEDA. The only outbound traffic is one daily request to download the public domain blocklist files — those requests contain no visitor data, just a regular file download.

Are my visitors’ emails sent to a third party?

Never. Validation is purely a local lookup against a file your site already downloaded. Compare that with paid services like ZeroBounce or Verifalia, which send every checked address to their cloud and bill you per check.

Will it slow down my site?

No noticeable impact. Each email check takes a fraction of a millisecond because the plugin keeps the blocklist in memory rather than hitting a database or an external API. Even a list of 100,000 domains is checked instantly.

Does the dead-domain check slow down sign-ups?

Only the very first time anyone signs up from a particular domain. After that the result is cached for 24 hours so repeat sign-ups from the same domain are checked instantly. The check is also optional and off by default, and if it ever fails it allows the email through rather than blocking it.

What if my server can’t reach the update lists?

Nothing breaks. All five lists ship as bundled snapshots inside the plugin and load from disk — protection is active from day one with no internet required. The optional auto-update feature simply skips a failed fetch and keeps the previous successful copy until the next attempt succeeds.

How many services does it actually block out of the box?

About 9,800 distinct disposable services are covered the moment you finish the wizard, because two trusted lists are switched on by default and load from snapshots inside the plugin. If you want them refreshed automatically from the upstream GitHub URLs, opt into the daily auto-update on the Lists tab (off by default). Want broader coverage right now? Enable three more bundled sources from the same screen, taking the total above 100,000 domains.

Choosing How Strict to Be

What's the difference between Block, Flag, and Log?

Block stops the sign-up immediately and shows the visitor an error message. Flag lets the sign-up through but tags it in your admin so you can review or remove it later. Log silently records every match without changing anything — ideal for testing the plugin before turning it on for real.

Can I try it without affecting real sign-ups?

Yes — set the mode to "Log only". The plugin will record every match in the dashboard and log without rejecting anyone. After a few days you'll have a clear picture of what would have been blocked, and you can switch to Block or Flag with confidence.

Will it block legitimate Proton Mail or Tutanota users?

Only if you choose to. Anonymous email services like Proton and Tutanota are off by default, so legitimate users on those services aren't affected unless you turn the option on. Even then, you can add specific email addresses to your allow list to let them through.

How do the custom block and allow lists work?

You can add specific addresses (spammer@example.com) or use simple wildcards: *@example.com blocks every address from that domain, *@*.ru blocks every .ru domain, and spam*@* blocks any address whose username starts with "spam". The allow list always wins, so you can whitelist exceptions to your own rules.

WooCommerce

How does it integrate with WooCommerce?

It checks the email at every place WooCommerce uses one: customer registration, checkout (billing email), the My Account page when a customer changes their email, and product reviews. It works with both the classic checkout and the newer block-based checkout.

What does the coupon abuse blocker do?

It refuses to apply a coupon if the billing email at checkout is a known disposable address — even if your overall mode is set to Flag or Log. This stops the very common pattern where someone keeps grabbing a fresh throwaway email to redeem the same “first-time customer” coupon. You can turn it off in one click if you don’t need it.

What does “auto-hold flagged orders” do?

If you run in Flag mode (or a flagged email slips through because it was added to a list later), the plugin can automatically set the order’s status to On hold the moment it’s created. That stops auto-fulfilment and gives you a chance to review the order before it ships. It pairs especially well with stores that don’t want to hard-block customers at checkout but still want a safety net.

Where do flagged orders show up in the admin?

Right in your normal WooCommerce orders list. A new “Flagged” column shows a coloured badge next to any order placed with a suspicious email, and a filter dropdown lets you see only flagged orders. Works with both classic and HPOS orders.

Does it work with HPOS (the new orders system)?

Yes. The plugin works with both the classic WooCommerce orders storage and the newer High-Performance Order Storage (HPOS), as well as the older classic checkout and the new block-based checkout. No configuration needed — it just works with whichever you're using.

Forms & Other Plugins

Does it work with Contact Form 7 and Gravity Forms?

Yes — both are supported out of the box. Just turn the relevant toggle on in the settings and emails submitted through your forms will be checked the same way as registrations and checkouts. Whichever mode you've chosen (Block, Flag, or Log) applies to forms too.

What about WPForms, Elementor, Forminator, or Fluent Forms?

These work too, with one line of code from a developer. Each form plugin has its own way of validating fields, so we provide a simple hook your developer (or your developer-friend) can drop in to bring the same protection to any form.

I'm a developer — can I customize the behavior?

Yes. The plugin exposes WordPress filters so you can override decisions per request, allow specific user roles, or plug it into any custom validation flow. Full developer documentation is in the readme on WordPress.org.

Is there an extra-strict mode for catching everything?

Yes — an optional "aggressive" mode hooks into WordPress's main email-validation function so disposable addresses are caught everywhere, including places other plugins might add later. It's off by default because it can be too strict for some setups, and the settings page explains the trade-off.

Cost & Licensing

Is it really completely free?

Yes. No pro version, no paid upgrade, no feature locked behind a paywall, no account required. Every feature on this page is included in the free download. The plugin is open source under the GPL license, the same as WordPress itself.

How is this different from a paid email validation service?

Paid services like ZeroBounce, Verifalia, NeverBounce, or Kickbox charge per email checked — typically $0.005 to $0.015 each. A site with 100,000 sign-up attempts a year ends up paying $500 to $1,500, and on top of that every visitor email is sent to a third party (which usually means a Data Processing Agreement and a privacy-policy update). Disposable Email Guard does the disposable-email part of the same job locally, for free, with no DPA paperwork.

How is this different from a small free “Block Temporary Email” plugin?

Most small free plugins ship a hard-coded list of a few hundred domains that’s only refreshed when the plugin itself is updated. Disposable Email Guard ships five bundled lists (two on by default, ~9,800 services), supports wildcards and custom rules, has a flag/log mode, a coupon-abuse blocker, an auto-hold for flagged WooCommerce orders, a dashboard, a digest, and a CSV-exportable block log. Optional opt-in daily auto-update from upstream keeps everything current. All free.

Stop Fake Sign-Ups Today

Free WordPress plugin. Five minutes to install, no account required. Keeps throwaway emails out of your registrations, comments, checkouts, and forms — forever.

Download Free on WordPress.org