WordPress powers roughly 42% of the internet. That means a large proportion of the websites that disposable email users target for free access, spam signups, and coupon abuse are running WordPress. If your site has user registration, membership content, or WooCommerce, you are a target, and have almost certainly noticed it already.
This guide covers what your options are, how to set up the Temp Mail Detector WordPress plugin, and what to consider for WooCommerce stores specifically.
Why Disposable Emails Are a WordPress Problem
WordPress registration is very easy to exploit in its default setup. Any page that accepts a user email and sends a confirmation link is a ripe for disposable email abuse:
- Membership sites. A user signs up with a throwaway address, accesses the gated content, and disappears. That means no engagement, no revenue, and possibly spammy back links.
- WooCommerce stores. Disposable addresses are used to claim new-customer discounts, create multiple accounts for repeat promotions, generate fraudulent orders and “card check”.
- Comment sections. Without moderation, disposable emails can be used to leave spam or abuse comments that pass the “email required” check.
- Lead magnets. If you offer a free download or email course in exchange for signup, every disposable address is a conversion that will never become a customer.
The standard WordPress solution — requiring email confirmation — does not help here. As discussed in our guide to stopping free trial abuse, disposable email services are specifically designed to receive confirmation emails, without sharing your legitimate email.
Option 1: The Temp Mail Detector WordPress Plugin
The simplest approach is to install the Temp Mail Detector plugin directly from the WordPress plugin directory.
Installation:
- In your WordPress admin, go to Plugins > Add New
- Search for “Temp Mail Detector – Block Temporary Emails”
- Install and activate
- Go to Settings > Temp Mail Detector
- Enter your API key (free at tempmaildetector.com — 200 lookups/month included)
or use our free block list which we update monthly on Github.
What it protects:
Once set up, the plugin applies disposable email blocking to:
- New user account registration
- Comment submissions (marks as spam automatically)
- WooCommerce customer registration
- WooCommerce checkout (both guest and account)
- WooCommerce account email changes
The WooCommerce integration is particularly valuable, as without it, a determined user can bypass registration level blocks by checking out as a guest and using a disposable address there instead. Your store is also then vulnerable to an automated attack, which we have identified as a growing malicious trend throughout 2025 and 2026 in part due to the rise of ai agents.
By using the plugin, you can work towards reducing the amount of card stuffing / checking and promo abuse your store receives.
Additional options:
The plugin also lets you maintain your own custom blocklist of domains to block, independent of the API. This is useful if you have identified specific domains that your website attracts. By combining your custom list with the live API database, you can work towards maximum coverage and a powerful block list.
Two optional checks worth enabling depending on your use case:
- Plus addresses. Blocks emails like
[email protected]. Some users create these specifically to avoid email tracking while still using a real inbox; others use them as lightweight throwaway addresses. Blocking them entirely is appropriate for most membership sites. - Multiple dots. Blocks formats like
[email protected]. Similar reasoning to the above, this pattern is occasionally used to create the appearance of a different address on the same Gmail account. But could affect people with two or more dots in their email, e.g:[email protected].
Privacy note: The plugin only sends the domain portion of an email address to the API and not the full address. This keeps your users’ personal data on your servers only, and offers greater GDPR protections.
Option 2: Manual Implementation via the API
If you are building a custom plugin, a headless WordPress setup, or need fine-grained control over the blocking logic, you can call the API directly from PHP.
function tmd_is_disposable_email( string $email ): bool {
$domain = strtolower( explode( '@', $email )[1] ?? '' );
if ( empty( $domain ) ) {
return false;
}
$api_key = defined( 'TMD_API_KEY' ) ? TMD_API_KEY : '';
$response = wp_remote_post(
'https://api.tempmaildetector.com/check',
[
'headers' => [
'Content-Type' => 'application/json',
'Authorization' => $api_key,
],
'body' => wp_json_encode( [ 'domain' => $domain ] ),
'timeout' => 10,
]
);
if ( is_wp_error( $response ) ) {
// API unavailable — fail open (allow signup)
return false;
}
$body = json_decode( wp_remote_retrieve_body( $response ), true );
return isset( $body['score'] ) && $body['score'] >= 75;
}
Hook this into user registration:
add_filter( 'registration_errors', function( $errors, $sanitized_user_login, $user_email ) {
if ( tmd_is_disposable_email( $user_email ) ) {
$errors->add(
'disposable_email',
__( 'Temporary email addresses are not accepted. Please use a permanent address.', 'your-textdomain' )
);
}
return $errors;
}, 10, 3 );
For WooCommerce checkout, hook into woocommerce_checkout_process:
add_action( 'woocommerce_checkout_process', function() {
$email = isset( $_POST['billing_email'] ) ? sanitize_email( $_POST['billing_email'] ) : '';
if ( ! empty( $email ) && tmd_is_disposable_email( $email ) ) {
wc_add_notice(
__( 'Temporary email addresses are not accepted at checkout.', 'your-textdomain' ),
'error'
);
}
} );
Define your API key in wp-config.php rather than storing it in the database:
define( 'TMD_API_KEY', 'your-api-key-here' );
WooCommerce: Specific Considerations
WooCommerce has more email collection points than standard WordPress registration, so make sure you cover all of them:
Checkout (guest). Guest checkout allows a user to complete a purchase without creating an account. The email entered at checkout is still collected and used for order confirmation and marketing. Block disposable addresses here too.
Account creation at checkout. Most themes offer the option to create an account during checkout. This is a second opportunity to enter a different email. Both the billing email and the registration email should be checked.
Account email changes. Existing customers can change the email on their account. An abuser who creates a legitimate account might later switch it to a disposable address to avoid marketing emails. The plugin covers this case.
Coupon redemption. WordPress does not natively tie coupon usage to email identity, but if you have a plugin that limits coupon use by email, a disposable address effectively bypasses that limit. Blocking disposable addresses at checkout is the fix.
What to Tell Users Who Are Blocked
The error message is worth getting right. A confused user may think their real email address has been flagged incorrectly.
Keep the message direct and actionable:
“We don’t accept temporary email addresses. Please sign up with a permanent address so we can send you important updates about your order.”
Avoid vague messages like “This email is invalid” because it’s not invalid, and a user who knows they are using a disposable address will correctly identify this as inaccurate.
If you have a high value product where you are worried about false positives, add a support link:
“We don’t accept temporary email addresses. If you believe this is an error, please contact us.”
False positive rates are low for a well-maintained detection database, but they are not zero. A small number of legitimate domains may be incorrectly classified, particularly if a company’s domain shares infrastructure patterns with disposable providers. The Temp Mail Detector team can always be contacted to request corrections.
Monitoring and Adjusting Over Time
Once the plugin is running, check your blocked-signup logs periodically. Look for:
- Patterns in blocked domains. If you see many blocks from the same domain, confirm it is actually disposable and not a legitimate provider being incorrectly flagged.
- Change in registration volume. A measurable drop in signups is expected and is typically a good sign: you were previously registering accounts that would never engage or pay.
- WooCommerce conversion rate. If your conversion rate drops significantly, check whether you are blocking a domain your real customers use. Adjust the score threshold if needed.
The free tier (200 lookups/month) is sufficient for lower-traffic WordPress sites. Paid plans scale for higher volume — if your site has more than a few hundred signups per month, you will want to move up.
Rounding it all up
Blocking disposable emails on WordPress is a single-plugin installation for most sites. The Temp Mail Detector plugin covers all the major WordPress and WooCommerce registration surfaces, runs checks against a live database that is continuously updated, and does not store your users’ email addresses.
The integration takes under five minutes and the ongoing cost is close to zero.Unlike other fraud controls, it creates no meaningful friction for legitimate users so real customers who do not use throwaway addresses to buy things or sign up for memberships will never notice.
The Temp Mail Detector WordPress plugin is free. Download it from the WordPress plugin directory or get your API key to start blocking disposable emails today.