I wrote a previous post on protecting my sites from bots and disposable emails, and how I had achieved this. I recently began work on an open registration community for a new video series called Build with Me.
This is based on SureDash, and the script in the previous post didn’t work, and the reason for this is that the creation of SureDash Accounts isn’t hooked into the normal registration logic and thus missed the code.
Now Sure products tend to be well coded, so I went looking for how they were doing this, looking for filters and hooks I could use to make it work with my snippet, and found one in social-logins.php suredashboard_block_register_user_args.
This is the perfect vantage point to take the user_email and check if its domain is in my blocked list. This is the filter, as it is in SureDash
$user_args = apply_filters(
'suredashboard_block_register_user_args',
[
'user_login' => $username,
'user_pass' => $password,
'user_email' => $email,
'first_name' => $first_name,
'last_name' => $last_name,
'user_registered' => gmdate( 'Y-m-d H:i:s' ),
'role' => $role,
]
);So now, with some modification, we can begin to get this working as we need to and check if we are on the block list
So we take our user_email from the args, and we strip the @, and this gives us our domain, and this can be checked against our known disposable email list. which provides us with the new 3b check in the script below which is a new combined version that now works with SureDash
// 1) Fetch & cache a remote list of domains.
function get_remote_domains_list( $url, $transient_name, $cache_duration = 7 * DAY_IN_SECONDS ) {
$domains = get_transient( $transient_name );
if ( false === $domains ) {
$response = wp_remote_get( $url );
if ( is_wp_error( $response ) || wp_remote_retrieve_response_code( $response ) !== 200 ) {
return [];
}
$lines = explode( "\n", wp_remote_retrieve_body( $response ) );
$domains = [];
foreach ( $lines as $line ) {
$line = trim( $line );
if ( '' === $line || strpos( $line, '#' ) === 0 ) {
continue;
}
$domains[] = strtolower( $line );
}
set_transient( $transient_name, $domains, $cache_duration );
}
return $domains;
}
// 2) Combine the official blocklist + your custom list.
function get_combined_disposable_email_domains_list() {
$default_url = 'https://raw.githubusercontent.com/disposable-email-domains/disposable-email-domains/refs/heads/main/disposable_email_blocklist.conf';
$custom_url = 'https://pastebin.com/raw/GnA8Gyt5'; // ← change to your actual raw URL
$default = get_remote_domains_list( $default_url, 'disposable_email_domains_list' );
$custom = get_remote_domains_list( $custom_url, 'custom_disposable_email_domains_list' );
return array_unique( array_merge( $default, $custom ) );
}
// 3a) Block on standard WP registrations (wp-login.php / register_new_user()).
add_filter( 'registration_errors', function( $errors, $sanitized_user_login, $user_email ) {
$domain = strtolower( substr( strrchr( $user_email, '@' ), 1 ) );
if ( in_array( $domain, get_combined_disposable_email_domains_list(), true ) ) {
$errors->add(
'disposable_email',
__( 'Registration with disposable email addresses is not allowed. Please use a valid email address.', 'textdomain' )
);
}
return $errors;
}, 10, 3 );
// 3b) Block in the SureDash Register block (just before wp_insert_user()).
add_filter( 'suredashboard_block_register_user_args', function( $user_args ) {
$domain = strtolower( substr( strrchr( $user_args['user_email'], '@' ), 1 ) );
if ( in_array( $domain, get_combined_disposable_email_domains_list(), true ) ) {
wp_send_json_error( [
'email' => __( 'Disposable email addresses are not allowed. Please use a real email.', 'textdomain' )
] );
}
return $user_args;
}, 10, 1 );
// Optional: use these to flush your caches immediately.
// delete_transient( 'disposable_email_domains_list' );
// delete_transient( 'custom_disposable_email_domains_list' );
