UserCheck

by UserCheck

Description

UserCheck blocks disposable and throwaway email addresses from your sign-up forms. The result: less spam, fewer fake accounts, and a cleaner user base.

Supported plugins

If you’re using any of these, UserCheck protects them automatically — nothing to configure:

WordPress core (registration, comments, multisite signup, profile email change)
WooCommerce (classic checkout, Cart/Checkout Block, account registration, Edit-account email change)
Profile Builder (free + Pro)
Contact Form 7
WPForms
Elementor Pro Forms
Gravity Forms
Fluent Forms
Ninja Forms
Formidable Forms
MailPoet

Fallback for unsupported plugins

For plugins without a built-in integration, a fallback check catches sign-ups from any other form on your site. It only runs when someone submits a form, so it won’t slow down your dashboard or background tasks. You can turn it off under Settings UserCheck Coverage.

Choose what to block

Pick which kinds of email addresses get blocked: domains that can’t receive email, disposable addresses, public providers (Gmail, Yahoo, etc.), forwarding services that hide the real address, and known spammers. Domains on your UserCheck account blocklist are always blocked.

Lightweight by design

Emails are checked only when users submit a form (registration, comment, checkout) — never re-checked for existing users or orders. No background scans, no surprises.

Resilient by design

If our service is ever down or slow, your site keeps working: sign-ups go through and the error is logged for review. Each request times out after 2 seconds, so an unresponsive API can’t hold up your forms.

Full email or domain only

Send the full email (more accurate) or just the domain.

Extensible

Developers can plug UserCheck into any plugin’s validation hook by calling UserCheck::instance()->evaluate_email( $email ) and acting on the returned action, reason, and message.

Translation ready

All text in the plugin can be translated into any language.

Works out of the box

No configuration required. A free API key unlocks higher request limits.

Powered by UserCheck, which tracks new disposable email providers as they appear so your site’s protection stays current.

Privacy Policy

The plugin sends the email address (or just its domain, depending on your settings) to the UserCheck API for validation. The request User-Agent identifies the plugin version, WordPress version, site URL, and which integration triggered the check (e.g. wp_registration, wc_checkout, or fallback_is_email/<plugin-slug> when the fallback fires for an unsupported plugin). No other end-user data is sent. For more information on how UserCheck handles data, please visit https://www.usercheck.com/privacy.

Installation

Upload the usercheck folder to the /wp-content/plugins/ directory
Activate the plugin through the ‘Plugins’ menu in WordPress
(Optional) Go to Settings > UserCheck to enter your API key for increased limits

Faq

Do I need an API key to use this plugin?

No, an API key is not required to use this plugin. It works out of the box with a limit of 30 requests per hour. However, if you need higher limits, you can obtain a free API key by signing up at https://app.usercheck.com/.

What happens if the UserCheck API is unavailable?

Sign-ups continue to go through and the error is logged for your reference. Your forms keep working even when our service has issues.

How can I increase the request limit?

To increase the request limit beyond 30 per hour, you can obtain an API key from UserCheck. Once you have the key, go to the UserCheck settings in your WordPress admin panel and enter the key there.

How can I customize the message users see when their email is blocked?

Add a filter in a mu-plugin or your theme’s functions.php:

add_filter( 'usercheck_block_message', function ( $message, $signal, $email ) {
    if ( $signal === 'disposable' ) {
        return 'Please use a permanent email address.';
    }
    return $message;
}, 10, 3 );

$signal is one of `blocklisted`, `mx`, `disposable`, `public_domain`, `relay_domain`, `spam`. `$email` is the address being evaluated. Return the (possibly modified) message.

Reviews

Valuable plugin to block disposable email domains

By Greg James (gregdevwp) on November 28, 2024

Was getting a lot of temp email signups that were reducing my email deliverability because they were toxic domains. Easy integration. Saves me some email credits with my ESP.

Changelog

0.3.0

Added
– Cache successful UserCheck API responses for 1 hour. Repeat lookups for the same email (or domain, in domain mode) skip the network call. Drops API traffic by orders of magnitude on busy sites.
– “Clear cache” button under Settings UserCheck Cache for manual invalidation between TTLs.

Changed
– UserCheck::evaluate_email() no longer keeps a per-request verdict memo; the new response cache replaces it.

0.2.1

Added
– The HTTP User-Agent on UserCheck API requests now includes an integration=<slug> token identifying which signup surface triggered the check (e.g. wp_registration, wc_checkout, pb_registration, fallback_is_email). Lets the UserCheck team see traffic-mix per integration. No end-user data is added to the UA. See Privacy Policy.
– When the is_email() fallback fires, the UA reports the unsupported plugin that called is_email() as integration=fallback_is_email/<plugin-slug> — helps prioritize which plugins need native integrations next. Plain fallback_is_email is reported when no plugin caller can be identified (themes, mu-plugins, WP core, custom code). Disable the fallback under Settings UserCheck Coverage to opt out.
– evaluate_email() gained an optional second argument $source for third-party callers that want their integration attributed in the UA. Calls using the prior single-argument shape are unchanged.

0.2.0

Changed
– Replaced the global is_email filter with surface-specific hooks. The plugin now only checks emails when users submit them (registration, comments, WooCommerce checkout/account creation) and no longer re-validates existing users or orders. Fixes 502 errors on order pages caused by repeated synchronous API calls.
– Reduced API request timeout from the WordPress default (5s) to 2s.

Added
– Settings to choose which signals block sign-ups (invalid MX, disposable, public email providers, relay/forwarding, spam).
– Domains on your custom UserCheck blocklist are always blocked when present — no opt-in needed.
– Settings to choose whether to send the full email (more accurate) or just the domain (cheaper). New installs default to full-email; upgrades from 0.1.x keep domain-only.
– WooCommerce integrations (auto-enabled when WooCommerce is active): classic checkout (woocommerce_after_checkout_validation), Cart/Checkout Block (woocommerce_store_api_checkout_order_processed), account registration, and Edit-account email change (woocommerce_save_account_details_errors).
– Profile Builder (free + Pro) registration integration (auto-enabled when Profile Builder is active).
– Multisite signup integration.
– Contact Form 7 integration (auto-enabled when CF7 is active). Hooks wpcf7_validate_email and wpcf7_validate_email*.
– WPForms integration (auto-enabled when WPForms is active). Hooks wpforms_process_validate_email.
– Elementor Pro Forms integration (auto-enabled when Elementor Pro is active). Hooks elementor_pro/forms/validation/email.
– Gravity Forms integration (auto-enabled when GF is active). Hooks gform_field_validation for email-type fields.
– Fluent Forms integration (auto-enabled when Fluent is active). Hooks fluentform/validate_input_item_input_email.
– Ninja Forms integration (auto-enabled when NF is active). Hooks ninja_forms_submit_data and walks email-type fields.
– Formidable Forms integration (auto-enabled when Formidable is active). Hooks frm_validate_field_entry (covers fields inside repeater rows).
– MailPoet integration (auto-enabled when MailPoet is active). Hooks mailpoet_subscription_before_subscribe.
– Registry-driven integration loader: built-in integrations live in UserCheck::integrations_registry() and are wired automatically when their host plugin is detected.
– Public extension API: developers can call UserCheck::instance()->evaluate_email( $email ) from any hook to integrate UserCheck with plugins that don’t have a built-in or aren’t covered by the is_email() fallback. Returns array{action, reason, message} with action being allow or block.
– usercheck_block_message filter so developers can override the user-facing block message per signal. See the FAQ for a usage example.
– is_email() fallback for plugins without a native integration (Settings UserCheck Coverage). On by default — preserves the unconditional is_email coverage that existed pre-0.2.0; opt out from the Coverage section. Covers front-end submissions including AJAX (wpDiscuz, AJAX-submitted CF7/Elementor) and REST; admin page-loads, cron, and WP-CLI are excluded so the v0.1 502 regression on WC order pages stays fixed.
– WP profile email-change coverage (user_profile_update_errors) and REST comment submission coverage (rest_pre_insert_comment).
– Per-request deduplication: the same email evaluated multiple times in one request now triggers a single API call.
– Existing API keys are migrated automatically to the new settings format.

0.1.1

Fixed
– Skip validation for WordPress system emails

0.1.0

Added
– Error logging system with retention and pagination
– API key validation on settings update
– Rate limit error handling (429 response)

Changed
– Reduced unauthenticated API request limit from 60 to 30 requests per hour
– Improved error handling and validation for API responses

Fixed
– Added proper error handling for API failures

0.0.1

Initial release