Today I ran into a situation where I was getting a new user registration every half hour for the entire afternoon. I came across this solution that will block registrations by email domain.
First, it blocks registrations by email domain. This simple denial of registration does not require WordFence; it’s just a really useful filter you can drop into your functions.php.
add_filter( 'registration_errors', 'disable_user_registration_for_email_domain', 10, 3 );
function disable_user_registration_for_email_domain ( $errors, $sanitized_user_login, $user_email ) {
    // only if it's an email address at all
    if ( ! is_email( $user_email ) ) {
        return $errors;
    }
    // get domain from email address
    $email_domain = substr( $user_email, strrpos( $user_email, '@' ) + 1 );
    $block_domains = [ // partial domain names allowed (doesn't need to include TLD for example)
        'spammersgalore.com',
    ];
    foreach ( $block_domains as $domain_partial ) {
        if ( stripos( $email_domain, $domain_partial ) !== false ) {
            // throw registration error
            $errors->add( 'email_error', '<strong>ERROR</strong>: Registration not allowed.' );
            break; // one match is enough; avoids duplicate error messages
        }
    }
    return $errors;
}
Take it one step further by adding the IP address to WordFence’s blocked IPs list. This isn’t permanent: the default block duration is 4 hours. However, if the problem persists, you can make the block permanent within the WordFence GUI. If you get WordFence emails from your website, they will include the IP of the blocked user, so you can go back and permanently block IPs whose lockout duration may have already expired.
// use this version instead of the first one: both declare the same function name
add_filter( 'registration_errors', 'disable_user_registration_for_email_domain', 10, 3 );
function disable_user_registration_for_email_domain ( $errors, $sanitized_user_login, $user_email ) {
    // only execute when the relevant WordFence functions can be called
    // (is_callable() takes the class and method as one array argument)
    if ( ! is_callable( [ 'wfUtils', 'getIP' ] ) || ! is_callable( [ 'wfBlock', 'isWhitelisted' ] ) || ! is_callable( [ 'wordfence', 'lockOutIP' ] ) ) {
        return $errors;
    }
    // only if it's an email address at all
    if ( ! is_email( $user_email ) ) {
        return $errors;
    }
    // get domain from email address
    $email_domain = substr( $user_email, strrpos( $user_email, '@' ) + 1 );
    $block_domains = [ // partial domain names allowed (doesn't need to include TLD for example)
        'baikcm.ru',
    ];
    foreach ( $block_domains as $domain_partial ) {
        if ( stripos( $email_domain, $domain_partial ) !== false ) {
            $IP = \wfUtils::getIP();
            if ( \wfBlock::isWhitelisted( $IP ) ) {
                return $errors; // don't block whitelisted IPs
            }
            // lockout IP
            \wordfence::lockOutIP( $IP, "Registration attempt from blocked email domain {$domain_partial}" );
            // throw registration error
            $errors->add( 'email_error', '<strong>ERROR</strong>: Registration not allowed.' );
            break; // one match is enough; avoids repeated lockouts and duplicate errors
        }
    }
    return $errors;
}
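Because the second version also locks out the IP, a substring match that catches an unrelated domain costs a legitimate visitor more than a failed signup. The following is an added example, not part of the original snippet: a stricter matcher that accepts only the exact blocked domain or one of its subdomains, at the cost of the partial-name matching above. The function name `domain_is_blocked` is hypothetical and the sample addresses are constructed.

```php
<?php
// Added example: hypothetical helper, not from the original post.
// Matches a blocked domain exactly or as the parent of a subdomain,
// instead of the substring match done with stripos().
function domain_is_blocked( string $email, array $block_domains ): bool {
    $at = strrpos( $email, '@' );
    if ( $at === false ) {
        return false; // no domain part at all
    }
    // normalise: lower-case, strip whitespace and a trailing dot
    $domain = rtrim( strtolower( trim( substr( $email, $at + 1 ) ) ), '.' );
    if ( $domain === '' ) {
        return false;
    }
    foreach ( $block_domains as $blocked ) {
        $blocked = rtrim( strtolower( trim( $blocked ) ), '.' );
        if ( $blocked === '' ) {
            continue; // skip empty list entries
        }
        if ( $domain === $blocked ) {
            return true; // exact match
        }
        // subdomain match: the domain must end in ".<blocked>"
        $suffix = '.' . $blocked;
        if ( substr( $domain, -strlen( $suffix ) ) === $suffix ) {
            return true;
        }
    }
    return false;
}

// Constructed sample addresses comparing both matching strategies.
$block_domains = [ 'spammersgalore.com' ];
$samples = [
    'bot@spammersgalore.com',
    'bot@MAIL.SpammersGalore.com',
    'alice@notspammersgalore.com',
    'bob@spammersgalore.com.example.org',
];
foreach ( $samples as $email ) {
    $email_domain = substr( $email, strrpos( $email, '@' ) + 1 );
    $loose  = stripos( $email_domain, $block_domains[0] ) !== false;
    $strict = domain_is_blocked( $email, $block_domains );
    printf( "%-38s substring=%-5s strict=%s\n", $email,
        $loose ? 'block' : 'allow', $strict ? 'block' : 'allow' );
}
```

Inside the filter, the `stripos()` test in the `foreach` loop could be swapped for a call to this helper with `$user_email` and `$block_domains`.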
If, by the time you find this, you’ve got tons of bot registrations that you need to get rid of, check out this article on how to search and replace using phpMyAdmin.
Thanks for reading and hopefully this will help someone to block registrations by email domain in the future!