Skip to main content

Whitelist or Blacklist WordPress User Registrations By Domain Function

By October 27, 2020March 5th, 2021Web Development

Interesting WordPress security concepts here. You can either whitelist specific domains essentially guaranteeing only registered users have the same email as the domain of the website, or you can play wack-a-mole by constantly manually adding bad actors to a black list. Both ways have pros and cons.


Blacklist a list of domains in an array

I find real world uses for this all the time. Especially for collecting user data for digital marketing downloads. Like B-to-B users filling out a form to access a pricing, pdfs or marketing materials. They shouldn’t be spoofing the registration with a disposable yahoo or hotmail email address just to get to a downloadable file.

// blacklist specific domains in an array
function wd_blacklist_domains( $field_id, $field_submit, $form_data ) {
    $domain          = substr( strrchr( $field_submit, "@" ), 1 ); // blocked domains
    $blacklist       = array( '', '' );
    if( in_array( $domain, $blacklist ) ) {
        wpforms()->process->errors[ $form_data['id'] ][ $field_id ] = esc_html__( 'We apologize for any inconvenience, we are unable to accept emails from this domain.', 'wpforms' );
add_action('wpforms_process_validate_email', 'wd_blacklist_domains', 10, 3 );


Whitelist a list of domains in an array

Limiting user registration to only registrants with an email address from the site domain seems like a more sustainable endeavor and the better security option to lock down a client website from unauthorized registrations. Also, if you just add the site domain and your development domain, you can weed out other competitors that talk your client into snooping around.

// whitelist specific domains in an array

function wd_is_valid_email_domain($login, $email, $errors ){
$valid_email_domains = array("","");// allowed domains
$valid = false; // sets default validation to false
foreach( $valid_email_domains as $d ){
  $d_length = strlen( $d );
  $current_email_domain = strtolower( substr( $email, -($d_length), $d_length));
if( $current_email_domain == strtolower($d) ){
  $valid = true;
// Return error message for invalid domains
if( $valid === false ){

$errors->add('domain_whitelist_error',__( '<strong>ERROR</strong>: Registration is only allowed from selected approved domains. If you think you are seeing this in error, please contact the system administrator.' ));
add_action('register_post', 'wd_is_valid_email_domain',10,3 );


Blacklist a list a single domain with error message/no array

Here’s an extra credit function. You can specifically target a single specific domain and block anyone from registering from that domain. The example below uses Real world use for this would be, say you’ve changed your company name and url and you wanted to prevent people from registering with their old email address. You could prompt them that their email address is no longer valid and to use their new email with the correct domain.

// prevent user registration in wordpress from specific domain

function wd_disable_email_domain ( $errors, $sanitized_user_login, $user_email ) {
    list( $email_user, $email_domain ) = explode( '@', $user_email );
    if ( $email_domain == '' ) {
        $errors->add( 'email_error', __( '<strong>ERROR</strong>: Gmail addresses are not allowed.', 'my_domain' ) );
    return $errors;
add_filter( 'registration_errors', 'wd_disable_email_domain', 10, 3 );