Secure WordPress Against Fake and Disposable Email Spam

Secure WordPress Against Fake and Disposable Email Spam

Secure WordPress Against Fake and Disposable Email Spam

In this howto, we’ll show how to use the Fiddlemail WordPress plugin to secure your WordPress installation against the usage of disposable email addresses (also known as fake or trash mail addresses).

What are disposable email addresses and why block them?

Disposable email addresses are often used to register for various services using fake data. The emails arriving at the corresponding mail box are visible to the public and mostly deleted shortly after, e. g. ten minutes. There is no registration required to read emails arriving at this mailbox.if(typeof __ez_fad_position != ‘undefined’){__ez_fad_position(‘div-gpt-ad-howtoforge_com-medrectangle-3-0’)};

As a service provider or owner of a website, normally you don’t want users to sign up with an address like this as it means you won’t be able to contact them later. Users of a fake email inbox won’t check their mailboxes for any other reason than getting the activation link – the mailbox can be considered dead.


  • Recent WordPress, at least 3.8
  • PHP 5.4+

Install the plugin

Go to Plugins -> Add New

Install Fiddlemail WordPress Plugin

Enter the keyword Fiddlemail into the search box and wait for the results to load. Then click the Install Now button in the plugin box.

Add Plugin

Activate the plugin by clicking the Activate button in the plugin box.

Activate the Plugin

Set up the plugin

At this point, you need an API key from __ez_fad_position != ‘undefined’){__ez_fad_position(‘div-gpt-ad-howtoforge_com-medrectangle-4-0’)};

Register at Fiddlemail

Register at Fiddlemail

Enter your email address and choose a (secure) password. Then click the register button.

Shortly after, you will get an email containing a verification link that you have to click to activate your account.

After that, you can log in with your credentials.


Get a free API key

At the account overview, scroll down to the API plans and click the choose button below the Fiddlemail Free box.

Get free Fiddlemail key

This will immediately create an API key that will show up on your account page.

get API key

You can show the details of your key(s) by clicking on the i button right-hand of the key field.

Copy the key to the clipboard.

Activate key in WordPress

Go to Settings -> Fiddlemail

Activate Key in WordPress

Paste the key into the API key field. Then click save. Once the key was checked you can see the status of your key on the settings page. Information depends on what type of key you got (free or paid plan).

Fiddlemail settings

  • API plan
    This shows which plan (free or premium) you are currently using.
  • Key active
    Shows if the key is currently active and can be used.
  • Valid until
    On paid plans this shows you how long your key is still valid or when your subscription is renewed.
  • Score feature available
    Yes or No. Show if your key is allowed to use the extended query feature or not. This will show “yes” on paid plans, “no” on free plan.
  • IP slots used
    You can use a single API key on multiple ip addresses (servers). This shows you how many of your available ip slots are already used. The information might not be up to date if some of your servers you set the key on did not yet make any API queries.
  • Queries last minute/hour/day/month
    This shows you the usage of your key and the corresponding limits (if any).

The plugin is now ready to use, but we’ll tweak some settings to make it suite our needs.

Extended Settings

Click the Settings tab.

Extended settings

The default settings there are fine, but if you like to change them, e. g. because you don’t want comments to be sent to spam folder instead of being blocked directly, choose the appropriate setting here.

In addition, you can choose to not filter all email-related fields but only block comments or registrations using disposable mail addresses.

Click the Extended Settings tab.

choose to not filter all email-related fields

To get better results from the Fiddlemail API you can choose to send the full email address instead of just the email domain. This allows the API to return a score that indicates a probability for the address being fake. This setting is only available on paid plans, though.

The filter score is at 75 by default. I prefer lowering it to 50 to be more strict in blocking suspect mail addresses.

In addition to the Fiddlemail API you can choose to check domains against the Spamhaus DBL and the URIBL. Those services maintain a list of spamming or phishing domains, so it is generally a good idea to use these services, too.

Please keep in mind that those services are free for non-commercial use only (see the terms pages of Spamhaus/URIBL for details).

Click the Blacklist/Whitelist tab.

Black and Whitelist email addresses

At this place you can enter some domains that you don’t want to be blocked in any case, e. g. your company’s domain or domains like (which is whitelisted at Fiddlemail already). In addition you can enter domains that you want to always be blocked, e. g. domains that you get spam comments of but which are not treated as spamming domains by Fiddlemail, Spamhaus or URIBL. A domain that is often used for spam comments or fake registrations for example is As this is a russian freemail service it is not considered being disposable mail provider by Fiddlemail.

Test your setup

Open a post or page on your WordPress (that has comments enabled) and scroll down to the comment form. Ensure that you are not logged in.

Test the setup

Enter some comment text, a name and a test email address, e. g. [email protected] and submit the comment. You should see a message like this:

Test successful

Check the logs

After some time (or some tests of your own) you can check the Fiddlemail plugin log. Go to the Filter log tab on the Fiddlemail settings page.

Email ban log

Here you see some examples of actions performed by the plugin. Following you find an explanation of the different result status messages:

  • suspect
    The address entered is suspected being fake or spammy and was blocked from registering/commenting on your blog.
  • suspect [cache]
    To save api calls the plugin caches results locally for some hours and does not query the same address multiple times in a row. Same applies for different other status codes.
  • blocked:spamhaus / blocked:uribl
    The domain queried is listed in the corresponding blacklist and such was blocked from posting on your blog.
  • whitelist
    You have whitelisted this domain locally.
  • blacklist
    You have blacklisted this domain locally.
  • ok
    The domain/address was not suspected being fake or spammy.
  • error
    Some error occurred on querying the API.

There are some more columns in the log table, but those should be self-explanatory.

Wish you a spam-free blog!

About the Author

Leave a Reply