=== UserCheck ===
Contributors: usercheck
Tags: email validation, disposable email, anti-spam
Requires at least: 6.0
Tested up to: 6.9
Stable tag: 0.2.0
Requires PHP: 7.4
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Block disposable and throwaway email addresses on your WordPress site.

== Description ==

UserCheck blocks disposable and throwaway email addresses from your sign-up forms. The result: less spam, fewer fake accounts, and a cleaner user base.

= Supported plugins =

If you're using any of these, UserCheck protects them automatically — nothing to configure:

* WordPress core (registration, comments, multisite signup, profile email change)
* WooCommerce (classic checkout, Cart/Checkout Block, account registration, Edit-account email change)
* Profile Builder (free + Pro)
* Contact Form 7
* WPForms
* Elementor Pro Forms
* Gravity Forms
* Fluent Forms
* Ninja Forms
* Formidable Forms
* MailPoet

= Fallback for unsupported plugins =

For plugins without a built-in integration, a fallback check catches sign-ups from any other form on your site. It only runs when someone submits a form, so it won't slow down your dashboard or background tasks. You can turn it off under Settings → UserCheck → Coverage.

= Choose what to block =

Pick which kinds of email addresses get blocked: domains that can't receive email, disposable addresses, public providers (Gmail, Yahoo, etc.), forwarding services that hide the real address, and known spammers. Domains on your UserCheck account blocklist are always blocked.

= Lightweight by design =

Emails are checked only when users submit a form (registration, comment, checkout) — never re-checked for existing users or orders. No background scans, no surprises.

= Resilient by design =

If our service is ever down or slow, your site keeps working: sign-ups go through and the error is logged for review. Each request times out after 2 seconds, so an unresponsive API can't hold up your forms.

= Full email or domain only =

Send the full email (more accurate) or just the domain.

= Extensible =

Developers can plug UserCheck into any plugin's validation hook by calling `UserCheck::instance()->evaluate_email( $email )` and acting on the returned `action`, `reason`, and `message`.

= Translation ready =

All text in the plugin can be translated into any language.

= Works out of the box =

No configuration required. A free API key unlocks higher request limits.

Powered by [UserCheck](https://www.usercheck.com), which tracks new disposable email providers as they appear so your site's protection stays current.

== Installation ==

1. Upload the `usercheck` folder to the `/wp-content/plugins/` directory
2. Activate the plugin through the 'Plugins' menu in WordPress
3. (Optional) Go to Settings > UserCheck to enter your API key for increased limits

== Frequently Asked Questions ==

= Do I need an API key to use this plugin? =

No, an API key is not required to use this plugin. It works out of the box with a limit of 30 requests per hour. However, if you need higher limits, you can obtain a free API key by signing up at [https://app.usercheck.com/](https://app.usercheck.com/).

= What happens if the UserCheck API is unavailable? =

Sign-ups continue to go through and the error is logged for your reference. Your forms keep working even when our service has issues.

= How can I increase the request limit? =

To increase the request limit beyond 30 per hour, you can obtain an API key from UserCheck. Once you have the key, go to the UserCheck settings in your WordPress admin panel and enter the key there.

= How can I customize the message users see when their email is blocked? =

Add a filter in a mu-plugin or your theme's `functions.php`:

`add_filter( 'usercheck_block_message', function ( $message, $signal, $email ) {
    if ( $signal === 'disposable' ) {
        return 'Please use a permanent email address.';
    }
    return $message;
}, 10, 3 );`

`$signal` is one of `blocklisted`, `mx`, `disposable`, `public_domain`, `relay_domain`, `spam`. `$email` is the address being evaluated. Return the (possibly modified) message.

== Upgrade Notice ==

= 0.2.0 =
Existing API keys migrate automatically. UserCheck now covers more plugins out of the box, including WooCommerce, Profile Builder, and 8 form builders (Contact Form 7, WPForms, Elementor Pro, Gravity Forms, Fluent Forms, Ninja Forms, Formidable Forms, MailPoet). The fallback check for unsupported plugins stays on by default — you can turn it off under Settings → UserCheck → Coverage.

== Changelog ==

= 0.2.0 =
**Changed**
- Replaced the global `is_email` filter with surface-specific hooks. The plugin now only checks emails when users submit them (registration, comments, WooCommerce checkout/account creation) and no longer re-validates existing users or orders. Fixes 502 errors on order pages caused by repeated synchronous API calls.
- Reduced API request timeout from the WordPress default (5s) to 2s.

**Added**
- Settings to choose which signals block sign-ups (invalid MX, disposable, public email providers, relay/forwarding, spam).
- Domains on your custom UserCheck blocklist are always blocked when present — no opt-in needed.
- Settings to choose whether to send the full email (more accurate) or just the domain (cheaper). New installs default to full-email; upgrades from 0.1.x keep domain-only.
- WooCommerce integrations (auto-enabled when WooCommerce is active): classic checkout (`woocommerce_after_checkout_validation`), Cart/Checkout Block (`woocommerce_store_api_checkout_order_processed`), account registration, and Edit-account email change (`woocommerce_save_account_details_errors`).
- Profile Builder (free + Pro) registration integration (auto-enabled when Profile Builder is active).
- Multisite signup integration.
- Contact Form 7 integration (auto-enabled when CF7 is active). Hooks `wpcf7_validate_email` and `wpcf7_validate_email*`.
- WPForms integration (auto-enabled when WPForms is active). Hooks `wpforms_process_validate_email`.
- Elementor Pro Forms integration (auto-enabled when Elementor Pro is active). Hooks `elementor_pro/forms/validation/email`.
- Gravity Forms integration (auto-enabled when GF is active). Hooks `gform_field_validation` for email-type fields.
- Fluent Forms integration (auto-enabled when Fluent is active). Hooks `fluentform/validate_input_item_input_email`.
- Ninja Forms integration (auto-enabled when NF is active). Hooks `ninja_forms_submit_data` and walks email-type fields.
- Formidable Forms integration (auto-enabled when Formidable is active). Hooks `frm_validate_field_entry` (covers fields inside repeater rows).
- MailPoet integration (auto-enabled when MailPoet is active). Hooks `mailpoet_subscription_before_subscribe`.
- Registry-driven integration loader: built-in integrations live in `UserCheck::integrations_registry()` and are wired automatically when their host plugin is detected.
- Public extension API: developers can call `UserCheck::instance()->evaluate_email( $email )` from any hook to integrate UserCheck with plugins that don't have a built-in or aren't covered by the `is_email()` fallback. Returns `array{action, reason, message}` with `action` being `allow` or `block`.
- `usercheck_block_message` filter so developers can override the user-facing block message per signal. See the FAQ for a usage example.
- `is_email()` fallback for plugins without a native integration (Settings → UserCheck → Coverage). On by default — preserves the unconditional `is_email` coverage that existed pre-0.2.0; opt out from the Coverage section. Covers front-end submissions including AJAX (wpDiscuz, AJAX-submitted CF7/Elementor) and REST; admin page-loads, cron, and WP-CLI are excluded so the v0.1 502 regression on WC order pages stays fixed.
- WP profile email-change coverage (`user_profile_update_errors`) and REST comment submission coverage (`rest_pre_insert_comment`).
- Per-request deduplication: the same email evaluated multiple times in one request now triggers a single API call.
- Existing API keys are migrated automatically to the new settings format.

= 0.1.1 =
**Fixed**
- Skip validation for WordPress system emails

= 0.1.0 =
**Added**
- Error logging system with retention and pagination
- API key validation on settings update
- Rate limit error handling (429 response)

**Changed**
- Reduced unauthenticated API request limit from 60 to 30 requests per hour
- Improved error handling and validation for API responses

**Fixed**
- Added proper error handling for API failures

= 0.0.1 =
* Initial release

== Privacy Policy ==

The plugin sends data to the UserCheck API to validate email addresses. Depending on your settings, this is either the email domain only or the full email address. For more information on how UserCheck handles data, please visit [https://www.usercheck.com/privacy](https://www.usercheck.com/privacy).
