Domain Restrictions
Domain Restrictions allows you to control who can register via Google sign-in by limiting allowed email domains. This is essential for B2B sites, corporate portals, and educational platforms.
Domain Restrictions is a PRO feature. Upgrade to PRO to unlock this functionality.
How It Works
You can create:
- Whitelist: Only specified domains can register
- Blacklist: Specified domains are blocked
Whitelist Example:
Only @company.com and @partner.org can register
Blacklist Example:
Block @tempmail.com and @mailinator.com
Configuration
Accessing Settings
- Go to Settings > OneTap Login
- Click Users tab
- Find Domain Restrictions section
Whitelist (Allowed Domains)
Field: Allowed email domains
Enter domains that CAN register:
```
company.com
partner.org
contractor.net
```
Behavior:
- Only listed domains allowed
- All other domains rejected
- Case-insensitive matching
Blacklist (Blocked Domains)
Field: Blocked email domains
Enter domains that CANNOT register:
```
tempmail.com
guerrillamail.com
10minutemail.com
mailinator.com
```
Behavior:
- Listed domains rejected
- All other domains allowed
- Case-insensitive matching
Priority
If both whitelist and blacklist have entries:
1. Check whitelist first
2. If email domain in whitelist → Allow
3. If not in whitelist → Block (whitelist takes precedence)
Use either whitelist OR blacklist, not both. Using both can be confusing.
Use Cases
Corporate Portal (Employees Only)
Whitelist:
```
company.com
```
Result: Only @company.com emails can register.
B2B Platform (Multiple Partners)
Whitelist:
```
company.com
partner1.org
partner2.net
distributor.com
```
Result: Only specified business domains allowed.
Educational Platform
Whitelist:
```
university.edu
students.university.edu
faculty.university.edu
```
Result: Only university emails allowed.
Consumer Site (Block Disposable Emails)
Blacklist:
```
tempmail.com
guerrillamail.com
10minutemail.com
mailinator.com
throwaway.email
fakeinbox.com
```
Result: Block known disposable email services.
Multi-Tenant SaaS
```
# Tenant A whitelist:
tenant-a.com
# Tenant B whitelist:
tenant-b.com
```
Result: Each tenant only sees their users.
Error Messages
When a domain is restricted, users see an error message.
Default Message
"Registration is not allowed for this email domain."
Customizing the Message
In Error Messages section:
"Only company employees can register. Please use your @company.com email."
Existing Users
Domain restrictions only apply to NEW registrations:
| Scenario | Result |
|---|---|
| New user, allowed domain | Can register |
| New user, blocked domain | Cannot register |
| Existing user, blocked domain | Can still log in |
| Existing user, allowed domain | Can log in |
Users who registered before restrictions were added can still sign in, even if their domain is now blocked.
Wildcard Matching
Subdomain Matching
By default, entries match the exact domain:
```
company.com → matches john@company.com
            → does NOT match john@sub.company.com
```
Including Subdomains
To include subdomains, add them explicitly:
```
company.com
sales.company.com
support.company.com
```
Or use the wildcard option (if available):
```
*.company.com → matches any @*.company.com
```
Combining with Role Mapping
Domain Restrictions works alongside Role Mapping:
```
# Domain Restrictions (who can register)
Whitelist:
company.com
partner.org

# Role Mapping (what role they get)
@company.com → Editor
@partner.org → Contributor
```
See Role Mapping for details.
Validation Logic
Email Parsing
The plugin extracts the domain:
```php
$email  = 'john.doe@company.com';
// Everything after the first '@' is treated as the domain.
// This assumes the address contains an '@': strpos() returns false otherwise.
$domain = substr($email, strpos($email, '@') + 1);
// $domain = 'company.com'
```
Comparison
- Case-insensitive: `Company.com` = `company.com`
- Trimmed: leading and trailing spaces removed
- Exact match: `company.com` ≠ `company.com.fake.net`
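The rules above, together with the whitelist-first priority from the Priority section and the subdomain/wildcard behaviour from Wildcard Matching, are easy to get subtly wrong (a suffix check that lets `company.com.fake.net` through, a case mismatch, an empty whitelist that silently allows everyone). The following stand-alone PHP script is an added example, not the OneTap plugin's own code: it models those rules so they can be checked offline. All function names prefixed `onetap_example_` are hypothetical, the settings strings are constructed, and the wildcard reading (`*.company.com` matches subdomains but not the bare `company.com`) follows the page's own description.

```php
<?php
// Added example (not the OneTap plugin's own code): a stand-alone model of
// the domain-restriction rules described on this page. Requires PHP 8.0+.
declare(strict_types=1);

/**
 * Normalise one list entry: trim whitespace, lower-case, drop a leading "@"
 * (the settings expect no "@"). Returns null for a blank entry.
 */
function onetap_example_normalize_entry(string $entry): ?string {
    $entry = ltrim(strtolower(trim($entry)), '@');
    return $entry === '' ? null : $entry;
}

/** Parse a textarea value (one domain per line) into a clean, de-duplicated list. */
function onetap_example_parse_list(string $textarea): array {
    $out = [];
    foreach (preg_split('/\R/', $textarea) as $line) {
        $d = onetap_example_normalize_entry($line);
        if ($d !== null) {
            $out[] = $d;
        }
    }
    return array_values(array_unique($out));
}

/**
 * Extract the domain from an email address. Unlike a bare strpos()+1, this
 * rejects addresses without "@" (or ending in "@") and takes the part after
 * the LAST "@", so a local-part containing "@" cannot present a different
 * domain than the one actually used for delivery.
 */
function onetap_example_email_domain(string $email): ?string {
    $email = trim($email);
    $at = strrpos($email, '@');
    if ($at === false || $at === strlen($email) - 1) {
        return null;
    }
    return strtolower(substr($email, $at + 1));
}

/**
 * Does $domain match one list entry? Exact match by default; an entry of the
 * form "*.example.com" (the optional wildcard) matches any subdomain but not
 * the bare apex. Neither form is a plain suffix check, so "company.com" never
 * matches "company.com.fake.net".
 */
function onetap_example_entry_matches(string $entry, string $domain): bool {
    if (str_starts_with($entry, '*.')) {
        $suffix = substr($entry, 1); // ".example.com"
        return strlen($domain) > strlen($suffix) && str_ends_with($domain, $suffix);
    }
    return $entry === $domain;
}

/**
 * Priority rule from the page: a non-empty whitelist decides alone (allow if
 * listed, otherwise block); only with an empty whitelist does the blacklist
 * apply. Unparseable addresses are rejected rather than allowed by accident.
 */
function onetap_example_is_domain_allowed(string $email, string $allowed, string $blocked): bool {
    $domain = onetap_example_email_domain($email);
    if ($domain === null) {
        return false;
    }
    $whitelist = onetap_example_parse_list($allowed);
    $blacklist = onetap_example_parse_list($blocked);

    if ($whitelist !== []) {
        foreach ($whitelist as $entry) {
            if (onetap_example_entry_matches($entry, $domain)) {
                return true;
            }
        }
        return false; // whitelist takes precedence
    }
    foreach ($blacklist as $entry) {
        if (onetap_example_entry_matches($entry, $domain)) {
            return false;
        }
    }
    return true; // both lists empty: everyone is allowed
}

// Constructed sample settings, as they might be typed into the two textareas.
$allowed = " Company.com\n@partner.org\n*.university.edu\n";
$blocked = "tempmail.com\nmailinator.com";

$cases = [
    'john@company.com'               => true,  // exact match
    'Jane@COMPANY.COM'               => true,  // case-insensitive
    'x@company.com.fake.net'         => false, // no suffix matching
    'x@sub.company.com'              => false, // subdomain not listed
    'x@students.university.edu'      => true,  // wildcard entry
    'x@university.edu'               => false, // wildcard excludes the apex
    'bad"@company.com"@evil.example' => false, // last "@" decides the domain
    'no-at-sign'                     => false, // unparseable: rejected
];
foreach ($cases as $email => $expected) {
    $got = onetap_example_is_domain_allowed($email, $allowed, $blocked);
    printf("%-36s %s\n", $email, $got === $expected ? 'ok' : 'MISMATCH');
}
// With an empty whitelist the blacklist applies instead:
var_dump(onetap_example_is_domain_allowed('x@tempmail.com', '', $blocked)); // bool(false)
```

Run it with `php domain-check.php`; every line should print `ok`. The two points worth carrying into a real deployment are that the whitelist must be compared with exact (or explicit wildcard) matching rather than `str_ends_with` on the bare domain, and that an empty whitelist means "no restriction", which is why the Troubleshooting section lists it as a cause of "Whitelist Not Working".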
Common Disposable Domains
Consider blocking these commonly abused domains:
# Temporary email services
```
tempmail.com
temp-mail.org
guerrillamail.com
guerrillamail.org
10minutemail.com
10minutemail.net
mailinator.com
throwaway.email
fakeinbox.com
trashmail.com
dispostable.com
maildrop.cc
yopmail.com
mohmal.com
```
Hooks for Developers
Filter Domain Validation
```php
// $allowed is the plugin's own verdict; return it unchanged unless you have a reason to override.
add_filter('onetap_is_domain_allowed', function ($allowed, $domain, $email) {
    // Custom logic (str_ends_with() requires PHP 8.0+)
    if (str_ends_with($domain, '.edu')) {
        return true; // Always allow .edu, even if the whitelist would reject it
    }
    return $allowed;
}, 10, 3);
```
Custom Error Message
```php
add_filter('onetap_domain_restriction_message', function ($message, $domain) {
    return "Sorry, @{$domain} is not allowed. Please contact support.";
}, 10, 2);
```
Log Rejected Domains
```php
add_action('onetap_domain_rejected', function ($email, $domain) {
    error_log("Domain rejected: {$email} ({$domain})");
    // Or send to analytics
}, 10, 2);
```
Security Considerations
Why Whitelist?
Whitelisting is more secure:
- Explicit allow list
- Unknown domains rejected
- Defense in depth
Why Blacklist?
Blacklisting is more flexible:
- Allow most users
- Block known bad actors
- Lower barrier to entry
Recommendation
| Use Case | Recommended |
|---|---|
| Corporate/B2B | Whitelist |
| Consumer site | Blacklist |
| Membership | Whitelist |
| E-commerce | Blacklist (or none) |
Troubleshooting
"Domain Not Allowed" for Valid Domain
Causes:
- Domain not in whitelist
- Typo in domain entry
- Subdomain not included
Solutions:
- Add domain to whitelist
- Check spelling
- Add subdomain explicitly
Users Bypassing Restrictions
Cause: Existing accounts not subject to restrictions.
Solutions:
- Review existing users
- Delete unauthorized accounts
- Restrictions only prevent new registrations
Whitelist Not Working
Causes:
- Settings not saved
- Cache issues
- Empty whitelist (allows all)
Solutions:
- Click Save Changes
- Clear caches
- Verify domains entered
Settings Summary
| Setting | Type | Default | Description |
|---|---|---|---|
| Allowed domains | Textarea | (empty) | Whitelist - only these can register |
| Blocked domains | Textarea | (empty) | Blacklist - these cannot register |
Format: One domain per line, no @ symbol
Best Practices
Do's
- Use whitelist for internal/B2B
- Use blacklist for consumer sites
- Keep lists updated
- Test with real emails
- Document your policy
Don'ts
- Don't use both whitelist and blacklist
- Don't forget subdomains
- Don't assume existing users are blocked
- Don't use wildcards without testing
Next Steps
- Role Mapping - Assign roles by domain
- Pending Approval - Manual approval workflow
- User Settings - General user config