Protecting your WordPress sign-up forms from fake emails
WordPress sites are a common target for bot sign-ups and throwaway addresses. This guide covers adding real-time validation to WooCommerce, WPForms, and Gravity Forms using the OhBounce.ai REST API.
WordPress powers over 40% of the web, which makes it the largest single target for automated bot sign-ups. Bots register accounts using disposable emails to claim discount codes, abuse free trials, or simply inflate registration numbers. Real-time email validation at the form level stops them before they get in.
The validation approach
The cleanest integration is a server-side validation hook that fires when the registration form is submitted. Rather than calling the OhBounce.ai API from client-side JavaScript (which would expose your API key), add a PHP validation function to your theme's functions.php or a custom plugin that calls the API server-to-server.
WooCommerce integration
WooCommerce fires the woocommerce_register_post action before creating a new customer. Hook into this action, call the OhBounce.ai API with the submitted email, and use wc_add_notice() to return an error if the address is INVALID or DISPOSABLE. WooCommerce handles the form display and prevents registration if any errors are present.
WPForms and Gravity Forms
Both plugins offer custom validation hooks. In WPForms, use the wpforms_process_validate_{field_id} filter to add validation logic. In Gravity Forms, use gform_field_validation. In both cases, call the OhBounce.ai API, check the status, and return a validation error message if the address fails your criteria.
Store your API key in wp-config.php as a defined constant, not in the database. This keeps it out of the WordPress options table and reduces exposure if your database is compromised.
Handling latency in PHP
PHP's HTTP requests are synchronous by default, which means your form submission will wait for the OhBounce.ai API response before proceeding. Average response time is under 200ms — well within acceptable UX bounds. Set a 5-second timeout on your HTTP request and implement a graceful fallback: if the API is unreachable, allow the submission and flag the address for later review.
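The server-side check, the wp-config.php constant and the 5-second timeout with fallback described above, wired into Gravity Forms' gform_field_validation filter. This is an added example, not code from OhBounce.ai or the plugin authors. Assumptions: the endpoint constant is a placeholder for the URL in the provider's documentation, the key is sent as a Bearer token, the reply is JSON with a "status" string, and the myprefix_ names are hypothetical.

```php
<?php
// Added example; not OhBounce.ai or Gravity Forms code. Assumptions:
// OHBOUNCE_API_URL is a placeholder for the documented endpoint, the key is
// sent as a Bearer token, and the reply is JSON with a "status" string.
// wp-config.php: define( 'OHBOUNCE_API_KEY', '...' ); define( 'OHBOUNCE_API_URL', '...' );

/** Returns the upper-cased status, or null when the check could not complete. */
function myprefix_check_email( string $email ): ?string {
	$response = wp_remote_post( OHBOUNCE_API_URL, array(
		'timeout' => 5, // seconds; the form waits no longer than this
		'headers' => array(
			'Authorization' => 'Bearer ' . OHBOUNCE_API_KEY,
			'Content-Type'  => 'application/json',
		),
		'body'    => wp_json_encode( array( 'email' => $email ) ),
	) );

	$code = is_wp_error( $response ) ? 0 : (int) wp_remote_retrieve_response_code( $response );
	$data = 200 === $code ? json_decode( wp_remote_retrieve_body( $response ), true ) : null;

	if ( ! is_array( $data ) || ! is_string( $data['status'] ?? null ) ) {
		// Timeout, transport error, non-200 or malformed body: fail open and
		// queue the address for review. The log line carries no address or key.
		error_log( 'myprefix: email check unavailable, HTTP ' . $code );
		do_action( 'myprefix_email_needs_review', $email ); // hypothetical hook
		return null;
	}
	return strtoupper( $data['status'] );
}

// Gravity Forms: reject e-mail fields whose address is INVALID or DISPOSABLE.
add_filter( 'gform_field_validation', function ( $result, $value, $form, $field ) {
	if ( 'email' !== $field->type || ! $result['is_valid'] ) {
		return $result; // not an e-mail field, or already failed built-in checks
	}
	// With "confirm email" enabled the value arrives as an array.
	$email = trim( is_array( $value ) ? (string) reset( $value ) : (string) $value );
	if ( '' === $email ) {
		return $result; // empty optional field: nothing to check
	}
	if ( in_array( myprefix_check_email( $email ), array( 'INVALID', 'DISPOSABLE' ), true ) ) {
		$result['is_valid'] = false;
		$result['message']  = 'Please enter a valid, non-disposable email address.';
	}
	return $result;
}, 10, 4 );
```

Because the fallback fails open, the review hook is the only control while the API is unreachable, so attach a handler that records the address somewhere an administrator will see it.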