Page Authority – Allowed Domains

Restrict WordPress user accounts to administrator-approved email domains.

Page Authority – Allowed Domains gives administrators a simple way to control which email domains are permitted when WordPress user accounts are created. When the allowlist is set, any attempt to create a user with an email outside the approved domains is blocked across the standard registration form, the REST API, and WooCommerce registration.

It is designed for sites where only users from specific organizations, companies, clients, or teams should be added as WordPress users. Typical use cases include internal company portals where only staff email addresses should ever become accounts, agency-managed client sites that should reject public signups, membership or B2B sites that vet users by their email domain, and multisite networks that need consistent domain rules across sites.

Existing users are never modified automatically. Instead, the Existing User Audit highlights accounts whose email domains are not on the allowlist so an administrator can review and act on them individually, including removing an account and reassigning its content.

Features include:

• Admin-managed allowed domain list
• Standard WordPress registration enforcement
• REST API user creation/update enforcement
• WooCommerce registration enforcement
• Existing User Audit tools
• Optional login enforcement
• Per-user unauthorized account removal with content reassignment
• Multisite-aware protections
• Lightweight architecture with no custom database tables

Security Notes

The plugin includes:

• Capability checks
• Nonce verification (verified before any state-changing logic runs)
• Sanitization and escaping
• Live revalidation before destructive actions
• Current-admin protection
• Multisite Super Admin protection
• Explicit content reassignment or delete confirmation before user removal

Recommended operational practices:

• Review the Existing User Audit before enabling login blocking
• Test custom registration and SSO flows before production rollout
• Maintain regular database backups before deleting users
• Restrict plugin management access to trusted administrators only

Uninstall

Deleting the plugin removes its current options:

• pageauth_allowed_domains
• pageauth_audit_log
• pageauth_block_unauthorized_logins

It also cleans up internal flags, transients, user meta, and any leftover keys from prior plugin versions that used the paad_ or aed_ prefixes. On multisite, the matching network options are removed as well.