Fake orders by guest customers (or robots) in Magento shops can become quite annoying. Some bots are even able to solve or skip the shop’s captcha codes.

Decline disposable email domains

To add another obstacle for bots without making the checkout process more complex than needed, I added some additional code in Magento’s root directory.

It declines the customer’s email address if it comes from a disposable email (trash mail) provider. So for the checkout to complete, the customer is forced to enter a valid (non-trash) email address.

This list on GitHub seems to be pretty much complete and can be queried directly, e.g. here.

Then include it in your Magento’s index.php:

Note: After every update, security patch etc., check whether the include statement is still in your index.php file. Re-add it if necessary.

Restrict admin access to certain IP ranges

In addition, it definitely makes sense to make the virtual /admin subdirectory more secure. It does not really exist in Magento’s file structure, so you cannot protect it with an .htaccess file as you can the /downloader directory. But you can extend the new checks.inc.php file you created before:
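
A sketch of what such a checks.inc.php could contain, covering both the disposable-domain check and the /admin IP restriction described above. This is an added example, not the author's original code; the list file name, the IP ranges and the helper names deny() and ipInCidr() are assumptions.

```php
<?php
// checks.inc.php: added sketch, not the author's original file. Assumptions:
// DOMAIN_LIST is a local blocklist copy (one domain per line), ranges are placeholders.
const DOMAIN_LIST = __DIR__ . '/disposable_domains.txt'; // hypothetical path
const ADMIN_ALLOW = ['192.0.2.0/24', '203.0.113.17/32']; // placeholder ranges

function deny(int $status, string $message): void
{
    http_response_code($status);
    exit($message);
}

// True if the IPv4 address lies inside the CIDR range; fails closed otherwise.
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr) + [1 => '32'];
    $ipLong = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false) {
        return false;
    }
    $mask = (~0 << (32 - (int) $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

// 1) Admin allowlist. REMOTE_ADDR is the TCP peer; behind a reverse proxy it
//    is the proxy's address. Adjust the pattern for a custom admin path.
$uri = rawurldecode($_SERVER['REQUEST_URI'] ?? '/');
if (preg_match('~^/+(index\.php/+)?admin([/?]|$)~i', $uri)) {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    $hits = array_filter(ADMIN_ALLOW, function ($cidr) use ($ip) {
        return ipInCidr($ip, $cidr);
    });
    if (!$hits) {
        deny(403, 'Forbidden');
    }
}

// 2) Reject any e-mail-like POST value whose domain is on the blocklist.
if (!empty($_POST) && is_readable(DOMAIN_LIST)) {
    $lines = file(DOMAIN_LIST, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    $blocked = array_flip(array_map('strtolower', array_map('trim', $lines)));
    array_walk_recursive($_POST, function ($value) use ($blocked) {
        $email = is_string($value) ? trim($value) : '';
        if (filter_var($email, FILTER_VALIDATE_EMAIL)
            && isset($blocked[strtolower(substr(strrchr($email, '@'), 1))])) {
            deny(422, 'Please use a non-disposable e-mail address.');
        }
    });
}
```

Load the file near the top of index.php with `require_once`, before Magento is bootstrapped. The domain match is exact, so subdomains of a listed provider pass unless they are on the list themselves.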

