Tempmails
Self-hosted. Privacy-first. Fully yours. Tempmails turns your WordPress site into a self-hosted temporary email service. Visitors generate a random disposable email address, receive messages in a real-time inbox, and discard them when done — all without leaving your site. Unlike third-party services, Tempmails runs entirely on your own server and IMAP mailbox. You own the data, the domain, and the brand. 🔒 No third-party email APIs 📬 Real IMAP inbox — not a simulation 🎨 Material Design 3 UI — beautiful out of the box ⚡ AJAX-powered — no page reloads 🚀 Quick Links Everything you need to get started, get help, and stay connected: 🌐 Official Website — tempmails.cv — docs, roadmap, and addon announcements 🎬 Installation Tutorial — Watch the step-by-step video guide below 📺 YouTube Channel — NeoSmartApps on YouTube — tutorials, walkthroughs, and new release demos ☕ Support the Project — Buy us a coffee via PayPal — Tempmails is free forever; your support keeps development alive 🖥️ Need Hosting? — Tempmails works best on a VPS or shared host with catch-all IMAP support. We recommend Hostinger (affiliate link — we earn a small commission at no extra cost to you) 🎬 Watch: Full Installation Tutorial Core Features 📨 Email Engine IMAP Email Fetching — connects to any catch-all IMAP mailbox Auto Email Generation — random disposable addresses on your own domains Real-time Inbox — AJAX-powered message viewer with configurable auto-refresh Attachment Support — download files with 40+ allowed extensions 🎨 Design & UI Material Design 3 UI — modern, responsive inbox with Inter & Poppins fonts White-labeled — fully rebrandable, no third-party branding in the UI Design Panel — live color picker and label customization in admin 🛡️ Privacy & Data Soft Delete — messages are never hard-deleted; safe for compliance Cookie-based sessions — no user accounts or registration required Zero external data transmission — all data stays on your server ⚙️ WordPress Native Uses WP database, cron, options, nonces, and security APIs throughout Settings API compliant admin panel Full i18n/l10n support with .pot file included Shortcode Place the inbox anywhere on your site with one shortcode: [tempmails_inbox] This renders the full inbox UI — email generation, copy button, auto-refresh, message list, and message viewer modal. Addon Ecosystem Tempmails Core is frozen infrastructure. All new functionality is delivered via addons using a documented, stable hook system — your site never breaks on Core updates. Available addon hooks cover: email generation, message routing, inbox access control, multi-domain support, billing integration, and more. See the Hooks section below for the full reference. Privacy Tempmails stores temporary email addresses in browser cookies to maintain inbox sessions between page loads. No personal data is collected, stored against user accounts, or transmitted to any external service. See External Services below for details on the optional GitHub ecosystem feed. Hooks Tempmails exposes a complete hook system for addon developers. All hooks below are stable and frozen — they will not be renamed, removed, or have their signatures changed in any minor version. Action Hooks tempmails_loaded — Core fully initialized; safe for addon bootstrap tempmails_core_ready — fires after DB integrity check; passes Core version string tempmails_activated — fires on plugin activation; safe for addon setup tempmails_deactivated — fires on plugin deactivation tempmails_email_generated — new address generated; params: $email, $ip tempmails_inbox_accessed — user opened inbox; params: $email, $ip tempmails_message_received — new message stored; params: $message_id, $to_address tempmails_message_marked_seen — message read; params: $message_id tempmails_message_deleted — soft delete triggered; params: $message_id, $email tempmails_cleanup_completed — cron cleanup finished; params: $deleted_count tempmails_fetch_completed — fetch cycle finished; params: $results array Filter Hooks tempmails_registered_addons — register your addon for the Addons admin page tempmails_generated_email — modify a generated address before returning it tempmails_available_domains — modify the domain list available for generation tempmails_can_fetch_messages — allow/block a fetch cycle; params: $bool, $engine tempmails_can_process_message — allow/block a single message; params: $bool, $message tempmails_can_store_message — allow/block DB insert; params: $bool, $data tempmails_can_read_inbox — allow/block inbox access; params: $bool, $email tempmails_message_content — filter body before display; params: $content, $message_id tempmails_default_settings — modify default option values on activation tempmails_inbox_attributes — modify shortcode default attributes tempmails_admin_dashboard_stats — extend dashboard stat cards tempmails_settings_tabs — add custom tabs to the Settings page External Services Ecosystem Feed (Optional — Default On) Tempmails fetches a public JSON file from GitHub to display addon and ecosystem information inside the WordPress admin panel. What this connection does: Fires only when viewing Tempmails admin pages Retrieves only public, non-personal JSON content Transmits no user data, site URL, or any identifiable information Results are cached locally for 1 hour to minimize requests Remote endpoint: https://raw.githubusercontent.com/ubermensch-site/tempmails-ecosystem/main/ecosystem.json Service provider: GitHub Privacy policy: https://docs.github.com/en/site-policy/privacy-policies/github-general-privacy-statement To disable this connection entirely, uncheck Ecosystem Feed under Tempmails → Settings → General. Hardcoded fallback content is shown instead — no requests are made. Google Fonts The frontend inbox loads the Inter and Poppins typefaces and the Material Symbols icon font from Google Fonts CDN. What this connection does: Fires only on pages where [tempmails_inbox] is rendered Transmits the visitor’s IP address to Google as part of a standard font request Service provider: Google Fonts Privacy policy: https://developers.google.com/fonts/faq/privacy To avoid this (e.g. for GDPR compliance), dequeue tempmails-google-fonts and load self-hosted font copies instead. Developers This section documents internal implementation details, security practices, and notes for addon developers. Security Hardening Log All security changes are tracked here for auditing purposes. 2026-04-04 — Security Review Pass (v1.0.7 patch) class-core.php — ajax_delete_message(): $_POST['message_id'] was wp_unslash()-ed but not sanitized, with a phpcs:ignore suppression comment masking the warning. Now wrapped with sanitize_text_field( wp_unslash( … ) ). Suppression comment removed. 2026-04-02 — Security Review Pass (v1.0.7 patch) class-design.php — Removed raw echo from render_page(). Static CSS moved to assets/css/admin.css. class-design.php — inject_css_variables() refactored: replaced echo “…” with wp_add_inline_style('tempmails-admin', ...). All $v() return values now pass through esc_attr(). class-design.php — inject_frontend_css_variables() refactored: all CSS values escaped with esc_attr(), wp_strip_all_tags() applied. class-design.php — wp_footer fallback replaced raw echo ' ' with a dummy registered style handle. class-tempmails-shortcodes.php — Inline replaced with wp_add_inline_script(‘tempmails-frontend’, …). class-ecosystem.php — Inline replaced with wp_add_inline_script(‘tempmails-admin’, …). class-core.php — ajax_mark_seen(): sanitized with sanitize_text_field( wp_unslash( … ) ). class-admin.php — save_settings(): Raw $_POST replaced with $clean_post = array_map(‘sanitize_text_field’, wp_unslash($_POST)). class-email-generator.php — get_emails(): Cookie data sanitized with array_values(array_filter(array_map('sanitize_email', $raw))). Addon Development Notes Hook Stability Guarantee All hooks listed in the == Hooks == section are frozen. Signatures will not change in any 1.x release. Breaking changes will only occur in a major version bump with a migration guide. $clean_post in save_settings hooks As of the 2026-04-02 security patch, both tempmails_before_save_settings and tempmails_before_save_imap_settings receive a sanitized copy of $_POST. If your addon previously relied on raw values via these hooks, retrieve those fields directly from $_POST with appropriate sanitization. CSS Variable Injection inject_css_variables() now attaches inline CSS to the `tempmails-admin` style handle. If your addon dequeues tempmails-admin, Design color variables will not be applied on admin pages. inject_frontend_css_variables() uses a priority waterfall: 1. Attaches to tempmails-frontend if registered/enqueued 2. Falls back to tempmails-frontend-css 3. Registers a dummy handle tempmails-design-vars in wp_footer at priority 1 File Structure tempmails/ ├── assets/ │ ├── css/ │ │ ├── admin.css │ │ ├── frontend.css │ │ └── ecosystem.css │ └── js/ │ ├── admin.js │ ├── admin-design.js │ └── frontend.js ├── core/ │ ├── class-core.php │ ├── class-admin.php │ ├── class-design.php │ ├── class-ecosystem.php │ ├── class-email-generator.php │ └── class-addon-handler.php ├── includes/ │ ├── class-tempmails-shortcodes.php │ ├── class-tempmails-database.php │ ├── class-tempmails-settings.php │ ├── class-tempmails-imap.php │ └── class-tempmails-fetcher.php └── tempmails.php