Protect WordPress Email Addresses From Spammers
Adding your email address to your site is helpful to your users, but it also makes the address available to spammers. Spammers can use scripts that visit websites and harvest the email addresses that are publicly available. This is called scraping.
This tutorial will show you a great way to mitigate scraping.
Background Information
One way of mitigating scraping is to do JavaScript cloaking of the email address.
The cloaking makes it so that the email address is only available when JavaScript is running. This is helpful, since most scraping scripts don’t have JavaScript running. However, the vast majority of users do.
Users who don’t have JavaScript enabled will get either a notification letting them know it’s needed to view the email address, or a ciphered email address.
Since the notification varies from implementation to implementation, scrapers don’t have a standard way of detecting those occurrences programmatically. Therefore, cloaking does a great job at mitigating scrapers while still being beneficial to users.
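The split described above, sketched as an added example (not the Email JavaScript Cloak plugin's own code): the static markup carries only a ciphered address, and a script rebuilds the mailto link. The ROT13 cipher, the cloaked-email class name and all function names are assumptions made for illustration.

```javascript
// Added illustration; the cipher (ROT13) and the markup are assumptions,
// not the Email JavaScript Cloak plugin's actual output.

// ROT13 is its own inverse, so one function both ciphers and deciphers.
function rot13(text) {
  return text.replace(/[a-z]/gi, (ch) => {
    const base = ch <= "Z" ? 65 : 97;
    return String.fromCharCode(((ch.charCodeAt(0) - base + 13) % 26) + base);
  });
}

// Escape values before placing them in HTML text or attributes.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Server side: what every client receives, including clients without JavaScript.
function cloakMarkup(email) {
  return `<span class="cloaked-email">${escapeHtml(rot13(email))}</span>`;
}

// Client side: the link a script would put in place of the ciphered text.
function revealLink(cipheredText) {
  const email = rot13(cipheredText);
  return `<a href="mailto:${escapeHtml(encodeURI(email))}">${escapeHtml(email)}</a>`;
}

// Defender's check: does the static markup expose the address or a mailto link?
function staticMarkupLeaks(html, email) {
  const lower = html.toLowerCase();
  return lower.includes(email.toLowerCase()) || lower.includes("mailto:");
}

// Constructed sample, using the address from this tutorial's shortcode.
const sampleEmail = "example@example.org";
const staticHtml = cloakMarkup(sampleEmail);
const revealedHtml = revealLink(rot13(sampleEmail));
console.log(staticHtml);
console.log(revealedHtml);
console.log(staticMarkupLeaks(staticHtml, sampleEmail));
console.log(staticMarkupLeaks(revealedHtml, sampleEmail));
```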
1) Install the “Email JavaScript Cloak” plugin
- WordPress core doesn’t cloak emails by default, so we’ll need a plugin.
- Use our install tutorial to install and enable the Email JavaScript Cloak plugin.
2) Shortcode
- Now, wherever you’d like an email to appear, you can use the following shortcode:
- [email example@example.org]
3) Preview (with JavaScript)
- Here’s what it looks like in the front-end:
- The bottom part of the screenshot shows the HTML that’s generated.
- It’s just standard HTML with a mailto link.
4) Preview (without JavaScript)
- But, here’s what it looks like with JavaScript disabled:
- As you can see, the mailto is now removed and the email address is now ciphered.
This small trick eliminates most scrapers.
Pro Tip
- If you want users without JavaScript enabled to see a notification, you can use the following shortcode:
- [emailnojs]
- Use it wherever you want the notification to occur.
I question whether this is worthwhile or actually works. Without using any kind of encryption, this “cloaking” is easy to identify and harvest. If enough people use it, spammers will adapt.
Today the best spam defense is not to put addresses (or phone numbers) online, to use a quality mail service that effectively filters spam, and in the last resort to use actual encryption.
Additionally it is not true that “WordPress core doesn’t include email cloaking.” Since 0.71 there has been antispambot() which may still be a semi-effective cloaking method. It converts addresses into HTML entities.
Hi Dan,
Good observations!
“Without using any kind of encryption, this ‘cloaking’ is easy to identify and harvest.” … it’s only easy to identify manually, but not automatically across sites with different implementations.
“If enough people use it, spammers will adapt.” … that’s true, but the condition has to occur and it’s unlikely to occur. Few people (percentage-wise) use cloaking techniques. Even fewer use WordPress sites with cloaking techniques, and even fewer use the Email JavaScript Cloak plugin.
There’s a saying that “You don’t have to run faster than the bear to get away. You just have to run faster than the guy next to you.”
Full acknowledgement on “Today the best spam defense is not to put addresses (or phone numbers) online, to use a quality mail service that effectively filters spam, and in the last resort to use actual encryption.”
“Additionally it is not true that ‘WordPress core doesn’t include email cloaking.'” … what I mean is that WordPress doesn’t cloak emails by default and there’s not a user option to enable it. antispambot() is a PHP function and so it’s not easy to use within content (e.g. a plugin would be required that executed PHP, which would complicate things and could introduce an attack vector).
I’ve switched:
“WordPress core doesn’t include email cloaking, so we’ll need a plugin.”
to:
“WordPress core doesn’t cloak emails by default, so we’ll need a plugin.”
Hopefully that reads better.