Protect WordPress Email Addresses From Spammers

protect emails from spammers

Adding your email address to your site is helpful to your users. But, it also makes it available to spammers. Spammers can use scripts that visit websites and harvest the email addresses that are publicly available. This is called scraping.

This tutorial will show you a great way to mitigate scraping.

Background Information

One way of mitigating scraping is to do JavaScript cloaking of the email address.

The cloaking makes it so that the email address is only available when JavaScript is running. This is helpful, since most scraping scripts don’t have JavaScript running. However, the vast majority of users do.

For users that don’t have JavaScript enabled, they’ll get a notification letting them know it’s needed to view the email address. Or they’ll get a ciphered email address.

Since the notification varies from implementation to implementation, scrapers don’t have a standard way of detecting those occurrences programmatically. Therefore, cloaking does a great job at mitigating scrapers while still being beneficial to users.

1) Install the “Email JavaScript Cloak” plugin

2) Shortcode

  • Now, wherever you’d like an email to appear, you can use the following shortcode:
  • [email]

3) Preview (with JavaScript)

  • Here’s what it looks like in the front-end:
  • The bottom part of the screenshot shows the HMTL that’s generated.
  • It’s just standard HTML with a mailto link.

3) Preview (without JavaScript)

  • But, here’s what it looks like with JavaScript disabled:
  • As you can see, the mailto is now removed and the email address is now ciphered.

This small trick eliminates most scrapers.

Pro Tip

  • If you want a notification to occur to users with no JavaScript enabled, you can use the following shortcode:
  • [emailnojs]
  • Use it wherever you want the notification to occur.


  • Nick Savov

    Nick is the Director of Support at OSTraining and you can find him in almost every area of the site, from answering support requests and account questions to creating tutorials and software.

0 0 votes
Article Rating
Notify of

Newest Most Voted
Inline Feedbacks
View all comments
Dan Knauss
Dan Knauss
8 years ago

I question whether this is worthwhile or actually works. Without using any kind of encryption, this “cloaking” is easy to identify and harvest. If enough people use it, spammers will adapt.
Today the best spam defense is not to put addresses (or phone numbers) online, to use a quality mail service that effectively filters spam, and in the last resort to use actual encryption.
Additionally it is not true that “WordPress core doesn’t include email cloaking.” Since 0.71 there has been antispambot() which may still be a semi-effective cloaking method. It converts addresses into HTML entities.

Would love your thoughts, please comment.x