Keep Your Website E-Mail Safe: WordPress Mail Security Functions

wordpress php mail function

In a previous post I wrote about how to send email with PHP using WordPress’ wp_mail() function.

Before you send that email though, there are a variety of ways you can ensure the security of your content.

Let’s take a look at some ways in which you can use WordPress functions to sanitize and protect your data.

Function #1: sanitize_email()

This function takes a string as input, and returns either a valid email address or nothing. Here are some examples:

$sanitized_email = sanitize_email('! ');
// will output: ''
echo $sanitized_email;
$sanitized_email = sanitize_email('adminexamplecom');
// will output nothing
echo $sanitized_email;

Ideally you’d run this before sending your email, and test the contents. If it’s empty, you don’t send the email, like this:

$sanitized_to = sanitize_email( ‘notarealemail' );
if ( $sanitized_to != ‘' ) {
wp_mail( etc etc );

In the above code, wp_mail() would never even get called, because $sanitized_to would be empty because the string it tried to clean is NOT an email address.

Use sanitize_email() any time you’re working with an email address so that you’re sure you actually have one.

You can read more about this function in the WordPress Codex.

Function #2: is_email_address_unsafe()

This is a fairly simple function. It also takes an email, similar to sanitize_email(), but it then compares against a list of domains that YOU create. This is really only available in a Multisite setup.

Once you have Multisite set up, then in your Network dashboard there’s a Settings page. In there is a field for you to simply list domain names which should not be allowed to do things on your site. By default they’re not allowed to create new sites, but using is_email_address_unsafe() you can compare against that field for anything. Here’s a screenshot of that field:

wp email security

Simply put some domain names in there and then you can do some code like this:

if ( ! is_email_address_unsafe( ‘' ) ) {
some cool code;

Two things about that code. Note the ! at the beginning of the function. That makes the function say “is this email address NOT unsafe?”, which in better English is “Is this email address safe?”

The other thing is that if were in my banned field then “some cool code” would not run.

This is a pretty manual setup. It doesn’t look out on the Internet for notoriously bad domains or anything, you have to make your own list. On the other hand, you have complete control over that list, and can add and remove domains any time you wish.

You can read more about this function in the WordPress codex.

Function #3: antispambot()

One of the ways that spammers fill their lists is by reading web sites and looking for email addresses. Of course the simplest way to stop that is to not put your address on the site, but sometimes it’s needed. You could use an image, but then people can’t copy and paste.

That’s where antispambot() comes in. It converts any string to htmlentities, with a few options. Here’s an example:

echo antispambot( '' );

In the HTML it’ll render like this:


But browsers will render it like this:

So robots crawling the site will see a bunch of gibberish, but the end user will still see a perfectly formatted email address.


There are a variety of things you can do with email and email addresses to tighten up how data is managed on your site. You can help prevent spam, keep bad data out of your system, and keep bad data from leaving your system to show on web sites.

I strongly recommend you give some thought to how you’re handling email on your site. Even if you’re already Doing It Right, it’s a good thing to review once in a while.


  • Topher DeRosia

    Topher is an accomplished programmer, having written his own content management systems and managed some very large websites. He loves to help people and believes playing with WordPress is fun. Topher lives in Michigan, USA.

0 0 votes
Article Rating
Notify of

1 Comment
Newest Most Voted
Inline Feedbacks
View all comments
9 years ago

i tested this..echo antispambot( ‘’ ) but when i inspect element, doesn’t convert htmlentities… anything i’ve missed?

Would love your thoughts, please comment.x