WordPress.org

Codex

Interested in functions, hooks, classes, or methods? Check out the new WordPress Code Reference!

Protection From Harvesters

Email spammers often use programs, known as email harvesters, that scan pages on the Internet for email addresses to collect and send unsolicited email. If your email address is publicly available through your WordPress installation, it may be vulnerable to these kinds of programs. Below are a few simple ways you can protect yourself from spam while still providing an email address to your readers.

Substitute Email Address

A popular solution to email harvesting is to create a "throwaway" email address at free services such as GMail or Yahoo Mail. Set this as your email address in your profile. WordPress makes it easy to display the address on your blog by providing the function the_author_meta('user_email'). Within The Loop portion of your templates, just add the tag:

<?php the_author_meta('user_email'); ?>

You will be able to check email that is specifically sent from your readers. If spam becomes too much of a problem, simply delete this account, create a new one, and change the email address in your profile to the new address. Your site will be immediately updated without having to change any template files.

Disguising Your Email

To "fool" email harvesters, a simple method is to convert the symbols in an email address to words (typically parenthesized). For example, steve@mac.com becomes steve (at) mac (dot) com. Since this is not recognized as a valid email format, harvesters tend to ignore it.

A slightly more complicated approach is to transform or encode characters in an address to their HTML character entity, or numeric character reference, equivalent. This means the letter a in an address becomes &#97;, the @ symbol &#64;, and so on. These should appear as gobbledygook to harvesters, while your browser renders them correctly.

You can use a free online encoder to encode your email address (here's another tool to encode your email using Javascript) or use the antispambot() function built into WordPress:

<?php echo antispambot(get_the_author_meta('user_email')); ?>

The function antispambot() above parses the email address passed by get_the_author_meta('user_email') (this is the same as the_author_meta('user_email'), except it returns rather than displays the author's email address). Use of the echo command displays the output of antispambot(). An interesting feature is that it encodes only portions of an address, and does so randomly so the letters encoded are different each time the page loads, adding a little more firepower to the spam protection arsenal.

NOTE: Unfortunately, WordPress does not allow invalidly formatted email addresses to be used in one's profile, so obfuscating your e-mail address there will not work.

Use Images Instead of Plain Text Email

Another easy trick for disguising your email is to create an image of your email address using some screen capture software, cropping it to size with an image editor, and inserting it where ever you like :-)

Be aware that screen reading software (commonly used by people with vision impairment) will not be able to read your email address either. If you use this method, provide a second form of contact as well.

Use Anti-Spam Plugins

There are some plugins that do this work automatically in posts and pages. For instance Email Address Encoder converts all plain email addresses and mailto links into decimal and hexadecimal entities. Another one is CryptX. There are some drawbacks as if it's not properly configured, they might mess with contact form where users introduce email addresses (if they make some mistake and the form is refilled and re-filtered). A less automated approach is that of Slash Admin, which has an option for including disguised email addresses in posts and pages via shortcodes (using the antispambot() function).

This article is marked as in need of editing. You can help Codex by editing it.