A blog for odd things and odd thoughts.

EmailShroud 2.2.1

EmailShroud is a WordPress plugin.

The latest version is 2.2.1, and can be downloaded here or via WordPress.org.

What does it do?

In order for spammers to send email to millions of people, they need millions of email addresses. One way to get these addresses is to automatically search the web, harvesting email addresses from unsuspecting web-sites. EmailShroud helps to protect email addresses that are published on a WordPress Blog.

Note: EmailShroud is not like most of the anti-spam plugins for WordPress. EmailShroud does not protect the blog against Comment Spam. EmailShroud helps to protect the owner, authors and other people mentioned on a blog from receiving email spam.

How does it work?

EmailShroud does more than just use “escape codes”, which is a poor-man’s solution to this problem.

It uses JavaScript to “obfuscate” the email address. Spammers don’t run JavaScript during their harvesting, as it would take too much effort and is unlikely to help produce many more email addresses. Almost all browsers used to actually read blogs do run JavaScript – the browser transparently decodes the email address without the reader even noticing.

EmailShroud gracefully handles browsers that are not running JavaScript.

How do I install it?

Installation is simple, and you should have the basic system up and running in a couple of minutes.

  1. Install the files.
    1. Get the latest version of EmailShroud.
    2. Create a directory called emailshroud on your WordPress server under the wp-content\plugins\ subdirectory.
    3. Extract the downloaded files into that directory.
  2. Activate the plug-in.
    1. Login to your WordPress Admin site.
    2. Select the Plugins page.
    3. If you were running an earlier version of EmailShroud, find it in the list and click Deactivate.
    4. Find the new EmailShroud entry and click Activate.

The system is now installed and activated. It will handle almost all of the situations and almost all of your readers’ browsers.

You may like to read Limitations of EmailShroud to find out about the tiny minority of situations that EmailShroud won’t automatically handle.

You may like to read Advanced Settings of EmailShroud to find out about how to improve the look-and-feel for the tiny minority of users who aren’t running JavaScript, and how to improve the security beyond the defaults.

How do I upgrade it?

Follow the same instructions above. Upgrading from EmailShroud 1.0.1, 2.0, 2.1 and 2.2 is suggested but not mandatory.


Feel free to report any bugs you notice or any suggestions you have. I plan to spend a limited amount of time on support.

Acknowledgements and Further Reading

Competing WordPress Plugins

There are several WordPress plugins with similar goals.

  • Obfuscate-Email and Email-Immunizer take a simple approach of simply escaping some or all of the characters (using numeric character references). On the down side, this approach is bother more easily cracked than EmailShroud (the regular expression used to search for emails just needs a little bit of buffing up, without any additional computational complexity) and is commonly used (making it worth cracking). On the upside for these plugins, I have no experimental evidence that spam-harvesters are bothering to crack it now. They also do not require Javascript, add less overhead to the size of the page, and don’t interfere with your subject, cc and bcc tags.
  • Transpose Email is a much simpler that EmailShroud. As of V1.2, it doesn’t automatically replace all email addresses – it requires the author to manually enter a special piece of code instead of an email address. This makes it harder to use, but it won’t trip up if you are someone who has to put usernames and passwords in a URL. It requires your reader’s browser to support JavaScript. Nonetheless, this plugin is worth keeping an eye on as a potential alternative to EmailShroud.

Similar Technology

  • Joe Maller describes a similar technology – some of the ideas from that site were helpful in improving my code for Version 1.
  • EmailCloak offer a similar technology for a small price.
  • The Enkoder plugin for Ruby on Rails has a similar goal. It includes some very basic encryption (ROT3?). It isn’t suitable for WordPress, but may work with some of the WordPress competitors.

Inspiration and Sources


  1. Hmmmm… sounds awfully like I am completely wrong. I’ll have to have a closer look.

  2. I had an email conversation with Diane Clayton, and we worked out the cause.

    If you have TWO email addresses in the one anchor tag (I am going to use # instead of @ in the example, to avoid triggering my copy of EmailShroud.):

    <a href=”mailto:email1#example.com”>email2#example.com</a>

    even if those email addresses are the same, EmailShroud will protect the first one normally, but drop the domain-name from the second one.

    The workaround is to either have the email address straight in the text (EmailShroud will add the link automatically), or replace the internal address with some other text, or accept the dropped domain name.

    It is working exactly as designed – I found I had written commented code for exactly this scenario. However, I haven’t yet had time to reconsider my strategy and decide if this is a bug in the design. It isn’t yet clear to me what the right behaviour should be – especially because the two address might be different.

  3. Here’s a study on the effectiveness of different email address obscuring techniques.

  4. Can the email shroud be disabled on a certain post? Well, we are experimenting with a plugin that creates a form for accepting donations; it sends our e-mail address to PayPal. This of course spoils that plugin. But then, our e-mail address will not be hidden.


  5. Swami,

    Here are some instructions for hacking your theme to turn off EmailShroud on particular pages.

    You are right: That email address won’t be hidden if you do this. You might like to create a special address for dealing with PayPal, and have your spam-filter only let through emails from the PayPal domain.

  6. I suppose most people have gone to contact form plugins to avoid this issue but it is interesting to see these creative methods for protecting email. Not saying that this tool is antiquated, but with comments going back to 2006 – it makes me wonder if someone maintains a spam prevention museum 🙂

  7. Alex, this plugin is still working fine after all those years. Hasn’t needed touching for years.

    Contact forms have their place, but only last week I was at a site for a manufacturer that had a contact form instead of an email address and phone number. As I filled it in, I realised how little I trusted that it would ever be seen by anyone!

  8. That is a good point Julian. You are right about forms. Having the address makes it a bit more accountable. I know for my small organization the contact form goes to the info@ address. Since it doesn’t have any person specifically attached to it, it can get overlooked.

  9. Ironically, this particular page is being targeted by comment spammers (not email spammers!). I’m tired of moderating it, so I have turned the comments off. If you want to contact me, there are plenty of other places on this this site to try.

Sorry, the comment form is closed at this time.

Web Mentions

  1. WordPress | CourseVector

  2. Thomas Troppers Blog | Sinnvolle Plug-Ins für WordPress

  3. Email Protection for WordPress | WebSiteCleanup.com