A blog for odd things and odd thoughts.

EmailShroud 2.2.1

EmailShroud is a WordPress plugin.

The latest version is 2.2.1, and can be downloaded here or via WordPress.org.

What does it do?

In order for spammers to send email to millions of people, they need millions of email addresses. One way to get these addresses is to automatically search the web, harvesting email addresses from unsuspecting web-sites. EmailShroud helps to protect email addresses that are published on a WordPress Blog.

Note: EmailShroud is not like most of the anti-spam plugins for WordPress. EmailShroud does not protect the blog against Comment Spam. EmailShroud helps to protect the owner, authors and other people mentioned on a blog from receiving email spam.

How does it work?

EmailShroud does more than just use “escape codes”, which is a poor-man’s solution to this problem.

It uses JavaScript to “obfuscate” the email address. Spammers don’t run JavaScript during their harvesting, as it would take too much effort and is unlikely to help produce many more email addresses. Almost all browsers used to actually read blogs do run JavaScript – the browser transparently decodes the email address without the reader even noticing.

EmailShroud gracefully handles browsers that are not running JavaScript.

How do I install it?

Installation is simple, and you should have the basic system up and running in a couple of minutes.

  1. Install the files.
    1. Get the latest version of EmailShroud.
    2. Create a directory called emailshroud on your WordPress server under the wp-content\plugins\ subdirectory.
    3. Extract the downloaded files into that directory.
  2. Activate the plug-in.
    1. Login to your WordPress Admin site.
    2. Select the Plugins page.
    3. If you were running an earlier version of EmailShroud, find it in the list and click Deactivate.
    4. Find the new EmailShroud entry and click Activate.

The system is now installed and activated. It will handle almost all of the situations and almost all of your readers’ browsers.

You may like to read Limitations of EmailShroud to find out about the tiny minority of situations that EmailShroud won’t automatically handle.

You may like to read Advanced Settings of EmailShroud to find out about how to improve the look-and-feel for the tiny minority of users who aren’t running JavaScript, and how to improve the security beyond the defaults.

How do I upgrade it?

Follow the same instructions above. Upgrading from EmailShroud 1.0.1, 2.0, 2.1 and 2.2 is suggested but not mandatory.


Feel free to report any bugs you notice or any suggestions you have. I plan to spend a limited amount of time on support.

Acknowledgements and Further Reading

Competing WordPress Plugins

There are several WordPress plugins with similar goals.

  • Obfuscate-Email and Email-Immunizer take a simple approach of simply escaping some or all of the characters (using numeric character references). On the down side, this approach is bother more easily cracked than EmailShroud (the regular expression used to search for emails just needs a little bit of buffing up, without any additional computational complexity) and is commonly used (making it worth cracking). On the upside for these plugins, I have no experimental evidence that spam-harvesters are bothering to crack it now. They also do not require Javascript, add less overhead to the size of the page, and don’t interfere with your subject, cc and bcc tags.
  • Transpose Email is a much simpler that EmailShroud. As of V1.2, it doesn’t automatically replace all email addresses – it requires the author to manually enter a special piece of code instead of an email address. This makes it harder to use, but it won’t trip up if you are someone who has to put usernames and passwords in a URL. It requires your reader’s browser to support JavaScript. Nonetheless, this plugin is worth keeping an eye on as a potential alternative to EmailShroud.

Similar Technology

  • Joe Maller describes a similar technology – some of the ideas from that site were helpful in improving my code for Version 1.
  • EmailCloak offer a similar technology for a small price.
  • The Enkoder plugin for Ruby on Rails has a similar goal. It includes some very basic encryption (ROT3?). It isn’t suitable for WordPress, but may work with some of the WordPress competitors.

Inspiration and Sources


  1. Thank you for the plugin!


  2. I found something strange in your code (something that somehow did not interfere with emailShroud’s workings).

    I found this piece of code twice:

    Notice the “/index/php” piece. It works, but that’s because of multiviews and url rewriting, I think.

    *sigh* And that captcha is giving me a headache…

    [Ed: This bug was fixed in EmailShroud 2.1.]

  3. As noted under “future features” there is a (small) price of accepting proprietary attributes like stoDom, stoUser.

  4. Thanks for this terrific plugin.

    I’m trying to use it on a multi-lingual website, and unfortunately it breaks. This is because the plugin calls load_plugin_textdomain too early. It should load on the ‘init’ hook.

    The fix is easy. Just change



    function init_emailShroud () {
    add_action('init', 'init_emailShroud');


    [Ed: This bug was fixed in EmailShroud 2.1.]

  5. Hi there! Since I´ll upgrade to WP 2.1 soo, I´m wondering if EmailShroud 2.0 is compatible?

  6. Eric, yes, it is compatible. Compatibility is detailed here.

  7. hi there, it seems trackbacks does not work! just would like to say thank you for this great plugin, appears on my must-have list 😉


  8. Thanks for the plugin!! Much appreciated.

  9. Thank you for your plugin, I appreciate it very much.

    Two issues, one solved:

    1) Due to my dislike of the fact that the plugin produces unvalid XHTML, I produced a patch which stops this: The encoded address can simple be coded in the valid title field of the span tag. Download the patch from my technical details page above (in German) or here (Yeah, you’re the first one to be mentioned …)

    2) Plain text E-Mail-Addresses are not reproduced properly, but are replaced by an email link. I found no quick solution to this one, maybe some kind of email address enumeration needed to be encoded in addition to the address for proper decoding.

  10. I have a “Contact Us” Text Widget on my WP 2.1 site. As noted in the documentation, this plugin will not encrypt emails that are in sidebars. I did the following workaround. first I posted the email address that I wanted encrypted in a normal post. I then viewed the generated HTMl and grapped the generated email HTML. I pasted this into my sidebar, but changed the id from ’emailshround0′ to something like ‘ContactUsEmail’.

    I then edited sto_emailshroud.php.

    copy line 261 (var nodeToReplace = document.getElementById(idToFind);) through line 303 (Closing bracket of the ifMoretoReplace if statement).

    Paste those lines after the closing bracket of the while(MoreToReplace) loop.

    Add the following line before the code you just pasted:
    moreToReplace = true ;

    finally, in the code you pasted change:
    var nodeToReplace = document.getElementById(idToFind);
    var nodeToReplace = document.getElementById(‘ContactUsEmail’);

    It’s a hack, but it works. You can post emails anywhere on the site using this. Just add as many blocks of code as you like. (Well, obviously you could create an array of id’s that need to be replaced and them loop through that array.)

  11. Karsten,

    Thanks for the patch. I’ve got bad news and good news!

    (First, to everyone else: EmailShroud 2.1 includes some non-standard attributes which are ignored by everyone except the XHTML validators. Karsten’s hack tunnels the data through the existing “title” tags. The upside is that the validators don’t complain any more. The down side is that you may clash with any existing titles (I haven’t tested this) and it doesn’t apply to the 3DES encryption.)

    The bad news is that this hack is about to become obsolete! The good news is that I am working on EmailShroud 2.2, and it includes both honest-to-goodness valid XHTML and a solution to the plain text emails being trimmed down even when JavaScript is turned on.

  12. Bryan,

    Thanks for the suggestion. I agree that that hack should work to let you shroud emails in the sidebar with EmailShroud 2.1.

    I would love for EmailShroud to automatically process the sidebar, but the WordPress architecture doesn’t allow for that. Your hack describes how you can make this change directly to both your theme template and the plugin. I’ve been thinking how I could make this easier for template writers to use the EmailShroud plugin if it was present, but I can’t see how, yet. Sorry.

    The bad news here is that your hack will need to be substantially re-written if you want it to work with EmailShroud 2.2. :-(

  13. Julian,
    The other bad news is that it doesn’t always work. If an email address isn’t listed somewhere in one of the sections that normally gets processed (posts, etc) then the function sto_emailShroud_insertScript() is never called. So then my “hack” never gets inserted as javascript into the finished page.
    Can you think of a way to get this to always be called? (Instead of just relying on an email address to be listed somwhere on every page/blog post?


  14. Strike that, sto_emailShroud_insertScript is being called. It just wasn’t doing anything because of the first if statement:


    I commented that line out and replaced it with:


    And now it works.

    The only downside to this “fix” is that now the JavaScript is loaded and runs on _every_ page. Even pages that don’t have any email addresses anywhere (including my sidebar). Which means that when viewing my photo gallery (gallery2, embedded with wpg2) that the JavaScript function is still called. But it’s a minor overhead I believe.

  15. I don’t understand why the ?subject= isn’t working…it just gets ignored and only the email address comes up with emailto:

    Otherwise, thank you very much…this is a new site and I was worried about making an email address available.

  16. Can i filter not only content function but my custom field too? Iv added after content but its not work :((
    add_filter(‘the_content’, ‘sto_emailShroud_mainFilter’, 55);
    add_filter(‘c2c_get_custom’, ‘sto_emailShroud_mainFilter’, 55);

    POssible do it?

  17. thanks for this great tool!

  18. How goes the development on 2.2? I ask because I just upgraded one of my sites to WP 2.3.1, and for some reason now with emailshroud enabled, the pages don’t display properly. It may have something to do with my customizations (to allow encryption of emails in the sidebars). However, I didn’t want to spend a lot of time debuggings if 2.2 will be released soon.

    Thanks for a great application!!

  19. Same problem as i have. Would be great if 2.2 will be released the next time, because i won’t change to another plugin!!!


  20. In response to recent urging and some holiday time:

    EmailShroud 2.2 is now available for download! See the updated page above for where, how, why and what’s new.

  21. Thanks for 2.2 you do a great job!!!!

  22. this is great application! just wondering if there is any code that I can use to stop the program working on particular pages?


  23. Francisco,

    Look over here.

  24. Thanks so much for 2.2, just found it now!!!

  25. just installed this on my site and it’s changing the emails as if i didn’t have js enabled?! can’t seem to figure out what I’m doing wrong. my site is http://ellided.com/blog

  26. Dear Brad,

    I checked out your blog and (a) it isn’t using EmailShroud, (b) it looks like the kind of site that spammers would refer people to, and (c) your email address has an unregistered domain name.

    I’ve fear you are merely spamming me. If you are a real human, let me apologise.

  27. Tried using it at jetcharterwire (dot) com on hxxp://www.jetcharterwire.com/privacy-policy/ and it isn’t doing anything that I can see. I installed the 2.20 plugin just like I have the other 50ish plugins on the site (I am a plugin whore) and got rid of my old version.

  28. Matt,

    I checked out that page, and EmailShroud is working perfectly.

    I think the reason you can’t see it do anything is that when EmailShroud does its job, the typical user doesn’t even notice it is there.

    Try looking at the HTML and notice that your email address doesn’t appear there.

  29. thanks!

  30. thanks very useful plugin

  31. Hi,

    Thanks for a great plugin. It’s working very well. I was wondering if there is a way to get the “rearrangement” option to display the full email address in the same way the “shuffle/reverse” option is. Shuffle/reverse is plenty fast enough for most pages but I have a few with 10+ email addresses on it and the users get to watch the javascript in real time. :)

    Pardon me if I’m missing the whole point of the settings. Just hoping I could use the lighter/less secure encoding techniques but have it continue to display the full email address on the page.


  32. Sorry, please ignore. I worked out another solution.

    .emailShroud_protectedAddress{visibility: hidden}

    avoids the on/off shuffle. still takes a second for the email address to be rendered to the page but that’s not particularly distracting.

    Thanks again for the plugin.


  33. I have a dot in the first part of my email address. This causes it to display as firstname.lastnamefirstnamelastname@gmail.com, instead of firstname.lastname@gmail.com.

  34. hi Julian,
    Thanks for the plugin! It’s just what I need, but I’m having trouble getting the javascript to work. I have the plugin installed as instructed, but it only provides the fallback solution rather than the javascript link.

    Your own protected emails on your site do work on my browser, btw. Any ideas? I tried disabling all other JS to see if it was conflicting but that doesn’t seem to be the issue.


  35. I’m a beginner website manager. I tried the plug-in, and it seems to work so well that the e-mail link becomes invisible on the website. What did I do wrong?

  36. Gorman,

    Can you either post the link here or email me so I can have a look?


  37. This is probably one of the better email protector plugins out there. very simple and doesn’t default to the ugly formatting of email addresses.


  38. This plugin conflicts with the wordpress shopp shopping cart plugin. It breaks the email in the shopping cart checkout and also the merchant’s paypal address. I had to deactivate it.

  39. MF,

    Sorry to hear about your difficulties.

    I haven’t tried it with the Shopp. It costs money, so I am afraid I won’t be testing it.

    I assume it contains email addresses embedded in the URLs, or some other known limitation. I went to your site, and looked at the source-code in the check-out process (at least until the point of requiring money) and I couldn’t see any bits of the code that might confuse EmailShroud, so this remains a mystery. Feel free to send more information about the problem, so I can investigate further.

  40. MF,

    Also, I didn’t see any email addresses on the check-out pages, so you may like to try this work-around hack to turn it off on those pages.

  41. Heya,

    I’m really excited about this plugin, but think I must be missing something… I’ve read through this site but couldn’t find an answer to my question…


    The plugin is stripping out the @ and the domain after the name in the display of the email address… is that just how it works? It would be nice to have the full email address appear on the page but be protected at the same time… am I missing something obvious?


  42. Good news, Diane. You *are* missing something obvious :-) You appear to be using version 1.0 of EmailShroud, which has been obsolete for 4 years.

    The behaviour you ask for was introduced in version 2.0. The latest version is 2.2.

    If you upgrade to the latest version, you should get what you want.

  43. Thanks for the snappy response!

    Weird, because I downloaded the plugin from the “download here” link at the top of the page, and in my WordPress installation in the plugins area it says I’m using v2.2… could it be that one of the scripts in the plugin folder is accidentally an older version?


  44. Hmmmm… sounds awfully like I am completely wrong. I’ll have to have a closer look.

  45. I had an email conversation with Diane Clayton, and we worked out the cause.

    If you have TWO email addresses in the one anchor tag (I am going to use # instead of @ in the example, to avoid triggering my copy of EmailShroud.):

    <a href=”mailto:email1#example.com”>email2#example.com</a>

    even if those email addresses are the same, EmailShroud will protect the first one normally, but drop the domain-name from the second one.

    The workaround is to either have the email address straight in the text (EmailShroud will add the link automatically), or replace the internal address with some other text, or accept the dropped domain name.

    It is working exactly as designed – I found I had written commented code for exactly this scenario. However, I haven’t yet had time to reconsider my strategy and decide if this is a bug in the design. It isn’t yet clear to me what the right behaviour should be – especially because the two address might be different.

  46. Here’s a study on the effectiveness of different email address obscuring techniques.

  47. Can the email shroud be disabled on a certain post? Well, we are experimenting with a plugin that creates a form for accepting donations; it sends our e-mail address to PayPal. This of course spoils that plugin. But then, our e-mail address will not be hidden.


  48. Swami,

    Here are some instructions for hacking your theme to turn off EmailShroud on particular pages.

    You are right: That email address won’t be hidden if you do this. You might like to create a special address for dealing with PayPal, and have your spam-filter only let through emails from the PayPal domain.

  49. I suppose most people have gone to contact form plugins to avoid this issue but it is interesting to see these creative methods for protecting email. Not saying that this tool is antiquated, but with comments going back to 2006 – it makes me wonder if someone maintains a spam prevention museum :)

  50. Alex, this plugin is still working fine after all those years. Hasn’t needed touching for years.

    Contact forms have their place, but only last week I was at a site for a manufacturer that had a contact form instead of an email address and phone number. As I filled it in, I realised how little I trusted that it would ever be seen by anyone!

  51. That is a good point Julian. You are right about forms. Having the address makes it a bit more accountable. I know for my small organization the contact form goes to the info@ address. Since it doesn’t have any person specifically attached to it, it can get overlooked.

  52. Ironically, this particular page is being targeted by comment spammers (not email spammers!). I’m tired of moderating it, so I have turned the comments off. If you want to contact me, there are plenty of other places on this this site to try.

Sorry, the comment form is closed at this time.

Web Mentions

  1. WordPress Plugins Database » Plugin Details » EmailShroud

  2. Contact Form WordPress Plugins « Lorelle on WordPress

  3. Sinnvolle Plug-Ins für Wordpress | Thomas Troppers Blog

  4. Mailadressen in Wordpress schützen | sokai.name - Potsdam bloggt wieder

  5. How to hide your email address on your blog :: Her Media - Online Advertising, Promotion, and Marketing

  6. La primera entrada… « Erbon {Blog} | Fotografia

  7. Why traditional website publishing is dead (and why you should use Wordpress or similar CMS instead) | Wordpress web design course

  8. WordPress | CourseVector

  9. Thomas Troppers Blog | Sinnvolle Plug-Ins für WordPress

  10. Email Protection for WordPress | WebSiteCleanup.com