A blog for odd things and odd thoughts.

Advanced Settings

Advanced Settings for EmailShroud

Dealing without JavaScript.

For users with JavaScript, EmailShroud appears transparent – they won’t even notice it is there.

However, a small minority of people use browsers which do not support JavaScript – often this is for reasons of extra security. For these users, EmailShroud is noticeable. There are two ways that EmailShroud can handle these cases known as “Action Plans”

Divert to default decoder page on EmailShroud site.

The default behaviour is to replace the email address with a link to a decoder web-page on SomethinkOdd.com. This web-page decodes the obfuscated email address and displays it, but the user must type it in manually to their email program.

Note: This default behaviour diverts the user to a 3rd party web-site – i.e. this one. In the unlikely case that the amount of CPU and bandwidth used by this service becomes non-trivial, I reserve the right to add (tasteful) adverts to the page that they see. I understand that may be unacceptable to some people, and I offer them an alternative action plan – see below.

Transform Address

An alternative action plan is to include the email address in the text, after being transformed in some way so it is no longer recognizable as an email address (e.g. including some garbage in the email address, with instructions to the reader to remove it.)

You can use the default transformation, or change the parameters to produce your own. I encourage you to produce your own to (a) localize the text to your blog’s language or style, and (b) to prevent spammers from writing code to overcome this technique.

The transformation occurs in three parts:

  • a prefix, placed before the address.
  • a replacement for the @ symbol.
  • a suffix, placed after the address.

This allows popular transformations like:

  • replace the “@” with “@NOSPAM.” Or “@REMOVEME”
  • replace the “@” with “ AT “.
  • Optionally, add some text to explain to people how to modify the address.

Security Settings

EmailShroud works by obfuscating the email address. In theory, this won’t stop a motivated hacker from extracting the email address – all the information is available to decrypt the email address. In practice, it doesn’t take much to obscure the email address to a level that a spammer won’t bother, and will move on to another web-site to harvest someone else’s address.

EmailShroud offers three levels of obfuscation so you can tradeoff between the level of security and the cost of decoding.


Rearrangement is a very simple system and takes negligible computation to encode and decode. It was the only solution available in EmailShroud 1.0. While I maintain that rearrangement is currently sufficient obfuscation, critics of EmailShroud 1.0 considered it insufficient, which is why EmailShroud now offers three levels.


Reverse/Shuffle is a still a simple system, and takes very little computation to encode and decode. Its advantage over Rearrangement is that it cannot be decoded with a trivial “regular expression” engine.

Triple DES (3DES)

3DES uses standard industry-standard encryption techniques. It is computationally it is fairly expensive, to encode and decode. It should discourage the efforts of even the stubbornest spammer!

On a page with many email addresses, you may notice a delay in loading while the computation is performed.

The 3DES security level has been provided to silence any remaining critics of the obfuscation levels available. In my opinion it is overkill, and is not recommended.

Note: 3DES cannot be turned on while redirecting non-Javascript users to the EmailShroud site. This is for three reasons:

  • The EmailShroud site remains the weakest link in the obfuscation. The spammers could merely follow the link to the EmailShroud site, and let it do the decrypting, then harvest the lightly obfuscated address from the page. If you want this level of obfuscation, you should use your own, novel, transformation strings.
  • It is computationally too expensive; if EmailShroud became too popular, my server would spend its entire day decrypting email addresses.
  • I had a stab at implementing it anyway, but it was very buggy and I got bored. 🙂

How to Set and Debug the Options

  1. Open the Options Panel
    1. Login to your WordPress Admin site.
    2. Select the Options page.
    3. Click on the EmailShroud tab.
  2. Select the Desired Action Plan.
    • If you chose Transform, you can select the desired transformation parameters.
    • Tip: Take care with leading and trailing spaces.
  3. Select the desired Security Level.
  4. Select Update Options, and check for warnings.
  5. Test your settings by turning off JavaScript in your browser, and clicking on an email address.


  1. I have installed the plugin, but looks like it won’t encode the emails that are contained in the users’ comments to the WP posts. I would like to protect the emails that users publish from email harvesters too.

    Can this feature be added?

    [Ed: This feature was added to EmailShroud 2.1.]

  2. Triple DES (3DES)
    Whoa. I’m not typically a gadgets geek, but this I gotta have.

  3. I do have a question, though. Everything works beautifully, but if I have my security settings higher than the lowest settings, the link isn’t displayed at all, but rather my alternative text setting. Any ideas?

  4. Meo,

    That doesn’t sound too hard. I will add that to the wishlist. I don’t have any concrete plans for starting the next version yet.

  5. Jonathan,

    If a user sets their security settings in their browser at a high level, they are effectively saying “I don’t trust the Javascript on the web page I am looking at, and the Javascript engine provided by my browser to block any nasty behaviour attempted by this web page.” All Javascript is turned off.

    The plugin works by displaying the alternative text, and then using Javascript to make it look normal again. If you turn off Javascript, the alternative text will remain.

    So, this sounds like it is working exactly as intended: If you are willing to run Javascript, it will look better. If you don’t, it gracefully degrades to the alternative text.

  6. Thanks for the plugin, Julian. I have one question: What would I have to change to display the entire email address on my site? Currently, it just displays the username part of the email address and doesn’t include the domain.


    [Ed: Feature added to EmailShroud 2.2]

  7. Scott,

    Sorry for the delay in responding. I started to write a simple response saying it wasn’t possible, but that provoked me to think about it more, and made me change my mind.

    With Version 2.0, you currently have two choices:

    1. Type in an email address straight into the text, in which case EmailShroud will drop the domain name, because it knows that if it leaves it there the spammers will find it.
    2. Type the email address as mailto address in an anchor tag, in which case you specify whatever pretty text you like. I recommend this, because I don’t consider displaying raw email addresses to be very pretty. Be careful not to set the pretty text to the full email address, or EmailShroud will miss it, and the spammers will get it!

    I have some more thinking to do about whether the Javascript could me made to substitute the full email address back in, if Javascript is enabled, making it prettier for the majority of your readers. Another feature to look forward to in the next version, I guess.

    Thanks for the suggestion!

  8. heya — good job.. now if only i could get it working. i’ve tried it on both IE and FF, and it’s stuck on redirect mode.

    yes – javascript is on. i have never disabled it on either browser. any ideas?

    thanks in advance, murray

  9. Murray,

    I am sorry to hear that you are having troubles.

    Is it working here on this site? e.g. Does the following example_address appear as an email address or a (redirected) URL? Do you have a URL to your site that you can send me so I can see it in action?

  10. Hi Julian!

    Really good work, I find your plugin very useful!

    So far, I did not have any troubles, but I just installed SimpleForum on a project website and EmailShroud stops people from registering/changing their email address.
    Here is a screenshot how it looks like:

    Your plugin works great, but I would like to know if I can workaround this or just disable EmailShroud for a specific page?

  11. Thank you so much for this great plugin and your 2.2 update.
    Just as the previous poster I would like the plugin to exclude a specific page (due to a form error). Is it possible?

    I would also like to inform you that your plugin is no longer available at WordPress official plugin repository (even though it is the best plugin for this purpose 🙂 )

    Any help is much appreciated.

  12. In response to the last two requests, I offer a dirty hack, below. If more people find this useful, let me know and I will find a cleaner way to include it directly into the official plugin.

    The purpose of this hack is to manually override the use of EmailShroud on an individual post or page.

    You need to insert the following code into your WordPress theme.

    <?php if (get_post_meta($post->ID,"sto_emailShroud",true)=="off"):
        remove_filter('the_content', 'sto_emailShroud_mainFilter', 55);
        remove_filter('get_the_excerpt', 'sto_emailShroud_mainFilter',9);
        remove_filter('the_excerpt_rss', 'sto_emailShroud_mainFilter',55);
    endif; ?>

    Where does the code go? Well, it has to be in “the loop”, which normally means after a line that looks like this:

    <?php if (have_posts()) : while (have_posts()) : the_post(); ?>

    It has to go before call to the_content or the_excerpt. Why not put it immediately after the loop starts, to be sure?

    Then you need to mark the particular page or post that you want to protect. Edit the post, and look for the Custom Fields near the bottom of the page. Add a new custom field with the key sto_emailShroud and the value off. Both of these are case-sensitive.

    This has been hastily tested, on one machine. Please test it yourself before you go live. I’d appreciate feedback on whether it worked for you.

    Don’t forget – any email addresses on this unprotected page are exposed to spammers.

  13. Daniel,

    your plugin is no longer available at WordPress official plugin repository

    Thanks for the warning. I have applied for it to be registered.

  14. The hack to manually override the use of EmailShroud mentioned above works well for me. I was having a problem with a feedback form getting messed up whenever a required field was left out. The page would regenerate and any email address already entered on the form would break the structure of the form. Being able to switch off EmailShroud on this individual page cured it. Many thanks.

  15. I have installed this plugin on two different wordpress sites. There is a simple site that it works flawlessly in. Then there is a more complicated site. On the second site it seems to think that js is disabled and will not encode the emails. Do you know of anything done in a them that may directly interfere with this plugin? Or any plugins that may interfere with it?

  16. William, nothing springs to mind. Can you post/email me a link to your broken site so I can take a look?

  17. I am also finding that this plugin thinks that js is disabled, at http://www.dpfr.org.uk/blog

    The blog is embedded in a page to make it fit the look of the site, perhaps something there making it think js is disabled? Any chance you could have a look please?

  18. John,

    The first thing to check would be if you have a file in your theme called footer.php, then it should have this line in it <?php do_action('wp_footer'); ?>

    If that isn’t the problem, here is some more information:

    I’m not sure what changes you needed to make to your WordPress code/themes to make it “embed in a page”, but I suspect that is related to the problem. (I suspect you only needed to make theme changes, and not code changes.)

    WordPress has the concept of a footer (“wp_footer”) at the bottom of each page. EmailShroud registers itself with the wp_footer action, so when the footer is generated, EmailShroud can include some JavaScript code there.

    This code does not appear on your web-site, effectively making it look like JavaScript is disabled.

    Please make sure your theme/code changes doesn’t interfere with the normal wp_footer process.

  19. Julian,

    Many thanks. I had edited footer.php in the theme and removed the call to wp_footer. Re-instating that has fixed it.

  20. Silvan Mühlemann of tillate.com has performed an experiment to evaluate different email obfuscation techniques.

  21. How can I style the A link? I’d like to place a background image next to the email link. I tried using the “sto_emailShroud0” tag, but that didn’t work.


  22. richard,

    Interesting question. That hasn’t come up before.

    EmailShroud will catch mailto: HREFs and plain email addresses.

    I believe (but haven’t double-checked by testing) that if it finds an HREF, its classes, styles and ids will be copied across. If it finds a plain email address in the text, there are no such styles to copy across, so that won’t happen.

    So, first choice is to use mailto: URLs in your content, and style them normally.

    For the other sort, it looks far messier.

    To start with, you would need to style both the JavaScript and Non-JavaScript versions.

    With JavaScript, no other tags are added (apart from what was mentioned above). You could use a technique like this to identify the mailto: hrefs.

    For browsers without JavaScript, I think your idea of styling sto_emailshroud0 (and sto_emailshroud1, 2, 3.. etc. depending on the number of email addresses per page) should work.

    Alternatively, you could change the code in the sto_emailShroud_matchedEmailAddress function to add tags to each type of output.

Leave a comment

You must be logged in to post a comment.