A blog for odd things and odd thoughts.



This is a historical record of the EmailShroud 1.0.1 release. Please see EmailShroud 2.0 for latest version of EmailShroud.

EmailShroud is a WordPress plugin.

What does it do?

In order for spammers to send email to millions of people, they need millions of email addresses. One way to get these addresses is to automatically search the web, harvesting email addresses from unsuspecting web-sites. EmailShroud helps to protect email addresses that are published on a WordPress Blog.

Note: EmailShroud is not like most of the anti-spam plugins for WordPress. EmailShroud does not protect the blog against Comment Spam. EmailShroud helps to protect the owner, authors and other people mentioned on a blog from receiving email spam.

How does it work?

EmailShroud does more than just use “escape codes”, which is a poor-man’s solution to this problem.

It uses JavaScript to “obfuscate” the email address. Spammers don’t run JavaScript during their harvesting, as it would take too much effort and is unlikely to help produce many more email addresses. Almost all browsers used to actually read blogs do run JavaScript – the browser transparently decodes the email address without the reader even noticing.

EmailShroud gracefully handles browsers that are not running JavaScript.

How do I install it?

Installation is simple, and you should have the basic system up and running in a couple of minutes.

  1. Install the file.
    1. Get the latest version of EmailShroud.
    2. Extract the file sto_emailshroud.php and copy it to your Word Press directory, under the wp-content\plugins subdirectory, on your server.
  2. Activate the plug-in.
    1. Login to your WordPress Admin site.
    2. Select the Plugins page.
    3. Under the Plugins tab, find EmailShroud and click Activate.

The system is now installed and activated. It will handle almost all of the situations and almost all of your readers’ browsers.

You may like to read Limitations of EmailShroud to find out about the tiny minority of situations that EmailShroud won’t automatically handle.

You may like to read Advanced Settings of EmailShroud to find out about how to improve the look-and-feel for the tiny minority of users who aren’t running JavaScript.


What EmailShroud will detect and protect

EmailShroud will search for email addresses in the following places:

  • The contents of WordPress pages.
  • The contents of posts.
  • The contents of post excerpts.
  • The contents of RSS feeds.

It will search for:

  • Links to email addresses (i.e. anchor tags with mailto addresses.)
  • Email addresses written in the content of a post with the text mailto: in front of it.
  • Email addresses simply written in the content of a post.

Limitations of EmailShroud

In the following rare circumstances, EmailShroud may pass through the email addresses, unprotected:

  • Multiple email addresses within a single anchor tag, including ‘cc’ and ‘bcc’ addresses.
  • Domain names with multiple consecutive dashes.
  • Email addresses in WordPress page titles and post titles.
  • Where the anchor tag is malformed, so it is not recognized as an anchor tag.
  • Where the email tag appears outside of the pages, posts, excerpts and RSS feeds. In particular, in a list of links in a side-bar or in templates.

In the following rare circumstances, EmailShroud may damage existing links:

  • Where a user-name and password is included in a URL.
    • i.e. using the userinfo subcomponent of a URL.
    • This is rarely used outside of phishing attempts.
  • Where the anchor tag is malformed, so it is not recognized as an anchor tag.
  • Automatically generated excerpts may have their email addresses stripped.
    • See below for more information.
  • Email addresses in Category Descriptions.
    • This bug-fix is pending the repair of another bug-fix in WordPress

In the following unusual circumstances, EmailShroud may make links disappear:

  • Where the page is served as XHTML 1.0 Strict in the DOCTYPE tag, and the user is not using Internet Explorer and JavaScript is turned on.

Special Behaviour for Excerpts

In some circumstances (for example, category views or for RSS feeds) an excerpt of a post may appear. WordPress allows the author to produce their own excerpt – if they don’t, an automatically generated excerpt is used.
If the user manually enters an excerpt, it is treated by EmailShroud much like regular content. If WordPress automatically generates an excerpt, it strips all tags, and the email address will not appear.



EmailShroud requires WordPress 1.5, or above. It has been tested on WordPress 1.5.2, 2.0, 2.0.1 and 2.0.2.


EmailShroud has been tested on:

  • Mozilla Firefox 1.0.4, (Windows)
  • Microsoft Internet Explorer 6.0 & 7.0 Beta 2 (Windows)
  • Opera 8.0.2 (Windows)

XHTML Compliance

EmailShroud breaks Strict XHTML in two ways. However, it works correctly with Transitional XHTML.

EmailShroud uses Document.Write(), which is not supported in Strict XHTML. It is hoped that this will be remedied in a future release.

EmailShroud also may put a “noscript” tag inside other tags, like a paragraph tag. This is a perfectly safe action – if the browser does not expect the tag it should be ignored, which is the correct behaviour. However, you may receive warnings if the web-site is passed through an XHTML validator; they can be ignored. Correcting this issue is likely to make the plug-in far more complicated, and increase the size of the download, but this will be considered for inclusion in a later version.

Advanced Settings for EmailShroud

Dealing without JavaScript.

For users with JavaScript, EmailShroud appears transparent – they won’t even notice it is there.

However, a small minority of people use browsers which do not support JavaScript – often this is for reasons of extra security. For these users, EmailShroud is noticeable. There are three ways that EmailShroud can handle these cases, known as “Action Plans”

Divert to default decoder page on EmailShroud site.

The default behaviour is to replace the email address with a link to a decoder web-page on SomethinkOdd.com. This web-page decodes the obfuscated email address and displays it, but the user must type it in manually to their email program.

Note: This default behaviour diverts the user to a 3rd party web-site – i.e. this one. In the unlikely case that the amount of bandwidth used by this service becomes non-trivial, I reserve the right to add (tasteful) adverts to the page that they see. I understand that may be unacceptable to some people, and I offer them two alternative actions plans – see below.

Transform Address

One alternative action plan is to include the email address in the text, after being transformed in some way so it is no longer recognizable as an email address (e.g. including some garbage in the email address, with instructions to the reader to remove it.

You can use the default transformation, or change the parameters to produce your own. I encourage you to produce your own to (a) localize the text to your blog’s language or style, and (b) to prevent spammers from writing code to overcome this technique.

The transformation occurs in three parts:

  • a prefix, placed before the address.
  • a replacement for the @ symbol.
  • a suffix, placed after the address.

This allows popular transformations like:

  • replace the “@” with “@NOSPAM.” Or “@REMOVEME”
  • replace the “@” with “ AT “.
  • Optionally, add some text to explain to people how to modify the address.
Divert to custom decoder page in the template file

A third action plan is still is to redirect the user to a script running on your own site. In theory, this means they will continue to see the colours and style of your own site. In practice, this requires non-trivial modifications to your WordPress template.

How to Set and Debug the Options

  1. Open the Options Panel
    1. Login to your WordPress Admin site.
    2. Select the Options page.
    3. Click on the EmailShroud tab.
  2. Select the Desired Action Plan.
  3. If you chose to divert to the EmailShroud Site there is nothing more to do.
  4. If you chose Transform, you can select the desired transformation parameters.
    • Tip: Take care with leading and trailing spaces.
  5. If you chose to divert to your own custom decoder, you need to ensure there is a PHP file in your template directory to handle it.
    • Here is an example code fragment that does the computation – the required change is to make it fit with your web-sites side-bars, headers, styles, etc.
    • This is likely to be non-trivial. I would like to hear from you if you were successful, especially with any of the more popular themes.
    • I’d appreciate it if you would include a pointer to the http://www.somethinkodd.com/emailShroud home page in the HTML source.
  6. Test your settings by turning off JavaScript in your browser, and clicking on an email address.


Feel free to report any bugs you notice or any suggestions you have. I plan to spend a limited amount of time on support.

Acknowledgements and Further Reading

  • Joe Maller describes a similar technology – some of the ideas from that site were helpful in improving my code.
  • Transpose Email is a much simpler WordPress plugin with a very similar goal. As of V1.2, it doesn’t automatically replace all email addresses – it requires the author to manually enter a special piece of code instead of an email address. This makes it harder to use, but it won’t trip up if you are someone who has to put usernames and passwords in a URL. It requires your reader’s browser to support JavaScript. Nonetheless, this plugin is worth keeping an eye on as a potential alternative to EmailShroud.
  • EmailCloak offer a similar technology for a small price.
  • The Enkoder plugin for Ruby on Rails has a similar goal. It includes some very basic encryption (ROT3?). It isn’t suitable for WordPress, but may work with some of the WordPress competitors.
  • The “regular expressions” that form the basis of the code were influenced by some of the items at the RegExLib.com Regular Expression Library.
  • I have tried hard to comply to the official advice on writing a plugin.

Version History

  • 1.0.1 Lowered filter priorities to avoid clash with PHP Markdown 1.0.1b, and later
  • 1.0.0 First version to go live.
  • 0.91 Beta Test version


  1. Provided a link to your plugin from my page.

  2. Julian,

    Thanks for stopping by and letting me know about the email addy outside the norm… I really appreciate it. I have no complains about the functioning of emailshroud plugin for the site. I have had no problem with it playing nice with the other plugins on the site.


  3. Nice, seems works without a hitch, but since the complete email address is still in the source (although separated from the mailto:) are you sure they can’t still be harvested?

  4. Thanks John!

    The aim of EmailShroud is to make it hard enough to harvest the email address that spammers don’t bother, and instead look elsewhere – or even better, get a real job.

    You raise an important point, that I have considered carefully.

    If EmailShroud became insanely popular, it might start to become worthwhile for a spammer to automate the detection of EmailShroud and decode the addresses.

    I did start out with some ambitious plans to encrypt the email address with a randomised secret key to make this even more secure, but I realised I was kidding myself. I will deal with the encumbent problems of overwhelming popularity when (and if) they occur. Until then, the simple obfuscation should be more than sufficient. It’ll also load faster than a full solution.

    When the proportion of WordPress blogs that use EmailShroud rises above, say, 0.5%, come right back here for a slower, more secure solution!

  5. There is another action plan you could include, or which could even replace the “transform address” option. Generate a random textlogo of the email and use inline CSS to shrink it down to resemble normal text.
    A proof-of-concept is in my link.
    Even with javascript and images turned off in a browser it will display. If styling is turned off it’s just shown unshrunken.

  6. EmailShroud 1.0.1 has now been tested against WordPress 2.0; it works without modification.

  7. Mardeg’s solution is a cunning one. The Javascript draws your email address as ASCII art, and shrinks down the characters to one-pixel high to make it bit-mapped ASCII art! Nice trick!

    The downside, to quote Mardeg, is that it is the “most bloated human-readable email hider in the world!” A quick test took 9KB to include a 14-character email address!

    I don’t plan to add this option to EmailShroud but will reconsider if there is demand.

  8. Note to self:

    Features I would like to add, one day, include:

    * Appropriate license agreement to explain you can freely change the code, but I would appreciate you letting me know, and leaving my name on there somewhere.

    * While it works fine under the old-style (numeric) user levels, it would be prettier to explicitly use the new WP 2.0 roles.

    * Adding a “no follow” tag to the generated HTML would mean that Google would pointlessly hit my site, less often.

    * It would be cool to have an action plan to generate a gif, but I still don’t know how to cleanly do that from within a plugin. (Hacking .htaccess files doesn’t attract me.)

  9. EmailShroud 1.0.1 has now been tested against WordPress 2.0.1; it works without modification.

  10. Updated page with reference to Enkoder. Thanks to Alastair.

  11. I’ve had hard time downloading it today. Not sure if it’s my web connection…


  12. Jason,

    The download is working fine for me. Please try again.

  13. Business Blog Consulting points out that EmailShroud can’t be used for email addresses hard-coded within your theme files.

    I’ll give that some thought in the next version (which remains an unplanned future hope at this stage.)

  14. Under the section on limitations of EmailShroud, I wrote that it doesn’t handle:

    Multiple email addresses within a single anchor tag, including ‘cc’ and ‘bcc’ addresses.

    Here are two specific examples that aren’t handled:

    • Having an anchor tag with a title field that contains an email address: <a href=”email address” title=”email address“>Contact Me</a>
    • Putting the email address as both the text of the anchor tag and the href field: <a href=”email address” >email address</a>
  15. I’ve been trying EmailShroud out and have a question: I’d like to link to my email address, with the linked text also being my email address (for example a. Whilst EmailShroud breaks up and ‘enshrouds’ the hyperlink reference, it doesn’t seem to do anything to do the linked text, which seems to appears normally in the source of the webpage. Given that, can this be safe?

  16. Alan,

    Thanks for trying EmailShroud out.

    You are absolutely right; putting the email address in the same tag twice will fool EmailShroud, and leave your email address in plain text.

    While I knew that this was a theoretical limit of EmailShroud from the beginning, I only saw this limit actually affect someone for the first time about a week ago.

    I documented as a limitation in the original description, but last week I added a comment above clarifying this warning.

    Originally, I didn’t think this was a serious limitation, but you are the second person to encounter this – so it is clearly a real issue. I will need to give some thought to how the plugin can be modified to handle this.

    In the meantime, I recommend you avoid creating such links in your HTML. Leave the email address in the href tag, but remove it from the link text and title field.

    Thanks for your feedback.

  17. I’m going to use EmailShroud for a club blog, but I’d be interested in having it just strip out email addresses, and not display them even if spammers did have JavaScript enabled. This would respect people’s email address privacy, and the blog has a contact form that interested persons can use anyway.

    Any tips for modifying the script to disable the part where it writes in the JavaScript, and just displays a mangled email address (something like the way Yahoo! does it would work, where the domain is replaced with “…”).

  18. I’m not sure I understand. I have installed the plugin. I still see the mailto: in links of all email addresses and the @ sign. When I mouseover an email link the same above shows.

  19. Jeffrey,

    I have checked out your site, and I agree – there is no sign that EmailShroud is working.

    Have you remembered to activate the EmailShroud plugin? That would appear to be the most likely cause.

    If that is not it, then could you please provide a list of the other WordPress plugins that you are using? Perhaps there is a previously unknown incompatibiity there.

    I notice that (a) you are required to register to leave comments on your site and (b) one of your plugins displays the email addresses of your registered users. Even if EmailShroud was working, I suspect you will find that this is an unpopular combination. I was a bit shocked to see my email address displayed to your readers; I changed my profile to put a dud email address in its place.

    One final clarification: If EmailShroud is working (and your browser supports JavaScript) then mousing-over (mouse-overing?) a shrouded email link will display the email address as normal. It works transparently to the reader, but not to the spammer.

  20. Mortaine,

    It shouldn’t be too hard to modify EmailShroud to do that.

    Once you get past the regular expression line-noise and the infrastructure required to make a WordPress plugin work, there is less than 50 lines of code there.

    In the function sto_emailShroud_matchedEmailAddress there is a variable called result which is progressively filled with the HTML that is substituted for the email address. You will want to remove the Javascript that is added here. You will also want to replace the pieces of code that insert the domain name, which is found in $matchingText[2].$matchingText[5]. (That’s actually two places, but at all times exactly one of the two will be empty; which one depends on the matched pattern.)

    Please let me know if you are successful.

    If other people need this too, please comment here and I will consider it for a future release.

  21. Hi Julian,
    Thanks for your response. I have modified the members page to not show email addresses. And I thought I had it set for anyone to comment,, I fixed that as well.
    As for EmailShroud, it is activated. I am playing with a few plugins as well as some widgets. I believe as you that there seems to be some incompatability because the Admin page in WP no longer shows the default info that usually comes up on the dashboard.

    I’ll look a little further into it.

  22. Hello,

    Thank you for your effort in making this plugin. However, though it sounds like a good idea, looking at the internals of the implementation appears to be rather disappointingly vulnerable to spam harvesting.

    Unlike some other email obfuscators, like the Hiveware Enkoder or Paul Gregg’s URL/Link/Mailto: encoder, Email Shroud leaves the email in plain text in the HTML source.

    All a spammer has to do is look in the HTML source for “sto_user” and “sto_dom”, and they’ve got your email address in plain text. Here’s how “test @ example.com” looks in the HTML source:


    So that’s all a spammer has to search for and harvest.

    In contrast, here’s how "test @ example.com" looks using Paul Gregg’s URL/Link/Mailto: encoder (minux the javascript tags, for readability):


    And in the Hiveware Enkoder it looks like this:

    [CDATA[ */
    function hivelogic_enkoder(){var kode=
    "='\\\\\\\\fxr'i;0oi(k=d;. */

    Sorry to be so critical, but I think it would be great if this plugin could be improved to more seriously obfuscate email addresses, and the first step towards that is to point out its weaknesses. Maybe the Hiveware or Paul Gregg’s obfuscators can provide some inspiration.

    Best of luck.

  23. Dear Anonymous (aaa),

    Thanks for your comments. I appreciate that it is important with any software related to security to have people taking a critical look at how it works.

    The points that you raise have already been covered above, but let me address them again for clarity.

    First, I would warn you that the first example of obfuscation by using escape codes – you use Paul Gregg’s obfuscator as an an example, but this is one of many – looks very secure at a glance, but is actually relatively lightly encoded. Because the technique used to encode it is (a) simple and (b) common, I would actually expect it to be cracked by spammers ahead of EmailShroud. (That said, it is far better than nothing!)

    On the other hand, the second Enkoder example seems to be stronger, and I applaud it – I have had it as a reference in the Further Reading section for some months, so it has already provided some inspiration.

    As I wrote in the comments above, I did consider the issue that spammers could spend effort to crack EmailShroud:

    If EmailShroud became insanely popular, it might start to become worthwhile for a spammer to automate the detection of EmailShroud and decode the addresses.

    I did start out with some ambitious plans to encrypt the email address with a randomised secret key to make this even more secure, but I realised I was kidding myself. I will deal with the encumbent problems of overwhelming popularity when (and if) they occur. Until then, the simple obfuscation should be more than sufficient. It’ll also load faster than a full solution.

    When the proportion of WordPress blogs that use EmailShroud rises above, say, 0.5%, come right back here for a slower, more secure solution!

    While the popularity of EmailShroud has been personally satisfying to me, I don’t think I am close to approaching that sort of level!

  24. I should point out that Enkoder has been ported to PHP and made available as a wordpress plugin.

  25. I get the plugin to work, but the e-mail addresses disappears in Firefox with JavaScript turned ON. Is this a known bug?

  26. Anders,

    This isn’t a known bug. I just retested it with the latest version of Firefox on Windows, and I am not seeing anything unexpected. I’ve not heard any other complaints from Firefox users either.

    Perhaps you could email me more details of the problem (OS, software versions, steps you took) and/or a screenshot of the problem.

    Please ensure the Status Bar is turned on (under the View | Status Bar menu.)



  27. Following up from his previous comment, Anders kindly emailed me the details of his web-site, and I was able to confirm that, yes, there is a bug in EmailShroud 1.0.1.

    It appears to be limited to pages being served as strict XHTML – that is the DOCTYPE at the beginning of the web page source is for XHTML 1.0 Strict. It also doesn’t affect Internet Explorer, but does affect Firefox and Opera when JavaScript is turned on

    I have a fair idea of the cause, but I haven’t got a clear solution for it yet, and I don’t expect to get a chance to implement a solution for a few months.

    In the meantime, if you are bold enough to go for strict XHTML compliance, I apologise and recommend you don’t use EmailShroud 1.0.1.

    You can check for yourself what your blog’s theme uses by doing a View Source on one of your blog pages, and looking for the text “XHTML 1.0 Strict” hidden in the DOCTYPE line at the very top. Most people will see the word “Transitional” hidden inside it instead; those people should be fine.

  28. Do you know of a similar plugin for Typepad?

  29. …Paul Gregg’s obfuscator as an an example, but this is one of many – looks very secure at a glance, but is actually relatively lightly encoded. Because the technique used to encode it is (a) simple and (b) common, I would actually expect it to be cracked by spammers ahead of EmailShroud.

    Thanks for the references, however Julian, I would like to counter your assertion about my encoding method. If you decode the javascript you would see that it is not trivial to decode back to the actual email address or link.

    For example, I encoded the web address of this page using my routine which produces the following code:

    However, if you actually decode that you will see:
    var s=’thpt/:w/wws.moteihkndo.doc/mdotdihknni/gmeiaslrhuo-dowdrrpse-slpgu
    ni/’;var r=”;for(var i=0;ilink to email or url’);

    I hope you would agree that it certainly wouldn’t be cracked quite as easily as you suggested previously.



  30. I would like to sincerely apologise to Paul Gregg for wrongly maligning his code.

    I overlooked the “eval” call in the decoder, and thought it was just unescaping the text.

    The original anonymous poster (aaa) was absolutely correct that Paul Gregg’s obfuscation is more powerful than the one in EmailShroud.

    I am very sorry, Paul. Thank you for correcting me.

    This might be a opportunity to hint that I have been spending some time on EmailShroud 2.0. In response to requests here, increasing the obfuscation level is on the list of priorities [whether I think it is overkill or not :-)]

Sorry, the comment form is closed at this time.

Web Mentions

  1. schimana.net » Blog Archive » EmailShroud-Test

  2. Spam experiment - rm -rf /bLog

  3. Wireless » Blog addi(c)tions .::::::. le blog de SkyMinds

  4. BusinessBlogHive.com » Blog Archive » EmailShroud Plugin Review

  5. The 6 WordPress plugins that make my life a little easier » Bunch of Nerds - A Collection of All Things Different