Obfuscate email addresses using PHP

If you want to include an email link in a WordPress template, or any other web page for that matter, it’s advisable to ‘obfuscate’ the address. Unfortunately, spammers scour the web to harvest email addresses, so if you simply place your address online, you’re very likely to get some extra unwanted email. That’s where obfuscation comes in.

If the address is fixed (the page is custom-made for one site) you can use a service like this to obfuscate that one address. In WordPress, it makes more sense to get the user or admin’s email from the system instead, and handle the obfuscation in the theme’s PHP file. I’ve been using a solution originally devised by Aaron Toponce, but with a few modifications.

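<?php
     // Build the mailto link from the site's admin address.
     $link = 'mailto:' . get_bloginfo("admin_email");
     $obfuscatedLink = "";
     // Replace every character with its decimal HTML character reference.
     for ($i=0; $i<strlen($link); $i++){
         $obfuscatedLink .= "&#" . ord($link[$i]) . ";";
     }
?>
<a href="<?php echo $obfuscatedLink; ?>">email</a>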

What this example does is take the WordPress admin email address, create a mailto link and then loop through the characters, replacing each with an HTML character reference built from its ASCII code. Your users won’t notice a thing, because the browser decodes the references, but when you look at the page source you’ll see that the link is made up of ASCII codes. That’s your first line of defense against spammers.
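To see how much protection this gives, the following added example (not the post's code; the function names and sample addresses are constructed) encodes a link by code point, so non-ASCII addresses survive, and then compares a pattern match on the raw source with the same match after entity decoding. The encoded link is hidden only from the first check, which is the limit discussed in the comments below.

```php
<?php
// Added example, not the post's code. Function names and addresses are constructed.

// Encode every character as a decimal HTML character reference.
// Works on code points rather than bytes: ord() on a multi-byte UTF-8
// character would emit one reference per byte and the browser would show mojibake.
function obfuscate_entities(string $text): string
{
    $out = '';
    foreach (mb_str_split($text, 1, 'UTF-8') as $char) {
        $out .= '&#' . mb_ord($char, 'UTF-8') . ';';
    }
    return $out;
}

// Simple pattern check: does this text contain something shaped like an address?
function contains_address(string $text): bool
{
    return preg_match('/[\w.+-]+@[\w-]+(\.[\w-]+)+/u', $text) === 1;
}

// Compare what a scan of the raw markup sees with what is visible once
// character references are decoded, as any HTML parser does.
function exposure_report(string $html): array
{
    $decoded = html_entity_decode($html, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return [
        'raw_source'   => contains_address($html),
        'after_decode' => contains_address($decoded),
    ];
}

// Constructed samples; in a theme the address would come from get_bloginfo("admin_email").
$samples = ['admin@example.com', 'rené@example.com'];

foreach ($samples as $address) {
    $link    = 'mailto:' . $address;
    $encoded = obfuscate_entities($link);
    $html    = '<a href="' . $encoded . '">email</a>';

    // The encoding must decode back to the exact original link.
    $roundTrip = html_entity_decode($encoded, ENT_QUOTES | ENT_HTML5, 'UTF-8') === $link;

    echo $address, "\n";
    var_dump(exposure_report('<a href="' . $link . '">email</a>')); // plain link
    var_dump(exposure_report($html));                               // obfuscated link
    var_dump($roundTrip);
}
```

WordPress core also ships `antispambot()`, which entity-encodes a random subset of an address's characters; it has the same limit.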

12 Comments

  1. Hello,

    I advise wrapping the code in a function to improve reusability ;-)

    /** @param email email to obfuscate (String)
    * @return String obfuscated email
    */
    function obfuscate($email){
    $link = '';
    foreach(str_split($email) as $letter)
    $link .= '&#'.ord($letter).';';
    return $link;
    }

    With PHP version 5.3.0 it may have only one line, but it is quite unreadable (I did not test it):

    function obfuscate530($email){ return join(array_map(function($letter) { return "&#".ord($letter).";"; }, str_split($email))); }

    regards,

    Dawid

    Comment by Dawid Fatyga — February 18, 2009 @ 5:27 pm

  2. Hi Dawid. I wanted to keep the example as short and readable as possible, but of course you’re right. In a WordPress theme, the best place would be a function in the functions.php.

    Comment by Roy — February 18, 2009 @ 7:45 pm

  3. Hi,

    I just wanted to warn that email addresses obfuscated in this way (any kind of encoding or using javascript to encode or create the mail-to link) are still picked up by spammers. I’ve tested this myself and the addresses were ‘found’ by spam bots. Recently this has expanded to addresses written like so: name[at]example[dot]com. At this point I have been forced to switch to images of email addresses and avoid the mailto links altogether. That or I create a contact web form instead. *sigh*

    Comment by Sherri — March 17, 2009 @ 9:25 pm

    • You’re probably right. Spammers are getting smarter every day, and this kind of encoding isn’t really very hard to crack. Better than nothing, but definitely not watertight. Nor are images btw, considering how even captchas have been unable to stop spammers in a number of cases.

      This post was more about code than it was about security.

      Comment by Roy — March 18, 2009 @ 11:35 am

  4. Link: Web Development by Christy » Blog Archive » Obfuscate Email Address Using PHP in WP
  5. Thanks guys, this might help me hide the email addresses on my site from email harvesting robots.

    Comment by Simon — July 28, 2009 @ 4:39 am

  6. I’m looking for a method to randomly generate and obfuscate download hyperlinks that expire, such that if a user is given a link for a download and posts the link elsewhere it won’t work again. Can’t seem to turn up anything good on Google.

    Comment by Charles — August 12, 2009 @ 3:32 am

    • @Charles: If you own the site that gets linked to you could probably check for referrers, but if not I have no clue how that would work…

      Comment by Roy — August 13, 2009 @ 1:44 pm

  7. For a free (beer + libre) script that does it automagically, you may want to look at a script I’ve developed called PrivateDaddy. It obfuscates email addresses automatically, then de-obfuscates them using javascript. User agents without JS work as well. Why don’t you check it out for yourself at http://www.privatedaddy.com.
    Thanks,
    ND

    Comment by ND — December 23, 2009 @ 4:24 pm

  8. Hello Roy, I like your post, and I also agree with your post-analysis. It’s not very hard to crack. I wrote a simple function of my own at http://www.php-ease.com/functions/email_link.html that offers a unique solution to the problem which you and your readers might find interesting. Thanks!

    Comment by Kyle — November 19, 2010 @ 5:11 am

  9. Thank you, this is just what I was looking for. I have a prototype site that a client needed up “urgently” (don’t they all) and I haven’t implemented the CMS yet so this is great for a quick ‘n dirty solution for e-mail obfuscation.

    A couple of people commented above that the address could still be harvested but the best approach I’ve found is to use disposable addresses that you publish on the site and get them to forward to another address that a user actually checks – this way when one becomes over-spammed then you can just delete the address (as it is being used for junk) and move onto the next. Personally, my preference is to forgo e-mail links on sites and use contact forms instead but sometimes clients insist. :)

    Comment by Ingrid — March 18, 2011 @ 8:23 pm

  10. I use a PHP script which was originally conceived and written by Tim Williams of The University of Arizona. The code randomly generates a different encryption key each time it is used, and it barely repeats the same one. Here are the instructions on what it does and how (at) http://www.celticproductions.net/articles/10/email/php+email+obfuscator.html

    Comment by SC — December 15, 2011 @ 8:58 pm