Obfuscate email addresses using PHP

If you want to include an email link in a WordPress template, or any other web page for that matter, its advisable to ‘obfuscate’ the address. Unfortunately, spammers scour the web to harvest email addresses, so if you simply place your address online, you’re very likely to get a some extra unwanted email. That’s where obfuscation comes in.

If the address is fixed (the page is custom-made for one site) you can use a service like this to obfuscate that one address. In WordPress, it makes more sense to get the user or admin’s email from the system instead, and handle the obfuscation in the theme’s PHP file. I’ve been using a solution originally devised by Aaron Toponce, but with a few modifications.

<?php
     $link = 'mailto:' . get_bloginfo("admin_email");
     $obfuscatedLink = "";
     for ($i=0; $i<strlen($link); $i++){
         $obfuscatedLink .= "&#" . ord($link[$i]) . ";";
     }
?>
<a href="<?php echo $obfuscatedLink; ?>">email</a>

What this example does is take the WordPress admin email address, create a mailto link and then loop though the characters, replacing each with its ASCII equivalent. Your users won’t notice a thing, but when you look at the code you’ll see that the link is made up of ASCII codes. That’s you first line of defense against spammers.

Share and Enjoy:
  • Digg
  • Slashdot
  • del.icio.us
  • Technorati
  • StumbleUpon
  • Google Bookmarks
  • Twitter
  • Facebook
  • FriendFeed
  • MySpace
  • Yahoo! Buzz
  • LinkedIn
  • Netvibes
  • RSS
Related posts:
  1. Are you using comment notification by email?
  2. Making Flash websites search engine friendly
  3. How to show each post’s date in WordPress
  4. The top 5 WP-Cumulus hacks
  5. WP-Cumulus updated to address yet another security issue
Roy | February 18, 2009 | English, Programming, WordPress themes | Comments (9)
Tags: , , , , , ,

9 Comments

  1. Hello,

    I advise to wrap the code in function to improve reusability ;-)

    /** @param email email to obfuscate (String)
    * @return String obfuscated email
    */
    function obfuscate($email){
    $link = ”;
    foreach(str_split($email) as $letter)
    $link .= ‘&#’.ord($letter).’;';
    return $link;
    }

    With Php in version 5.3.0 it may has only one line, but quite unreadable (I did not testes it):

    function obfuscate530($email){ return join(array_map(function($letter) { return “&#”.ord($letter).”;”; }, str_split($email))); }

    regards,

    Dawid

    Comment by Dawid Fatyga — February 18, 2009 @ 5:27 pm

  2. Hi Dawid. I wanted to keep the example as short and readable as possible, but of course you’re right. In a WordPress theme, the best place would be a function in the functions.php.

    Comment by Roy — February 18, 2009 @ 7:45 pm

  3. Hi,

    I just wanted to warn that email addresses obfuscated in this way (any kind of encoding or using javascript to encode or create the mail-to link) are still picked up by spammers. I’ve tested this myself and the addresses were ‘found’ by spam bots. Recently this has expanded to addresses written like so: name[at]example[dot]com. At this point I have been forced to switch to images of email addresses and avoid the mailto links altogether. That or I create a contact web form instead. *sigh*

    Comment by Sherri — March 17, 2009 @ 9:25 pm

  4. You’re probably right. Spammers are getting smarter every day, and this kind of encoding isn’t really very hard to crack. Better than nothing, but definitely not watertight. Nor are images btw, considering how even captchas have been unable to stop spammers in a number of cases.

    This post was more about code than it was about security.

    Comment by Roy — March 18, 2009 @ 11:35 am

  5. Link: Web Development by Christy » Blog Archive » Obfuscate Email Address Using PHP in WP

  6. Thanks guys, this might help me hide the email addresses on my site from email harvesting robots.

    Comment by Simon — July 28, 2009 @ 4:39 am

  7. I’m looking for a method to randomly generate and obfuscate download hyperlinks that expire, such that if a user is given a link for a download and posts the link elsewhere it won’t work again. Can’t seem to turn up anything good on Google.

    Comment by Charles — August 12, 2009 @ 3:32 am

  8. @Charles: If you own the site that gets linked to you could probably check for referrers, but if not I have no clue how that would work…

    Comment by Roy — August 13, 2009 @ 1:44 pm

  9. For a free (beer + libre) script that does it automagically, you may want to look at a script I’ve developed called PrivateDaddy. It obfuscates email addresses automatically, then de-obfuscates them using javascript. User agents without JS work as well. Why don’t you check it out for yourself at http://www.privatedaddy.com.
    Thanks,
    ND

    Comment by ND — December 23, 2009 @ 4:24 pm

Leave a comment

ss_blog_claim=d470d8430338c3ea2e4510a1b5577fa0