“Get that bot away from me!”: solutions to stop email harvesting

March 26, 2021

An simple email in a footer for contacting purposes. That’s all that a bot or a crawler needs to take your address and start using it in the worst way: for SPAM.

I know, I know, I am more dramatic than I should be sometimes, but what I referenced here, email harvesting, is and will forever be a serious topic when it comes to web development. Email harvesting is done in many ways, by buying or trading lists of email addresses from other spammers or by using harvesting bots. These nasty bots can be trained to look after any sign of an email address, from the @ sign to a simple mailto tag. And this is where email obfuscation comes in. By definition, this just means hiding it, obscuring it, but it does sound way cooler this way. Down below we have found a plethora of ways to do exactly that. Starting with the most rudimentary ones, you can “hide” your email address by spelling it out.

In this case,
john dot doe at example dot com

Another solution is to use an image with your email address. But both this solution and the one before can be very inconvenient to users, having to type the address themselves. They are also not necessarily effective, bots being able in most cases to overcome these measures. Until recently, a very popular solution and countermeasure was using CAPCHA Mailhide service, but as of 2018, Mailhide is no longer supported, so we suggest looking for other solutions. Another solution that you might find useful is using a short script. Joe Maller suggests on his blog a quite nice and easy solution:

<script type="text/javascript"> 
emailE = 'emailserver.com' 
emailE = ('yourname' + '@' + emailE) 
document.write('<A href="mailto:' + emailE + '">' + emailE + '</a>')

Sweet and short, isn’t it?

A very elegant solution is given for the lucky users of WordPress. The reliable CMS system has a function for this exact situation, and it is fittingly named, antispambot, and it looks like this:

<?php antispambot( $email_address, $hex_encoding ) ?>

As the WordPress codex notes, this function converts selected email addresses characters to HTML entities to block spam bots.The email addresses that are going to be encoded will be either in decimal encoding, by using the default 0, or hex encoding by choosing the value 1, depending on your preference . An important thing to note here is the fact that not all characters in the email address are converted. This function is very useful because everytime the function is called the selection will be random and it will change each time. An alternative way to call this function is using:

<?php echo esc_html( antispambot( 'john.doe@mysite.com' ) ); ?>

And even thought the output in the HTML will be similar to this:


For any other user on a web browser it will appear as a normal email address:


If delving deep into coding side of things is not for you, while still on WP, you can choose to install a plugin. WordPress will never lack plugin solutions for any type of problem, so again you have plenty to choose from. One such plugin is, again, very appropriately titled, Obfuscate E-mail. A more popular solution, which has many more anti-spam options, is Akismet Anti-spam. We suggest giving a chance to both of them.

Do you have any other solutions for this problem? Let’s talk!

Let’s talk!

Explore related posts