How to Hide Email from Spam Bots in WordPress?

Key Takeaways

{"bullets":["Nexter Extension features a built-in email obfuscation tool that protects email addresses from spam bots in WordPress.","Advanced Security settings in Nexter allow users to enable the Hide Email from Spam Bots toggle for enhanced protection.","Shortcode [obfuscate email="john@john.com" display="inline"] displays email addresses normally to visitors while encoding them in the source code."]}

Table of Contents

Do you want to protect your email address from spam bots on your WordPress site? When you display your email address in plain text, bots can find and harvest it, leading to unwanted spam. To keep your inbox clean and secure, it is important to hide your email from bots while still making it accessible to real visitors.

Nexter Extension includes a built-in email obfuscation tool that hides your email address from spam bots in WordPress while displaying it normally to human visitors.

Best Used For:

  • Contact pages and About pages where email addresses are displayed publicly.
  • Business websites where client-facing email addresses need protection from spam harvesters.
  • Membership or community sites where member email addresses appear in user profiles or directories.

 

Learn via Video Tutorial

Youtube video

How to Hide Email from Spam Bots with the Nexter Extension Pro?

To set up email spam protection, from the WordPress dashboard go to Nexter → Extensions → Security.

In the Advanced Security section, enable the toggle and click the gear icon (⚙). To add similar bot protection to your contact forms, see How to Add Google reCAPTCHA in WordPress.

In the Advanced Security popup, enable the Hide Email from Spam Bots toggle and click Save.

Enabling the toggle activates the [obfuscate] shortcode. It does not change any emails on your site automatically — you place the shortcode wherever you want a protected email shown.

Basic usage — display an email (not clickable)

[obfuscate email="john@example.com"]

The address appears normally to visitors, but in the page source it is reversed and encoded so bots can’t read it.

Show a clickable (mailto) email — spam-safe

Add link="yes" to turn it into a working email link whose address is NOT present in the page source. The mailto: link is assembled by JavaScript only when a real person clicks, taps, or keyboard activates it:

[obfuscate email="john@example.com" link="yes"]

Add a pre-filled subject line:

[obfuscate email="john@example.com" link="yes" subject="Website Inquiry"]

Shortcode attributes

AttributeDefaultDescription
emailRequiredThe email address to protect. Must be a valid email address; otherwise, nothing is displayed.
linknoSet to yes to display a clickable, spam-safe mailto: link. Set to no to display the email address as plain text.
subjectEmptyPre-fills the email subject. Only applies when link="yes".
displaynewlineSet to inline to display the email within a line of text. Set to newline to display it on its own line.
textEmptyDisplays custom text (for example, “Email us”) instead of the email address.
classEmptyAdds a custom CSS class for styling.

Examples

[obfuscate email="sales@example.com" display="inline"]
[obfuscate email="sales@example.com" link="yes" text="Email our team"]
[obfuscate email="sales@example.com" link="yes" subject="Support" class="my-email"]

How to confirm it’s protected

Check the RAW source, not the browser inspector:

1. On the published page, press Ctrl + U (Windows) or Cmd + Option + U (Mac) to open View Page Source.

2. Search (Ctrl/Cmd + F) for your address, e.g. john@example.com.

3. It should NOT be found. You’ll only see reversed text and an encoded data-nxt-mail value — never a plain mailto:john@example.com.

Note: The browser’s “Inspect Element” tool shows the LIVE page after scripts run,

So it may display the assembled mailto: once you’ve clicked or focused the link.

Always use “View Page Source” (Ctrl+U) to see what bots actually download.

Good to know

  • Important: Don’t also put a plain mailto: in a button/widget’s URL field — that link is separate and would expose the address in the source. Use [obfuscate ... link="yes"] for the clickable email instead.
  • The clickable link requires JavaScript. With JS disabled, it stays inert (the visible address still shows) — this is by design, since the address must never exist in the source.

Where to use it

  • Contact and About pages
  • Footers and business listings
  • Author/profile pages and community directories

About the Author

Photo of Aditya Sharma CMO of Nexter
CMO at POSIMYTH Innovations · Nexter · 7 years experience

He has spent years in the WordPress ecosystem building, breaking, and optimizing sites until they actually perform. He works at the intersection of speed, growth, and usability, helping creators ship websites that load fast and convert. An active WordPress community contributor sharing through tools, tutorials, and direct collaboration. Tested practice, not theory.

WordPressThemesElementorn8nAIClaudeAutomationServer

Share your Thoughts

Still in Doubt? Let’s Assist You

Have Feedback or Questions?

Join our WordPress Community on Facebook!