Do you want to protect your email address from spam bots on your WordPress site? When you display your email address in plain text, bots can find and harvest it, leading to unwanted spam. To keep your inbox clean and secure, it is important to hide your email from bots while still making it accessible to real visitors.
Nexter Extension includes a built-in email obfuscation tool that hides your email address from spam bots in WordPress while displaying it normally to human visitors.
Best Used For:
- Contact pages and About pages where email addresses are displayed publicly.
- Business websites where client-facing email addresses need protection from spam harvesters.
- Membership or community sites where member email addresses appear in user profiles or directories.
Learn via Video Tutorial
How to Hide Email from Spam Bots with the Nexter Extension Pro?
To set up email spam protection, from the WordPress dashboard go to Nexter → Extensions → Security.
In the Advanced Security section, enable the toggle and click the gear icon (⚙). To add similar bot protection to your contact forms, see How to Add Google reCAPTCHA in WordPress.

In the Advanced Security popup, enable the Hide Email from Spam Bots toggle and click Save.

Enabling the toggle activates the [obfuscate] shortcode. It does not change any emails on your site automatically — you place the shortcode wherever you want a protected email shown.
Basic usage — display an email (not clickable)
[obfuscate email="john@example.com"]
The address appears normally to visitors, but in the page source it is reversed and encoded so bots can’t read it.
Show a clickable (mailto) email — spam-safe
Add link="yes" to turn it into a working email link whose address is NOT present in the page source. The mailto: link is assembled by JavaScript only when a real person clicks, taps, or keyboard activates it:
[obfuscate email="john@example.com" link="yes"]
Add a pre-filled subject line:
[obfuscate email="john@example.com" link="yes" subject="Website Inquiry"]
Shortcode attributes
| Attribute | Default | Description |
|---|---|---|
| Required | The email address to protect. Must be a valid email address; otherwise, nothing is displayed. | |
| link | no | Set to yes to display a clickable, spam-safe mailto: link. Set to no to display the email address as plain text. |
| subject | Empty | Pre-fills the email subject. Only applies when link="yes". |
| display | newline | Set to inline to display the email within a line of text. Set to newline to display it on its own line. |
| text | Empty | Displays custom text (for example, “Email us”) instead of the email address. |
| class | Empty | Adds a custom CSS class for styling. |
Examples
[obfuscate email="sales@example.com" display="inline"]
[obfuscate email="sales@example.com" link="yes" text="Email our team"]
[obfuscate email="sales@example.com" link="yes" subject="Support" class="my-email"]
How to confirm it’s protected
Check the RAW source, not the browser inspector:
1. On the published page, press Ctrl + U (Windows) or Cmd + Option + U (Mac) to open View Page Source.
2. Search (Ctrl/Cmd + F) for your address, e.g. john@example.com.
3. It should NOT be found. You’ll only see reversed text and an encoded data-nxt-mail value — never a plain mailto:john@example.com.
Note: The browser’s “Inspect Element” tool shows the LIVE page after scripts run,
So it may display the assembled mailto: once you’ve clicked or focused the link.
Always use “View Page Source” (Ctrl+U) to see what bots actually download.
Good to know
- Important: Don’t also put a plain
mailto:in a button/widget’s URL field — that link is separate and would expose the address in the source. Use[obfuscate ... link="yes"]for the clickable email instead. - The clickable link requires JavaScript. With JS disabled, it stays inert (the visible address still shows) — this is by design, since the address must never exist in the source.
Where to use it
- Contact and About pages
- Footers and business listings
- Author/profile pages and community directories












