This plugin hasn’t been tested with the latest 3 major releases of WordPress. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress.

Hikari Email & URL Obfuscator


Spam is website publishers #1 concern, we wanna share our and our visitors’ emails to those who should have access to them, but don’t want spam harvesters stealing them and sending garbage to us. A lot of techniques had been developed to hide our emails from these delinquents, while having them shown to real people.

And together with spam harvesting, on 15 June 2009, Matt Cutts, a well known software engineer of Google, announced that Google Bot will no longer ignore nofollowed links for PageRank, and now we lose PR/link juice for every link we add to our pages, even if we use rel=”nofollow” on them. So, now we must hide links from Search Engines too!

I’ve been searching for an ultimate obfuscation solution for both emails and URLs, that would be user-friendly for me the content publisher, and for my visitors. I’ve seen a lot of solutions, some that inspired me, but none that would fit my needs. It was time to start coding 🙂

Hikari Email & URL Obfuscator plugin obfuscates emails and URL links, to hide them from spam harvesters and Search Endigne crawlers. It uses ROT13 or cc8b to encode each link while PHP is building the page, then uses JavaScript to decode it and show it to the user. If JavaScript is not available, it uses CSS to hide them.

It doesn’t use shortcodes, it works directly over HTML links, parsing and obfuscating them. By default it filters all texts in posts, comments, comments authors and text widgets, but you can manually use it anywhere you want.

Basically, Hikari Email & URL Obfuscator plugin searches for links that contain URLs and emails on their href atrribute. For each found link, it is replaced by an obfuscated string, and a JavaScript function is called, having in its parameters the required data for JavaScript to decode and recreate the original link.

The obfuscated string is then merged back by CSS to a readable URL/email text, so that human visitors can read it while spam harvesters and searchbots will not be able to detect it as a valid email/URL.

And, for JavaScript-enabled visitors, this string is replaced by a link with the exact same behavior and attributes of your original link, so that they can interact with it as if there was no obfuscation in place!
(Really, there is no way to diferenciate an obfuscated link generated by JavaScript from the original link, unless the HTML document’ source is verified or a development tool as FireBug is used!)

It uses 4 obfuscation techniques, 2 JavaScript solutions and 2 CSS alternatives for JavaScript-disabled browsers.

For CSS, it may revert the link string while PHP is building the page and then CSS reverts it back. Or it may add garbage text between the link, and CSS prevents this extra text from being rendered, so any user-agent that doesn’t use CSS can’t find the link but browsers show it clearly.

Now, when JavaScript is available, it is delivered with the original link, encoded using ROT13 or cc8b by PHP. The link is then decoded back by JavaScript and added to the page, so that real users don’t even notice the original link was replaced.

And, disregarding the used technique, we content publishers must do nothing different while building our content, just activate the plugin and it does everything else for us 🙂

I dedicate Hikari Email & URL Obfuscator to Ju, my beloved frient ^-^


  • Works instantly, no need to edit your posts to have your links obfuscated: Hikari Email & URL Obfuscator plugin automatically detects them and starts obfuscating as soon as it is activated.
  • Unobstructive JavaScript: links are obfuscated and shown for visitors with and without JavaScript, forget those “you must enabled javascript to see this email” messages!
  • They are real links!: any attribute you can use in an <a> tag you also can use in obfuscated links (JavaScript version only).
  • Customization: CSS doesn’t let we have real links, but we can at least choose if our obfuscated text will have email only, text only, or both!
  • XHTML 1.1 valid: obfuscated links and JavaScript code are valid even in XHTML 1.1 standard. It makes the plugin valid inclusive in HTML 4.0, XHTML 1.0 Strict, XHTML 1.0 Transitional and HTML5!

Advantages over other obfuscation solutions

  • Your visitors will see your emails and URLs even if they keep JavaScript disabled.
  • Automatic: you don’t need to take special actions to start obfuscating, as using shortcodes in place of links or an external tool to get your obfuscation code. Just normally use your links in your posts and let the plugin do the rest!
  • Sitewide: instantly works in your existing posts, pages, comments and text widgets, just after you activate it.
  • Diversity: for each link, it randomly chooses between 2 CSS and 2 JavaScript obfuscation methods, making it harder for spammers to crack it.
  • Extensible: you can call it manually, and add it to other plugins and themes filters.
  • Customizable: use custom parameters to force or avoid specific links from being obfuscated, and to define how non-JavaScript obfuscation will behave.


Hikari Email & URL Obfuscator requires at least WordPress 2.8 and PHP5 to work.

You can use the built in installer and upgrader, or you can install the plugin manually.

  1. Download the zip file, upload it to your server and extract all its content to your /wp-content/plugins folder. Make sure the plugin has its own folder (for exemple /wp-content/plugins/hikari-email-url-obfuscator/).
  2. Activate the plugin through the ‘Plugins’ menu in WordPress admin page.
  3. That’s it! Go back to your home page and see how your old links are with JavaScript enabled and disabled 🙂
  4. Go to options page if you wanna add whitelist and blacklist and do some deeper configs.


If you have to upgrade manually, simply delete hikari-email-url-obfuscator folder and follow installation steps again.


If you go to plugins list page and deactivate the plugin, it’s data stored in database (configs, whitelist, blacklist) will remain stored and won’t be deleted.

If you want to fully uninstall the plugin and clean up database, go to its options page and use its uninstall feature. This feature deletes all stored options, restoring them to default (which can also be used if you want defaults restored back), and then gives you direct link to securely deactive the plugin so that no database data remains stored.


Don’t I really need to change anything in my links for them to be obfuscated?

No, you don’t. Hikari Email & URL Obfuscator plugin uses WordPress hooks to filter links on the fly, it automatically finds all your links and obfuscate them for you, directly in your posts / comments / text widgets.

Does your plugin change ANYTHING in my content stored in database?

This is a dilemma I always have with plugins that I install and I feel in need to explicitly explaining it.

No, Hikari Email & URL Obfuscator plugin does NOT touch your content database! Its filter runs in read time, AFTER your content is queried from database and before it is sent to your visitor. Your original content and your original links will remain untouched, and as soon as you deactivate the plugin your site will go back to what it was before it ever knew the plugin existed.

Can I have a usage exemple?

You can go to my sites at Hikari WebSite or Consciência Planetária and take a look, they use it. Verify its page source and how links look like with JavaScript disabled and then enabled.

Is there any way to customize the plugin default behavior?

Yes, it has custom parameters that are used as CSS classes, in the same way some microformats do. You can see a list of them, with description and exemples at Hikari Email & URL Obfuscator – Advanced Usage.

Is there any way to block it from obfuscating one of my links?

Yes, in the previous question I mensioned custom parameters.

One of them is hkmuob_no_obfuscate, and when used the link won’t be obfuscated.

Are my internal links obfuscated too?

No, links with your website URL and relative links (without http:// ) are not obfuscated.

How can I obfuscate stuff out of post / comment / text widget areas?

If you wanna obfuscate emails and URLs that are our of these areas (in the theme templates or in another plugin for exemple), it’s pretty easy.If you wanna obfuscate emails and URLs that are out of these areas (in the theme templates or in another plugin for exemple), it’s pretty easy.

First you prepare the content and store it in a string variable normally, let’s say it is in $footerContent. Once you have the string, you verify if the plugin is activated by testing if its class HkMuob exists, and if so you grab it’s object $hkMuob and call the method $hkMuob->filter($footerContent). It will return a string variable with your content already obfuscated and ready to be echoed. Attention! You must use the global object the plugin creates, because it has internal variabled that will be used in the page footer to interact with JavaScript, if you create another object it will not work! Here’s a full exemple:


// first we repare our content with anything we want, and store it in a variable
$footerContent = "I'm a neat content with links inside." .
    ' <a href="" title="c\'mon mail me!" target="_blank" class="stylish-class">mail me</a>';

// if the class exists, then the plugin is availabe and we can use it to obfuscate any content
// if not, then we just echo the original content without obfuscating

    // class is available, let's get its global variable
    global $hkMuob;

    // now we ask the plugin to filter our content and add any found link to plugin's internal queue
    $footerContent = $hkMuob->filter($footerContent);

    // now $footerContent has the same content as before, but with obfuscated links

// whether or not we were able to obfuscate our links, let's print our neat content
echo $footerContent;


You can see a more detailed explanation at Manually filtering other links

Help! My link has a small text and large URL, and now it is breaking my layout!

Oh man, it can happen for links with small texts in small places.

Fortunately, there are a bunch of custom parameters that can help you tune up your links when JavaScript is disabled. Just take a look on the link referenced in previous questions and read about these custom parameters, you’ll be able to do some interesting stuff with them 🙂


There are no reviews for this plugin.

Contributors & Developers

“Hikari Email & URL Obfuscator” is open source software. The following people have contributed to this plugin.




  • Fixed styling incompatibility with Sociable plugin
  • Fixed wp_enqueue_style() not providing media parameter
  • Fixed adding JS code to wp_footer, now properly using wp_print_scripts
  • addes support for PHP Code Widget plugin’s filter


  • New: Finally an options page!
  • Options page made the plugin incompatible with WordPress 2.7, now it requires 2.8 to work.
  • New: Whitelist and Blacklist, to list URLs and emails to not be obfuscated (Whitelist) and to be forced to (Blacklist).
  • New: Also added options related to the position of JavaScript calls for de-obfuscation , and how these calls should be marked up.
  • New: Options page also has a proper uninstall feature, which deletes all data the plugin had added to database and also can be used to reset options to default.
  • New: If you want a whole block of content (a post, a comment, a text widget, etc) to be skipped from having its links obfuscated, just add to it a comment <!-- HkMuob NO OBFUSCATE -->.
  • Further tests for XHTML valid code, now I hope I can assure it 🙂


  • Fix: plugin CSS is no longer being added to Admin Pages.
  • JavaScript decoding code is back to header, instead of footer.
  • Added option for JavaScript call be done just after the link it decodes, I belive having those calls spreaded across the page is harder for spam bots to crack than having all of them inside a unique <script></script> at the footer… but WordPress breaks XHTML validation, gg.
  • Increased filter’s priority to surpass raw-html plugin filter.


  • Fix: now plugin’s js is added only when there are links to be obfuscated.
  • Fix: now plugin folder name is not hardcoded anymore, we can use any folder name we want.


  • First public release.