Note: The recipes here are for PmWiki versions 0.6 and 1.0 only. For PmWiki 2.0 recipes, see Cookbook.


eProtect is an email obfuscation add-on for PmWiki. It intercepts pages before they are saved, and rewrites email addresses in a protected format.

Example: mailto:username@domain.net is automatically replaced with [[hidden-email:hfre@qbznva.arg]].

When the page is viewed, eProtect interprets this [[hidden-email: |<#>]] directive and translates it into a small JavaScript snippet that decodes the protected address.

Viewing the source-code of the page will not reveal the true email address, nor will clicking on the "Edit Page" link.
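The save-time rewrite and view-time decode described above, as an added example that is not eProtect's own code. It assumes the encoding is ROT13 (the page does not name it, but the sample hfre@qbznva.arg is the ROT13 form of user@domain.net); the function names and the data-hidden-email attribute are hypothetical.

```javascript
// Added example, not eProtect's code. ROT13 is an assumption inferred from the
// page's sample: "hfre@qbznva.arg" is the ROT13 form of "user@domain.net".
function rot13(text) {
  // Letters rotate by 13; digits, "@", "." and "-" pass through unchanged.
  return text.replace(/[a-z]/gi, (ch) => {
    const base = ch <= "Z" ? 65 : 97;
    return String.fromCharCode(((ch.charCodeAt(0) - base + 13) % 26) + base);
  });
}

// Save-time step: only addresses written with the mailto: prefix are rewritten.
// Bare addresses stay as typed, which is the limitation the page lists.
const MAILTO = /mailto:([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})/g;
function protectOnSave(wikiText) {
  return wikiText.replace(MAILTO, (_, addr) => `[[hidden-email:${rot13(addr)}]]`);
}

// Stored wiki text is user-editable, so the directive payload is escaped
// before it is placed in an HTML attribute.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);
}

// View-time step: the emitted markup carries only the encoded form.
// The data-hidden-email attribute is a hypothetical name for this sketch.
const DIRECTIVE = /\[\[hidden-email:([^\]\s]+)\]\]/g;
function renderOnView(storedText) {
  return storedText.replace(DIRECTIVE, (_, enc) =>
    `<a href="#" data-hidden-email="${escapeHtml(enc)}">email</a>`);
}

// What the small client-side script computes when the link is used.
function decodeForClick(encoded) {
  return "mailto:" + rot13(encoded);
}

// Constructed sample input.
const draft = "Contact mailto:user@domain.net or write to other@domain.net.";
const stored = protectOnSave(draft);
const html = renderOnView(stored);
console.log(stored);
console.log(html);
console.log(decodeForClick("hfre@qbznva.arg"));
```

The decode step is a fixed letter rotation with no key, so the stored form only hides the address from simple pattern matching.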

About Email Obfuscation

Email obfuscation is a simple method of obscuring an email address so email harvesters cannot easily extract that information from your website. Email obfuscation is not encryption, so it's not terribly difficult for someone to write a de-obfuscation script; however, my preliminary research indicated that none of the top email harvesters currently on the market have any such features.


To enable eProtect and render your click-able email address, simply write your email address in the form: mailto:username@domain.net and eProtect will do the rest.

See also: Cookbook.EProtectDemo for a screenshot of my test-page. It shows which instances of email addresses will be touched, and which ones won't.


Just click the file below to download it. Don't forget to rename it to e-protect.php.



  1. Copy this file e-protect.php to your /local/scripts folder.
  2. Add this line to your config.php file:
  3. That's it! You're now protected.


There are (currently) a few limitations.

  • Requires a browser with at least basic JavaScript support (may enhance later with an alternate obfuscation method that works on browsers without JavaScript support).
  • Regular email addresses are left untouched. Only email addresses that are preceded by the mailto: syntax will be processed. (Feature or deficiency? Let me know your thoughts!)
  • PmWiki's default with alt text? is not fully supported. Currently, eProtect processes the mailto: keyword inside the square brackets, alt text or not.

You can check out this screenshot of my testing to get a more visual sense of how it works (or doesn't work as the case may be).

The above limitations are not bugs; they are just features that have not yet been implemented. This is just a beta, so more features will be added in the near future according to my time, your feedback, and your requests.

Thanks, and I hope you enjoy the script.


NOTE: The actual JS code should be run through htmlentities() before being printed out, or else the page won't come out as valid XHTML. --{~Ari}


I did a lot of research on spam, anti-spam, obfuscation, and email harvesters. I found quite a few sites and various methods and approaches. Here are just a few of the (better) sites that I visited.

  • "How Do Spammers Harvest Email Addresses?"
    A very informative article all-around, especially for people who are new to the Internet and don't have a clue. (http://www.private.org.il/harvest.html)
  • "The Spam Definition and Legalization Game"
    An interesting article about spam and law makers (USA). (http://www.spamhaus.org/news.lasso?article=9)
  • "How To Get Rid Of Spam"
    A decent page with a lot of suggestions to reduce spam that you probably wouldn't have thought of. (http://ez2ba.com/html/help/guides/get-rid-of-spam.html)
  • "Proof Of Concept To Throw Off The Bots"
    A very "geek speak" method. It would probably work too, if only I could understand what this guy was talking about. Still good reading if you are really bored one day!
  • Some on-line email obfuscators (cut and paste to your html pages).


Copyright 2004, by Steven Leite under same terms as PmWiki (GNU GPL).

E-mail address: stevenUNDERSCOREleiteATkitimatDOTnet

(If eProtect was enabled on this site, I could have entered my address normally without worrying about my address being picked up by a spam bot!)

pmwiki-2.3.7 -- Last modified by {{Joachim Durchholz}}
