How to Protect Emails from Being Scraped Off Of Your Website
If you’ve ever listed your email address directly on your website, chances are it’s been harvested by spam bots. Email scraping is a common tactic used by spammers to collect contact details from public websites — and if you’re a small business owner, that can mean floods of unsolicited emails. Fortunately, there are secure and simple ways to protect your inbox without sacrificing customer communication.
What Is Email Scraping and Why Does It Matter?
Email scraping is the automated process of scanning websites for plain text email addresses using bots or scripts. Once collected, these emails are sold to spammers, used in phishing scams, or added to unsolicited mailing lists. According to Cloudflare, scraping bots account for nearly 30% of all internet traffic[1], and much of that activity targets contact info.
Real-World Example:
Let’s say you’re a local electrician with “[email protected]” listed on your homepage. A scraping bot can pick that up in milliseconds and feed it to a list-building service that sends you fake business inquiries, phishing attempts, or worse.
Best Practices to Protect Your Contact Information
1. Use a Contact Form Instead of a Public Email Address
Instead of listing an email like [email protected], use a secure contact form that routes messages to your inbox without revealing the address publicly. Most CMS platforms like WordPress (WPForms) or Shopify (Form Builder) have built-in or plugin-based contact forms.
2. Obfuscate Your Email with JavaScript
If you must show your email, obfuscate it. Tools like Email Obfuscator let you convert the email into JavaScript that users can see but bots can’t easily parse. Example:
<script type="text/javascript">
var user = 'hello';
var domain = 'example.com';
document.write(user + '@' + domain);
</script>
3. Encode Your Email in HTML Entities
Using character encoding makes your address less machine-readable. For instance:
[email protected]This still renders as “[email protected]” to users but can confuse basic scraping bots.
4. Use CAPTCHA and Spam Filters on Forms
Tools like Google reCAPTCHA help filter out spam submissions without frustrating users. Always pair this with a good backend spam filter if you’re routing form responses to your inbox.
5. Hide Emails with CSS Display: None (Not Recommended)
While some try hiding email addresses in hidden divs or footers, most bots can still parse this content. It’s not foolproof and may even violate accessibility standards.
6. Track Email-Specific URLs
If you’re using custom tracking URLs in your emails or contact pages, you can monitor bot traffic and take mitigation steps like WAF (Web Application Firewall) rules.
How Platforms Like WordPress, Shopify, and Wix Handle This
- WordPress: Use plugins like WPForms or Contact Form 7 with CAPTCHA, and consider installing security plugins like Wordfence.
- Shopify: Embed contact forms or use third-party apps. Avoid hardcoding your email address in the theme.
- Wix: Built-in contact form tools automatically protect email visibility; avoid adding email addresses in text blocks.
What to Avoid
- Posting your email in plain text (even with “at” instead of “@” — bots are smarter than that)
- Using the same email across multiple domains publicly
- Replying to spam — this confirms your address is active
Key Takeaways
- Email scraping is an automated process that targets public email addresses.
- Use contact forms instead of publishing your email.
- If displaying your email, obfuscate it using JavaScript or HTML encoding.
- Use CAPTCHA and form spam filters to prevent bot submissions.
- Platform tools (WordPress, Wix, Shopify) offer safe alternatives — use them.
Need Help Securing Your Website?
Don’t let spammers eat up your inbox. Our free SEO and security audit checks for exposed emails, contact form vulnerabilities, and more. If you’re unsure about your current setup, reach out for expert support.
