Protect Wordpress external links

How to protect your WordPress external links

As you notice all external links on my Blog are in order to protect the content from being copied. I tried to find a plug-in that does that but I couldn’t so I modified one that encodes external URLS to so instead of encoding the I will show you how to encrypt it with your own defined key. I will show you how I did it through simple steps if you wish having external links encrypted on your WordPress blog.

Please note that the coder has merged my code with his from version 4.2.0 and above so if you are using version 4.2.0 and above you do not need my code.



  • You will need php mcrypt_decrypt installed on your server
  • For CentOS just type
    yum install php-mcrypt
  • For ubuntu just type
    sudo apt-get install php5-mcrypt
  • Install WP No External Links plugin I am currently using version 4.0.2.
  • Activate the plugin.
  • Go to setting then wp-noexternallinks select the check box of Use base64 encoding…etc.
  • Now go to plugin editor.
  • Versions below 4.0 Select WP No External Links then select wp-noexternallinks-parser.php
  • Versions above 4.0 Select WP No External Links then select public then public.php

Search for:


Replace it with:

$salt ='PSOtJIaJCSRthDJ3ZkcNZVubMYZOZZrn'; // <--- This is your secret key it can be anything you like remember only keys of sizes 16, 24 or 32 supported in mcrypt_encrypt.
$url=trim(base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $salt, $url, MCRYPT_MODE_ECB, mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB), MCRYPT_RAND))));

Then Search for:


Replace it with:

$salt ='PSOtJIaJCSRthDJ3ZkcNZVubMYZOZZrn'; <--- We use the same key to decrypt
$url=trim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $salt, base64_decode($url), MCRYPT_MODE_ECB, mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB), MCRYPT_RAND)));


The reason for using known $salt key is if your content gets copied you can always change the key on both locations and all of the previous links will be invalid to the person who copied your article.


I faced some difficulties with some of the social share links such as (Linkedin , pinterest , mailto , skype and local links starting with #). Though the author of the plug-in did exclude those strings but it did not work as expected so I had to tweak the code as the following:

Search for:

 $this->debug_info('Not in exclusion list, masking...');

Add just before it:

if (false !== strpos($matches[2] . '//' . $matches[3],'javascript') or false !== strpos($matches[2] . '//' . $matches[3],'mailto') or false !== strpos($matches[2] . '//' . $matches[3],'twitt') or false !== strpos($matches[2] . '//' . $matches[3],'skype') or false !== strpos($matches[2] . '//' . $matches[3],'#')) {
return $matches[0];

If you get your page and comments section messed up you will need to replace:

$pattern = '/<a (.*?)href=["\'](.*?)\/\/(.*?)["\'](.*?)>(.*?)<\/a>/si';


$pattern = '/<a (.*?)href=["\'](.*?)\/\/(.*?)["\'](.*?)>(.*?)<\/a>/i';


If all links are labled as _blank you have to add:

$url=$matches[2].'//' .$matches[3];


$ifnofollow=' rel="nofollow"';

Then replace:

return '<span class="waslinkname">'.$matches[4].'</span>';
return '<span class="waslinkname">'.$matches[4].'</span> ^(<span class="waslinkurl">'.$url.')</span>';
$link='<a'.$ifblank.$ifnofollow.' href="'.$url.'" '.$matches[1].$matches[3].'>'.$matches[4].'</a>';


return '<span class="waslinkname">'.$matches[5].'</span>';
return '<span class="waslinkname">'.$matches[5].'</span> ^(<span class="waslinkurl">'.$url.')</span>';
$link='<a'.$ifblank.$ifnofollow.' href="'.$url.'" '.$matches[1].$matches[4].'>'.$matches[5].'</a>';


Download script version below 4.0

Download script version above 4.0


Output examples:

Normal URL to Husmail

With WP No External Links plugin (base64)

With WP No External Links plugin + Encryption


Digiprove sealCopyright protected by Digiprove © 2013-2022 Eagle Eye Digital Solutions
The following two tabs change content below.
Crypto currency , security , coding addicted I am not an expert or a professional I just love & enjoy what I am addicted on🤠

Latest posts by Warith Al Maawali (see all)

Encryption is the most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it. Unencrypted data is called plain text ; encrypted data is referred to as cipher text.
Base64 is a group of similar binary-to-text encoding schemes that represent binary data in an ASCII string format by translating it into a radix-64 representation. The term Base64 originates from a specific MIME content transfer encoding.
URL stands for Uniform Resource Locator, and is used to specify addresses on the World Wide Web. A URL is the fundamental network identification for any resource connected to the web (e.g., hypertext pages, images, and sound files).


  1. Please note that the coder has merged my code with his from version 4.2.0 and above so if you are using version 4.2.0 and above you do not need my code.

  2. Omg, this worked for my blog. I have a question though, does this affect SEO?

  3. Dear Jehy,

    First of all thank you for putting the effort on delivering such a nice WordPress Plugin. I tried to use the parser but I got an error when trying to override the encoding function. So I decided to modify the original script again and it worked smoothly as you can see on my blog now. If you have got the time you can take my changes on your latest version here and show us how to override it on the custom-parser.php file.

    • Hello!
      Please, update to version 3.5.8 and try it like this:

      • Dear Jehy,

        Thank you, when I updated without changing anything I had all my page messed up starting from the comments section and below the solution was as the following:


        $pattern = '/<a (.*?)href=["\'](.*?)\/\/(.*?)["\'](.*?) rel="nofollow">(.*?)<\/a>/si';


        $pattern = '/<a (.*?)href=["\'](.*?)\/\/(.*?)["\'](.*?) rel="nofollow">(.*?)<\/a>/i';

        I also tried deploying the custom-script.php but it returned a blank page due to errors so I had to stick to the old method.

        I have updated the script above to match your latest updates.

  4. Hello! I am the plugin developer. I liked you code so I made plugin parser class overloadable in version 3.5.1. You can define your own parser and redirect functions and they will stay with you even after plugin update!

  5. like even though the link is encrypted in sorce the people can just click this link h

    and the real source link i wish to hide that link entirely

    • Dear AJ,

      If you plan to hide the links even after they are clicked then this plugin has to be modified to have that feature. All you need is server side scripting like PHP file to process the encrypted link and display it on HTML frame. Unfortunately the current modification does not include that you will have to tweak it by your own.

  6. richard

    It is exactly what I wanted

    I want to embed outbound link count 10 seconds and advertising you help me?

    • Hello Richard,

      I am glad it was useful for you I did not clearly understand your need please elaborate and I will try to help.

      • hey i have a video site with a lot of video embeds can i use this plugin to encrypt the video link so they dont get stolen ?

        thanks for your time

        • Yes as long you are using WordPress you can always encrypt your links…

          Check out this post and see how links are protected..

          • wait i dont think you understand what i am trying to achieve basically i dont want the link to be visible at all in source for example

   should be hidden and encrypted that people cant get this link when they open the encrypted link

            is this possible i tried all you have metioned above and see no change

Pin It on Pinterest