Keeping your email address safe on Gravatar enabled sites (or if you don’t know if it is or not)


Do you consider your email address to be private information but use it to register and comment on WordPress powered sites? Many WordPress sites use Gravatar to provide the avatars on comments and user lists and this can be an issue if you do.

It’s fairly easy to crack a large proportion of the Gravatar email address hashes on a site because many email addresses use similar structures (eg firstname.lastname@gmail.com, firstname@lastname.com) and it’s straightforward to enumerate these then test them against the md5 hash used in the image or profile url.

Many times this is ok! If you’ve registered at a conference or on a site with your work email address that’s the same as the one you’re handing out on business cards or is already public and this email address is the primary email address on the Gravatar account — or doesn’t have one — then it probably doesn’t matter if people can crack the hash.

There are a few things to keep in mind about Gravatar and the sites which use it:

  • the primary email address hash is always publicly available via a request to your profile url, even if you use a different email address on the account
  • your WordPress username and display name are also always public via your profile url
  • as is anything you’ve added to your profile like images or your name
  • on WordPress sites, even anonymous comments try to pick up the Gravatar and display whatever it finds
  • for WordPress sites which use Jetpack, even if Gravatar is disabled in the admin, the Gravatar hash is available for posts and comments via the API
  • the more personal data available on the site, the easier many emails will be to crack

You can view the email addresses registered to your Gravatar account and see the profile details you’ve entered. More details on how Gravatar works are here.
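As an added example (not code from the original post), here is a self-check for the exposure described above: it derives the hash Gravatar uses for an address, pulls the hashes out of the Gravatar image and profile URLs on a page, and reports which of your own addresses that page reveals. The sample comment HTML and addresses are constructed.

```python
import hashlib
import re

# Gravatar derives the avatar/profile identifier from the email address:
# trim surrounding whitespace, lower-case it, then MD5 the UTF-8 bytes.
def gravatar_hash(email: str) -> str:
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()

# Image URLs (…gravatar.com/avatar/<hash>) and profile URLs (gravatar.com/<hash>)
# both carry the hash as a 32-hex-character path segment.
GRAVATAR_URL_RE = re.compile(
    r"https?://(?:[a-z0-9-]+\.)?gravatar\.com/(?:avatar/)?([0-9a-fA-F]{32})\b"
)

def hashes_in_page(html: str) -> set[str]:
    """Collect every Gravatar hash referenced by URLs in a page's HTML."""
    return {h.lower() for h in GRAVATAR_URL_RE.findall(html)}

def exposed_addresses(my_emails, html: str) -> dict[str, str]:
    """Map each of your addresses whose hash appears on the page to that hash."""
    found = hashes_in_page(html)
    return {e: gravatar_hash(e) for e in my_emails if gravatar_hash(e) in found}

# Constructed sample: a comment list the way a WordPress theme renders it,
# with one avatar image and one profile link (hashes built from sample addresses).
SAMPLE_HTML = """
<li class="comment">
  <img src="https://secure.gravatar.com/avatar/{h1}?s=48&d=mm" alt="">
  <a href="https://gravatar.com/{h2}">Jane Example</a>
</li>
""".format(h1=gravatar_hash("jane.example@example.com"),
           h2=gravatar_hash("jane@example.org"))

if __name__ == "__main__":
    mine = ["Jane.Example@example.com", "jane@example.org", "private@example.net"]
    for email, h in exposed_addresses(mine, SAMPLE_HTML).items():
        print(f"{email} is exposed on this page as {h}")
```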

So how do you choose an email to use?

If you can, and especially if there is a lot of other personal information about you on the site — eg if you’ve registered for a conference and your name, twitter handle and website are listed with your avatar — then use a work email address you don’t mind people knowing with its own Gravatar account. That way it doesn’t matter if it’s cracked.

Or make a separate Gravatar account with a new email address for online registrations and commenting that can’t be traced back to your usual accounts. Then just forward that email address to wherever you want to manage those emails.

Otherwise, make sure the email address you use is difficult to crack. For email addresses on your own domain, make it long and use something not related to your name, like mywpcomments@example.com. If you have a Gmail or G Suite account, use the + feature to add something to your name, eg firstnamelastname+commentsemail@gmail.com (plus it makes emails easier to filter).

It’s starting to sound like horrible password advice isn’t it? That’s because it kind of is. The general idea is that, like passwords, it’s more difficult to guess email addresses with random stuff in them. I think it’s fine to have one email address you use in general or one for work and one for play; at this point having more or applying proper password advice to them is serious overkill for the majority of people on the majority of sites.

One last caveat is that all of these hashes are crackable via brute force with enough time and computing power. But right now at least, this probably isn’t too much of an issue.
