Why do my links have "noopener noreferrer" on them?

As of WordPress 4.7.4, when you create a link in a post that opens in a new tab (target="_blank"), the WordPress visual editor will automatically modify the link to include the following attributes:

<a href="https://www.google.com" target="_blank" rel="noopener noreferrer">Google</a>

This new feature is to avoid a potentially serious vulnerability on these kind of links.

The vulnerability explained

You have a link on "Page A" to "Page B". Let's say that link has a  target="_blank" tag, which means that "Page B" will open in a new tab or a new window of your browser. Now, here comes the issue. 

For some reason, when the above scenario happens, "Page B" can for a moment control "Page A" with a simple Javascript code. An attacker could use this to download something to your device, intercept private data being sent, change cookies that are dropped, or take your reader to any page they wanted. So, it's serious.

Beating the vulnerability 

To avoid this behavior you can use the following attribute:


“Instructs the browser to open the link without granting the new browsing context access to the document that opened it — by not setting the Window.opener property on the opened window (it returns null).”

However, not all browsers support the previous tag, so to be sure you've closed the vulnerability you also need to use the following attribute on your links:


“Prevents the browser, when navigating to another page, to send this page address, or any other value, as referrer via the Referer: HTTP header.”

And that's why WordPress has automated adding the code on all links with  target="_blank". It fixes a security issue with no actions needed by you.

Collateral damage

Unfortunately the fix will also affect referrer tracking and some affiliate links. This means some users would like to disable the new default functionality altogether. 

Lost referrer tracking should only be an issue if you have a non-secure http connection in the mix.  The "noopener noreferrer" tag should not impact https transfers (i.e from your https site to another https site).

Removing the security fix

There are a few things you can do to disable the  noopener noreferrer issues:

  • Avoid using target="_blank" on your links. Google recommends you don't use this code in your links if you can avoid it, but some SEO specialists don't like the idea of giving it up because that will hurt the "time on page" stat and bounce rate. 
  • Upgrade your site to HTTPS and only link to sites using HTTPS. All your affiliate links should be to HTTPS anyway. You don't want to try running a tracking campaign over http. Our HTTPS upgrade package is designed to upgrade your site smoothly.
  • Disable the visual editor on WordPress (TinyMCE) and use the text view. Alternatively you could install a different visual editor.
  • Use a plugin to block the feature. We have already created a simple plugin that does this. We see this as a last possible option because of the security improvements that the new feature offers. But sometimes, it's a needed update. We understand.

Whichever course of action you want to take, please contact us on support@performancefoundry.com and we'll take care of it for you.