Why do my links have "noopener noreferrer" on them?

As of WordPress 4.7.4, when you create a link in a post that opens in a new tab (target="_blank"), the WordPress visual editor automatically adds the following attribute to the link:

rel="noopener noreferrer"

This new feature is there to avoid a potentially serious vulnerability in this kind of link.

The vulnerability explained

You have a link on "Page A" to "Page B". Let's say that link has a target="_blank" attribute, which means that "Page B" will open in a new tab or a new window of your browser. Now, here comes the issue.

When the above scenario happens, "Page B" receives a reference to "Page A" (the Window.opener property), so it can for a moment control "Page A" with a simple piece of JavaScript. An attacker could use this to download something to your device, intercept private data being sent, change cookies that are dropped, or take your reader to any page they wanted. So, it's serious.

Beating the vulnerability 

To avoid this behavior you can use the following attribute:

noopener

“Instructs the browser to open the link without granting the new browsing context access to the document that opened it — by not setting the Window.opener property on the opened window (it returns null).”

However, not all browsers support the previous attribute value, so to be sure you've closed the vulnerability you also need to use the following value on your links:

noreferrer

“Prevents the browser, when navigating to another page, to send this page address, or any other value, as referrer via the Referer: HTTP header.”

And that's why WordPress has automated adding the code on all links with target="_blank". It fixes a security issue with no action needed from you.
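What that automatic change amounts to, as an added example in JavaScript (Node.js) that is not WordPress's or this site's own code: a function that finds every link with target="_blank" in an HTML string and appends the missing rel values while keeping existing ones such as nofollow. The function names and the sample markup are constructed for illustration, and the tag matching assumes no ">" inside attribute values.

```javascript
// Added example, not WordPress code. Helper names are hypothetical.
const REQUIRED = ['noopener', 'noreferrer'];

// One attribute: name, then optional ="value", ='value' or =value.
const ATTR = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;

function parseAttrs(src) {
  const attrs = new Map();
  for (const m of src.matchAll(ATTR)) {
    const name = m[1].toLowerCase();
    // Browsers keep the first copy of a duplicated attribute.
    if (!attrs.has(name)) attrs.set(name, m[2] ?? m[3] ?? m[4] ?? '');
  }
  return attrs;
}

// Returns the rewritten HTML plus the hrefs of the links that were changed.
// Limitation: assumes no ">" inside attribute values.
function hardenLinks(html) {
  const changed = [];
  const out = html.replace(/<a(\s[^>]*)?>/gi, (tag, rawAttrs = '') => {
    const attrs = parseAttrs(rawAttrs);
    if ((attrs.get('target') || '').trim().toLowerCase() !== '_blank') return tag;
    // Keep existing rel tokens (e.g. nofollow) and append only what is missing.
    const tokens = (attrs.get('rel') || '').split(/\s+/).filter(Boolean);
    const have = new Set(tokens.map((t) => t.toLowerCase()));
    const missing = REQUIRED.filter((t) => !have.has(t));
    if (missing.length === 0) return tag;
    attrs.set('rel', [...tokens, ...missing].join(' '));
    changed.push(attrs.get('href') || '(no href)');
    const rebuilt = [...attrs].map(([k, v]) => `${k}="${v.replace(/"/g, '&quot;')}"`);
    return `<a ${rebuilt.join(' ')}>`;
  });
  return { html: out, changed };
}

// Constructed sample markup (example.* hosts are placeholders).
const SAMPLE = [
  '<a href="https://example.com/" target="_blank">no rel</a>',
  '<a href="https://example.org/" target=_blank rel="nofollow">affiliate</a>',
  '<a href="https://example.net/" target="_blank" rel="noreferrer noopener">ok</a>',
  '<a href="/about">same tab</a>',
].join('\n');

const result = hardenLinks(SAMPLE);
console.log(result.html);
console.log('links changed:', result.changed);
```

The returned list of changed hrefs doubles as an audit of which existing links were opening new tabs without the protection.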

Collateral damage

Unfortunately the fix will also affect referrer tracking and some affiliate links. This means some users would like to disable the new default functionality altogether. 

Lost referrer tracking should only be an issue if you have a non-secure http connection in the mix. The "noopener noreferrer" attribute should not impact https transfers (i.e. from your https site to another https site).

Removing the security fix

There are a few things you can do to avoid the noopener noreferrer issues:

  • Avoid using target="_blank" on your links. Google recommends you don't use this code in your links if you can avoid it, but some SEO specialists don't like the idea of giving it up because that will hurt the "time on page" stat and bounce rate. 
  • Upgrade your site to HTTPS and only link to sites using HTTPS. All your affiliate links should be to HTTPS anyway. You don't want to try running a tracking campaign over http. Our HTTPS upgrade package is designed to upgrade your site smoothly.
  • Disable the visual editor on WordPress (TinyMCE) and use the text view. Alternatively you could install a different visual editor.
  • Use a plugin to block the feature. We have already created a simple plugin that does this. We see this as a last possible option because of the security improvements that the new feature offers. But sometimes, it's a needed update. We understand.

Whichever course of action you want to take, please contact us on support@performancefoundry.com and we'll take care of it for you. 
