New WordPress Update April 2017: "noopener noreferrer"

After the new update, WordPress adds the noopener and noreferrer tags to links that open in a new tab. Is this a glitch? Will this affect affiliate links? Can anyone shed some light on this?
 
Not a glitch. It supposedly stops the newly opened page's ability to control the page that opened it.
 
After the new update, WordPress adds the noopener and noreferrer tags to links that open in a new tab. Is this a glitch? Will this affect affiliate links? Can anyone shed some light on this?

I noticed this yesterday and had to go learn about it. Here's a summary from:
https://www.jitbit.com/alexblog/256-targetblank---the-most-underestimated-vulnerability-ever/

The purpose is the same on both tags, it's just that different browsers only recognize one or the other. What they do is disallow spammers from hijacking the off-tab link.

Let's say a site with a million links to it gets dropped. Someone buys the domain and recreates it. All of the links pointing to it with:
Code:
target="_blank"
Are now open for a kind of man-in-the-middle attack.

In order to open it in a new tab or window, the browser has to allow access to some browser JavaScript, specifically:
Code:
window.opener.location

So what can happen is the spammers that control the new domain can hijack that line of JavaScript and send the traffic to a different page, like a fake Facebook phishing login or Viagra page. They can take over the previous tab or the current tab, it seems.

Google calls it reverse tabnabbing and says that it's part and parcel of using browsers and to not submit it to them as a bug for a reward, etc.

My new concern is what this does to referrer tracking, like with affiliate links where it must be intact.

^ Edit: Yes, it's a problem. Here's the solution for your functions.php:

Code:
// Stop TinyMCE from adding "noopener noreferrer" to external links with target="_blank"
add_filter('tiny_mce_before_init','tinymce_allow_unsafe_link_target');
function tinymce_allow_unsafe_link_target( $mceInit ) {
    $mceInit['allow_unsafe_link_target']=true;
    return $mceInit;
}

TinyMCE is the open source text editor WordPress uses. This stops it from adding this code.

I suggest doing a WordPress search inside the dashboard for the phrase "noopener noreferrer" to find any that remain and remove them.
 
So will affiliate links with "noopener noreferrer" not work at all?

I noticed that the update also added the new tags to all existing links on my site with target="_blank", it's going to take a while to remove every single instance.
 
So will affiliate links with "noopener noreferrer" not work at all?

No, that's not the case, it just doesn't send the referrer in the HTTP headers. Like when I clicked the link to Google from the page I linked above:

[Image: zipvsN9.png]


When I view the headers on the Google page it shows me where I came from. Both are being used to stop people from hijacking the JavaScript to redirect the traffic, but they're including "noreferrer" because not all browsers respond to "noopener."

The problem is that the referral trail gets lost. Programs like Amazon want to see this and are only going to give you credit for sales that originate from sites that you have listed as your own. It stops you from spamming the internet with their links and getting credit.

But some programs don't care. Just like Amazon has something like &tag=myaffiliatename-20, many programs track referrals with an affid=joemomma12. Both programs are receiving that tag in the URL as a parameter. Some care about WHERE the traffic is coming from and some don't. That's the issue and you need to confirm it with each program you're using.

In my case, I'm simply not going to use those two rel="" tags, ever. It's better for me to crawl my OBLs once in a blue moon and make sure nothing weird is going on.

I noticed that the update also added the new tags to all existing links on my site with target="_blank", it's going to take a while to remove every single instance.

That didn't happen to me, it only added it to new posts I created since the update. You can back up your database and then do a phpMyAdmin search and replace (or use a plugin that makes it easier for you) to replace rel="noopener noreferrer" with nothing. That will do it all in one shot. Just make sure you take a backup first in case you goof and need to restore.
 
I'm not 100% but I think I lost a ton of money because of this...goddam.

Anyway...
- I added that code to my functions.php
- I removed ALL the noopener noref bullshit from every article
I should be breezy now right?
 
I'm only seeing this added to my posts when I use the "visual" tab and not the "text" tab in WordPress.

Thanks for the tip. I've been going mad for the last couple of hours wondering why I can't find "noopener noreferrer" in my DB.
 
Let me get this right - if I have an Amazon affiliate site, and all of the affiliate links on the site open in new window, I could lose the commission on purchases made through those links?
 
^ Edit: Yes, it's a problem. Here's the solution for your functions.php:

Code:
// Stop TinyMCE from adding "noopener noreferrer" to external links with target="_blank"
add_filter('tiny_mce_before_init','tinymce_allow_unsafe_link_target');
function tinymce_allow_unsafe_link_target( $mceInit ) {
    $mceInit['allow_unsafe_link_target']=true;
    return $mceInit;
}

TinyMCE is the open source text editor WordPress uses. This stops it from adding this code.

I suggest doing a WordPress search inside the dashboard for the phrase "noopener noreferrer" to find any that remain and remove them.

Hey Ryuzaki, what if I am using a solution such as Thrive Themes? You cannot edit it in the dashboard since it is drag and drop. Or are such themes unaffected by TinyMCE?

I have lost a lot of money with this update. I was wondering why I was getting clicks and no sales, only to find a lot of "noopener noreferrer" on my non-Thrive theme/WordPress written pages.

Kindly advise.
 
Cesare, you must be using the editor in the Thrive Theme, not Thrive Content Builder. Thrive Theme, which you're probably using, is just a WordPress theme; it uses the same default editor.

If you use Thrive Content Builder to create your posts/pages, you are not affected.
 
Staff: Thanks for sending this out via email! Got back a few days ago and been too busy to really be active.

@CCarter is it possible to build a flat file magazine site? Cuz this shit is ridiculous now

Of course, it is... if you're willing to sacrifice some of the easy interface stuff. What are your requirements? What would be your dealbreakers?
 
Good eye @andrew69 great discussion.
^ Edit: Yes, it's a problem. Here's the solution for your functions.php:
Thanks, @Ryuzaki for providing the snippet. I just started noticing these noopener noreferrer links yesterday as well. Thought it was a new theme I was working with at first.

Thanks, @The Engineer for the email notification.
 
... the other more basic solution is not to use the target="blank" for affiliate links. But if you do that, then the potential to lose sales for a " best of 5 product list " would be high as the visitor would most probably not click the back button to see the rest of the products or even visit other related posts.
 
Let me get this right - if I have an Amazon affiliate site, and all of the affiliate links on the site open in new window, I could lose the commission on purchases made through those links?

No. The summary is that the new version of WordPress decided to "fix" a "problem" that has been around for over 20 years and isn't really a problem. Their solution is to add a bit of code to any link that you set to open in a new tab, apparently only from the visual editor of the TinyMCE text editor. This code, added to the anchor tag for the link, is:

rel="noopener noreferrer"

It's only being added to new posts or posts that you've gone back and edited (although some are reporting it's on all target="_blank" links now regardless of age). It blocks the browser from showing the site the traffic came from on those links only. Many affiliate programs demand this information and many people are telling us that they haven't been getting credited for sales suddenly, in this thread and in response to the email yesterday. I wouldn't be skeptical if I was you.

The solution to stop it and to mass remove the code in one shot is provided. You'll have to actually read the thread in order to apply the solution.
 
For the lazy among us (hey, I'm guilty), Matt Diggity just dropped a plugin in the Local Client Takeover group on Facebook. You do have to opt in to his list to get it, but once you opt in it's at the bottom of his bonuses / welcome page under #9 - Leadspring Leak Fix.

I checked the code and, when I downloaded it, it was clean. Check for yourself before you install it on your site. Here's a link to it: http://diggitymarketing.com/leadspring-link-fix/
 
You guys are all up in arms about WordPress, but this code has been in TinyMCE since Nov 2016.

Also, the code is on Facebook, Instagram, and Twitter too, so if you say you were losing money the blame is on your networks who had to know this code was implemented.

In short, don't open your site to BS, just get your networks off their ass to fix their referral link systems, I'm sure you're making them enough money to be worth the effort. Unless of course, they've known that these sites have been using those refs since Nov 2016 and have been cashing in on your hard work.

[Image: 2017-04-28_19-45-57.jpg]
 
You guys are all up in arms about WordPress, but this code has been in TinyMCE since Nov 2016.

Also, the code is on Facebook, Instagram, and Twitter too, so if you say you were losing money the blame is on your networks who had to know this code was implemented.

In short, don't open your site to BS, just get your networks off their ass to fix their referral link systems, I'm sure you're making them enough money to be worth the effort. Unless of course, they've known that these sites have been using those refs since Nov 2016 and have been cashing in on your hard work.

[Image: 2017-04-28_19-45-57.jpg]

"noopener" isn't the problem. It's "noreferrer." URL parameters aren't being impacted, only cases where networks want to see the referrer as well.
 
Exactly Ryuzaki, however, those networks need to get up to speed because they are screwing you guys using them. If referrer is stripped from all those networks, and now WordPress, AND pretty much every HTTPS site then they are getting traffic on your dime and you're not getting credit.
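
The distinction drawn in the two posts above (the referrer is lost because of `noreferrer`, while the opener protection comes from `noopener`), as an added example that is not part of the original thread: a standalone Node.js script that rewrites `target="_blank"` links in post HTML to keep `noopener` and drop `noreferrer`, and lists links that had neither. The function names and the sample HTML are constructed for illustration, and the regex tag matching assumes attribute values contain no `>`.

```javascript
// Added example (not from the thread): normalise rel on target="_blank" links.
// Assumption: input is post HTML as stored by the editor; all names are hypothetical.
const A_TAG = /<a\b[^>]*>/gi;

// Read one attribute value (double-, single- or un-quoted) from an opening tag.
function getAttr(tag, name) {
  const m = tag.match(new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i'));
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Replace an existing attribute on an opening tag, or append it before ">".
function setAttr(tag, name, value) {
  const re = new RegExp(`\\s${name}\\s*=\\s*(?:"[^"]*"|'[^']*'|[^\\s>]+)`, 'i');
  const attr = ` ${name}="${value}"`;
  return re.test(tag) ? tag.replace(re, () => attr) : tag.replace(/>$/, () => attr + '>');
}

// Returns { html, findings }: html keeps/adds noopener and drops noreferrer on
// new-tab links; findings lists hrefs that had no opener protection at all.
function normaliseNewTabLinks(html) {
  const findings = [];
  const out = html.replace(A_TAG, (tag) => {
    if ((getAttr(tag, 'target') || '').toLowerCase() !== '_blank') return tag;
    const tokens = (getAttr(tag, 'rel') || '').toLowerCase().split(/\s+/).filter(Boolean);
    // noreferrer also implies noopener, so either token protects window.opener
    if (!tokens.includes('noopener') && !tokens.includes('noreferrer')) {
      findings.push(getAttr(tag, 'href'));
    }
    const kept = tokens.filter((t) => t !== 'noreferrer' && t !== 'noopener');
    return setAttr(tag, 'rel', ['noopener', ...kept].join(' '));
  });
  return { html: out, findings };
}

// Constructed sample input, not taken from any real site.
const SAMPLE = [
  '<a href="https://shop.example/item?affid=demo12" target="_blank" rel="noopener noreferrer">A</a>',
  '<a href="https://old.example/" target="_blank">B</a>',
  '<a href="https://ads.example/" target="_blank" rel="nofollow noreferrer">C</a>',
  '<a href="/about">D</a>',
].join('\n');

const result = normaliseNewTabLinks(SAMPLE);
console.log(result.html);
console.log('unprotected before rewrite:', result.findings);
```

Links left with only `rel="noopener"` still send the Referer header, and the opened page still gets no `window.opener` handle.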
 
pretty much every HTTPS site

HTTPS to HTTPS still sends referring traffic. Simply add SSL to your site and you are in the clear. But if you are HTTPS and sending traffic to an affiliate network that is HTTP then they won't see the referring info. Make sure to know whether the people you are sending traffic to are using SSL or not and do accordingly.

Edit: LOL at WordPress. I am not going to say I told you guys so, but...
 
Of course, it is... if you're willing to sacrifice some of the easy interface stuff. What are your requirements? What would be your dealbreakers?

I was reading this post where you explained flat file to me...

Gave me another question, can you convert an HTML theme to a Pico theme? In terms of structure I think I'm gonna just try flat file on a smaller site, so something similar to:

Code:
http://www.fitrated.com/

Also found this, which looks quite good. https://getkirby.com/
 