New Wordpress Update April 2017: "noopener noreferrer"

Joined
Mar 30, 2017
Messages
10
Likes
7
Degree
0
#1
After the new update wordpress adds the noopener and noreferrer tags to links that open in a new tab. Is this a glitch? Will this affect affiliate links? Can anyone shed some light on this.
 
Joined
Jan 24, 2016
Messages
72
Likes
60
Degree
0
#2
Not a glitch. It supposedly stops the newly opened page's ability to control the page that opened it.
 

Ryuzaki

女性以上のお金
Staff member
BuSo Pro
Digital Strategist
Joined
Sep 3, 2014
Messages
3,107
Likes
5,678
Degree
7
#3
After the new update wordpress adds the noopener and noreferrer tags to links that open in a new tab. Is this a glitch? Will this affect affiliate links? Can anyone shed some light on this.
I noticed this yesterday and had to go learn about it. Here's a summary from:
https://www.jitbit.com/alexblog/256-targetblank---the-most-underestimated-vulnerability-ever/

The purpose is the same on both tags, it's just that different browsers only recognize one or the other. What they do is disallow spammers from hijacking the off-tab link.

Let's say a site with a million links to it gets dropped. Some one buys the domain and recreates it. All of the links pointing to it with:
Code:
target="_blank"
Are now open for a kind of man-in-the-middle attack.

In order to open it in a new tab or window has to allow access to some browser Javascript, specifically:
Code:
window.opener.location
So what can happen is the spammers that control the new domain can hijack that line of javascript and send the traffic to a different page, like a fake Facebook phishing login or Viagra page. They can take over the previous tab or the current tab, it seems.

Google calls it reverse tabnabbing and says that it's part and parcel of using browsers and to not submit it to them as a bug for a reward, etc.

My new concern is what this does to referrer tracking, like with affiliate links where it must be intact.

^ Edit: Yes, it's a problem. Here's the solution for your functions.php:

Code:
// Stop TinyMCE from adding "noopener noreferrer" to external links with target="blank"
add_filter('tiny_mce_before_init','tinymce_allow_unsafe_link_target');
function tinymce_allow_unsafe_link_target( $mceInit ) {
    $mceInit['allow_unsafe_link_target']=true;
    return $mceInit;
}
TinyMCE is the open source text editor Wordpress uses. This stops it from adding this code.

I suggest doing a Wordpress search inside the dashboard for the phrase "noopener noreferrer" to find any that remain and remove them.
 
Joined
Jan 14, 2017
Messages
249
Likes
235
Degree
1
#4
So will affiliate links with "noopener noreferrer" not work at all?

I noticed that the update also added the new tags to all existing links on my site with target="_blank", it's going to take a while to remove every single instance.
 

Ryuzaki

女性以上のお金
Staff member
BuSo Pro
Digital Strategist
Joined
Sep 3, 2014
Messages
3,107
Likes
5,678
Degree
7
#6
So will affiliate links with "noopener noreferrer" not work at all?
No, that's not the case, it just doesn't send the referrer in the HTTP headers. Like when I clicked the link to Google from the page I linked above:



When I view the headers on the Google page it shows me where I came from. Both are being used to stop people from hijacking the javascript to redirect the traffic, but they're including "noreferrer" because not all browsers respond to "noopener."

The problem is that the referral trail gets lost. Programs like Amazon want to see this and are only going to give you credit for sales that originate from sites that you have listed as your own. It stops you from spamming the internet with their links and getting credit.

But some programs don't care. Just like Amazon has something like &tag=myaffiliatename-20, many programs track referrals with an affid=joemomma12. Both programs are receiving that tag in the URL as a parameter. Some care about WHERE the traffic is coming from and some don't. That's the issue and you need to confirm it with each program you're using.

In my case, I'm simply not going to use those two rel="" tags, ever. It's better for me to crawl my OBL's once in a blue moon and make sure nothing weird is going on.

I noticed that the update also added the new tags to all existing links on my site with target="_blank", it's going to take a while to remove every single instance.
That didn't happen to me, it only added it to new posts I created since the update. You can backup your database and then do a PHPMyAdmin search and replace (or use a plugin that makes it easier for you) to replace "rel="noopener noreferrer" with nothing. That will do it all in one shot. Just make sure you take a backup first in case you goof and need to restore.
 
Joined
Dec 20, 2014
Messages
46
Likes
41
Degree
0
#9
I'm not 100% but I think I lost a ton of money because of this...goddam.

Anyway...
- I added that code to my functions.php
- I removed ALL the noopener noref bullshit from every article
I should be breezy now right?
 
Joined
Jan 23, 2017
Messages
27
Likes
28
Degree
0
#10
I'm only seeing this added to my posts when I use the "visual" tab and not the "text" tab in WordPress.
Thanks for the tip. I've been going mad for the last couple of hours wondering why I can't find "noopener noreferrer" in my DB.
 
Joined
Feb 12, 2015
Messages
18
Likes
26
Degree
0
#11
Let me get this right - if I have an Amazon affiliate site, and all of the affiliate links on the site open in new window, I could lose the commission on purchases made through those links?
 
Joined
Jan 14, 2017
Messages
14
Likes
5
Degree
0
#14
^ Edit: Yes, it's a problem. Here's the solution for your functions.php:

Code:
// Stop TinyMCE from adding "noopener noreferrer" to external links with target="blank"
add_filter('tiny_mce_before_init','tinymce_allow_unsafe_link_target');
function tinymce_allow_unsafe_link_target( $mceInit ) {
    $mceInit['allow_unsafe_link_target']=true;
    return $mceInit;
}
TinyMCE is the open source text editor Wordpress uses. This stops it from adding this code.

I suggest doing a Wordpress search inside the dashboard for the phrase "noopener noreferrer" to find any that remain and remove them.
Hey Ryuzaki, What If I am using a solution such as Thrive themes, you cannot edit it in dashboard since it is drag and drop. Or are such themes unaffected by TinyMCE.

I have lost a lot of money with this update I was wondering why I was getting clicks and no sales, Only to find a lot of "noopener noreferrer" on my non thrive theme/wordpress written pages.

kindly advise
 
Last edited by a moderator:
Joined
Jan 24, 2016
Messages
72
Likes
60
Degree
0
#15
Cesare, you must be using the editor in the Thrive Theme, not Thrive Content Builder. Thrive Theme which you're probably using, is just a wordpress theme; it uses the same default editor.

If you use Thrive Content Builder to create your posts/pages, you are not affected.
 
Joined
Nov 18, 2014
Messages
563
Likes
344
Degree
2
#16
Staff: Thanks for sending this out via email! Got back a few days ago and been too busy to really be active.

@CCarter is it possible to build a flat file magazine site? Cuz this shit is ridiculous now
Of course, it is... if you're willing to sacrifice some of the easy interface stuff. What are your requirements? What would be your dealbreakers?
 

Jitsiereveld

I'm just going to listen and learn today...
BuSo Pro
Joined
Jan 4, 2016
Messages
85
Likes
52
Degree
0
#17
Good eye @andrew69 great discussion.
^ Edit: Yes, it's a problem. Here's the solution for your functions.php:
Thanks, @Ryuzaki for providing the snippet. I just started noticing these noopener noreferrer links yesterday as well. Thought it was a new theme I was working with at first.

Thanks, @The Engineer for the email notification.
 
Joined
Mar 30, 2017
Messages
10
Likes
7
Degree
0
#18
... the other more basic solution is not to use the target="blank" for affiliate links. But if you do that, then the potential to lose sales for a " best of 5 product list " would be high as the visitor would most probably not click the back button to see the rest of the products or even visit other related posts.
 

Ryuzaki

女性以上のお金
Staff member
BuSo Pro
Digital Strategist
Joined
Sep 3, 2014
Messages
3,107
Likes
5,678
Degree
7
#19
Let me get this right - if I have an Amazon affiliate site, and all of the affiliate links on the site open in new window, I could lose the commission on purchases made through those links?
No. The summary is that the new version of Wordpress decided to "fix" a "problem" that has been around for over 20 years and isn't really a problem. Their solution is to add a bit of code to any link that you set to open in a new tab, apparently only from the visual editor of the TinyMCE text editor. This code, added to the anchor tag for the link, is:

rel="noopener noreferrer"
It's only being added to new posts or posts that you've gone back and edited (although some are reporting it's on all target="_blank" links now regardless of age). It blocks the browser from showing the site the traffic came from on those links only. Many affiliate programs demand this information and many people are telling us that they haven't been getting credited for sales suddenly, in this thread and in response to the email yesterday. I wouldn't be skeptical if I was you.

The solution to stop it and to mass remove the code in one shot is provided. You'll have to actually read the thread in order to apply the solution.
 
Joined
Feb 21, 2016
Messages
100
Likes
90
Degree
0
#20
For the lazy among us (hey, I'm guilty), Matt Diggity just dropped a plugin in the Local Client Takeover group on Facebook. You do have to optin to his list to get it, but once you optin it's at the bottom of his bonuses / welcome page under #9 - Leadspring Leak Fix.

I checked the code and, when I downloaded it, it was clean. Check for yourself before you install it on your site. Here's a link to it: http://diggitymarketing.com/leadspring-link-fix/
 
Joined
Oct 8, 2014
Messages
6
Likes
4
Degree
0
#21
You guys are all up in arms about WordPress, but this code has been in TinyMCE since Nov 2016.

Also, the code is on FaceBook, Instagram, and Twitter too, so if you say you were loosing money the blame is on your networks who had to know this code was implemented.

In short, don't open your site to BS, just get your networks off their ass to fix their referral link systems, I'm sure you're making them enough money to be worth the effort. Unless of course, they've known that these sites have been using those ref's since Nov 2016 and have been cashing in on your hard work.

 

Ryuzaki

女性以上のお金
Staff member
BuSo Pro
Digital Strategist
Joined
Sep 3, 2014
Messages
3,107
Likes
5,678
Degree
7
#22
You guys are all up in arms about WordPress, but this code has been in TinyMCE since Nov 2016.

Also, the code is on FaceBook, Instagram, and Twitter too, so if you say you were loosing money the blame is on your networks who had to know this code was implemented.

In short, don't open your site to BS, just get your networks off their ass to fix their referral link systems, I'm sure you're making them enough money to be worth the effort. Unless of course, they've known that these sites have been using those ref's since Nov 2016 and have been cashing in on your hard work.

"noopener" isn't the problem. It's "noreferrer." URL parameters aren't being impacted, only cases where networks want to see the referrer as well.
 
Joined
Oct 8, 2014
Messages
6
Likes
4
Degree
0
#23
Exactly Ryuzaki, however, those networks need to get up to speed because they are screwing you guys using them. If referrer is stripped from all those networks, and now WordPress, AND pretty much every HTTPS site then they are getting traffic on your dime and you're not getting credit.
 

CCarter

If they cease to believe in u, do u even exist?
Staff member
BuSo Pro
Boot Camp
Digital Strategist
Joined
Sep 15, 2014
Messages
2,043
Likes
4,574
Degree
5
#24
pretty much every HTTPS site
HTTPS to HTTPS still sends referring traffic. Simply add SSL to your site and you are in the clear. But if you are HTTPS and sending traffic to an affiliate network that is HTTP then they won't see the referring info. Make sure to know whether the people you are sending traffic to are using SSL or not and do accordingly.

Edit: LOL at Wordpress. I am not going to say I told you guys so, but...
 

built

Gotta get it before its too late
BuSo Pro
Boot Camp
Joined
Jan 23, 2015
Messages
1,571
Likes
1,340
Degree
4
#25
Of course, it is... if you're willing to sacrifice some of the easy interface stuff. What are your requirements? What would be your dealbreakers?
I was reading this post where you explained flat file to me...

Gave me another question, can you convert an html theme to a pico theme? In terms of structure I think I'm gonna just try flat file on a smaller site, so something similar to:

Code:
http://www.fitrated.com/
Also found this, which looks quite good. https://getkirby.com/