FidoSysop's Blog

WordPress 4.7.4 ‘Noopener Noreferrer’ Added to target="_blank" Links

WordPress is adding both the ‘noopener’ and ‘noreferrer’ values to the rel attribute of external AND internal links opening in a new tab. Essentially, this affects anything that opens in a new window or tab (target="_blank") on your WordPress site.

We noticed this earlier today after updating an article and then viewing its source.

WordPress Noopener Noreferrer Links

WordPress started adding ‘noopener noreferrer’ to both external and internal links opening in a new tab.

If you set a link to open in a new tab, WordPress now adds rel="noopener noreferrer" automatically, in addition to target="_blank".

Not only that: if you open any old post and save it, the attribute gets added automatically. This has probably been done to prevent what is known as Reverse Tabnabbing.

Website owners should help prevent such attacks and exploitation of this vulnerability. WordPress has taken this step to protect users.

Reverse Tabnabbing occurs when the attacker uses window.opener.location.assign() to replace the background tab with a malicious document.

  • When you add noopener keyword, the new/other page cannot access your window object via window.opener
  • The noreferrer keyword tells the browser to not collect HTTP referrer information when the link is followed.
  • Firefox does not support noopener so you have to use rel="noopener noreferrer".
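
To check your own saved post content for new-tab links that still lack these keywords, here is an added example (not WordPress code and not from the original article). It finds every link with target="_blank" and merges the missing rel tokens while keeping existing ones; the names hardenBlankLinks, getAttr and SAMPLE are hypothetical and the sample HTML is constructed.

```javascript
// Added example. hardenBlankLinks, getAttr and SAMPLE are hypothetical names;
// this is a simplified regex scan, not WordPress's own implementation.
const REQUIRED = ['noopener', 'noreferrer'];

// Constructed sample: post content with external and internal new-tab links.
const SAMPLE = [
  '<a href="https://example.com/" target="_blank">external</a>',
  '<a href="/about/" target="_blank" rel="nofollow">internal</a>',
  '<a href="https://example.org/" target="_blank" rel="noopener noreferrer">ok</a>',
  '<a href="/contact/">same tab</a>',
].join('\n');

// Read one attribute from an opening tag: name="v", name='v' or name=v.
function getAttr(tag, name) {
  const re = new RegExp(
    '\\s' + name + '\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\'|([^\\s>]+))', 'i');
  const m = re.exec(tag);
  return m ? { raw: m[0], value: m[1] ?? m[2] ?? m[3] ?? '' } : null;
}

// Add the missing rel tokens to every <a target="_blank">, keeping existing
// tokens such as nofollow. Returns the new HTML and how many tags changed.
// Limitation: assumes no ">" inside attribute values.
function hardenBlankLinks(html) {
  let fixed = 0;
  const out = html.replace(/<a\s[^>]*>/gi, (tag) => {
    const target = getAttr(tag, 'target');
    if (!target || target.value.trim().toLowerCase() !== '_blank') return tag;
    const rel = getAttr(tag, 'rel');
    const tokens = rel ? rel.value.split(/\s+/).filter(Boolean) : [];
    const have = new Set(tokens.map((t) => t.toLowerCase()));
    const missing = REQUIRED.filter((t) => !have.has(t));
    if (missing.length === 0) return tag; // already safe, leave untouched
    fixed += 1;
    const merged = ' rel="' + tokens.concat(missing).join(' ') + '"';
    return rel
      ? tag.replace(rel.raw, () => merged)   // rewrite the existing rel
      : tag.slice(0, -1) + merged + '>';     // no rel yet: append one
  });
  return { html: out, fixed };
}

const result = hardenBlankLinks(SAMPLE);
console.log(result.fixed + ' link(s) hardened');
console.log(result.html);
```

Running the function a second time over its own output changes nothing, so it is safe to apply repeatedly to the same content.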

Reverse Tabnabbing can occur when we click a link on a web page and it opens in a new tab or window. When we come back to the main web page, that page has been changed, behind our back, to a different URL. Most users may not notice the URL change.

When we come back to the original page, we may be asked to log in to our account again. Attackers replace the original tab with a malicious document, including the favicon. We usually don’t notice this URL change. We enter our login details and we are hacked.

We’re not sure how this change will affect our site’s SEO. This link attribute change was made in WordPress 4.7.4 as far as we know. When we find additional details we will update this article. We invite visitors to add their comments below.

Conservative Blogger stumping for Donald Trump and Hobbyist DOS days Fidonet Bulletin Board System Operator (BBS SysOp) turned net guru. Specializing in FREE Webmaster Help. SEO, Social Media, Tweaking and Modding WordPress. Need help? Ask Doc!

  • Alex Kogan

    I am using a user-friendly GoDaddy/GSP Network website builder program that replaced the old program with one based on WordPress. The old program, which is still active for two of my old sites, made it easy to add html scripts for Amazon links; they still work on the old sites. However, I am building a site using the upgraded version, and find that while I can copy and paste the html scripts into the pages, and publish the site, the links do not appear. I have read the discussions on Amazon Associates and here, but I am not a sophisticated programmer. All I want to know is whether there is a specific bit of WordPress code that I can copy and paste in or before the scripts, so that the links will work, and if the snippet is to go in the script, where it should go — at the beginning or at the end. I have many hundreds of scripts that are being blocked.

    • FidoSysop

      It’s been my experience that anything GoDaddy just doesn’t work quite right. There are numerous WordPress plugins available that will insert html / JavaScript code via shortlink.