WordPress is adding both ‘noopener and noreferrer’ tags to external AND internal links opening in a new tab. Essentially anything that opens in a new window or tab (target_blank) on your WordPress site.
We noticed this earlier today after updating an article then viewing it’s source.
If you set a link to open in a new tab, WordPress will now, apart from adding the target=”_blank” tag. WordPress also adds the rel=”noopener noreferrer” tag automatically.
Not only that if you open any old post and save it, the tag will get added automatically. This has probably been done to avoid what is known as Reverse Tabnabbing.
Website owners should help to prevent such attacks and exploiting of the vulnerability. WordPress has taken this step to protect users.
Reverse Tabnabbing occurs the attacker uses window.opener.location.assign() to replace the background tab with a malicious document.
- When you add noopener keyword, the new/other page cannot access your window object via window.opener
- The noreferrer keyword tells the browser to not collect HTTP referrer information when the link is followed.
- Firefox does not support noopener so you have to use rel=”noopener noreferrer”.
Reverse Tabnabbing can occur when we click on a link on a web page to open a new tab. That page opens in a new tab or window. If we come back to the main web page, behind our back, that page has changed to a different url. Most users may not notice the URL change.
When we come back to the original page we may be asked to log in again to our account. Attackers replace the original tab with a malicious document including the favicon. We usually don’t notice this url change. We enter our login details and we are hacked.
Were not sure how this change will effect our sites SEO. This url meta change was done to WordPress 4.7.4 as far as we know. When we find additional details we will update this article. We appreciate visitors to add their comments below.
Ed 'Doc' Koon
I'm an original Floridian and hobbyist Internet webmaster who specializes in SEO and WordPress while hanging out in cyberspace keeping up with tech. I am healthy and still going strong at 72, and are a non smoker/drinker/substance user, living a healthy lifestyle. looking for a good hearted lady friend/lover near my age who wants to enjoy her golden years with good looking southern boy. Is that you? Say hello 52FLC.ORG❤️
I am using a user-friendly GoDaddy/ GSP Network website builder program that replaced the old program with one based on WordPress. The old program, which is still active for two of my old sites, made it east to add html scripts for Amazon links; they still work on the old sites. However, I am building a site using the upgraded version, and find that while I can copy and paste the html scripts into the pages, and publish the site, the links do not appear. I have read the discussions on Amazon Associates and here, but I am not a sophisticated programmer. All I want to know is whether there is a specific bit of WordPress code that I can copy and paste in or before the scripts, so that the links will work, and if the snippet is to go in the script, where it should go — at tge beginning or at tge end. I have many hundreds of scripts that are being blocked.
It’s been my experience that anything GoDaddy just don’t work quite right. There are numerous WordPress plugins available that will insert html / JavaScript code via shortlink.
It’s been my experience that anything GoDaddy just don’t work quite right. There are numerous WordPress plugins available that will insert html / JavaScript code via shortlink.
I am using a user-friendly GoDaddy/ GSP Network website builder program that replaced the old program with one based on WordPress. The old program, which is still active for two of my old sites, made it east to add html scripts for Amazon links; they still work on the old sites. However, I am building a site using the upgraded version, and find that while I can copy and paste the html scripts into the pages, and publish the site, the links do not appear. I have read the discussions on Amazon Associates and here, but I am not a sophisticated programmer. All I want to know is whether there is a specific bit of WordPress code that I can copy and paste in or before the scripts, so that the links will work, and if the snippet is to go in the script, where it should go — at tge beginning or at tge end. I have many hundreds of scripts that are being blocked.
It’s been my experience that anything GoDaddy just don’t work quite right. There are numerous WordPress plugins available that will insert html / JavaScript code via shortlink.