WordPress starts adding noopener noreferrer tags automatically

Did you notice that noopener noreferrer tags are being added to both external AND internal links that are set to open in a new tab (target_blank) in your WordPress blog? I noticed this happening on my blog last night. I disabled WordPress plugins, changed my browser as well as my PC to check if it was something specific adding them. When I found that it was still happening, I decide to search on the Internet and that is when I found that some users were reporting the same issue on WordPress forums.

WordPress adding noopener noreferrer tags to links

WordPress noopener noreferrer

If you set a link to open in a new tab, WordPress will now, apart from adding the target=”_blank” tag also add the rel=”noopener noreferrer” tag automatically.

Not only that, if you open any old post and save it, the tag will get added automatically.  This has probably been done to avoid what is known as Reverse Tabnabbing. Since the onus is on website owners to prevent such attacks and exploiting of the vulnerability, WordPress has taken this step to protect users.

Reverse Tabnabbing occurs the attacker uses window.opener.location.assign() to replace the background tab with a malicious document.

  • When you add noopener keyword, the new/other page cannot access your window object via window.opener
  • The noreferrer keyword tells the browser to not collect HTTP referrer information when the link is followed.
  • Firefox does not support noopener so you have to use rel=”noopener noreferrer”.

What is Reverse Tabnabbing

Reverse Tabnabbing, a type of Tabnabbing, is a kind of a Phishing attack where the attacker replaces the legitimate and trusted page tab with a malicious document by using window.opener.location.assign().

To put simple, in Reverse Tabnabbing, when we click on a link on a web page to open a new web page, and it opens in a new tab – and if we then come back to the main web page, then behind our backs, that page will have changed automatically. It will look like the original web page which you were viewing but will obviously show a different URL. But most users may not notice the URL change.  related tab from a trusted

When we come back to the original page, we may be asked to log in again to our account. The attackers actually replace the original tab with a malicious document including the favicon as well as the address bar, but we usually don’t notice this. We enter our login details and voila, we are hacked.

Check this example to understand the Reverse Tabnabbing better.

So if you see the rel=”noopener noreferrer” to all links which have target=”_blank”, do not remove them, if you value your site. And even if you remove them – WordPress will put them back when you save the post. And there is no way to disable this feature, from what I can gather.

However, some users have reported that it also made all your internal links nofollow if they open in a new tab, which might definitely be bad for your site’s SEO. So check your links and see if all is fine.

UPDATE: Now I am seeing that it inserts only the noopener tag.

Posted by with Tags
Anand Khanse is the Admin of TheWindowsClub.com, a 10-year Microsoft MVP Awardee in Windows (2006-16) & a Windows Insider MVP. He enjoys following and reporting Microsoft news and developments in the world of Personal Computing & Social Media.

14 Comments

  1. Aris

    Hello, I have seen this happening too. Do you know if the noreferrer attribute affects affiliate links? I mean will the affiliate links be tracked with the rel=”noreferrer” ?

  2. The
    noreferrer tag prevents the target sites from tracking your visits. Now I am not sure about this, but since the links will drop Cookies, I think the Affiliates will be able to track your sales.

  3. Just noticed that in an old post updated today. I appreciate your article as i was searching Bing for ‘noopener noreferrer’ and your article came up first. Wonder why WordPress did that? Sure to get penalized as Google will think the link points to a dark-net site or worse.

  4. Fascinating stuff. Just saw this and was wondering!

  5. Hello, thanks for such valuable information. Is the ‘noreferrer’ tag equivalent to the ‘nofollow’ tag? I am asked to add nofollow tags when I am reviewing products or writing sponsored (paid) posts.

    Thanks!

  6. No, the tags are different. Nofollow tells search bots to not follow the link. Noreferrer tells the browser to not collect HTTP referrer information when the link is visited.

  7. Tyler Stokes

    When I source articles in my posts, I like to have the links open in a new window. But I do want to link with “do follow” as these sources I link to are reputable websites. So is there anything wrong with the target=”_blank” + the rel=”noopener noreferrer” in this regard? Or should I just remove the open in a new window altogether?

  8. You can use ‘target=_blank + the rel=noopener noreferrer’. I use it too. Using dofollow is not a must.

  9. You can remove these tags from your link using https://wordpress.org/plugins/udinra-noopener-noreferrer-remove/ plugin as functions.php code changes get wiped out with new theme update

  10. I’m really concerned about the affiliate sales. Because some affiliate platforms might need the referring url to get details regarding the user that sent the sale, in case the sale will not fire directly on their platform.

  11. I am looking for nofollow help. How to add nofollow and noopener together?

  12. Use WordPress plugin ‘NoFollow Link’ by Alex Jose (Ginger Codes). One should use noopener only along with target=”_blank” to prevent Reverse Tabnabbing.

  13. I use “_blank” for all the links whether internal or external. What in this case nofollow or noopener…or both can be possible in same link…?

  14. Yes you can use: target=”_blank” rel=”nofollow noopener”

Leave a Reply

Your email address will not be published. Required fields are marked *


5 + 3 =