How to disable “noreferrer” tag – easy and effective way

If you are 100% sure that “noreferrer” is affecting your affiliate revenue, you can disable it, and I am here to show you a very simple way to disable the “noreferrer” tag in WordPress, even when you are using the Gutenberg editor. Let WordPress add the “noreferrer” tag to your links, and we can remove it before the page appears in the browser. No messing with PHP functions, no need to disable Gutenberg, and no need to use a poorly coded plugin that is built just to remove the “noreferrer” tag.

  • First of all, install RFR Plugin for free. WordPress repository link is given below
  • After installing and activating the plugin, go to WordPress admin menu > tools > plugin options
  • In the “find” field, press the space bar and then type “noreferrer” (without inverted commas)
  • Leave the “replace” field blank and then update the settings.
  • Clear your WordPress cache and that’s all. RFR Plugin now removes the “noreferrer” tag automatically from the source code delivered to the browser. Isn’t that easy?

Why did WordPress add the “noopener” and “noreferrer” tags?

Tabnabbing

Two years back, the WordPress post editor TinyMCE started automatically adding the link relations “noreferrer” and “noopener” to links that were set to open in a new browser tab or window. This was a security measure implemented to protect website visitors from a known phishing attack called tabnabbing. Tabnabbing is an old phishing technique that was usually used by hackers to steal login details or other sensitive data by sending the victim a link in an email message.

How tabnabbing works for hackers

  • The hacker sends an email to the user
  • The user reads the email
  • It is a fake email asking the user to reset the password for a target website (such as a social media website or a bank website)
  • The email contains a link to follow
  • If the user clicks the link, it takes him to a page that includes a link to the authentic website
  • If the user clicks that link, it takes him to the real, authentic website
  • The user checks the URL in the browser address bar and is reassured that he is on the safe site
  • If he leaves both tabs open and switches to something else in the browser, he generally forgets about the incident
  • When he gets back to the second tab (where he left the authentic website open), he usually doesn’t check the page address in the browser bar and thinks that it is the same website he left a while ago. But in fact the parent page has redirected the authentic page to a phishing page that is an HTML clone of the authentic website.
  • If the user enters his login details on the phishing page, they are sent to the attacker’s server, and so the attacker succeeds in stealing the credentials through tabnabbing

Reverse tabnabbing

Tabnabbing is not a vulnerability; it is a phishing attack. It has been in use for a long time and people are well aware of it. But reverse tabnabbing is far more dangerous because it doesn’t involve any email and doesn’t force anyone to click on a link. Everything happens naturally, through the user’s own actions in the web browser.

If a good and honest website contains a malicious link set to open in a new tab (target blank) and someone clicks on the link, the malicious page can control the parent page through window.opener. The user leaves the parent webpage and goes to the page opened in the new tab. In the background, this newly opened page can redirect the parent page to a phishing page that looks like the authentic page, and the user remains totally unaware of the change. Reverse tabnabbing is an advanced form of tabnabbing.

To prevent reverse tabnabbing, two new HTML tags (link relation values) were introduced: “noopener” and “noreferrer”. The “noopener” tag disables window.opener so that the child tab cannot control the parent tab. “noreferrer” removes the referring website’s information from the request header and hence completely rules out the possibility of tabnabbing.

How to protect your website visitors from phishing caused by reverse tabnabbing without adding the “noreferrer” tag

The “noopener” tag is enough to prevent tabnabbing to an extent, but “noreferrer” adds an extra layer of security. So we can’t deny that removing “noreferrer” from a link set to open in a blank tab reduces the security of website visitors. But the “noreferrer” tag may affect affiliate tracking and affiliate income.
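The find setting described earlier matches the literal text “ noreferrer” with a leading space, so whether it fires depends on where the token sits in rel, and the point above only holds if “noopener” survives the removal. The JavaScript below is an added example, not code from RFR Plugin or WordPress: it compares that literal replace with a token-aware removal that keeps “noopener”, and audits the result. The sample markup, the function names, and the assumption that the plugin performs a plain string replace are all constructed for illustration.

```javascript
// Constructed sample markup (not captured from a real WordPress site).
const SAMPLE = [
  '<a href="https://a.example/" target="_blank" rel="noopener noreferrer">A</a>',
  '<a href="https://b.example/" target="_blank" rel="noreferrer noopener">B</a>',
  '<a href="https://c.example/" target="_blank" rel="noreferrer">C</a>',
  '<a href="https://d.example/" rel="nofollow">D</a>',
].join('\n');
const BLANK_RE = /\starget\s*=\s*(["'])_blank\1/i;
const REL_RE = /\srel\s*=\s*(["'])(.*?)\1/i;

// Assumption: the plugin setting acts as a plain string replace of
// " noreferrer" (leading space) with an empty string.
function literalReplace(html) {
  return html.split(' noreferrer').join('');
}

// Token-aware alternative: drop "noreferrer" wherever it sits in rel and make
// sure every target="_blank" link still carries "noopener" afterwards.
function stripNoreferrer(html) {
  return html.replace(/<a\s[^>]*>/gi, (tag) => {
    const m = tag.match(REL_RE);
    const kept = (m ? m[2].split(/\s+/) : [])
      .filter((t) => t && t.toLowerCase() !== 'noreferrer');
    if (BLANK_RE.test(tag) && !kept.some((t) => t.toLowerCase() === 'noopener')) {
      kept.push('noopener');
    }
    const rel = ` rel="${kept.join(' ')}"`;
    if (m) return tag.replace(REL_RE, () => rel);
    return kept.length ? `${tag.slice(0, -1)}${rel}>` : tag;
  });
}

// Audit: hrefs of target="_blank" links whose rel has neither token.
function unprotectedBlankLinks(html) {
  const found = [];
  for (const [tag] of html.matchAll(/<a\s[^>]*>/gi)) {
    if (!BLANK_RE.test(tag)) continue;
    const rel = ((tag.match(REL_RE) || [])[2] || '').toLowerCase().split(/\s+/);
    if (rel.includes('noopener') || rel.includes('noreferrer')) continue;
    found.push((tag.match(/\shref\s*=\s*(["'])(.*?)\1/i) || [])[2] || '(no href)');
  }
  return found;
}
```

With the sample above, the literal replace changes only link A, while links B and C keep “noreferrer” because the token is not preceded by a space. Running `unprotectedBlankLinks` over the rendered page source after changing the setting confirms that no new-tab link has lost both tokens.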

Does the “noreferrer” tag really affect affiliate income?

To check whether the “noreferrer” tag affects affiliate tracking, I manually tested some affiliate programs, such as A2 Hosting and Elegant Themes, and I found that clicks are recorded properly but the referring URL is absent in the click report. This simply indicates that affiliate link tracking is being done by the affiliate software, and if direct traffic without any referrer is valid in an affiliate program, you will be credited your affiliate share.

Note that different affiliate software works in different ways. It is possible that, with a specific affiliate tracking software, your clicks might not be counted if links contain the “noreferrer” tag.