In the 4.7.4 release of WordPress (May 2017), a new feature was added that changes the code behind any link you set to open in a new tab. As a security precaution, these links no longer send along their origin (i.e., your site, known as the referrer) when clicked. This is done by automatically adding rel="noopener noreferrer" to these links. This change was reverted to just rel="noopener" in 4.9, but noreferrer has now been put back with the release of WordPress 5.0.
This might be a problem with your Amazon affiliate links, because the program policies & guidelines state that Amazon needs to know where the link originated from. It also prevents the destination site from knowing where the link came from, meaning your site is not getting all the credit it deserves for referral traffic in Google Analytics.
So why did this happen?
The change protects your blog from a form of phishing attack called "tabnabbing." If the site you are linking to is compromised, malicious code there could replace the page in your site's original tab with something else, such as a login page that steals username and password information, when the link is clicked.
While noopener is sufficient to prevent this attack without any negative side effects, it is not supported by ALL browsers (currently 85% of all web users have a browser that supports it). Because of this, noreferrer is also added, which has the side effect of not sending the referrer information.
What Amazon is Doing About the “noreferrer” Problem in WordPress
Amazon has confirmed that they need to be able to identify the site where a sale is generated. While one of their support representatives did post that they understand the nature of this change and would not ban people for using it, we've seen Amazon's Support and Compliance departments say and do different things in the past.
Many people think the risk to their affiliate account income is greater than the risk of this particular attack. The reasons:
- This change only affects posts you update going forward – all of your existing links will remain at risk of tabnabbing unless you update every single one of your posts. <sarcasm>In other words, with this change, 0.02% of your posts are safe from tabnabbing. Congratulations. Six months from now, likely 1.2% of your posts will be safe! Wow!</sarcasm>
- The chances of Amazon itself being compromised are next to nothing.
- 85% of all traffic is protected by using noopener only.
- This security problem has been around nearly a decade and only recently is WordPress trying to stop it. There just doesn’t seem to be a big rush to fix this.
Our current recommendation is to turn this feature off and wait to see what Amazon decides – it can always be re-enabled later.
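Because existing posts keep whatever rel value they were saved with, an audit shows which new-tab links still expose window.opener and which ones suppress the referrer. The Node.js script below is an added example, not code from WordPress or The Blog Fixer; the function names and the sample markup are hypothetical, and it assumes editor-generated HTML that a regex can read.

```javascript
// Added example: audit post HTML for links that open in a new tab.
// Regex parsing suits editor-generated markup; use a real HTML parser
// for arbitrary or hostile input.

// Constructed sample post content (not taken from any real site).
const SAMPLE_POST = `
<p><a href="https://www.amazon.com/dp/EXAMPLE?tag=example-20" target="_blank" rel="noopener noreferrer">A</a>
<a href="https://example.org/old" target="_blank">B</a>
<a href='https://example.net/' target=_blank rel="nofollow noopener">C</a>
<a href="/about">D</a></p>`;

// Parse the attributes of one <a ...> opening tag into a lowercase-keyed map.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Return one finding per link that opens a new tab.
function auditLinks(html) {
  const findings = [];
  for (const [tag] of html.matchAll(/<a\s[^>]*>/gi)) {
    const a = parseAttrs(tag);
    // Links that open in the same tab are not affected.
    if ((a.target || "").toLowerCase() !== "_blank") continue;
    const rel = new Set((a.rel || "").toLowerCase().split(/\s+/).filter(Boolean));
    findings.push({
      href: a.href || "",
      // Either keyword keeps the opened page from receiving window.opener.
      openerExposed: !rel.has("noopener") && !rel.has("noreferrer"),
      // noreferrer additionally stops the referrer from being sent.
      referrerSuppressed: rel.has("noreferrer"),
    });
  }
  return findings;
}

for (const f of auditLinks(SAMPLE_POST)) {
  console.log(f.href, "openerExposed=" + f.openerExposed,
    "referrerSuppressed=" + f.referrerSuppressed);
}
```

Links reported with openerExposed=true are the older ones that still need rel="noopener"; links with referrerSuppressed=true are the ones the affiliate concern applies to.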
How to disable noreferrer in WordPress
Manually for Classic Editor
For the more adventurous among us, you can add the code below to your theme’s functions.php file. This will turn off the automatic adding of noreferrer (noopener will remain) but will not remove code that has already been added.
// Strip "noreferrer" from the rel value WordPress adds to new-tab links; "noopener" stays.
add_filter( 'wp_targeted_link_rel', 'my_targeted_link_rel_remove_noreferrer' );
function my_targeted_link_rel_remove_noreferrer( $rel_values ) {
    return preg_replace( '/noreferrer\s*/i', '', $rel_values );
}
Manually for Gutenberg
Unfortunately, it is not possible at this time to turn off Gutenberg's use of noreferrer.
Automated with The Blog Fixer
The Blog Fixer has a couple different options available for automatically dealing with this issue.
- Have The Blog Fixer take them out. We'll remove "noreferrer" from any Amazon links you've inserted. This is included with our Blogging Monetization Compliance Fix or individually here.
- Have The Blog Fixer keep them out. After removing noreferrer, you can sign up for our Live Fix subscription, which is capable of removing them any time they are reinserted, by Gutenberg or any other software.
- Use our Link Target Fix to change all existing Amazon links to open in the same tab. Links that open in the current tab do not suffer from the security problem and will send along the referrer information as normal.
How Big of a Problem is This Really?
Many people are saying that of COURSE Amazon affiliate links still work with noreferrer on them.
Let’s break that down, because there are two issues here, and most people are only seeing one:
- Will Amazon be able to track each transaction, and thus pay you? YES. Not a problem.
- Will the noreferrer code cause your site to be in violation of Amazon’s terms of service, and thus put your entire account at risk of being closed down? YES. If you read Amazon’s Terms of Service – you are in violation.
The Blog Fixer wants to see you win, every time. We can help you protect your Amazon Affiliate status in many ways! We’ll fix the noreferrer problem AND get you in compliance in other ways with our Blogging Monetization Compliance Fix:
- make all your links hit direct products
- remove links to Amazon’s homepage
- take Amazon links out of your full-feed RSS emails
- un “cloak” Amazon links you may have shortened
- take off noreferrer from your links
- nofollow everything required by Google
- AND guess what? Salvage a bunch of broken Amazon links you didn’t know you had.