Understanding rel=”noopener noreferrer” in WordPress: A Complete Guide to Security and Privacy
Introduction
If you have ever peeked into the source code of your WordPress website, you likely noticed a recurring string of text attached to your external links: rel="noopener noreferrer". Whether you use the modern Block Editor (Gutenberg) or the classic editor, WordPress automatically injects these attributes whenever a link is set to open in a new tab (target="_blank"). But what exactly do these terms mean, and should you be concerned about them?
This comprehensive guide breaks down the technical functionality of these attributes, their impact on your SEO, and how they affect affiliate marketing and site security.
What is rel=”noopener”?
Introduced to the WordPress core in version 4.7.4 back in 2017, rel="noopener" was implemented as a critical security measure to prevent a vulnerability known as “Reverse Tabnabbing.”
In a reverse tabnabbing attack, a malicious destination page can use JavaScript to access the window.opener object of the page that linked to it. This allows the attacker to silently redirect the original tab to a phishing site—such as a fake login screen—without the user realizing it. Because the user believes they are still on a trusted site, they are more likely to enter sensitive credentials.
By adding rel="noopener", WordPress instructs the browser to block the new page from accessing the original window, effectively closing the security hole.
What is rel=”noreferrer”?
While noopener focuses on security, rel="noreferrer" is primarily about privacy. This attribute prevents the browser from sending the “Referer” header to the destination website.
Normally, when a user clicks a link, the destination site can see exactly which URL the visitor came from. When noreferrer is present, this data is stripped away. The owner of the receiving site will see the traffic as “Direct” in their analytics rather than as a referral from your specific page.
Modern Browsers and Redundancy
An important detail often overlooked is that modern web browsers have largely automated this protection. Since early 2021, major browsers including Chrome (version 88+), Firefox, Safari, and Edge treat target="_blank" links as if they have rel="noopener" by default.
WordPress continues to include these attributes to ensure backward compatibility for users on outdated browsers. For the vast majority of site owners, leaving these attributes in place is the safest and most efficient choice.
The Impact on SEO and Affiliate Links
Does it Affect SEO?
The short answer is no. Google and other major search engines treat noopener and noreferrer as security and privacy signals, not ranking signals. They do not block “link juice” or authority; that is the role of rel="nofollow". Your outbound links will still be treated as standard followed links unless you specifically add a nofollow tag.
The Affiliate Link Dilemma
This is the one area where rel="noreferrer" can cause issues. Some older affiliate programs rely on the Referer header to verify that a lead came from your site. If noreferrer is active, that tracking data is lost.
While most modern networks (like Amazon Associates or ShareASale) use unique URL parameters for tracking, some niche programs may still struggle. If you notice a drop in reported conversions, you may want to use rel="sponsored noopener" instead, which preserves the referral data while following Google’s guidelines for paid links.
Comparing Key Link Attributes
| Attribute | Primary Purpose | Effect |
|---|---|---|
| noopener | Security | Prevents tabnabbing by blocking window.opener. |
| noreferrer | Privacy | Hides the referring URL from the destination site. |
| nofollow | SEO | Tells search engines not to pass authority to the link. |
How to Remove These Attributes
If you absolutely must remove these attributes (usually for specific affiliate tracking needs), you have two primary options:
1. Using a Plugin
The Remove Noreferrer plugin is a lightweight solution that automatically strips the noreferrer attribute from your outgoing links without requiring any code knowledge.
2. Using a Code Snippet
Advanced users can add a filter to their functions.php file or use a plugin like Code Snippets to modify how WordPress handles targeted links. By using the wp_targeted_link_rel filter, you can customize exactly which attributes are added to your links. Note that this typically applies to new links; existing links would need to be updated using a tool like Better Search Replace.
Final Verdict
For 99% of WordPress users, rel="noopener noreferrer" is a helpful, invisible feature that keeps your visitors safe. Unless you are experiencing specific tracking issues with an affiliate partner, it is highly recommended to leave these attributes exactly as they are.