Affiliates Using Wordpress - TinyMCE Update Risks Your Accounts

#1 xiqual

Posted 01 May 2017 - 03:19 PM

Hey there fellow marketers!

 
Short and sour: if you're in any affiliate programs requiring referral tracking and you use WordPress, you need to check if the last WP update is killing your sales... AND putting your website at risk!

WP updated the TinyMCE text editor to include certain tags on any links that open in a new tab or window, which will block the referral tracking. This will lead to you losing sales and possibly being banned from programs like Amazon.

After the update, WP adds the noopener and noreferrer tags to links that open in a new tab.
 
 
What they do is disallow spammers from hijacking the off-tab link.
 
For example: a site with a million links to it gets dropped. Someone buys the domain and recreates it. All of the links pointing to it with:
 
Code:
 
target="_blank"
 
Are now open for a kind of man-in-the-middle attack.
 
In order to open in a new tab or window, it has to allow access to some browser JavaScript, specifically:
 
Code:
 
window.opener.location
 
So what can happen is the spammers that control the new domain can hijack that line of JavaScript and send the traffic to a different page, like a fake Facebook phishing login or Viagra page. They can take over the previous tab or the current tab, it seems.
 
Google calls it reverse tabnabbing and says that it's part and parcel of using browsers and to not submit it to them as a bug for a reward, etc.
 
Here's a fix for your functions.php:
 
Code:
 
// Stop TinyMCE adding "noopener noreferrer" to external links with target="_blank"
add_filter('tiny_mce_before_init','tinymce_allow_unsafe_link_target');
function tinymce_allow_unsafe_link_target( $mceInit ) {
    $mceInit['allow_unsafe_link_target']=true;
    return $mceInit;
}
 
TinyMCE is the open source text editor WordPress uses. This stops it from adding this code.

I suggest doing a WordPress search inside the dashboard for the phrase "noopener noreferrer" to find any that remain and remove them.
 
A public service brought to you by 
Adrian

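An added example, not part of the original post or of WordPress/TinyMCE code: `noopener` alone sets `window.opener` to null, while `noreferrer` is the token that suppresses the Referer header, so the two can be audited and set separately. The `referrerHosts` allowlist and the sample markup are constructed assumptions.

```javascript
// Regex scan suits editor-generated markup; it is not a full HTML parser.
function attr(tag, name) {
  const re = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = tag.match(re);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}
const relTokens = (tag) =>
  new Set((attr(tag, 'rel') || '').toLowerCase().split(/\s+/).filter(Boolean));
const opensNewTab = (tag) => (attr(tag, 'target') || '').toLowerCase() === '_blank';

// Per target="_blank" link: is window.opener reachable, and is a Referer sent?
function auditLinks(html) {
  const findings = [];
  for (const [tag] of html.matchAll(/<a\b[^>]*>/gi)) {
    if (!opensNewTab(tag)) continue;
    const rel = relTokens(tag);
    const noreferrer = rel.has('noreferrer'); // noreferrer also implies noopener
    findings.push({
      href: attr(tag, 'href'),
      openerExposed: !(noreferrer || rel.has('noopener')),
      refererSent: !noreferrer,
    });
  }
  return findings;
}

// Put noopener on every new-tab link; drop noreferrer only for hosts listed in
// referrerHosts (hypothetical allowlist of programs that track by Referer).
function hardenLinks(html, referrerHosts = []) {
  const relRe = /\srel\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/i;
  return html.replace(/<a\b[^>]*>/gi, (tag) => {
    if (!opensNewTab(tag)) return tag;
    const rel = relTokens(tag);
    rel.add('noopener');
    let host = '';
    try { host = new URL(attr(tag, 'href')).hostname; } catch { /* relative or bad href */ }
    if (referrerHosts.includes(host)) rel.delete('noreferrer');
    const relAttr = ` rel="${[...rel].join(' ')}"`;
    return relRe.test(tag) ? tag.replace(relRe, () => relAttr)
                           : tag.replace(/^<a\b/i, () => `<a${relAttr}`);
  });
}

// Constructed sample markup (example.* hosts are placeholders).
const SAMPLE = [
  '<a href="https://shop.example/item?tag=aff-1" target="_blank" rel="noopener noreferrer">buy</a>',
  '<a href="https://old-partner.example/" target="_blank">partner</a>',
  '<a href="/about">about</a>',
].join('\n');
console.log(auditLinks(hardenLinks(SAMPLE, ['shop.example'])));
```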

#2 john566

Posted 02 May 2017 - 02:56 AM

Interesting, thanks for sharing.

