Marketing Checkpoint

Affiliates Using Wordpress - TinyMCE Update Risks Your Accounts



Hey there fellow marketers!

 
Short and sour: if you're in any affiliate programs requiring referral tracking and you use WordPress, you need to check if the last WP update is killing your sales... AND putting your web at risk!
 
WP updated TinyMCE text editor to include certain tags on any links that open in a new tab or window which will block the referral tracking. This will lead to you losing sales and possibly being banned from programs like Amazon.
 
After update, WP adds the noopener and noreferrer tags to links that open in a new tab.
 
 
What they do is disallow spammers from hijacking the off-tab link.
 
For example: a site with a million links to it gets dropped. Someone buys the domain and recreates it. All of the links pointing to it with:
 
Code:
 
target="_blank"
 
Are now open for a kind of man-in-the-middle attack.
 
In order to open in a new tab or window, it has to allow access to some browser JavaScript, specifically:
 
Code:
 
window.opener.location
 
So what can happen is the spammers that control the new domain can hijack that line of javascript and send the traffic to a different page, like a fake Facebook phishing login or Viagra page. They can take over the previous tab or the current tab, it seems.
 
Google calls it reverse tabnabbing and says that it's part and parcel of using browsers and to not submit it to them as a bug for a reward, etc.
 
Here's a fix for your functions.php:
 
Code:
 
// Stop TinyMCE adding "noopener noreferrer" to external links with target="_blank"
add_filter('tiny_mce_before_init','tinymce_allow_unsafe_link_target');
function tinymce_allow_unsafe_link_target( $mceInit ) {
    $mceInit['allow_unsafe_link_target']=true;
    return $mceInit;
}
 
TinyMCE is the open source text editor WordPress uses. This stops it from adding this code.
 
I suggest doing a Wordpress search inside the dashboard for the phrase "noopener noreferrer" to find any that remain and remove them.
 
A public service brought to you by 
Adrian
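The two rel tokens discussed in the post do different jobs: noopener sets window.opener to null in the opened page, while noreferrer additionally suppresses the Referer header. The following is an added example, not code from the original post: it audits new-tab links and rewrites them to keep noopener while dropping noreferrer. The function names and sample HTML are constructed for illustration, and the regex handling assumes quoted attribute values.

```javascript
// Constructed sample post content (not from the original thread).
const SAMPLE =
  '<p><a href="https://shop.example/?tag=aff-1" target="_blank" rel="noopener noreferrer">A</a> ' +
  '<a href="https://old.example/" target="_blank">B</a> <a href="/about">C</a></p>';

const A_TAG = /<a\b[^>]*>/gi;
const REL_ATTR = /\srel\s*=\s*("[^"]*"|'[^']*')/i;

// Read one quoted attribute value from an opening tag, or null if absent.
function getAttr(tag, name) {
  const m = tag.match(new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)')`, "i"));
  return m ? (m[1] !== undefined ? m[1] : m[2]) : null;
}

// Classify an <a ...> tag: does it open a new tab, and which rel tokens are set?
function classify(tag) {
  const target = (getAttr(tag, "target") || "").toLowerCase();
  const rel = (getAttr(tag, "rel") || "").toLowerCase().split(/\s+/).filter(Boolean);
  return { newTab: target === "_blank", rel };
}

// New-tab links with neither token; noreferrer also implies noopener behaviour.
function findExposed(html) {
  return (html.match(A_TAG) || []).filter((tag) => {
    const { newTab, rel } = classify(tag);
    return newTab && !rel.includes("noopener") && !rel.includes("noreferrer");
  });
}

// Keep the opener protection on every new-tab link, drop only noreferrer.
function hardenLinks(html) {
  return html.replace(A_TAG, (tag) => {
    const { newTab, rel } = classify(tag);
    if (!newTab) return tag;
    const tokens = rel.filter((t) => t !== "noreferrer");
    if (!tokens.includes("noopener")) tokens.push("noopener");
    const relAttr = ` rel="${tokens.join(" ")}"`;
    return REL_ATTR.test(tag)
      ? tag.replace(REL_ATTR, relAttr)
      : tag.replace(/\s*\/?>$/, `${relAttr}>`);
  });
}
```

Run `findExposed` over exported post content to list links that need attention, and `hardenLinks` to produce the corrected markup for review before saving.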