Contact
Site: US UK AU |
Nexcess Blog

What Does rel=noopener Do In WordPress Posts

December 20, 2017 1 Comment RSS Feed

What Does rel=noopener Do In WordPress Posts

Photo by JJ Ying on Unsplash

With the release of WordPress 4.7.4, there was a change to the way links are created in WordPress posts and pages. If you flip over to the “text” view in the WordPress editor, you’ll see that links you’ve told to open in a new tab are now tagged with rel=“noopener”. Many WordPress users have wondered what this attribute means, why it’s being added to their links, and, in particular, whether it has an impact on search engine optimization in the way that attributes like rel=“nofollow” and rel=“noindex” can.

In fact, rel=“noopener” is added to links that open in a new tab as a security precaution. When a link opens a new tab, the page that opens in the second tab is able to exert some control over what appears in the original tab. This ability is conferred by the JavaScript window.opener object, which gives JavaScript running on the child tab access to the contents of the parent tab.

The window.opener can be used to “hack” the contents of the parent tab. That’s bad news if the original tab contains sensitive information or forms that could be used to input sensitive information. You can see an excellent demonstration of this process on the “about rel=noopener” site.

A simple application of this hack would be to embed a link in a WordPress page that opens a new page in a new tab. Code in the new page could then be used to change the contents of the original tab to a fake login page, which would then transmit the user’s login details to the malicious third-party. If the parent and child tabs contain pages on different domains, there are greater restrictions on the window.opener object, but the child tab is able to redirect the parent tab to a different page. It’s easy to imagine a situation in which an attacker spams malicious links that redirect the parent tab to a phishing site.

As you can see, the window.opener object presents a security risk without adding much that’s useful for the vast majority of WordPress sites. The rel=”noopener” attribute tells web browsers to disable the window.opener object. Without access to that object, there’s no way a child tab can influence its parent.

Does rel-noopener Hurt SEO?

The short answer is no. The rel=”noopener” attribute has nothing to do with search engine optimization. Search engine crawlers ignore it, and it doesn’t impact the pages they crawl or how they rank and index pages.

Although rel=”noopener” removes the security risk, WordPress hosting clients should think twice before forcing pages to open in new tabs or windows. If users want to open tabs in new windows, their browsers make it easy to do so. Forcing pages to open in new tabs is an unnecessary imposition on the expected user experience of the web.

Posted in: Webmaster, WordPress
  • Amanda Pj Mitchum

    Excellent post! Easiest to understand over other search results.