A referrer URL is the address of the webpage that sends users to your website. For example, you find our PDA Gold on the WordPress plugin repository. Click “Check out our Gold version now” on this page and you will be redirected to our Features page. This link, https://wordpress.org/plugins/prevent-direct-access/, is called a referrer link.
Generally, you need to know referrer links to analyze your website traffic, for example to learn how potential customers find you. There are also cases when you want to restrict or allow users to access your private pages from specific referrer links. That is when our Protect Pages & Posts (PPP) Gold plugin comes in handy.
- Grant all access based on referrer URLs
- Grant individual access based on referrer URLs
- Logic & Limitation
- Troubleshooting
Requirement:
- Protect Pages & Posts (PPP) Gold 1.0.14 and greater
How to grant all protected content access based on referrer URLs
After activating PPP Gold successfully, navigate to Content Protection under your admin dashboard to access our plugin settings page.
In the Set Referer Links section under the General tab, you will see these 3 options:
(1) Disable referrer links
By default, this feature is disabled. Only certain user roles set under “Access Permission” can access your protected content.
(2) Allow all referrer links
When this option is selected, users have to access your page through a web page’s content (that’s linked to yours).
Users won’t be able to access your private page directly unless they have the right user permission. In other words, if they copy and paste your page’s link directly into the browser address bar, they won’t be able to see the content.
(3) Allow specific referrer links
You can specify the referrer links from which you want to give access to your private content. Similar to the second option, there are only 2 ways users can access your content:
- Click on the page URL from the specified referrer links
- Have the right user permission set under the Access Permission tab
* will match any sequence of characters (including the empty sequence). If you add something like https://preventdirectaccess.com/* to the referrer whitelist, you accept all referrer links under this domain.
Please use the page’s original URL (not our private access link) when embedding it on your referrer content.
Grant Individual Content Access Based on Referrer Links
Go to a page or post you want to protect and click “Configure protection.”
Switch to the “Referrer Links” tab after protecting the post and you will see 4 options below:
(1) Use default setting
Follow the global-level Referrer Links option on the plugin settings page.
(2) Disable referrer links
Disallow protected content access based on referrer URLs. The content is still accessible to those having the right permission.
(3) Allow all referrer links
Allow users to access the protected content as long as it’s embedded into a page.
However, they will be redirected to a “No Access” page if they paste the page URL to the browser’s address bar directly.
(4) Allow specific referrer links
Define specific referrer URLs from which users will have access to your protected files.
* matches any sequence of characters (including the blank sequence). If your whitelisted referrer link is https://preventdirectaccess.com/*, all referrer links from this domain are valid.
Logic & Limitation
Referrer-Policy
When you block or grant someone access by referrer links, you might come across the Referrer-Policy term. Its value informs browsers which referrer information is included with the page request.
The referrerpolicy="strict-origin-when-cross-origin" value is set by default. In other words, the full referrer link won’t be sent with requests from HTTPS to HTTP or across different domains, for security reasons. This means:
- If you allow users to access your private content from https://preventdirectaccess.com/*, for example, the content link must be hosted on an HTTPS website too.
- If you allow users to access your private content (https://siteA.com/private-content) from a different domain (https://siteB.com/referrer-link), the referrer rule must contain domain name only (https://siteB.com/*).
Limitation: Our feature won’t work properly if you use referrerpolicy="origin"
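The two rules above, worked through as an added example (not PPP Gold's own code): `referrerSent()` models the Referer value a browser sends under strict-origin-when-cross-origin, and `matchesRule()` is an assumed matcher that implements the `*` wildcard as described on this page. Both function names and the sample URLs are constructed for illustration.

```javascript
// Added example: models the Referer value sent under
// strict-origin-when-cross-origin and tests it against a whitelist rule.
// matchesRule() is an assumed matcher, not the plugin's implementation.

// Referer value for a navigation from `from` to `to` ("" = header omitted).
function referrerSent(from, to) {
  const src = new URL(from);
  const dst = new URL(to);
  // HTTPS -> HTTP downgrade: no referrer is sent at all.
  if (src.protocol === "https:" && dst.protocol === "http:") return "";
  // Same origin: full URL, without fragment or credentials.
  if (src.origin === dst.origin) return src.origin + src.pathname + src.search;
  // Cross origin: origin only, serialized with a trailing slash.
  return src.origin + "/";
}

// `*` matches any sequence of characters, including the empty one.
function matchesRule(rule, referrer) {
  if (referrer === "") return false; // header absent, nothing to match
  const pattern = rule
    .split("*")
    .map((part) => part.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"))
    .join(".*");
  return new RegExp("^" + pattern + "$").test(referrer);
}

function evaluate(from, to, rule) {
  const referrer = referrerSent(from, to);
  return { referrer, allowed: matchesRule(rule, referrer) };
}

// Constructed samples based on the page's siteA/siteB hosts, written in
// lowercase because browsers serialize the host in lowercase.
const target = "https://sitea.com/private-content";
const cases = [
  ["https://siteb.com/referrer-link", "https://siteb.com/referrer-link"],
  ["https://siteb.com/referrer-link", "https://siteb.com/*"],
  ["https://sitea.com/members/index", "https://sitea.com/members/*"],
];

for (const [from, rule] of cases) {
  const { referrer, allowed } = evaluate(from, target, rule);
  console.log(`${from} -> Referer "${referrer}" vs ${rule}: ${allowed}`);
}
```

The first case fails because only `https://siteb.com/` reaches the server, which is why a cross-domain rule has to be written as a domain wildcard. The Referer header is supplied by the client, so a match shows where a browser says it came from rather than who the user is.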
target="_blank" and rel="noreferrer noopener"
Since WordPress version 4.7.4, when users set target="_blank" on a hyperlink, rel="noreferrer noopener" is added automatically to the link too. This is part of a security issue fix of TinyMCE on 23rd Nov 2016.
This default WordPress feature will prevent you from whitelisting or blocking users via referrer links as well.
Troubleshooting
If the referrer URLs function doesn’t work, it might be due to one of the following reasons.
- You’re using a caching plugin or enabling server cache.
  - Solution: Exclude the protected page from your cache. You can often do it under the settings page of caching plugins. However, some hosting might require you to disable server cache from the server account or contact the hosting support team to set up a caching exclusion for a page.
- You’re redirecting users from an HTTP site.
  - Solution: Due to the strict-origin-when-cross-origin policy, you have to migrate your referrer site to HTTPS.
- You’re redirecting users from a different domain.
  - Solution: Due to the strict-origin-when-cross-origin policy, the referrer rules must contain the domain name only (instead of full referrer URLs), e.g. https://your-site.com/*
- The protected page is opened in a new tab.
  - Solution: Remove the rel="noreferrer noopener" attribute in the <a> tag.