Restrict Page Access to Specific Referrer URLs

A referrer URL is the address of the webpage that sends users to your website. For example, say you find our PDA Gold on the WordPress plugin repository. Click “Check out our Gold version now” on this page and you will be redirected to our Features page. The link of the page you came from, https://wordpress.org/plugins/prevent-direct-access/, is called a referrer link.

Generally, you need to know referrer links to analyze your website traffic, for example, to learn how potential customers find you. There are also cases when you want to restrict or allow users to access your private pages from specific referrer links. That is when our Protect Pages & Posts (PPP) Gold plugin comes in handy.

Requirement:

How to grant access based on referrer URLs

After activating PPP Gold successfully, go to a page or post you want to protect and click “Configure protection”.

Switch to “Referrer Links” after protecting the post and you will see 3 options:

(1) Disable referrer links

By default, this feature is disabled. Only certain user roles set under “Access Permission” can access your protected content.

(2) Allow all referrer links

When this option is selected, users have to reach your page by clicking a link to it placed in another web page’s content.

Users won’t be able to access your private page directly unless they have the right user permission. In other words, if they copy and paste your page’s link directly into the browser address bar, they won’t be able to see the content.

(3) Allow specific referrer links

You can specify the referrer links from which you want to give access to your private content. Similar to the second option, there are only 2 ways users can access your content:

  • Click on the page URL from the specified referrer links
  • Have the right user permission set under the Access Permission tab

The * character will match any sequence of characters (including the empty sequence). If you enter something like https://preventdirectaccess.com/* into the referrer whitelist, you accept all referrer links under this domain.

Please use the page’s original URL (not our private access link) when embedding it on your referrer content.

Logic & Limitation

Referrer-Policy

When you block or grant someone access by referrer links, you might come across the Referrer-Policy term. Its value informs browsers which referrer information is included with the page request.

The value referrerpolicy="strict-origin-when-cross-origin" is set by default. With this policy, browsers send no referrer on requests from HTTPS to HTTP, and send only the origin (scheme and domain, without the path) on requests across different domains. This means:

  • If you allow users to access your private content from https://preventdirectaccess.com/*, for example, the content link must be hosted on an HTTPS website too.
  • If you allow users to access your private content (https://siteA.com/private-content) from a different domain (https://siteB.com/referrer-link), the referrer rule must contain domain name only (https://siteB.com/*).

Limitation: Our feature won’t work properly if you use referrerpolicy="origin".
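The sketch below is an added example, not PPP Gold's own code. It models which Referer value a browser sends under strict-origin-when-cross-origin and checks it against `*` wildcard rules, showing why a full-URL rule fails across domains while a domain-only rule passes. The hosts, paths and matching details (anchored, case-sensitive) are assumptions.

```javascript
// Added example. Models the Referer value a browser sends under
// strict-origin-when-cross-origin, then checks it against wildcard rules.
// Hosts, paths and the matching details are assumptions, not PPP Gold code.

// Referer sent when a link on `fromUrl` is followed to `toUrl` (null = none).
function refererSent(fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  if (from.origin === to.origin) {
    from.hash = '';               // fragments are never sent
    return from.href;             // same origin: full URL
  }
  if (from.protocol === 'https:' && to.protocol === 'http:') {
    return null;                  // HTTPS -> HTTP downgrade: nothing sent
  }
  return from.origin + '/';       // cross origin: scheme and host only
}

// Turn a rule into an anchored RegExp where `*` matches any sequence,
// including the empty one; every other character is literal.
function ruleToRegExp(rule) {
  const literal = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  return new RegExp('^' + rule.split('*').map(literal).join('.*') + '$');
}

// A missing Referer is handled like direct access: no rule can match it.
function isAllowed(referer, rules) {
  return referer !== null && rules.some((r) => ruleToRegExp(r).test(referer));
}

function check(fromUrl, toUrl, rules) {
  const referer = refererSent(fromUrl, toUrl);
  return { referer, allowed: isAllowed(referer, rules) };
}

// Constructed sample data.
const target = 'https://site-a.example/private-content';
const crossPage = 'https://site-b.example/referrer-link';
const results = {
  fullUrlRule: check(crossPage, target, ['https://site-b.example/referrer-link']),
  domainRule: check(crossPage, target, ['https://site-b.example/*']),
  sameOrigin: check('https://site-a.example/members/?p=2#top', target,
                    ['https://site-a.example/members/*']),
  downgrade: check(crossPage, 'http://site-a.example/private-content',
                   ['https://site-b.example/*']),
};
console.log(results);
```

When writing a domain rule, end the host with `/` before the `*`: under this matching, `https://site-b.example*` would also accept any other host whose name merely begins with that string.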

target="_blank" and rel="noreferrer noopener"

Since WordPress version 4.7.4, when users set target="_blank" on a hyperlink, rel="noreferrer noopener" is added automatically to the link too. This is part of a security issue fix of TinyMCE on 23rd Nov 2016.

This default WordPress feature will prevent you from whitelisting or blocking users via referrer links as well.

Troubleshooting

If the referrer URLs function doesn’t work, it might be due to one of the following reasons.

  • You’re using a caching plugin or enabling server cache.
    • Solution: Exclude the protected page from your cache.

You can often do this under the settings page of your caching plugin. However, some hosting providers might require you to disable server cache from the server account or contact the hosting support team to set up a caching exclusion for a page.

  • You’re redirecting users from an HTTP site.
  • You’re redirecting users from a different domain.
    • Solution: Due to the strict-origin-when-cross-origin policy, the referrer rules must contain the domain name only (instead of full referrer URLs), e.g. https://your-site.com/*
  • The protected page is opened in a new tab.

Last updated on May 13, 2021