WordPress.org

Languages: English • Sending Referrers 日本語 (Add your language)

Your WordPress installation checks sending referrers as a basic form of security to protect your admin area from unauthorized users; disabling it in your WP install would be a bad idea.

How Does It Work? WordPress 2.0.2-

Whenever you want to write a new post, make changes to your blog's layout, or perform any other administrative task, WordPress requires you to log in to a protected admin area. (You log in by submitting the user name and password given to you at the end of installation.) The log in acts as a basic security measure, protecting your blog's admin options from being accessed by unauthorized users.

Once WordPress has identified you as an authorized user with permission to make changes, you can access any of the protected admin options. All the pages within the admin area remain secure, without the nuisance of your having to log in to each page individually. Any additional admin page you choose can verify your status by checking to see which page you just came from.

It does this by checking the referrer that the browser passes to it.

As an example, let's say you are on the main page at www.wordpress.org and you click the link to Get Firefox. Although you can't see it, when you get to the Firefox page, the browser tells the new page which page you just came from. This information is called the 'referrer.' If you have any sort of statistics program or script that monitors traffic to your site, the information it reports to you has been compiled from the referrers.

Those of us who use WordPress and are familiar with its structure know where the file post.php is most likely to be on other WordPress sites, yet we can't go blogging freely across any WordPress site. Even though we know where to look for the page, if we try to access it we will be redirected. This happens because the referrer information the browser supplies to the page shows that you have not successfully logged in.

How do I Enable Sending Referrers?

Unfortunately, there may not be simple straight forward answer. Listed below are methods to enable this function, so please check both what is listed for your browser and also your firewall.

If the program you use is not listed, study what is given for the others - the principle is the same throughout, it is just the method which differs between programs.

I had the same problem, so I went into the cpanel of my server, then to phpMyAdmin, and brought up the WordPress tables, found and edited the wp-options to include the /wordpress/ folder in the url. That did the trick.

Internet Explorer 6

This can be done from the computer's Control Panel > Internet Options, or from within the browser Tools > Internet Options.

1. Click Security.
2. Click Trusted Sites then Sites.
3. Add your website address in the box provided and click Add.
4. Uncheck the box that requires https verification.
5. Click the Privacy tab (Medium is an acceptable setting on the slider, but click Sites and again enter your website address)/
6. Now click Allow.
7. Click Apply.

This has only altered settings for your website and this does not otherwise affect your browsing.

Firefox 1.0+

RefControl

Use the RefControl extention for Firefox: https://addons.mozilla.org/firefox/953/

Manually Setting

Warning: this method may be considered as a privacy risk as all sites will receive referers.

1. Type about:config in the URL address bar.
2. A large collection of alphabetically listed information will appear in the browser window.
3. Search for network.http.sendRefererHeader.
4. By default, this should be set at 2.
5. If it is set to 0 - which disables sending referrers - right click it, select Modify and enter 2 as the value.
6. If that doesn't work, try a value of 1

See http://kb.mozillazine.org/Network.http.sendRefererHeader for more information.

Opera

Sending referrers is enabled by default.

If you have disabled it, go to Tools > Preferences > Privacy and re-enable it.

K-Meleon

Sending referrers is enabled by default.

If you have disabled it, go to Tools > Privacy > Block referrers (if already checked)

Norton Internet Security

Go to Privacy Control > Advanced > Add Site.

Add your URL (ie. example.com) and make sure everything is permitted.

Norton Personal

Some web pages require referrer information before allowing you to view their page. If you want to allow referrer information to pass to a particular web page, you must create a rule for it.

To Create a Rule

Open Norton Internet Security or Norton Personal Firewall and choose one of the following:

In Norton Internet Security/Norton Personal Firewall 2003

1. Click Options > Internet Security or
2. Personal Firewall (This step is not always needed) and click the Web Content tab

In Norton Internet Security/Norton Personal Firewall 2004

1. Double-click Privacy Control
2. Click Advanced
3. Click Add Site (A new site/domain box appears)
4. Enter the name of the site that you want to receive the referrer information and click OK. In this example, it will be www.symantec.com. The site name appears in the left frame of the Options window.
5. Click the name of the new site
6. Click the Global Settings tab
7. In the "Information about visited sites" section, clear "Use default settings"
8. Click Permit
9. Click OK to close the Options window

Norton Support Reference

Netbarrier

Go to Privacy > Surf > Information Hiding, and uncheck the "Last Web site visited" box.

Sygate Firewall

The free version of this firewall does not block sending referrers.

The Pro version:

Click Tools > Options > Security

Ensure that 'enable stealth mode browsing' is unchecked.

Kerio Firewall 4

Turn ON the HTTP referrer under the privacy tab of web filtering.

Zone Alarm Pro

• Under Privacy Button on Left, Click on Site List Tab.
• Right click on "Private Header" column where WordPress URL is located. Or click "Add" to add the URL.
• From the menu, choose Options
• On the first tab named "Cookies", remove checkmark on "third party cookies - remove private header information"
• Click OKAY

Agnitum Outpost Firewall Pro 2008

1. Click on Settings.
2. Click on Web Control.
3. In web control level, clic on customize and then change to allow referrers.

McAfee

1. Right-click the red M icon.
2. Click Privacy Service.
3. Click Options.
4. The McAfee Privacy Service window appears. Click Cookies.
5. Enter each website address from which you would like to allow cookies.
6. Click Add.
7. Once completed, close the window

Privoxy

This might apply to other local proxy servers and ad busters. There is a "+hide-referrer" option that defaults to "forge a url" in the referral header; either disable this option in default.action (-hide-referrer) or simply place your domain in the { fragile } section of user.action. Another option is to exclude your domain from being proxied in your web browser's setings.

Other Methods

If the methods outlined above fail to resolve the problem, there are a few other possible solutions:

• Check CURL's library is installed
• Delete your cookies.
  • This is helpful if you've recently made any changes to your path structure or domain.
• WP 2.0 Only - Delete the wp-content/cache folder. This would be necessary if you just finished Moving WordPress, since the cache retains the previous URI/URL even if changed directly in your database.
• Rename the .htaccess file, if it exists.
  • Under certain configurations, mod_rewrite can interfere with database access causing WordPress to have an incorrect siteurl setting.
• Verify the siteurl setting in the wp_options table of your database is set to the root folder of your WordPress installation.
  • For example: you may have entered http://example.com as the URL which resolves correctly because of DNS but will fail as a referrer unless http://example.com is the siteurl in the database.
• Subdomains may also create problems.
  • You may have created a subdomain blog.example.com, and installed WordPress into www.example.com/blog. Under Options, General look for the WordPress address (URI): field. Change it to read: http://www.example.com/blog. The Blog address (URI): field should still read http://blog.example.com