NoFollowr Security & Risk Analysis
wordpress.org/plugins/nofollowrBrowsing a site as an admin, icons are added to external links indicating their nofollow status. Clicking the icons toggles nofollow status via Ajax.
Is NoFollowr Safe to Use in 2026?
Generally Safe
Score 85/100NoFollowr has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.
The nofollowr plugin v1.2.0 exhibits a generally strong security posture based on the static analysis. The absence of any identified dangerous functions, raw SQL queries, file operations, external HTTP requests, and the complete reliance on prepared statements for SQL indicate good development practices. Furthermore, the lack of critical or high severity taint flows suggests that the plugin is not introducing obvious vulnerabilities related to data handling.
However, there are a few areas that warrant attention. The complete lack of nonce checks, coupled with the presence of capability checks without clear indication of their scope, raises a minor concern. While the attack surface appears to be zero, the absence of nonce checks could become a vulnerability if any entry points were to be introduced in future updates or if the existing capability checks are not robust enough to prevent privilege escalation. The imperfect output escaping, with 20% of outputs not being properly escaped, also presents a potential risk for cross-site scripting (XSS) vulnerabilities, albeit likely of lower severity given the limited scope of outputs.
Notably, the plugin has no recorded vulnerability history, which is a positive sign. This suggests a history of secure development or diligent patching of any past issues. Overall, nofollowr appears to be a secure plugin with a good track record, but the minor concerns around output escaping and the complete absence of nonce checks should be monitored, especially if the plugin's functionality or attack surface expands in the future.
Key Concerns
- 20% of outputs not properly escaped
- 0 nonce checks present
NoFollowr Security Vulnerabilities
NoFollowr Code Analysis
Output Escaping
NoFollowr Attack Surface
WordPress Hooks 5
Maintenance & Trust
NoFollowr Maintenance & Trust
Maintenance Signals
Community Trust
NoFollowr Alternatives
External & Affiliate Links Processor
external-links-nofollow-open-in-new-tab-favicon
Process outbound (external) links to make useful changes, including adding affiliate ID tags, rel=nofollow or target=_blank attributes, and adding ico …
Auto External Link Nofollow
auto-external-link-nofollow
Automatically adds rel="nofollow noopener noreferrer" to all external links in post and page content.
Nofollow Adder WordPress Plugin
nofollow-adder
A simple plugin to add 'nofollow' relation attribute to all external links.
External Links – nofollow, noopener & new window
wp-external-links
Internal links & external links manager: open in new window or tab, control nofollow, ugc, sponsored & noopener. SEO friendly.
External Links
sem-external-links
The external links plugin for WordPress lets you process outgoing links differently from internal links.
NoFollowr Developer Profile
1 plugin · 200 total installs
How We Detect NoFollowr
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
/wp-content/plugins/nofollowr/css/NoFollowr-min.css/wp-content/plugins/nofollowr/js/NoFollowr-min.js/wp-content/plugins/nofollowr/js/NoFollowr-min.jsnofollowr/css/NoFollowr-min.css?ver=nofollowr/js/NoFollowr-min.js?ver=HTML / DOM Fingerprints
jbPostid="jbID-class="jbPost"jbirchPlugin