Attributing traffic sources properly in Google Analytics is key. However, a significant part of the traffic is attributed to "Direct", when it is actually not. The page "Module 2: Key Metrics, Dimensions and Traffic Sources" explains it all.
Check the source in Real-time Google Analytics with:
- (source=shd.ch): with rel = "noreferrer" not set.
- (source=direct): with rel = "noreferrer" set.
- (source=direct): the tag rel="noreferrer" not set but going from https to http
- (source=shd_UTM.ch): the tag rel="noreferrer" set AND http but with proper UTM codes
- (source=shd.ch): a vanity url, such as tinyurl.com/nicoDurandThroughTinyurl
- (source=shd_tinyUrl): a vanity url with UTM codes, such as tinyurl.com/tinyUrlWithUTMcodes
- Track broken links from an external domain (ideally, click here first and add something unique in the url)
- (source=facebook.com): with fbclid=fromSHD_Facebook - will make believe that it's a Facebook click.
In other words, setting the HTML tag rel = "noreferrer" OR going from https to http will automatically label incoming traffic as "Direct", except if proper UTM codes have been set. I've seen that first hand when this change was widely implemented (around 2016-17) and the traffic from Wikipedia to the World Bank sites dropped to almost nothing. Wikipedia was using https, and the WB http. It's all explained here. Obviously, now most sites are using https, but who knows what will come next in the name of privacy and security and break your measurement?