Does Installing Google Tag Manager Compromise Server Security?
-
Greetings MOZ community!!!
Both my hosting company and developer have told me that in order to install Google Tag Manager it is necessary to disable the rule securing against malicious i-frame attacks in Mod Security and that this would leave the site (we operate on a virtual private server and our hosting company is InMotion Hosting) extremely vulnerable to attack.
I can't believe that Google would write code that could allow potential security issues? Is this true?
Does anyone know of a way to install GTM while maintaining site security?
What functionality will we lose if we choose to stick with the old version of Google Analytics rather than upgrade?
Thanks everyone!!!
Alan -
And to be clear - you CAN run the newer Universal version of Google Analytics without needing to use Tag Manager. There are some management advantages to running Analytics from within Tag Manager, especially if you are managing a large number of other tracking tools in it as well, but it is not required in order to run Universal.
If you want a terrific Analytics plugin for WordPress that handles Universal really well, have a look at Google Analyticator. It also allows easy implementation of event tracking, and you can even customise the snippet manually for additional capabilities if you wish. (I always add config to track pagespeed for 100% of pageviews, for example).
Hope that helps?
Paul
-
No, it won't, unless your GTM account is compromised.
-
Alan,
I would have to say they don't know what they are talking about. Mod_sec is in a sense like an IP blacklist: if no one ever changes it, it is pretty ineffective in terms of security. I would imagine that InMotion is running a configuration that they have been running for 5 years with no updates. Mod_sec is an old module, and there really was a time when it was more useful, but Apache and PHP have been updated to be pretty secure by themselves.
On another note, I develop pretty much exclusively in Prestashop, and Prestashop is a partner with InMotion Hosting. Inside Prestashop is a method to disable mod_sec that runs on InMotion's servers. They don't seem to have an issue with that. Here is a screenshot of it: http://screencast.com/t/gDqO9a8axf
I would think you can safely disable it, but at the same time I would still install a WordPress security plugin just to keep WordPress safe; it has a lot of security holes.
-
Thanks for your response, Lesley!!
Not worried about my password being hacked but very concerned about disabling Mod Security, as both my developer and the hosting company have told me that could cause major security risks.
At the same time I have not seen any documentation about sites running GTM ever getting hacked. Our site runs on WordPress in a virtual server environment. Are you saying that disabling Mod Security in this environment is not going to increase risks of getting hacked in a major way? It is really strange, as tech support at InMotion Hosting strongly advised against disabling Mod Security. At the same time I would like the more advanced features available with GTM.
Thoughts??
Thanks, Alan
-
There is an inherent risk with everything you do. Putting a webpage up itself can put you at risk for being hacked. But as for GTM, the risk is very low, but the burden is all on your shoulders. If someone gains access to your GTM they can execute malicious code on your site, yes. But the only way they are going to gain access to the account is because of bad security practices by whoever has or sets the passwords. If you use a weak password, someone might guess it. Or if you use open publicly accessible networks, someone can grab it that way. I would suggest turning two-factor identification on in your Gmail account and following good password practices. Don't use the same password for any other service, make a strong password, don't email the password to other people, things like that.
As for mod_sec, it is more of a problem for most cases than it is good for anymore, in my opinion. A lot of web applications need it totally disabled to run correctly, or major parts of it. Also if no one is actively monitoring it and adding to it, it is pretty much useless.
Here is a great comic on setting your password to a strong one. http://xkcd.com/936/
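An added example, not part of any post in this thread: a small audit that lists every iframe in a page's served HTML whose source host is not on a site-approved allowlist. GTM's noscript fallback is itself a zero-size hidden iframe, so the check keys on the exact source host rather than on visibility; the allowlist, the `GTM-XXXX` placeholder ID and the sample page are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts approved as iframe sources on this site (assumption: adjust per site).
ALLOWED_IFRAME_HOSTS = {"www.googletagmanager.com"}


class IframeAuditor(HTMLParser):
    """Collect every <iframe> in a page together with its source host."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        src = (dict(attrs).get("src") or "").strip()
        # urlsplit also resolves scheme-relative sources such as //host/path.
        host = (urlsplit(src).hostname or "").lower()
        self.iframes.append((src, host))


def unexpected_iframes(html, allowed=ALLOWED_IFRAME_HOSTS):
    """Return the src of each iframe whose host is not exactly allowlisted.

    Iframes with no absolute host (relative src, srcdoc, missing src) are
    reported too, so they get a manual look.
    """
    auditor = IframeAuditor()
    auditor.feed(html)
    auditor.close()
    return [src for src, host in auditor.iframes if host not in allowed]


# Constructed sample page: the GTM noscript fallback plus two iframes that
# should be flagged (an unknown host and a lookalike of the GTM host).
SAMPLE_PAGE = """
<body>
<noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-XXXX"
 height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>
<iframe src="http://injected.example/frame" width="0" height="0"></iframe>
<iframe src="https://www.googletagmanager.com.cdn.example/ns.html"></iframe>
</body>
"""

if __name__ == "__main__":
    for src in unexpected_iframes(SAMPLE_PAGE):
        print("unexpected iframe:", src)
```

This inspects only the HTML the server returns; tags that GTM injects at runtime in the browser do not appear in it.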