Does Installing Google Tag Manager Compromise Server Security?
-
Greetings MOZ community!!!
Both my hosting company and developer have told me that in order to install Google Tag Manager it is necessary to disable the rule securing against malicious i-frame attacks in Mod Security and that this would leave the site (we operate on a virtual private server and our hosting company is InMotion Hosting) extremely vulnerable to attack.
I can't believe that Google would write code that could allow potential security issues? Is this true?
Does anyone know of a way to install GTM while maintaining site security?
What functionality will we lose if we choose to stick with the old version of Google Analytics rather than upgrade?
Thanks everyone!!!
Alan -
And to be clear - you CAN run the newer Universal version of Google Analytics without needing to use Tag Manager. There are some management advantages to running Analytics from within Tag Manager, especially if you are managing a large number of other tracking tools in it as well, but it is not required in order to run Universal.
If you want a terrific Analytics plugin for WordPress that handles Universal really well, have a look at Google Analyticator. It also allows easy implementation of event tracking, and you can even customise the snippet manually for additional capabilities if you wish. (I always add config to track pagespeed for 100% of pageviews, for example).
Hope that helps?
Paul
-
No, it won't, unless your GTM account is compromised.
-
Alan,
I would have to say they don't know what they are talking about. Mod_sec is in a sense like an IP blacklist: if no one ever changes it, it is pretty ineffective in terms of security. I would imagine that InMotion is running a configuration that they have been running for 5 years with no updates. Mod_sec is an old module; there really was a time when it was more useful, but Apache and PHP have been updated to be pretty secure by themselves.
On another note, I develop pretty much exclusively in Prestashop, and Prestashop is a partner with InMotion Hosting. Inside Prestashop is a method to disable mod_sec that runs on InMotion's servers. They don't seem to have an issue with that. Here is a screenshot of it: http://screencast.com/t/gDqO9a8axf
I would think you can safely disable it, but at the same time I would still install a WordPress security plugin just to keep WordPress safe; it has a lot of security holes.
-
Thanks for your response, Lesley!!
Not worried about my password being hacked, but very concerned about disabling Mod Security, as both my developer and the hosting company have told me that could cause major security risks.
At the same time I have not seen any documentation about sites running GTM ever getting hacked. Our site runs on WordPress in a virtual server environment. Are you saying that disabling Mod Security in this environment is not going to increase risks of getting hacked in a major way? It is really strange, as tech support at InMotion Hosting strongly advised against disabling Mod Security. At the same time I would like the more advanced features available with GTM.
Thoughts??
Thanks, Alan
-
There is an inherent risk with everything you do. Putting a webpage up itself can put you at risk for being hacked. But as for GTM, the risk is very low, but the burden is all on your shoulders. If someone gains access to your GTM they can execute malicious code on your site, yes. But the only way they are going to gain access to the account is because of bad security practices by whoever has or sets the passwords. If you use a weak password, someone might be able to guess it. Or if you use open, publicly accessible networks, someone can grab it that way. I would suggest turning two-factor identification on in your Gmail account and following good password practices. Don't use the same password for any other service, make a strong password, don't email the password to other people, things like that.
As for mod_sec, it is more of a problem for most cases than it is good for anymore, in my opinion. A lot of web applications need it totally disabled to run correctly, or major parts of it. Also, if no one is actively monitoring it and adding to it, it is pretty much useless.
Here is a great comic on setting your password to a strong one. http://xkcd.com/936/
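On the original question of installing GTM without turning ModSecurity off, here is an added example (not part of the thread, and not InMotion's or Google's code): it reads ModSecurity denials from an Apache error log, keeps only those the site's own administrator triggered under the admin path, and emits a `SecRuleRemoveById` exclusion scoped to that path. The log lines, rule ids, IP addresses and the `/wp-admin/` scope are constructed assumptions, and the parser assumes Apache 2.2-style error-log lines.

```python
import re
from collections import Counter

# Constructed Apache 2.2-style error-log lines; every rule id, address and
# path here is a placeholder, none of it comes from the thread.
SAMPLE_LOG = """\
[Tue Mar 04 10:12:01 2014] [error] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<iframe" at ARGS:content. [file "/etc/modsec/rules.conf"] [line "41"] [id "9990001"] [msg "iframe in request"] [hostname "www.example.com"] [uri "/wp-admin/post.php"]
[Tue Mar 04 10:13:30 2014] [error] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<iframe" at ARGS:header_scripts. [file "/etc/modsec/rules.conf"] [line "41"] [id "9990001"] [msg "iframe in request"] [hostname "www.example.com"] [uri "/wp-admin/options.php"]
[Tue Mar 04 10:14:02 2014] [error] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "union select" at ARGS:q. [file "/etc/modsec/rules.conf"] [line "77"] [id "9990002"] [msg "SQL keyword"] [hostname "www.example.com"] [uri "/index.php"]
[Tue Mar 04 10:14:40 2014] [error] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "eval" at ARGS:action. [file "/etc/modsec/rules.conf"] [line "90"] [id "9990003"] [msg "code keyword"] [hostname "www.example.com"] [uri "/wp-admin/admin-ajax.php"]
[Tue Mar 04 10:15:00 2014] [notice] caught SIGTERM, shutting down
"""

FIELD = re.compile(r'\[(\w+) "([^"]*)"\]')           # [id "..."], [uri "..."]
CLIENT = re.compile(r'\[client ([^\]]+)\]')
TARGET = re.compile(r' at ([A-Z_]+(?::[\w-]+)?)\.')  # e.g. ARGS:content


def parse_denials(log_text):
    """Return one dict per ModSecurity denial: client, id, uri, variable."""
    denials = []
    for line in log_text.splitlines():
        if "ModSecurity: Access denied" not in line:
            continue  # skip unrelated Apache messages
        fields = dict(FIELD.findall(line))
        client = CLIENT.search(line)
        target = TARGET.search(line)
        denials.append({
            "client": client.group(1) if client else None,
            "id": fields.get("id"),
            "uri": fields.get("uri"),
            "variable": target.group(1) if target else None,
        })
    return denials


def render_exclusion(denials, admin_ip, uri_prefix="/wp-admin/"):
    """Build a <Location> block that removes only the rules admin_ip tripped."""
    hits = Counter(
        d["id"] for d in denials
        if d["id"] and d["client"] == admin_ip
        and (d["uri"] or "").startswith(uri_prefix)
    )
    if not hits:
        return ""  # nothing to exclude; leave the rule set untouched
    body = ["    SecRuleRemoveById %s" % rule_id for rule_id in sorted(hits)]
    return "\n".join(['<Location "%s">' % uri_prefix] + body + ["</Location>"])
```

The excluded rule stays active for the rest of the site, and denials from other clients against the same path are ignored rather than turned into exclusions.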