Does Installing Google Tag Manager Compromise Server Security?
-
Greetings MOZ community!!!
Both my hosting company and developer have told me that in order to install Google Tag Manager it is necessary to disable the rule securing against malicious i-frame attacks in Mod Security and that this would leave the site (we operate on a virtual private server and our hosting company is InMotion Hosting) extremely vulnerable to attack.
I can't believe that Google would write code that could allow potential security issues? Is this true?
Does anyone know of a way to install GTM while maintaining site security?
What functionality will we lose if we choose to stick with the old version of Google Analytics rather than upgrade?
Thanks everyone!!!
Alan -
And to be clear - you CAN run the newer Universal version of Google Analytics without needing to use Tag Manager. There are some management advantages to running Analytics from within Tag Manager, especially if you are managing a large number of other tracking tools in it as well, but it is not required in order to run Universal.
If you want a terrific Analytics plugin for WordPress that handles Universal really well, have a look at Google Analyticator. It also allows easy implementation of event tracking, and you can even customise the snippet manually for additional capabilities if you wish. (I always add config to track pagespeed for 100% of pageviews, for example).
Hope that helps?
Paul
-
No, it won't, unless your GTM account is compromised.
-
Alan,
I would have to say they don't know what they are talking about. Mod_sec is in a sense like an IP blacklist: if no one ever changes it, it is pretty ineffective in terms of security. I would imagine that InMotion is running a configuration that they have been running for 5 years with no updates. Mod_sec is an old module that there really was a time when it was more useful, but Apache has been updated, and PHP, to be pretty secure by itself.
On another note, I develop pretty much exclusively in Prestashop, and Prestashop is a partner with InMotion Hosting. Inside Prestashop is a method to disable mod_sec that runs on InMotion's servers. They don't seem to have an issue with that. Here is a screenshot of it: http://screencast.com/t/gDqO9a8axf
I would think you can safely disable it, but at the same time I would still install a WordPress security plugin just to keep WordPress safe; it has a lot of security holes.
-
Thanks for your response, Lesley!!
Not worried about my password being hacked, but very concerned about disabling Mod Security, as both my developer and the hosting company have told me that could cause major security risks.
At the same time I have not seen any documentation about sites running GTM ever getting hacked. Our site runs on WordPress in a virtual server environment. Are you saying that disabling Mod Security in this environment is not going to increase risks of getting hacked in a major way? It is really strange, as tech support at InMotion Hosting strongly advised against disabling Mod Security. At the same time I would like the more advanced features available with GTM.
Thoughts??
Thanks, Alan
-
There is an inherent risk with everything you do. Putting a webpage up itself can put you at risk for being hacked. But as for GTM, the risk is very low, but the burden is all on your shoulders. If someone gains access to your GTM they can execute malicious code on your site, yes. But the only way they are going to gain access to the account is because of bad security practices by whoever has or sets the passwords. If you use a weak password, someone might guess it. Or if you use open, publicly accessible networks, someone can grab it that way. I would suggest turning two-factor identification on in your Gmail account and following good password practices. Don't use the same password for any other service, make a strong password, don't email the password to other people, things like that.
As for mod_sec, it is more of a problem for most cases than it is good for any more, in my opinion. A lot of web applications need it totally disabled to run correctly, or major parts of it. Also if no one is actively monitoring it and adding to it, it is pretty much useless.
Here is a great comic on setting your password to a strong one. http://xkcd.com/936/
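An added example, not part of the thread and not configuration from InMotion Hosting or Google: the two choices discussed above are disabling one ModSecurity rule or disabling ModSecurity altogether, and the sketch below shows the narrower option, where a single rule is excluded for a single path while the engine keeps enforcing everywhere else. The rule ID `999999` is a placeholder (the real ID appears in the `[id "..."]` field of the ModSecurity audit log entry for the blocked request), and the `/wp-admin/` path is an assumption about where the GTM snippet, which contains an `<iframe>` fallback, is being submitted.

```apache
# Constructed example for ModSecurity 2.x on Apache.
# 999999 is a placeholder, not the ID of any real rule.

# Broad option raised in the thread: switch the whole engine off.
# Every rule stops protecting every URL on the site.
# SecRuleEngine Off

<IfModule security2_module>
    # Keep the engine in blocking mode for the site as a whole.
    SecRuleEngine On

    # Narrow option: remove only the one rule that matches the snippet,
    # and only under the (assumed) admin path where it is saved.
    # Public pages keep the full rule set, including this rule.
    <LocationMatch "^/wp-admin/">
        SecRuleRemoveById 999999
    </LocationMatch>
</IfModule>
```

On managed hosting this usually has to be applied by the provider, so the audit log entry with the rule ID and the request path is the information to hand to support.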