Does Installing Google Tag Manager Compromise Server Security?
-
Greetings MOZ community!!!
Both my hosting company and developer have told me that in order to install Google Tag Manager it is necessary to disable the rule securing against malicious i-frame attacks in Mod Security and that this would leave the site (we operate on a virtual private server and our hosting company is InMotion Hosting) extremely vulnerable to attack.
I can't believe that Google would write code that could allow potential security issues? Is this true?
Does anyone know of a way to install GTM while maintaining site security?
What functionality will we lose if we choose to stick with the old version of Google Analytics rather than upgrade?
Thanks everyone!!!
Alan -
And to be clear - you CAN run the newer Universal version of Google Analytics without needing to use Tag Manager. There are some management advantages to running Analytics from within Tag Manager, especially if you are managing a large number of other tracking tools in it as well, but it is not required in order to run Universal.
If you want a terrific Analytics plugin for WordPress that handles Universal really well, have a look at Google Analyticator. It also allows easy implementation of event tracking, and you can even customise the snippet manually for additional capabilities if you wish. (I always add config to track pagespeed for 100% of pageviews, for example).
Hope that helps?
Paul
-
No, it won't, unless your GTM account is compromised.
-
Alan,
I would have to say they don't know what they are talking about. Mod_sec is in a sense like an IP blacklist; if no one ever changes it, it is pretty ineffective in terms of security. I would imagine that InMotion is running a configuration that they have been running for 5 years with no updates. Mod_sec is an old module, and there really was a time when it was more useful, but Apache and PHP have been updated to be pretty secure by themselves.
On another note, I develop pretty much exclusively in Prestashop, and Prestashop is a partner with InMotion Hosting. Inside Prestashop is a method to disable mod_sec that runs on InMotion's servers. They don't seem to have an issue with that. Here is a screenshot of it: http://screencast.com/t/gDqO9a8axf
I would think you can safely disable it, but at the same time I would still install a WordPress security plugin just to keep WordPress safe; it has a lot of security holes.
-
Thanks for your response, Lesley!!
Not worried about my password being hacked but very concerned about disabling Mod Security, as both my developer and the hosting company have told me that could cause major security risks.
At the same time I have not seen any documentation about sites running GTM ever getting hacked. Our site runs on WordPress in a virtual server environment. Are you saying that disabling Mod Security in this environment is not going to increase risks of getting hacked in a major way? It is really strange, as tech support at InMotion Hosting strongly advised against disabling Mod Security. At the same time I would like the more advanced features available with GTM.
Thoughts??
Thanks, Alan
-
There is an inherent risk with everything you do. Putting a webpage up itself can put you at risk for being hacked. But as for GTM, the risk is very low, but the burden is all on your shoulders. If someone gains access to your GTM they can execute malicious code on your site, yes. But the only way they are going to gain access to the account is because of bad security practices for whoever has or sets the passwords. If you use a weak password, someone might guess it. Or if you use open, publicly accessible networks, someone can grab it that way. I would suggest turning two-factor identification on in your Gmail account and following good password practices. Don't use the same password for any other service, make a strong password, don't email the password to other people, things like that.
As for mod_sec, it is more of a problem for most cases than it is good for anymore, in my opinion. A lot of web applications need it totally disabled to run correctly, or major parts of it. Also, if no one is actively monitoring it and adding to it, it is pretty much useless.
Here is a great comic on setting your password to a strong one. http://xkcd.com/936/
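On the question of installing GTM without turning ModSecurity off wholesale: one option is to identify the single rule that denied the request and exclude only that rule for the one affected path. The sketch below is an added example, not part of any post in this thread; it assumes ModSecurity v2 logging to the Apache error log, and the log lines, rule ids and paths are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample of ModSecurity v2 entries in an Apache error log.
# Rule ids, paths and messages are placeholders, not values from the thread.
SAMPLE_LOG = '''\
[Tue Mar 04 10:01:12 2014] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<iframe" at ARGS:snippet. [file "/etc/modsec/rules.conf"] [line "40"] [id "999001"] [msg "constructed: iframe in request body"] [hostname "example.test"] [uri "/wp-admin/options.php"] [unique_id "AAAA"]
[Tue Mar 04 10:02:40 2014] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<iframe" at ARGS:snippet. [file "/etc/modsec/rules.conf"] [line "40"] [id "999001"] [msg "constructed: iframe in request body"] [hostname "example.test"] [uri "/wp-admin/options.php"] [unique_id "AAAB"]
[Tue Mar 04 10:05:03 2014] [error] [client 198.51.100.9] ModSecurity: Access denied with code 403 (phase 2). Pattern match "union select" at ARGS:id. [file "/etc/modsec/rules.conf"] [line "88"] [id "999002"] [msg "constructed: SQL injection"] [hostname "example.test"] [uri "/index.php"] [unique_id "AAAC"]
'''

# ModSecurity appends metadata as [key "value"] pairs after the message text.
FIELD = re.compile(r'\[(id|msg|uri) "([^"]*)"\]')


def blocked_rules(log_text):
    """Map each request path to the set of rule ids that denied it."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if "ModSecurity: Access denied" not in line:
            continue
        fields = dict(FIELD.findall(line))
        if "id" in fields and "uri" in fields:
            hits[fields["uri"]].add(fields["id"])
    return hits


def scoped_exclusion(path, rule_ids):
    """Render an Apache block that removes only these rules for one path."""
    ids = " ".join(sorted(rule_ids))
    return (
        f'<LocationMatch "^{re.escape(path)}$">\n'
        f"    SecRuleRemoveById {ids}\n"
        "</LocationMatch>"
    )


if __name__ == "__main__":
    hits = blocked_rules(SAMPLE_LOG)
    # Only the path where the tag snippet is saved gets an exclusion;
    # the unrelated SQL injection hit on /index.php stays enforced.
    admin_path = "/wp-admin/options.php"  # hypothetical path
    print(scoped_exclusion(admin_path, hits[admin_path]))
```

The rendered block leaves `SecRuleEngine On` and every other rule in force, so the host can review a one-rule, one-path exception instead of a request to disable the module.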