Does Installing Google Tag Manager Compromise Server Security?
-
Greetings MOZ community!!!
Both my hosting company and developer have told me that in order to install Google Tag Manager it is necessary to disable the rule securing against malicious i-frame attacks in Mod Security and that this would leave the site (we operate on a virtual private server and our hosting company is InMotion Hosting) extremely vulnerable to attack.
I can't believe that Google would write code that could allow potential security issues? Is this true?
Does anyone know of a way to install GTM while maintaining site security?
What functionality will we lose if we choose to stick with the old version of Google Analytics rather than upgrade?
Thanks everyone!!!
Alan -
And to be clear - you CAN run the newer Universal version of Google Analytics without needing to use Tag Manager. There are some management advantages to running Analytics from within Tag Manager, especially if you are managing a large number of other tracking tools in it as well, but it is not required in order to run Universal.
If you want a terrific Analytics plugin for WordPress that handles Universal really well, have a look at Google Analyticator. It also allows easy implementation of event tracking, and you can even customise the snippet manually for additional capabilities if you wish. (I always add config to track pagespeed for 100% of pageviews, for example).
Hope that helps?
Paul
-
No, it won't, unless your GTM account is compromised.
-
Alan,
I would have to say they don't know what they are talking about. Mod_sec is in a sense like an IP blacklist: if no one ever changes it, it is pretty ineffective in terms of security. I would imagine that InMotion is running a configuration that they have been running for 5 years with no updates. Mod_sec is an old module, and there really was a time when it was more useful, but Apache and PHP have been updated to be pretty secure by themselves.
On another note, I develop pretty much exclusively in Prestashop, and Prestashop is a partner with InMotion Hosting. Inside Prestashop is a method to disable mod_sec that runs on InMotion's servers. They don't seem to have an issue with that. Here is a screenshot of it: http://screencast.com/t/gDqO9a8axf
I would think you can safely disable it, but at the same time I would still install a WordPress security plugin just to keep WordPress safe; it has a lot of security holes.
-
Thanks for your response, Lesley!!
Not worried about my password being hacked but very concerned about disabling Mod Security, as both my developer and the hosting company have told me that could cause major security risks.
At the same time I have not seen any documentation about sites running GTM ever getting hacked. Our site runs on WordPress in a virtual server environment. Are you saying that disabling Mod Security in this environment is not going to increase risks of getting hacked in a major way? It is really strange, as tech support at InMotion Hosting strongly advised against disabling Mod Security. At the same time I would like the more advanced features available with GTM.
Thoughts??
Thanks, Alan
-
There is an inherent risk with everything you do. Putting a webpage up itself can put you at risk for being hacked. But as for GTM, the risk is very low, but the burden is all on your shoulders. If someone gains access to your GTM they can execute malicious code on your site, yes. But the only way they are going to gain access to the account is because of bad security practices by whoever has or sets the passwords. If you use a weak password, someone might guess it. Or if you use open publicly accessible networks, someone can grab it that way. I would suggest turning two-factor identification on in your Gmail account and following good password practices. Don't use the same password for any other service, make a strong password, don't email the password to other people, things like that.
As for mod_sec, it is more of a problem for most cases than it is good for anymore, in my opinion. A lot of web applications need it totally disabled to run correctly, or major parts of it. Also, if no one is actively monitoring it and adding to it, it is pretty much useless.
Here is a great comic on setting your password to a strong one. http://xkcd.com/936/
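
An added example, not part of any post in this thread and not InMotion's or Google's code: rather than switching ModSecurity off for the whole site, it reads the denials from the Apache error log, finds which rule ids actually blocked requests under one path, and emits a `SecRuleRemoveById` exclusion limited to that path. The log lines, the rule ids 900001 and 900002, the paths, and the assumption that the block occurs when the GTM snippet is saved through a WordPress admin form are all constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the ModSecurity 2.x Apache error-log style.
# Rule ids, file paths and client addresses are placeholders.
SAMPLE_LOG = """\
[Tue Mar 03 10:15:22 2015] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<iframe" at ARGS:newcontent. [file "/etc/modsec/custom.conf"] [line "42"] [id "900001"] [msg "Constructed: iframe tag in request"] [hostname "example.com"] [uri "/wp-admin/theme-editor.php"] [unique_id "AAA1"]
[Tue Mar 03 10:16:05 2015] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<iframe" at ARGS:content. [file "/etc/modsec/custom.conf"] [line "42"] [id "900001"] [msg "Constructed: iframe tag in request"] [hostname "example.com"] [uri "/wp-admin/post.php"] [unique_id "AAA2"]
[Tue Mar 03 10:16:40 2015] [error] [client 203.0.113.7] File does not exist: /var/www/favicon.ico
[Tue Mar 03 10:17:31 2015] [error] [client 198.51.100.9] ModSecurity: Access denied with code 403 (phase 2). Pattern match "union select" at ARGS:q. [file "/etc/modsec/custom.conf"] [line "77"] [id "900002"] [msg "Constructed: SQL keyword in request"] [hostname "example.com"] [uri "/contact"] [unique_id "AAA3"]
"""

# Matches the bracketed key/value metadata, e.g. [id "900001"] or [uri "/x"].
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def parse_denials(log_text):
    """Return one dict of bracketed fields per ModSecurity denial line."""
    events = []
    for line in log_text.splitlines():
        if "ModSecurity:" not in line or "Access denied" not in line:
            continue  # ordinary Apache errors are ignored
        fields = dict(FIELD.findall(line))
        if "id" in fields and "uri" in fields:
            events.append(fields)
    return events

def scoped_exclusions(events, path_prefix):
    """Count rule ids that fired under path_prefix and build an Apache
    <Location> block removing only those rules for that path."""
    counts = Counter(e["id"] for e in events if e["uri"].startswith(path_prefix))
    if not counts:
        return counts, ""
    config = (f'<Location "{path_prefix}">\n'
              f'    SecRuleRemoveById {" ".join(sorted(counts))}\n'
              f'</Location>')
    return counts, config

if __name__ == "__main__":
    hits, conf = scoped_exclusions(parse_denials(SAMPLE_LOG), "/wp-admin/")
    print(dict(hits))
    print(conf)
```

Rule 900002, which fired on `/contact`, stays enforced everywhere, and rule 900001 stays enforced outside the admin path.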