Does Installing Google Tag Manager Compromise Server Security?
-
Greetings MOZ community!!!
Both my hosting company and developer have told me that in order to install Google Tag Manager it is necessary to disable the rule securing against malicious i-frame attacks in Mod Security and that this would leave the site (we operate on a virtual private server and our hosting company is InMotion Hosting) extremely vulnerable to attack.
I can't believe that Google would write code that could allow potential security issues? Is this true?
Does anyone know of a way to install GTM while maintaining site security?
What functionality will we lose if we choose to stick with the old version of Google Analytics rather than upgrade?
Thanks everyone!!!
Alan -
And to be clear - you CAN run the newer Universal version of Google Analytics without needing to use Tag Manager. There are some management advantages to running Analytics from within Tag Manager, especially if you are managing a large number of other tracking tools in it as well, but it is not required in order to run Universal.
If you want a terrific Analytics plugin for WordPress that handles Universal really well, have a look at Google Analyticator. It also allows easy implementation of event tracking, and you can even customise the snippet manually for additional capabilities if you wish. (I always add config to track pagespeed for 100% of pageviews, for example).
Hope that helps?
Paul
-
No, it won't, unless your GTM account is compromised.
-
Alan,
I would have to say they don't know what they are talking about. Mod_sec is in a sense like an IP blacklist: if no one ever changes it, it is pretty ineffective in terms of security. I would imagine that InMotion is running a configuration that they have been running for 5 years with no updates. Mod_sec is an old module, and there really was a time when it was more useful, but Apache and PHP have been updated to be pretty secure by themselves.
On another note, I develop pretty much exclusively in Prestashop, and Prestashop is a partner with InMotion Hosting. Inside Prestashop is a method to disable mod_sec that runs on InMotion's servers. They don't seem to have an issue with that. Here is a screenshot of it: http://screencast.com/t/gDqO9a8axf
I would think you can safely disable it, but at the same time I would still install a WordPress security plugin just to keep WordPress safe; it has a lot of security holes.
-
Thanks for your response, Lesley!!
Not worried about my password being hacked, but very concerned about disabling Mod Security, as both my developer and the hosting company have told me that could cause major security risks.
At the same time I have not seen any documentation about sites running GTM ever getting hacked. Our site runs on WordPress in a virtual server environment. Are you saying that disabling Mod Security in this environment is not going to increase risks of getting hacked in a major way? It is really strange, as tech support at InMotion Hosting strongly advised against disabling Mod Security. At the same time I would like the more advanced features available with GTM.
Thoughts??
Thanks, Alan
-
There is an inherent risk with everything you do. Putting a webpage up itself can put you at risk of being hacked. But as for GTM, the risk is very low, but the burden is all on your shoulders. If someone gains access to your GTM they can execute malicious code on your site, yes. But the only way they are going to gain access to the account is because of bad security practices by whoever has or sets the passwords. If you use a weak password, someone might be able to guess it. Or if you use open, publicly accessible networks, someone can grab it that way. I would suggest turning two-factor identification on in your Gmail account and following good password practices. Don't use the same password for any other service, make a strong password, don't email the password to other people, things like that.
As for mod_sec, it is more of a problem in most cases than it is good for anymore, in my opinion. A lot of web applications need it totally disabled to run correctly, or major parts of it. Also, if no one is actively monitoring it and adding to it, it is pretty much useless.
Here is a great comic on setting your password to a strong one. http://xkcd.com/936/
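An added example, not part of the thread or written by any of its participants: the thread weighs turning ModSecurity off against leaving it on, and this sketch shows the narrower option of finding which rule actually fires and excluding only that rule. The log lines, rule ids, messages and paths are constructed placeholders in the style of ModSecurity 2.x Apache error-log entries; `SecRuleRemoveById` is the real ModSecurity directive.

```python
import re
from collections import defaultdict

# Constructed sample lines; ids, messages and URIs are placeholders.
SAMPLE_LOG = """\
[error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 4). Pattern match at RESPONSE_BODY. [file "/etc/modsecurity/example.conf"] [line "10"] [id "900001"] [msg "Example: iframe in response body"] [hostname "example.test"] [uri "/"]
[error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 4). Pattern match at RESPONSE_BODY. [file "/etc/modsecurity/example.conf"] [line "10"] [id "900001"] [msg "Example: iframe in response body"] [hostname "example.test"] [uri "/contact"]
[error] [client 198.51.100.9] ModSecurity: Access denied with code 403 (phase 2). Pattern match at ARGS:q. [file "/etc/modsecurity/example.conf"] [line "22"] [id "900002"] [msg "Example: SQL injection attempt"] [hostname "example.test"] [uri "/search"]
"""

# Matches the bracketed key/value fields, e.g. [id "900001"] or [uri "/"].
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse_line(line):
    """Return the key/value fields of one ModSecurity log line, or None."""
    if "ModSecurity:" not in line:
        return None
    fields = dict(FIELD.findall(line))
    return fields if "id" in fields else None


def summarize(log_text):
    """Group hits by rule id: message, affected URIs and hit count."""
    hits = defaultdict(lambda: {"msg": "", "uris": set(), "count": 0})
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        hit = hits[fields["id"]]
        hit["msg"] = fields.get("msg", "")
        hit["uris"].add(fields.get("uri", "?"))
        hit["count"] += 1
    return dict(hits)


def exclusions(hits, keyword):
    """Emit SecRuleRemoveById only for rules whose message mentions keyword."""
    lines = []
    for rule_id, hit in sorted(hits.items()):
        if keyword.lower() in hit["msg"].lower():
            lines.append(f"# {hit['count']} hit(s): {hit['msg']}")
            lines.append(f"SecRuleRemoveById {rule_id}")
    return lines


if __name__ == "__main__":
    print("\n".join(exclusions(summarize(SAMPLE_LOG), "iframe")))
```

Every other rule, such as the constructed SQL injection rule above, stays active and the rule engine stays on.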