Does Installing Google Tag Manager Compromise Server Security?
-
Greetings MOZ community!!!
Both my hosting company and developer have told me that in order to install Google Tag Manager it is necessary to disable the rule securing against malicious i-frame attacks in Mod Security and that this would leave the site (we operate on a virtual private server and our hosting company is InMotion Hosting) extremely vulnerable to attack.
I can't believe that Google would write code that could allow potential security issues? Is this true?
Does anyone know of a way to install GTM while maintaining site security?
What functionality will we lose if we choose to stick with the old version of Google Analytics rather than upgrade?
Thanks everyone!!!
Alan -
And to be clear - you CAN run the newer Universal version of Google Analytics without needing to use Tag Manager. There are some management advantages to running Analytics from within Tag Manager, especially if you are managing a large number of other tracking tools in it as well, but it is not required in order to run Universal.
If you want a terrific Analytics plugin for WordPress that handles Universal really well, have a look at Google Analyticator. It also allows easy implementation of event tracking, and you can even customise the snippet manually for additional capabilities if you wish. (I always add config to track pagespeed for 100% of pageviews, for example).
Hope that helps?
Paul
-
No, it won't, unless your GTM account is compromised.
-
Alan,
I would have to say they don't know what they are talking about. Mod_sec is in a sense like an IP blacklist: if no one ever changes it, it is pretty ineffective in terms of security. I would imagine that InMotion is running a configuration that they have been running for 5 years with no updates. Mod_sec is an old module, and there really was a time when it was more useful, but Apache and PHP have been updated to be pretty secure by themselves.
On another note, I develop pretty much exclusively in Prestashop, and Prestashop is a partner with InMotion Hosting. Inside Prestashop is a method to disable mod_sec that runs on InMotion's servers. They don't seem to have an issue with that. Here is a screenshot of it: http://screencast.com/t/gDqO9a8axf
I would think you can safely disable it, but at the same time I would still install a WordPress security plugin just to keep WordPress safe; it has a lot of security holes.
-
Thanks for your response, Lesley!!
Not worried about my password being hacked but very concerned about disabling Mod Security, as both my developer and the hosting company have told me that could cause major security risks.
At the same time I have not seen any documentation about sites running GTM ever getting hacked. Our site runs on WordPress in a virtual server environment. Are you saying that disabling Mod Security in this environment is not going to increase risks of getting hacked in a major way? It is really strange, as tech support at InMotion Hosting strongly advised against disabling Mod Security. At the same time I would like the more advanced features available with GTM.
Thoughts??
Thanks, Alan
-
There is an inherent risk with everything you do. Putting a webpage up itself can put you at risk for being hacked. But as for GTM, the risk is very low, but the burden is all on your shoulders. If someone gains access to your GTM they can execute malicious code on your site, yes. But the only way they are going to gain access to the account is because of bad security practices by whoever has or sets the passwords. If you use a weak password, someone might guess it. Or if you use open, publicly accessible networks, someone can grab it that way. I would suggest turning two-factor identification on in your Gmail account and following good password practices. Don't use the same password for any other service, make a strong password, don't email the password to other people, things like that.
As for mod_sec, it is more of a problem for most cases than it is good for anymore, in my opinion. A lot of web applications need it totally disabled to run correctly, or major parts of it. Also, if no one is actively monitoring it and adding to it, it is pretty much useless.
Here is a great comic on setting your password to a strong one. http://xkcd.com/936/
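Added example, not part of the thread and not InMotion's or any poster's configuration: the thread weighs disabling ModSecurity as a whole, and this Apache fragment contrasts that with removing a single rule on a single path so every other rule keeps enforcing. The rule id `999999` and the `/wp-admin/` location are assumptions; the thread does not say which rule fires or on which request.

```apache
# Added example with placeholder values; adapt before use.
<IfModule security2_module>
    # Broad option discussed in the thread: switches off every ModSecurity
    # rule for the whole site. Left commented out, for comparison only.
    # SecRuleEngine Off

    # Narrower option: keep the engine enforcing everywhere...
    SecRuleEngine On

    # ...and remove only the one rule that blocks the GTM snippet, only on
    # the path where it fires.
    # 999999 is a placeholder: take the real value from the [id "..."] field
    # of the ModSecurity audit log entry written for the blocked request.
    # /wp-admin/ is an assumed location (saving the snippet in WordPress).
    <LocationMatch "^/wp-admin/">
        SecRuleRemoveById 999999
    </LocationMatch>
</IfModule>
```

After reloading Apache, repeat the GTM install and check the audit log to confirm the request passes and that other rules are still being evaluated.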