Does Installing Google Tag Manager Compromise Server Security?
-
Greetings MOZ community!!!
Both my hosting company and developer have told me that in order to install Google Tag Manager it is necessary to disable the rule securing against malicious i-frame attacks in Mod Security and that this would leave the site (we operate on a virtual private server and out hosting company is InMotion Hosting) extremely vulnerable to attack.
I can't believe that Google would write code that could allow potential security issues? Is this true?
Does anyone know of a way to install GTM while maintaining site security?
What functionality will we lose if we choose to stick with the old version of Google Analytics rather than upgrade?
Thanks everyone!!!
Alan -
And to be clear - you CAN run the newer Universal version of Google Analytics without needing to use Tag Manager. There are some management advantages to running Analytics from within Tag Manager, especially if you are managing a large number of other tracking tools in it as well, but it is not required in order to run Universal.
If you want a terrific Analytics plugin for WordPress that handles Universal really well, have a look at Google Analyticator. It also allows easy implementation of event tracking, and you can even customise the snippet manually for additional capabilities if you wish. (I always add config to track pagespeed for 100% of pageviews, for example).
Hope that helps?
Paul
-
No it won't unless your GTM account compromised.
-
Alan,
i would have to say they don't know what they are talking about. Mod_sec is in a sense like an ip black list, if no one ever changes it, it is pretty ineffective in terms of security. I would imagine that inmotion is running a configuration that they have been running for 5 years with no updates. Mod_sec is an old module that there really was a time when it was more useful, but apache has been updated and php to be pretty secure by itself.
On another note, I develop pretty much exclusively in Prestashop and Prestashop is a partner with inmotion hosting. Inside Prestashop is a method to disable mod_sec that runs on inmotion's servers. They don't seem to have an issue with that. Here is a screenshot of it, http://screencast.com/t/gDqO9a8axf
I would think you can safely disable it, but at the same time I would still install a wordpress security plugin just to keep wordpress safe, it has a lot of security holes.
-
Thanks your response Lesley!!
Not worried about my password being hacked by very concerned about disabling Mod Security as both my developer and the hosting company have told me that could cause major security risks.
At the same time I have have not seen any documentation about sites running GTM ever getting hacked. Our site runs on Wordpress in a virtual server environment. Are you saying that disabling Mod Security in this environment is not going to increase risks of getting hacked in a major way? It is really strange as tech support at InMotion Hosting strongly advised against disabling Mod Security. At the same time I would like the more advanced features available with GTM.
Thoughts??
Thanks, Alan
-
There is an inherit risk with everything you do. Putting a webpage up itself can put you at risk for being hacked. But as for GTM, the risk is very low, but the burden is all on your shoulders. If someone gains access to your GTM they can execute malicious code on your site, yes. But the only way they are going to gain access to the account is because of bad security practices for who ever has or sets the passwords. If you use a weak password, someone might can guess it. Or if you use open publicly accessible networks, someone can grab it that way. I would suggest turning two factor identification on in your Gmail account and following good password practices. Don't use the same password for any other service, make a strong password, don't email the password to other people, things like that.
As for mod_sec, it is more of a problem for most cases than it is good for any more, in my opinion. A lot of web applications need it totally disabled to run correctly, or major parts of it. Also if no one is actively monitoring it and adding to it, it is pretty much useless.
Here is a great comic on setting your password to a strong one. http://xkcd.com/936/
Got a burning SEO question?
Subscribe to Moz Pro to gain full access to Q&A, answer questions, and ask your own.
Browse Questions
Explore more categories
-
Moz Tools
Chat with the community about the Moz tools.
-
SEO Tactics
Discuss the SEO process with fellow marketers
-
Community
Discuss industry events, jobs, and news!
-
Digital Marketing
Chat about tactics outside of SEO
-
Research & Trends
Dive into research and trends in the search industry.
-
Support
Connect on product support and feature requests.
Related Questions
-
Whatstuffwherebot user agent messing up Google Analytics
Starting yesterday, Aug 26, 2020, I noticed a new bot crawling our site with user agent whatstuffwherebot. Google Analytics is counting these hits as human traffic, completely throwing off my numbers - yesterday, Analytics reported nearly triple my typical number of visitors. As of now, Search Console only shows data through Aug 25 so I don't know if Search Console is also affected. Is anybody else seeing something similar? Does anybody know what the whatstuffwherebot bot is? I don't get any results when I search on Google or Bing. For what it's worth, the traffic is coming from Columbus, OH, running over Amazon AWS via 278 different IP addresses so far. Also, WordFence (my WordPress security plugin) correctly identifies these hits as bot traffic.
Reporting & Analytics | | ahirai0 -
Google Search Console - > Google Search Analytic gives figure for google organic or adwords or combine of both?
Hi All, In Google Search Console -> In Search Analytics. I can see Clicks, Impressions, CTR and Position. I want to know all these 4 - Clicks, Impressions, CTR and Position gives information related to google organic only? or combine or google organic and google adwords? Thanks!
Reporting & Analytics | | wright3350 -
How drop off works in google analytic for enhance ecommerce?
Hello Guys, I have implemented enhance ecommerce ( i.e. - https://developers.google.com/tag-manager/enhanced-ecommerce ) Now i have query how drops off actually works? Like i visited the my site, then product page then checkout step 1 page after that i close the checkout step 1 page that means checkout step 1 drop off will appear in google analytic? right? John
Reporting & Analytics | | varo0 -
Google Analytics Custom Alert For Goal Completions?
Hi currently setting up custom alerts for a website. I want to do a custom alerts for when goal completions decrease or increase by a certain % e.g. 20% as shown in the third example from this Moz Article back in 2012 - http://moz.com/blog/7-essential-google-intelligence-custom-alerts-that-keep-me-sane However when i go into my GA account the only options seem to be for when the goal completion conversion rate % drops. I could use this, but i rather do just based on completions rather than %. Any ideas on how i can do this? Thanks.
Reporting & Analytics | | MBASydney0 -
Will my Google sub domain filter work
Bon Pormeriggio from cloudy hot sticky & Humid Wetherby UK 😉 I have three sub domains which are reporting all the same stat traffic. Phase 1 is complete in that sub domain tracking has been configured in the analytics code for: http://en.lewispr.be/
Reporting & Analytics | | Nightwing
http://fr.lewispr.be/
http://nl.lewispr.be/ But now i want to get traffic just from http://www.en.lewispr.be/ (Previously all three subdomains reported exactly the dame data). But its this stage I just want to double check. Ive set up a filter correcly as illustrated here:
http://i216.photobucket.com/albums/cc53/zymurgy_bucket/check-en-sub-domain-tracking_zps1b24f8af.jpg Will what ive done give me just traffic arriving at http://www.en.lewispr.be/ and not continue the problem of all three sub domains reporting exactly the same traffic?
Grazie tanto,
David0 -
Google Webmaster Tools - When will the links go away!?
About 9 months back we thought having an extremely reputable company build our client some local citations would be a good idea. You definitely know this citation company, but I'll leave names out. Regardless, it's our mistake to cut corners. Google Webmaster Tools quickly picked up these new citations and added them to the links section. One of these citation spawned a complete mess of about 60K+ links on their network of sites through ridiculous subdomains of every state in the country and so many other domain variations. We immediately went into remove mode and had the site's webmaster take down the bad links from their site. This process took about a month for outreach. The bad links (60K+) have not been on the spam site for well over 6 months but GWT still shows them in the "links to your site" section. Majestic, Bing, and OSE only displayed the bad links for a brief time. Why is webmaster tools still showing these links after 6+ months? We typically see GWT update about every 2 weeks, a month tops. Any ideas? Could a changed robots.txt on the bad site prevent Google from updating the links displayed in GWT? We have submitted to disavow, but Google replied with "no manual penalty". We even blasted the bad site with Fiverr links, in hopes that Google would re-crawl them. No luck with anything we do. We have patiently waited for way too long. The rankings for this site got crushed on Google after these citations. How do we fix this? Should we worry about this? Any advice would really help. Thanks so much in advance.
Reporting & Analytics | | zadro0 -
Google Analytics Not Working
I added the code before tag but still google not showing it is installed. Status: Tracking Not Installed Last checked: Mar 15, 2013 10:38:10 PM PDT Can someone check my domain - www.plugnbuy.com
Reporting & Analytics | | chandubaba0 -
Mobile Site on Google Analytics
Hi mozzers, We just launched a mobile site and I was wondering what are the main steps to follow for gettting your mobile site tracked via GA (m.example.com)? We have a profile for www.example.com GATC: javascript or PHP to install? Should the profile be on a subdomain? What else to consider when implementing a mobile site on GA? Thanks
Reporting & Analytics | | Ideas-Money-Art0