Does Installing Google Tag Manager Compromise Server Security?
-
Greetings MOZ community!!!
Both my hosting company and developer have told me that in order to install Google Tag Manager it is necessary to disable the rule securing against malicious i-frame attacks in Mod Security and that this would leave the site (we operate on a virtual private server and our hosting company is InMotion Hosting) extremely vulnerable to attack.
I can't believe that Google would write code that could allow potential security issues? Is this true?
Does anyone know of a way to install GTM while maintaining site security?
What functionality will we lose if we choose to stick with the old version of Google Analytics rather than upgrade?
Thanks everyone!!!
Alan -
And to be clear - you CAN run the newer Universal version of Google Analytics without needing to use Tag Manager. There are some management advantages to running Analytics from within Tag Manager, especially if you are managing a large number of other tracking tools in it as well, but it is not required in order to run Universal.
If you want a terrific Analytics plugin for WordPress that handles Universal really well, have a look at Google Analyticator. It also allows easy implementation of event tracking, and you can even customise the snippet manually for additional capabilities if you wish. (I always add config to track pagespeed for 100% of pageviews, for example).
Hope that helps?
Paul
-
No, it won't, unless your GTM account is compromised.
-
Alan,
I would have to say they don't know what they are talking about. Mod_sec is in a sense like an IP blacklist: if no one ever changes it, it is pretty ineffective in terms of security. I would imagine that InMotion is running a configuration that they have been running for 5 years with no updates. Mod_sec is an old module; there really was a time when it was more useful, but Apache and PHP have been updated to be pretty secure by themselves.
On another note, I develop pretty much exclusively in Prestashop, and Prestashop is a partner with InMotion Hosting. Inside Prestashop is a method to disable mod_sec that runs on InMotion's servers. They don't seem to have an issue with that. Here is a screenshot of it: http://screencast.com/t/gDqO9a8axf
I would think you can safely disable it, but at the same time I would still install a WordPress security plugin just to keep WordPress safe; it has a lot of security holes.
-
Thanks for your response, Lesley!!
Not worried about my password being hacked, but very concerned about disabling Mod Security, as both my developer and the hosting company have told me that could cause major security risks.
At the same time I have not seen any documentation about sites running GTM ever getting hacked. Our site runs on WordPress in a virtual server environment. Are you saying that disabling Mod Security in this environment is not going to increase risks of getting hacked in a major way? It is really strange, as tech support at InMotion Hosting strongly advised against disabling Mod Security. At the same time I would like the more advanced features available with GTM.
Thoughts??
Thanks, Alan
-
There is an inherent risk with everything you do. Putting a webpage up itself can put you at risk for being hacked. But as for GTM, the risk is very low, but the burden is all on your shoulders. If someone gains access to your GTM they can execute malicious code on your site, yes. But the only way they are going to gain access to the account is because of bad security practices by whoever has or sets the passwords. If you use a weak password, someone might be able to guess it. Or if you use open, publicly accessible networks, someone can grab it that way. I would suggest turning two-factor identification on in your Gmail account and following good password practices. Don't use the same password for any other service, make a strong password, don't email the password to other people, things like that.
As for mod_sec, it is more of a problem in most cases than it is good for anymore, in my opinion. A lot of web applications need it totally disabled to run correctly, or major parts of it. Also, if no one is actively monitoring it and adding to it, it is pretty much useless.
Here is a great comic on setting your password to a strong one. http://xkcd.com/936/
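For readers weighing the two options discussed in this thread, here is an added example (not part of any post above, and not InMotion's or Google's configuration). ModSecurity 2.x on Apache can switch off a single rule by its ID instead of disabling the whole engine. The rule ID `000000` is a placeholder; the real ID is assumed to be the one your ModSecurity log reports when the page carrying the GTM snippet is blocked.

```apache
# Added example. Assumes Apache with mod_security2 and a ruleset that is
# already loaded earlier in the configuration.
# 000000 is a placeholder, not a real rule ID: replace it with the
# [id "..."] value that ModSecurity logs when the GTM page is blocked.

<IfModule security2_module>
    # Broad option discussed in the thread: turns off every rule for the site.
    # SecRuleEngine Off

    # Optional first step: log rule matches without blocking anything,
    # so the ID of the rule that fires on the GTM markup can be read
    # from the log.
    # SecRuleEngine DetectionOnly

    # Narrower option: keep the engine and all other rules enforcing,
    # and remove only the one rule that matches the GTM markup.
    SecRuleEngine On

    # Must appear after the directive that loads the rule being removed,
    # otherwise the removal has no effect.
    SecRuleRemoveById 000000
</IfModule>
```

After reloading Apache, requests that trip any other rule are still blocked and logged as before, which is the difference from turning the engine off.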