Does Installing Google Tag Manager Compromise Server Security?
-
Greetings MOZ community!!!
Both my hosting company and developer have told me that in order to install Google Tag Manager it is necessary to disable the rule securing against malicious i-frame attacks in Mod Security and that this would leave the site (we operate on a virtual private server and out hosting company is InMotion Hosting) extremely vulnerable to attack.
I can't believe that Google would write code that could allow potential security issues? Is this true?
Does anyone know of a way to install GTM while maintaining site security?
What functionality will we lose if we choose to stick with the old version of Google Analytics rather than upgrade?
Thanks everyone!!!
Alan -
And to be clear - you CAN run the newer Universal version of Google Analytics without needing to use Tag Manager. There are some management advantages to running Analytics from within Tag Manager, especially if you are managing a large number of other tracking tools in it as well, but it is not required in order to run Universal.
If you want a terrific Analytics plugin for WordPress that handles Universal really well, have a look at Google Analyticator. It also allows easy implementation of event tracking, and you can even customise the snippet manually for additional capabilities if you wish. (I always add config to track pagespeed for 100% of pageviews, for example).
Hope that helps?
Paul
-
No it won't unless your GTM account compromised.
-
Alan,
i would have to say they don't know what they are talking about. Mod_sec is in a sense like an ip black list, if no one ever changes it, it is pretty ineffective in terms of security. I would imagine that inmotion is running a configuration that they have been running for 5 years with no updates. Mod_sec is an old module that there really was a time when it was more useful, but apache has been updated and php to be pretty secure by itself.
On another note, I develop pretty much exclusively in Prestashop and Prestashop is a partner with inmotion hosting. Inside Prestashop is a method to disable mod_sec that runs on inmotion's servers. They don't seem to have an issue with that. Here is a screenshot of it, http://screencast.com/t/gDqO9a8axf
I would think you can safely disable it, but at the same time I would still install a wordpress security plugin just to keep wordpress safe, it has a lot of security holes.
-
Thanks your response Lesley!!
Not worried about my password being hacked by very concerned about disabling Mod Security as both my developer and the hosting company have told me that could cause major security risks.
At the same time I have have not seen any documentation about sites running GTM ever getting hacked. Our site runs on Wordpress in a virtual server environment. Are you saying that disabling Mod Security in this environment is not going to increase risks of getting hacked in a major way? It is really strange as tech support at InMotion Hosting strongly advised against disabling Mod Security. At the same time I would like the more advanced features available with GTM.
Thoughts??
Thanks, Alan
-
There is an inherit risk with everything you do. Putting a webpage up itself can put you at risk for being hacked. But as for GTM, the risk is very low, but the burden is all on your shoulders. If someone gains access to your GTM they can execute malicious code on your site, yes. But the only way they are going to gain access to the account is because of bad security practices for who ever has or sets the passwords. If you use a weak password, someone might can guess it. Or if you use open publicly accessible networks, someone can grab it that way. I would suggest turning two factor identification on in your Gmail account and following good password practices. Don't use the same password for any other service, make a strong password, don't email the password to other people, things like that.
As for mod_sec, it is more of a problem for most cases than it is good for any more, in my opinion. A lot of web applications need it totally disabled to run correctly, or major parts of it. Also if no one is actively monitoring it and adding to it, it is pretty much useless.
Here is a great comic on setting your password to a strong one. http://xkcd.com/936/
Got a burning SEO question?
Subscribe to Moz Pro to gain full access to Q&A, answer questions, and ask your own.
Browse Questions
Explore more categories
-
Moz Tools
Chat with the community about the Moz tools.
-
SEO Tactics
Discuss the SEO process with fellow marketers
-
Community
Discuss industry events, jobs, and news!
-
Digital Marketing
Chat about tactics outside of SEO
-
Research & Trends
Dive into research and trends in the search industry.
-
Support
Connect on product support and feature requests.
Related Questions
-
Google Analytics Numbers Are Weird
Hi, I'm having a strange problem from past one month. My website gets about 10k pageviews a month with an average bounce rate of 50%. Lately, I observed a strange thing. The avg time on page of visitors from selected countries is less than 1 second and the bounce rate is zero!! How is this possible? This is happening from past one month and it would be really helpful if you guys could tell me what exactly is happening?? Ive attached a screenshot for better understanding. website url : https://www.specbee.com/ fIAXXgF 3zQuBAN
Reporting & Analytics | | ganesh10 -
UTM source errors in google search console
Dear Friends, I need help with UTM source and UTM medium errors. There are 300 such errors on my site which is affecting the site i think, The URL appended at the end is utm_source=rss&utm_medium=rss&utm_campaign= How do i resolve this? Please help me with it.Thanks ccEpFDn.png ccEpFDn.png
Reporting & Analytics | | marketing910 -
Google Analytics goals by source report?
Hello everybody. Is there way in Google analytics to create report on what goals have been completed per each source? Example: Lets say I have 3 goals: Subscription, Purchase, Quote. How can I get report, saying something like this: google / organic - Subscription - 5 conversions
Reporting & Analytics | | DmitriiK
Purchase - 3 conversions
Quote - 10 conversions and so on. P.S. Basically, I want the reverse of standard Google Analytics goal completions report, where you can click on goal and see which sources/mediums completions came from. I'd like to do the opposite - "click" on source/medium and see which goals have been completed. Thanks0 -
Tracking Google places (7 pack listing) traffic in google analytics
Is there a way to see Google Places traffic (traffic from users clicking through the 7 pack listings) segmented in Google analytics ? Normally is it just lumped together with the organic traffic ? Can you see the search phrases used to find your site, or do they also show up under 'not provided' when from Google Places. Im aware i can see some limited data in the Google Places analytics, but these seem to be 2 days behind when ever i view them.
Reporting & Analytics | | Sam-P0 -
Google Crawl Stats
Hi all Wondering if anyone could help me out here. I am seeing massive variations in WMT of google crawl stats on a site I run. Just wondering if this is normal (see attached image). The site is an eccommerce site and gets a handful of new products added every couple of weeks. The total no of products is about 220k so this is only a very small %. I notice in WMT I have an amber warning under Server connectivity. About 10 days back I had warnings under DNS, Server and Robots. This was due to bad server performance. I have since moved to a new server and the other two warnings have gone back to green. I expect the Server connectivity one to update any day now. Ive included the graph for this incase it is relevant here. Many thanks for assistance. Carl crawlstats.png connect.png
Reporting & Analytics | | daedriccarl0 -
Google analytics is not tracking well
Hey, There is something not working in our GA account, its shows too many visits per day, when look where this traffic comes from, the majority comes from (not set). Please find attached. Really appreciate help! Thank you! BvmAKtO
Reporting & Analytics | | Comunicare0 -
Google Places Over Reporting Directions Requests to a Business
I posted a screenshot of a client's Google Places profile reporting strange statistics for driving/direction requests to my website. The post is here: http://www.hoodwebmanagement.com/2054/weird-google-places-statistics/. Full info is there but I have attached a screenshot here as well. I'm wondering if anyone has seen this error with another local business - especially a local business that shares its exact address with another business, since I think that is the cause. weird-google-places-statistics.png?d407e3 weird-google-places-statistics.png?d407e3
Reporting & Analytics | | KaneJamison0 -
Google Analytics Title tag vs landing page visitors numbers
Hi folks, Just wondering if anyone has any ideas as to why im getting different results in Google analytics. I'm using the Content Efficiency Analysis Report from http://www.kaushik.net which is absolutely awesome. When I search via my title tag I get 920 Unique Visitors over the month but when I search via the landing page URL with the same title tag I get 28. Any ideas to why their should be such a difference. I've also noticed that on that page i'm also getting a Rel Cononical TRUE using a site crawl. Any ideas are much appreciated
Reporting & Analytics | | acs1110