Does Installing Google Tag Manager Compromise Server Security?
-
Greetings MOZ community!!!
Both my hosting company and developer have told me that in order to install Google Tag Manager it is necessary to disable the rule securing against malicious i-frame attacks in Mod Security and that this would leave the site (we operate on a virtual private server and our hosting company is InMotion Hosting) extremely vulnerable to attack.
I can't believe that Google would write code that could allow potential security issues? Is this true?
Does anyone know of a way to install GTM while maintaining site security?
What functionality will we lose if we choose to stick with the old version of Google Analytics rather than upgrade?
Thanks everyone!!!
Alan -
And to be clear - you CAN run the newer Universal version of Google Analytics without needing to use Tag Manager. There are some management advantages to running Analytics from within Tag Manager, especially if you are managing a large number of other tracking tools in it as well, but it is not required in order to run Universal.
If you want a terrific Analytics plugin for WordPress that handles Universal really well, have a look at Google Analyticator. It also allows easy implementation of event tracking, and you can even customise the snippet manually for additional capabilities if you wish. (I always add config to track pagespeed for 100% of pageviews, for example).
Hope that helps?
Paul
-
No, it won't, unless your GTM account is compromised.
-
Alan,
I would have to say they don't know what they are talking about. Mod_sec is in a sense like an IP blacklist: if no one ever changes it, it is pretty ineffective in terms of security. I would imagine that InMotion is running a configuration that they have been running for 5 years with no updates. Mod_sec is an old module, and there really was a time when it was more useful, but Apache and PHP have been updated to be pretty secure by themselves.
On another note, I develop pretty much exclusively in Prestashop, and Prestashop is a partner with InMotion Hosting. Inside Prestashop is a method to disable mod_sec that runs on InMotion's servers. They don't seem to have an issue with that. Here is a screenshot of it: http://screencast.com/t/gDqO9a8axf
I would think you can safely disable it, but at the same time I would still install a WordPress security plugin just to keep WordPress safe; it has a lot of security holes.
-
Thanks for your response, Lesley!!
Not worried about my password being hacked, but very concerned about disabling Mod Security, as both my developer and the hosting company have told me that could cause major security risks.
At the same time I have not seen any documentation about sites running GTM ever getting hacked. Our site runs on WordPress in a virtual server environment. Are you saying that disabling Mod Security in this environment is not going to increase risks of getting hacked in a major way? It is really strange, as tech support at InMotion Hosting strongly advised against disabling Mod Security. At the same time I would like the more advanced features available with GTM.
Thoughts??
Thanks, Alan
-
There is an inherent risk with everything you do. Putting a webpage up itself can put you at risk for being hacked. But as for GTM, the risk is very low, but the burden is all on your shoulders. If someone gains access to your GTM they can execute malicious code on your site, yes. But the only way they are going to gain access to the account is because of bad security practices by whoever has or sets the passwords. If you use a weak password, someone might be able to guess it. Or if you use open, publicly accessible networks, someone can grab it that way. I would suggest turning two-factor identification on in your Gmail account and following good password practices. Don't use the same password for any other service, make a strong password, don't email the password to other people, things like that.
As for mod_sec, it is more of a problem for most cases than it is good for anymore, in my opinion. A lot of web applications need it totally disabled to run correctly, or major parts of it. Also, if no one is actively monitoring it and adding to it, it is pretty much useless.
Here is a great comic on setting your password to a strong one. http://xkcd.com/936/
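Added example, not part of any post in this thread: the discussion turns on disabling one ModSecurity rule versus the whole module, so this sketch reads ModSecurity denials from an Apache error log, counts which rule id blocked which URI, and builds a `SecRuleRemoveById` exclusion scoped to that one path. The log lines, rule ids, messages and paths are constructed placeholders; the thread never names the actual rule.

```python
import re
from collections import Counter

# Constructed sample in the ModSecurity 2.x Apache error-log layout.
# Rule ids 900001/900002, messages and URIs are placeholders, not from the thread.
SAMPLE_LOG = """\
[Mon Jan 06 10:12:01 2014] [error] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<iframe" at ARGS:content. [file "/etc/modsec/custom.conf"] [line "12"] [id "900001"] [msg "Possible iframe injection"] [hostname "www.example.com"] [uri "/wp-admin/post.php"] [unique_id "AAAA"]
[Mon Jan 06 10:12:40 2014] [error] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<iframe" at ARGS:content. [file "/etc/modsec/custom.conf"] [line "12"] [id "900001"] [msg "Possible iframe injection"] [hostname "www.example.com"] [uri "/wp-admin/post.php"] [unique_id "AAAB"]
[Mon Jan 06 10:15:02 2014] [error] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/modsec/custom.conf"] [line "30"] [id "900002"] [msg "Placeholder rule"] [hostname "www.example.com"] [uri "/xmlrpc.php"] [unique_id "AAAC"]
[Mon Jan 06 10:16:00 2014] [error] [client 198.51.100.7] File does not exist: /var/www/favicon.ico
"""

# Matches bracketed pairs such as [id "900001"] or [uri "/wp-admin/post.php"].
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse_line(line):
    """Return the key/value fields of a ModSecurity denial line, else None."""
    if "ModSecurity: Access denied" not in line:
        return None
    fields = dict(FIELD.findall(line))
    return fields if "id" in fields and "uri" in fields else None


def blocked_rules(log_text):
    """Count denials per (rule id, URI) pair."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields:
            hits[(fields["id"], fields["uri"])] += 1
    return hits


def scoped_exclusion(rule_id, uri):
    """Apache config removing one rule for one path; all other rules stay active."""
    # Both values come from a log that records request data, so validate them.
    if not rule_id.isdigit() or not re.fullmatch(r"/[\w./-]*", uri):
        raise ValueError("unexpected rule id or URI")
    return f'<Location "{uri}">\n    SecRuleRemoveById {rule_id}\n</Location>'


if __name__ == "__main__":
    for (rule_id, uri), count in blocked_rules(SAMPLE_LOG).most_common():
        print(f"# rule {rule_id} blocked {uri} {count} time(s)")
        print(scoped_exclusion(rule_id, uri))
```

Review what each listed rule protects before excluding it; the output only narrows the exclusion to the rule and path that actually fired.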