Does Installing Google Tag Manager Compromise Server Security?
-
Greetings MOZ community!!!
Both my hosting company and developer have told me that in order to install Google Tag Manager it is necessary to disable the rule securing against malicious i-frame attacks in Mod Security and that this would leave the site (we operate on a virtual private server and our hosting company is InMotion Hosting) extremely vulnerable to attack.
I can't believe that Google would write code that could allow potential security issues? Is this true?
Does anyone know of a way to install GTM while maintaining site security?
What functionality will we lose if we choose to stick with the old version of Google Analytics rather than upgrade?
Thanks everyone!!!
Alan -
And to be clear - you CAN run the newer Universal version of Google Analytics without needing to use Tag Manager. There are some management advantages to running Analytics from within Tag Manager, especially if you are managing a large number of other tracking tools in it as well, but it is not required in order to run Universal.
If you want a terrific Analytics plugin for WordPress that handles Universal really well, have a look at Google Analyticator. It also allows easy implementation of event tracking, and you can even customise the snippet manually for additional capabilities if you wish. (I always add config to track pagespeed for 100% of pageviews, for example).
Hope that helps?
Paul
-
No, it won't, unless your GTM account is compromised.
-
Alan,
I would have to say they don't know what they are talking about. Mod_sec is in a sense like an IP blacklist: if no one ever changes it, it is pretty ineffective in terms of security. I would imagine that InMotion is running a configuration that they have been running for 5 years with no updates. Mod_sec is an old module, and there really was a time when it was more useful, but Apache and PHP have been updated to be pretty secure by themselves.
On another note, I develop pretty much exclusively in Prestashop, and Prestashop is a partner with InMotion Hosting. Inside Prestashop is a method to disable mod_sec that runs on InMotion's servers. They don't seem to have an issue with that. Here is a screenshot of it: http://screencast.com/t/gDqO9a8axf
I would think you can safely disable it, but at the same time I would still install a WordPress security plugin just to keep WordPress safe; it has a lot of security holes.
-
Thanks for your response, Lesley!!
Not worried about my password being hacked but very concerned about disabling Mod Security, as both my developer and the hosting company have told me that could cause major security risks.
At the same time I have not seen any documentation about sites running GTM ever getting hacked. Our site runs on WordPress in a virtual server environment. Are you saying that disabling Mod Security in this environment is not going to increase risks of getting hacked in a major way? It is really strange, as tech support at InMotion Hosting strongly advised against disabling Mod Security. At the same time I would like the more advanced features available with GTM.
Thoughts??
Thanks, Alan
-
There is an inherent risk with everything you do. Putting a webpage up itself can put you at risk for being hacked. But as for GTM, the risk is very low, but the burden is all on your shoulders. If someone gains access to your GTM they can execute malicious code on your site, yes. But the only way they are going to gain access to the account is because of bad security practices by whoever has or sets the passwords. If you use a weak password, someone might be able to guess it. Or if you use open, publicly accessible networks, someone can grab it that way. I would suggest turning two-factor identification on in your Gmail account and following good password practices. Don't use the same password for any other service, make a strong password, don't email the password to other people, things like that.
As for mod_sec, it is more of a problem for most cases than it is good for anymore, in my opinion. A lot of web applications need it totally disabled to run correctly, or major parts of it. Also, if no one is actively monitoring it and adding to it, it is pretty much useless.
Here is a great comic on setting your password to a strong one. http://xkcd.com/936/
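On the original question of installing GTM without switching ModSecurity off, the following is an added example, not code from any poster in this thread. It reads Apache error-log lines in the ModSecurity 2.x layout, finds which rule is doing the iframe blocking, and emits an exclusion for that one rule while the engine stays on. The log lines are constructed, and the rule ids 999001/999002, host and paths are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in the ModSecurity 2.x Apache error-log layout. Rule ids
# 999001/999002, the host and the paths are placeholders, not real rules.
SAMPLE_LOG = r'''
[Tue Mar 03 10:15:01 2015] [:error] [pid 4211] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 4). Pattern match "<iframe" at RESPONSE_BODY. [file "/etc/modsec/custom.conf"] [line "41"] [id "999001"] [msg "Possible iframe injection in response"] [hostname "www.example.com"] [uri "/index.php"] [unique_id "a1"]
[Tue Mar 03 10:15:09 2015] [:error] [pid 4212] [client 203.0.113.9] ModSecurity: Access denied with code 403 (phase 4). Pattern match "<iframe" at RESPONSE_BODY. [file "/etc/modsec/custom.conf"] [line "41"] [id "999001"] [msg "Possible iframe injection in response"] [hostname "www.example.com"] [uri "/contact/"] [unique_id "a2"]
[Tue Mar 03 10:16:30 2015] [:error] [pid 4213] [client 198.51.100.4] ModSecurity: Access denied with code 403 (phase 2). Pattern match "union select" at ARGS:id. [file "/etc/modsec/custom.conf"] [line "77"] [id "999002"] [msg "SQL injection attempt"] [hostname "www.example.com"] [uri "/wp-login.php"] [unique_id "a3"]
[Tue Mar 03 10:17:00 2015] [core:notice] [pid 4200] AH00094: Command line: /usr/sbin/httpd
'''

# ModSecurity appends metadata as [key "value"] tags; [pid 4211] has no quotes
# and is therefore skipped by this pattern.
TAG = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def parse_line(line):
    """Return the tag dict for a ModSecurity alert line, else None."""
    if "ModSecurity:" not in line:
        return None
    fields = dict(TAG.findall(line))
    return fields if "id" in fields else None

def blocks_matching(log_text, keyword):
    """Group alerts whose msg contains keyword by rule id."""
    found = defaultdict(lambda: {"msg": "", "hits": 0, "uris": set()})
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields and keyword.lower() in fields.get("msg", "").lower():
            entry = found[fields["id"]]
            entry["msg"] = fields["msg"]
            entry["hits"] += 1
            entry["uris"].add(fields.get("uri", "?"))
    return dict(found)

def scoped_exclusions(summary):
    """Emit one SecRuleRemoveById per offending rule; the engine stays on."""
    out = ["SecRuleEngine On"]
    for rule_id, info in sorted(summary.items()):
        out.append(f"# {info['hits']} blocks on {sorted(info['uris'])}: {info['msg']}")
        out.append(f"SecRuleRemoveById {rule_id}")
    return out

if __name__ == "__main__":
    print("\n".join(scoped_exclusions(blocks_matching(SAMPLE_LOG, "iframe"))))
```

`SecRuleRemoveById` has to be loaded after the rule it removes, and every other rule, such as the constructed SQL injection rule in the sample, keeps running.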