Does Installing Google Tag Manager Compromise Server Security?
-
Greetings MOZ community!!!
Both my hosting company and developer have told me that in order to install Google Tag Manager it is necessary to disable the rule securing against malicious i-frame attacks in Mod Security and that this would leave the site (we operate on a virtual private server and our hosting company is InMotion Hosting) extremely vulnerable to attack.
I can't believe that Google would write code that could allow potential security issues? Is this true?
Does anyone know of a way to install GTM while maintaining site security?
What functionality will we lose if we choose to stick with the old version of Google Analytics rather than upgrade?
Thanks everyone!!!
Alan -
And to be clear - you CAN run the newer Universal version of Google Analytics without needing to use Tag Manager. There are some management advantages to running Analytics from within Tag Manager, especially if you are managing a large number of other tracking tools in it as well, but it is not required in order to run Universal.
If you want a terrific Analytics plugin for WordPress that handles Universal really well, have a look at Google Analyticator. It also allows easy implementation of event tracking, and you can even customise the snippet manually for additional capabilities if you wish. (I always add config to track pagespeed for 100% of pageviews, for example).
Hope that helps?
Paul
-
No, it won't, unless your GTM account is compromised.
-
Alan,
I would have to say they don't know what they are talking about. Mod_sec is in a sense like an IP blacklist: if no one ever changes it, it is pretty ineffective in terms of security. I would imagine that InMotion is running a configuration that they have been running for 5 years with no updates. Mod_sec is an old module, and there really was a time when it was more useful, but Apache and PHP have been updated to be pretty secure by themselves.
On another note, I develop pretty much exclusively in Prestashop, and Prestashop is a partner with InMotion Hosting. Inside Prestashop is a method to disable mod_sec that runs on InMotion's servers. They don't seem to have an issue with that. Here is a screenshot of it: http://screencast.com/t/gDqO9a8axf
I would think you can safely disable it, but at the same time I would still install a WordPress security plugin just to keep WordPress safe; it has a lot of security holes.
-
Thanks for your response, Lesley!!
Not worried about my password being hacked but very concerned about disabling Mod Security, as both my developer and the hosting company have told me that could cause major security risks.
At the same time I have not seen any documentation about sites running GTM ever getting hacked. Our site runs on WordPress in a virtual server environment. Are you saying that disabling Mod Security in this environment is not going to increase risks of getting hacked in a major way? It is really strange, as tech support at InMotion Hosting strongly advised against disabling Mod Security. At the same time I would like the more advanced features available with GTM.
Thoughts??
Thanks, Alan
-
There is an inherent risk with everything you do. Putting a webpage up itself can put you at risk for being hacked. But as for GTM, the risk is very low, but the burden is all on your shoulders. If someone gains access to your GTM they can execute malicious code on your site, yes. But the only way they are going to gain access to the account is because of bad security practices by whoever has or sets the passwords. If you use a weak password, someone might guess it. Or if you use open, publicly accessible networks, someone can grab it that way. I would suggest turning two-factor identification on in your Gmail account and following good password practices. Don't use the same password for any other service, make a strong password, don't email the password to other people, things like that.
As for mod_sec, it is more of a problem in most cases than it is good for anymore, in my opinion. A lot of web applications need it totally disabled to run correctly, or major parts of it. Also, if no one is actively monitoring it and adding to it, it is pretty much useless.
Here is a great comic on setting your password to a strong one. http://xkcd.com/936/