Does Installing Google Tag Manager Compromise Server Security?
-
Greetings MOZ community!!!
Both my hosting company and developer have told me that in order to install Google Tag Manager it is necessary to disable the rule securing against malicious i-frame attacks in Mod Security and that this would leave the site (we operate on a virtual private server and our hosting company is InMotion Hosting) extremely vulnerable to attack.
I can't believe that Google would write code that could allow potential security issues? Is this true?
Does anyone know of a way to install GTM while maintaining site security?
What functionality will we lose if we choose to stick with the old version of Google Analytics rather than upgrade?
Thanks everyone!!!
Alan -
And to be clear - you CAN run the newer Universal version of Google Analytics without needing to use Tag Manager. There are some management advantages to running Analytics from within Tag Manager, especially if you are managing a large number of other tracking tools in it as well, but it is not required in order to run Universal.
If you want a terrific Analytics plugin for WordPress that handles Universal really well, have a look at Google Analyticator. It also allows easy implementation of event tracking, and you can even customise the snippet manually for additional capabilities if you wish. (I always add config to track pagespeed for 100% of pageviews, for example).
Hope that helps?
Paul
-
No, it won't, unless your GTM account is compromised.
-
Alan,
I would have to say they don't know what they are talking about. Mod_sec is in a sense like an IP blacklist: if no one ever changes it, it is pretty ineffective in terms of security. I would imagine that InMotion is running a configuration that they have been running for 5 years with no updates. Mod_sec is an old module; there really was a time when it was more useful, but Apache and PHP have been updated to be pretty secure by themselves.
On another note, I develop pretty much exclusively in Prestashop and Prestashop is a partner with InMotion Hosting. Inside Prestashop is a method to disable mod_sec that runs on InMotion's servers. They don't seem to have an issue with that. Here is a screenshot of it: http://screencast.com/t/gDqO9a8axf
I would think you can safely disable it, but at the same time I would still install a WordPress security plugin just to keep WordPress safe; it has a lot of security holes.
-
Thanks for your response, Lesley!!
Not worried about my password being hacked but very concerned about disabling Mod Security, as both my developer and the hosting company have told me that could cause major security risks.
At the same time I have not seen any documentation about sites running GTM ever getting hacked. Our site runs on WordPress in a virtual server environment. Are you saying that disabling Mod Security in this environment is not going to increase risks of getting hacked in a major way? It is really strange, as tech support at InMotion Hosting strongly advised against disabling Mod Security. At the same time I would like the more advanced features available with GTM.
Thoughts??
Thanks, Alan
-
There is an inherent risk with everything you do. Putting a webpage up itself can put you at risk for being hacked. But as for GTM, the risk is very low, but the burden is all on your shoulders. If someone gains access to your GTM they can execute malicious code on your site, yes. But the only way they are going to gain access to the account is because of bad security practices by whoever has or sets the passwords. If you use a weak password, someone might guess it. Or if you use open publicly accessible networks, someone can grab it that way. I would suggest turning two factor identification on in your Gmail account and following good password practices. Don't use the same password for any other service, make a strong password, don't email the password to other people, things like that.
As for mod_sec, it is more of a problem for most cases than it is good for anymore, in my opinion. A lot of web applications need it totally disabled to run correctly, or major parts of it. Also, if no one is actively monitoring it and adding to it, it is pretty much useless.
Here is a great comic on setting your password to a strong one. http://xkcd.com/936/
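An added example, not part of the thread and not InMotion's configuration: the thread weighs turning ModSecurity off entirely against leaving it on, and ModSecurity 2.x on Apache also allows removing a single rule for a single path. The rule id `999999` is a placeholder, and the `/wp-admin/` path assumes the block happens when the GTM snippet is saved through the WordPress admin.

```apache
<IfModule security2_module>
    # Broad option discussed in the thread: switches the whole WAF off
    # for this site. Shown commented out for comparison only.
    # SecRuleEngine Off

    # Narrower option: leave the host's SecRuleEngine setting untouched
    # and remove only the one rule that blocks the GTM snippet, and only
    # on the path where that snippet is submitted (assumed: WordPress admin).
    <LocationMatch "^/wp-admin/">
        # 999999 is a placeholder. Use the rule id that the ModSecurity
        # audit log reports for the blocked request.
        SecRuleRemoveById 999999
    </LocationMatch>
</IfModule>
```

Every other rule stays active on the admin path, and the removed rule still applies to the rest of the site.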