Does Installing Google Tag Manager Compromise Server Security?
-
Greetings MOZ community!!!
Both my hosting company and developer have told me that in order to install Google Tag Manager it is necessary to disable the rule securing against malicious i-frame attacks in Mod Security and that this would leave the site (we operate on a virtual private server and our hosting company is InMotion Hosting) extremely vulnerable to attack.
I can't believe that Google would write code that could allow potential security issues? Is this true?
Does anyone know of a way to install GTM while maintaining site security?
What functionality will we lose if we choose to stick with the old version of Google Analytics rather than upgrade?
Thanks everyone!!!
Alan -
And to be clear - you CAN run the newer Universal version of Google Analytics without needing to use Tag Manager. There are some management advantages to running Analytics from within Tag Manager, especially if you are managing a large number of other tracking tools in it as well, but it is not required in order to run Universal.
If you want a terrific Analytics plugin for WordPress that handles Universal really well, have a look at Google Analyticator. It also allows easy implementation of event tracking, and you can even customise the snippet manually for additional capabilities if you wish. (I always add config to track pagespeed for 100% of pageviews, for example).
Hope that helps?
Paul
-
No, it won't, unless your GTM account is compromised.
-
Alan,
I would have to say they don't know what they are talking about. Mod_sec is in a sense like an IP blacklist: if no one ever changes it, it is pretty ineffective in terms of security. I would imagine that InMotion is running a configuration that they have been running for 5 years with no updates. Mod_sec is an old module; there really was a time when it was more useful, but Apache and PHP have been updated to be pretty secure by themselves.
On another note, I develop pretty much exclusively in Prestashop, and Prestashop is a partner with InMotion Hosting. Inside Prestashop is a method to disable mod_sec that runs on InMotion's servers. They don't seem to have an issue with that. Here is a screenshot of it: http://screencast.com/t/gDqO9a8axf
I would think you can safely disable it, but at the same time I would still install a WordPress security plugin just to keep WordPress safe; it has a lot of security holes.
-
Thanks for your response, Lesley!!
Not worried about my password being hacked but very concerned about disabling Mod Security, as both my developer and the hosting company have told me that could cause major security risks.
At the same time I have not seen any documentation about sites running GTM ever getting hacked. Our site runs on WordPress in a virtual server environment. Are you saying that disabling Mod Security in this environment is not going to increase risks of getting hacked in a major way? It is really strange, as tech support at InMotion Hosting strongly advised against disabling Mod Security. At the same time I would like the more advanced features available with GTM.
Thoughts??
Thanks, Alan
-
There is an inherent risk with everything you do. Putting a webpage up itself can put you at risk for being hacked. But as for GTM, the risk is very low, but the burden is all on your shoulders. If someone gains access to your GTM they can execute malicious code on your site, yes. But the only way they are going to gain access to the account is because of bad security practices by whoever has or sets the passwords. If you use a weak password, someone might guess it. Or if you use open, publicly accessible networks, someone can grab it that way. I would suggest turning two-factor identification on in your Gmail account and following good password practices. Don't use the same password for any other service, make a strong password, don't email the password to other people, things like that.
As for mod_sec, it is more of a problem for most cases than it is good for anymore, in my opinion. A lot of web applications need it totally disabled to run correctly, or major parts of it. Also, if no one is actively monitoring it and adding to it, it is pretty much useless.
Here is a great comic on setting your password to a strong one. http://xkcd.com/936/
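On the question of installing GTM without switching Mod Security off altogether, one approach is to find which rule actually denies the request and review only that rule. The script below is an added example, not part of the thread: the log lines, rule ids, messages and paths are constructed, and it assumes the ModSecurity 2.x Apache error-log layout and a server (such as a VPS) where per-location `SecRuleRemoveById` exclusions can be configured.

```python
import re
from collections import Counter

# Constructed ModSecurity 2.x entries from an Apache error log. Rule ids,
# messages, paths and addresses are invented for this example.
SAMPLE_LOG = r'''
[Tue Mar 03 10:15:02 2015] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<iframe" at ARGS:newcontent. [file "/etc/modsec/local.conf"] [line "52"] [id "900001"] [msg "IFrame in request body"] [hostname "example.com"] [uri "/wp-admin/theme-editor.php"] [unique_id "a1"]
[Tue Mar 03 10:16:40 2015] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<iframe" at ARGS:newcontent. [file "/etc/modsec/local.conf"] [line "52"] [id "900001"] [msg "IFrame in request body"] [hostname "example.com"] [uri "/wp-admin/theme-editor.php"] [unique_id "a2"]
[Tue Mar 03 10:16:41 2015] [error] [client 203.0.113.7] ModSecurity: Warning. Pattern match "<script" at ARGS:newcontent. [file "/etc/modsec/local.conf"] [line "60"] [id "900002"] [msg "Script tag in request body"] [hostname "example.com"] [uri "/wp-admin/theme-editor.php"] [unique_id "a2"]
[Tue Mar 03 11:02:13 2015] [error] [client 198.51.100.9] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at IP:hits. [file "/etc/modsec/local.conf"] [line "71"] [id "900003"] [msg "Request rate exceeded"] [hostname "example.com"] [uri "/xmlrpc.php"] [unique_id "b7"]
[Tue Mar 03 11:05:00 2015] [error] [client 198.51.100.9] File does not exist: /var/www/favicon.ico
'''

# Matches the quoted fields ModSecurity appends, e.g. [id "900001"].
FIELD = re.compile(r'\[(\w+) "([^"]*)"\]')

def parse_entry(line):
    """Return the bracketed key/value fields of one ModSecurity log line, or None."""
    if "ModSecurity:" not in line:
        return None
    entry = dict(FIELD.findall(line))
    entry["denied"] = "ModSecurity: Access denied" in line
    return entry if "id" in entry else None

def blocking_rules(log_text, uri_prefix):
    """Count the rules that denied requests whose URI starts with uri_prefix."""
    hits = Counter()
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry and entry["denied"] and entry.get("uri", "").startswith(uri_prefix):
            hits[(entry["id"], entry.get("msg", ""))] += 1
    return hits

def scoped_exclusion(rule_ids, location_regex):
    """Build an Apache fragment that removes only the given rules for one location."""
    body = "\n".join(f"    SecRuleRemoveById {rid}" for rid in sorted(rule_ids))
    return f'<LocationMatch "{location_regex}">\n{body}\n</LocationMatch>'

if __name__ == "__main__":
    found = blocking_rules(SAMPLE_LOG, "/wp-admin/")
    for (rule_id, msg), count in found.most_common():
        print(f"rule {rule_id} ({msg}) denied {count} request(s)")
    print(scoped_exclusion({rid for rid, _ in found}, "^/wp-admin/theme-editor\\.php$"))
```

Rules that only log a warning, and denials on unrelated paths, are left out of the result, so the generated fragment touches nothing beyond the rule that blocked the request.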