Does Installing Google Tag Manager Compromise Server Security?
-
Greetings MOZ community!!!
Both my hosting company and developer have told me that in order to install Google Tag Manager it is necessary to disable the rule securing against malicious i-frame attacks in Mod Security and that this would leave the site (we operate on a virtual private server and our hosting company is InMotion Hosting) extremely vulnerable to attack.
I can't believe that Google would write code that could allow potential security issues? Is this true?
Does anyone know of a way to install GTM while maintaining site security?
What functionality will we lose if we choose to stick with the old version of Google Analytics rather than upgrade?
Thanks everyone!!!
Alan -
And to be clear - you CAN run the newer Universal version of Google Analytics without needing to use Tag Manager. There are some management advantages to running Analytics from within Tag Manager, especially if you are managing a large number of other tracking tools in it as well, but it is not required in order to run Universal.
If you want a terrific Analytics plugin for WordPress that handles Universal really well, have a look at Google Analyticator. It also allows easy implementation of event tracking, and you can even customise the snippet manually for additional capabilities if you wish. (I always add config to track pagespeed for 100% of pageviews, for example).
Hope that helps?
Paul
-
No, it won't, unless your GTM account is compromised.
-
Alan,
I would have to say they don't know what they are talking about. Mod_sec is in a sense like an IP blacklist: if no one ever changes it, it is pretty ineffective in terms of security. I would imagine that InMotion is running a configuration that they have been running for 5 years with no updates. Mod_sec is an old module, and there really was a time when it was more useful, but Apache and PHP have been updated to be pretty secure by themselves.
On another note, I develop pretty much exclusively in Prestashop and Prestashop is a partner with InMotion Hosting. Inside Prestashop is a method to disable mod_sec that runs on InMotion's servers. They don't seem to have an issue with that. Here is a screenshot of it: http://screencast.com/t/gDqO9a8axf
I would think you can safely disable it, but at the same time I would still install a WordPress security plugin just to keep WordPress safe; it has a lot of security holes.
-
Thanks for your response, Lesley!!
Not worried about my password being hacked but very concerned about disabling Mod Security, as both my developer and the hosting company have told me that could cause major security risks.
At the same time I have not seen any documentation about sites running GTM ever getting hacked. Our site runs on WordPress in a virtual server environment. Are you saying that disabling Mod Security in this environment is not going to increase risks of getting hacked in a major way? It is really strange, as tech support at InMotion Hosting strongly advised against disabling Mod Security. At the same time I would like the more advanced features available with GTM.
Thoughts??
Thanks, Alan
-
There is an inherent risk with everything you do. Putting a webpage up itself can put you at risk for being hacked. But as for GTM, the risk is very low, but the burden is all on your shoulders. If someone gains access to your GTM they can execute malicious code on your site, yes. But the only way they are going to gain access to the account is because of bad security practices by whoever has or sets the passwords. If you use a weak password, someone might guess it. Or if you use open, publicly accessible networks, someone can grab it that way. I would suggest turning two-factor identification on in your Gmail account and following good password practices. Don't use the same password for any other service, make a strong password, don't email the password to other people, things like that.
As for mod_sec, it is more of a problem in most cases than it is good for anymore, in my opinion. A lot of web applications need it totally disabled to run correctly, or major parts of it. Also, if no one is actively monitoring it and adding to it, it is pretty much useless.
Here is a great comic on setting your password to a strong one. http://xkcd.com/936/
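
An added example, not part of the thread and not any poster's or InMotion's configuration: the choice discussed above between turning ModSecurity off entirely and excluding only the one rule that blocks the GTM snippet, written for ModSecurity 2.x on Apache. The rule id `000000` is a placeholder (the thread never names the rule), and the `/wp-admin/` scope is an assumption about where the block occurs.

```apache
<IfModule security2_module>
    # Weak option: disables every ModSecurity rule for the whole site.
    # SecRuleEngine Off

    # Scoped option: keep the engine on for the site as a whole.
    SecRuleEngine On

    # Remove only the rule that rejects the GTM snippet, and only on the
    # path where it fires. Both values below are placeholders/assumptions:
    #   - 000000 stands for the rule id shown in the ModSecurity audit
    #     log entry written when the request is blocked.
    #   - ^/wp-admin/ assumes the block happens when the snippet is
    #     saved through the WordPress admin area.
    <LocationMatch "^/wp-admin/">
        SecRuleRemoveById 000000
    </LocationMatch>
</IfModule>
```

Every other rule stays active everywhere, and the excluded rule stays active on all paths outside the one named in `LocationMatch`.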