Does Installing Google Tag Manager Compromise Server Security?
-
Greetings MOZ community!!!
Both my hosting company and developer have told me that in order to install Google Tag Manager it is necessary to disable the rule securing against malicious i-frame attacks in Mod Security and that this would leave the site (we operate on a virtual private server and our hosting company is InMotion Hosting) extremely vulnerable to attack.
I can't believe that Google would write code that could allow potential security issues? Is this true?
Does anyone know of a way to install GTM while maintaining site security?
What functionality will we lose if we choose to stick with the old version of Google Analytics rather than upgrade?
Thanks everyone!!!
Alan -
And to be clear - you CAN run the newer Universal version of Google Analytics without needing to use Tag Manager. There are some management advantages to running Analytics from within Tag Manager, especially if you are managing a large number of other tracking tools in it as well, but it is not required in order to run Universal.
If you want a terrific Analytics plugin for WordPress that handles Universal really well, have a look at Google Analyticator. It also allows easy implementation of event tracking, and you can even customise the snippet manually for additional capabilities if you wish. (I always add config to track pagespeed for 100% of pageviews, for example).
Hope that helps?
Paul
-
No, it won't, unless your GTM account is compromised.
-
Alan,
I would have to say they don't know what they are talking about. Mod_sec is in a sense like an IP blacklist: if no one ever changes it, it is pretty ineffective in terms of security. I would imagine that InMotion is running a configuration that they have been running for 5 years with no updates. Mod_sec is an old module, and there really was a time when it was more useful, but Apache and PHP have been updated to be pretty secure by themselves.
On another note, I develop pretty much exclusively in Prestashop, and Prestashop is a partner with InMotion Hosting. Inside Prestashop is a method to disable mod_sec that runs on InMotion's servers. They don't seem to have an issue with that. Here is a screenshot of it: http://screencast.com/t/gDqO9a8axf
I would think you can safely disable it, but at the same time I would still install a WordPress security plugin just to keep WordPress safe; it has a lot of security holes.
-
Thanks for your response, Lesley!!
Not worried about my password being hacked but very concerned about disabling Mod Security, as both my developer and the hosting company have told me that could cause major security risks.
At the same time I have not seen any documentation about sites running GTM ever getting hacked. Our site runs on WordPress in a virtual server environment. Are you saying that disabling Mod Security in this environment is not going to increase risks of getting hacked in a major way? It is really strange, as tech support at InMotion Hosting strongly advised against disabling Mod Security. At the same time I would like the more advanced features available with GTM.
Thoughts??
Thanks, Alan
-
There is an inherent risk with everything you do. Putting a webpage up itself can put you at risk for being hacked. But as for GTM, the risk is very low, but the burden is all on your shoulders. If someone gains access to your GTM they can execute malicious code on your site, yes. But the only way they are going to gain access to the account is because of bad security practices by whoever has or sets the passwords. If you use a weak password, someone might be able to guess it. Or if you use open publicly accessible networks, someone can grab it that way. I would suggest turning two factor identification on in your Gmail account and following good password practices. Don't use the same password for any other service, make a strong password, don't email the password to other people, things like that.
As for mod_sec, it is more of a problem for most cases than it is good for anymore, in my opinion. A lot of web applications need it totally disabled to run correctly, or major parts of it. Also, if no one is actively monitoring it and adding to it, it is pretty much useless.
Here is a great comic on setting your password to a strong one. http://xkcd.com/936/
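Added example, not part of the thread or of any participant's post: one way to find which single ModSecurity rule is blocking a request and exclude only that rule on only that path, instead of turning the whole engine off. It assumes ModSecurity 2.x logging to the Apache error log; the log lines, rule ids and the `/wp-admin/post.php` path are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the ModSecurity 2.x Apache error-log style; the rule
# ids, IPs, hostnames, paths and messages are made up for illustration.
SAMPLE_LOG = '''\
[Mon Mar 02 10:15:01 2015] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<iframe" at ARGS:content. [file "/etc/modsec/rules.conf"] [line "12"] [id "999001"] [msg "Possible iframe injection"] [hostname "www.example.com"] [uri "/wp-admin/post.php"] [unique_id "AAA1"]
[Mon Mar 02 10:16:40 2015] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<iframe" at ARGS:content. [file "/etc/modsec/rules.conf"] [line "12"] [id "999001"] [msg "Possible iframe injection"] [hostname "www.example.com"] [uri "/wp-admin/post.php"] [unique_id "AAA2"]
[Mon Mar 02 11:02:13 2015] [error] [client 198.51.100.9] ModSecurity: Access denied with code 403 (phase 2). Pattern match "select" at ARGS:q. [file "/etc/modsec/rules.conf"] [line "30"] [id "999002"] [msg "Constructed unrelated rule"] [hostname "www.example.com"] [uri "/search"] [unique_id "AAA3"]
[Mon Mar 02 11:05:00 2015] [error] [client 198.51.100.9] File does not exist: /var/www/favicon.ico
'''

# Matches the bracketed key/value fields, e.g. [id "999001"] or [uri "/x"].
FIELD = re.compile(r'\[(\w+) "([^"]*)"\]')

def parse_denials(log_text):
    """Return one dict of [key "value"] fields per 'Access denied' line."""
    return [dict(FIELD.findall(line))
            for line in log_text.splitlines()
            if "ModSecurity: Access denied" in line]

def blocking_rules(log_text, uri):
    """Count denials per rule id for one exact request path."""
    return Counter(e["id"] for e in parse_denials(log_text)
                   if e.get("uri") == uri and "id" in e)

def scoped_exclusion(rule_id, uri):
    """Apache + ModSecurity 2.x stanza that drops ONE rule under ONE path.
    It has to be loaded after the file that defines the rule."""
    if not rule_id.isdigit() or not re.fullmatch(r"/[\w./-]*", uri):
        raise ValueError("unexpected rule id or path")
    return ('<Location "%s">\n    SecRuleRemoveById %s\n</Location>'
            % (uri, rule_id))

if __name__ == "__main__":
    path = "/wp-admin/post.php"  # assumed path where the blocked request occurs
    for rule_id, hits in blocking_rules(SAMPLE_LOG, path).items():
        print("# rule %s blocked %d request(s) to %s" % (rule_id, hits, path))
        print(scoped_exclusion(rule_id, path))
```

Every other rule stays active on that path, and the excluded rule stays active everywhere else on the site.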