Does Installing Google Tag Manager Compromise Server Security?
-
Greetings MOZ community!!!
Both my hosting company and developer have told me that in order to install Google Tag Manager it is necessary to disable the rule securing against malicious i-frame attacks in Mod Security and that this would leave the site (we operate on a virtual private server and our hosting company is InMotion Hosting) extremely vulnerable to attack.
I can't believe that Google would write code that could allow potential security issues? Is this true?
Does anyone know of a way to install GTM while maintaining site security?
What functionality will we lose if we choose to stick with the old version of Google Analytics rather than upgrade?
Thanks everyone!!!
Alan -
And to be clear - you CAN run the newer Universal version of Google Analytics without needing to use Tag Manager. There are some management advantages to running Analytics from within Tag Manager, especially if you are managing a large number of other tracking tools in it as well, but it is not required in order to run Universal.
If you want a terrific Analytics plugin for WordPress that handles Universal really well, have a look at Google Analyticator. It also allows easy implementation of event tracking, and you can even customise the snippet manually for additional capabilities if you wish. (I always add config to track pagespeed for 100% of pageviews, for example).
Hope that helps?
Paul
-
No, it won't, unless your GTM account is compromised.
-
Alan,
I would have to say they don't know what they are talking about. Mod_sec is in a sense like an IP blacklist: if no one ever changes it, it is pretty ineffective in terms of security. I would imagine that InMotion is running a configuration that they have been running for 5 years with no updates. Mod_sec is an old module, and there really was a time when it was more useful, but Apache and PHP have been updated to be pretty secure by themselves.
On another note, I develop pretty much exclusively in Prestashop, and Prestashop is a partner with InMotion Hosting. Inside Prestashop is a method to disable mod_sec that runs on InMotion's servers. They don't seem to have an issue with that. Here is a screenshot of it: http://screencast.com/t/gDqO9a8axf
I would think you can safely disable it, but at the same time I would still install a WordPress security plugin just to keep WordPress safe; it has a lot of security holes.
-
Thanks for your response, Lesley!!
Not worried about my password being hacked, but very concerned about disabling Mod Security, as both my developer and the hosting company have told me that could cause major security risks.
At the same time I have not seen any documentation about sites running GTM ever getting hacked. Our site runs on WordPress in a virtual server environment. Are you saying that disabling Mod Security in this environment is not going to increase risks of getting hacked in a major way? It is really strange, as tech support at InMotion Hosting strongly advised against disabling Mod Security. At the same time I would like the more advanced features available with GTM.
Thoughts??
Thanks, Alan
-
There is an inherent risk with everything you do. Putting a webpage up itself can put you at risk for being hacked. But as for GTM, the risk is very low, but the burden is all on your shoulders. If someone gains access to your GTM they can execute malicious code on your site, yes. But the only way they are going to gain access to the account is because of bad security practices by whoever has or sets the passwords. If you use a weak password, someone might guess it. Or if you use open publicly accessible networks, someone can grab it that way. I would suggest turning two-factor identification on in your Gmail account and following good password practices. Don't use the same password for any other service, make a strong password, don't email the password to other people, things like that.
As for mod_sec, it is more of a problem for most cases than it is good for anymore, in my opinion. A lot of web applications need it totally disabled to run correctly, or major parts of it. Also, if no one is actively monitoring it and adding to it, it is pretty much useless.
Here is a great comic on setting your password to a strong one. http://xkcd.com/936/
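Added example, not part of the original thread or any poster's code: the question above is whether GTM can be installed without turning Mod Security off entirely, and one way to approach that is to read the ModSecurity denials from the Apache error log, see which rule id fires on which path, and exclude only that rule for only that path with `SecRuleRemoveById`. The log lines, rule ids, hostname and paths below are constructed, and the layout assumed is the one ModSecurity 2.x writes to the Apache error log.

```python
import re
from collections import Counter

# Constructed sample in the ModSecurity 2.x / Apache error-log layout.
# Rule ids (10001, 10002), hostname and paths are invented for this example.
SAMPLE_LOG = '''\
[Tue Mar 03 10:15:02 2015] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<iframe" at ARGS:content. [file "/etc/modsec/local.conf"] [line "41"] [id "10001"] [msg "Constructed: iframe in request body"] [hostname "www.example.com"] [uri "/wp-admin/post.php"] [unique_id "AAAA"]
[Tue Mar 03 10:16:40 2015] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<iframe" at ARGS:content. [file "/etc/modsec/local.conf"] [line "41"] [id "10001"] [msg "Constructed: iframe in request body"] [hostname "www.example.com"] [uri "/wp-admin/post.php"] [unique_id "AAAB"]
[Tue Mar 03 10:20:11 2015] [error] [client 198.51.100.9] ModSecurity: Access denied with code 403 (phase 2). Pattern match "union select" at ARGS:q. [file "/etc/modsec/local.conf"] [line "77"] [id "10002"] [msg "Constructed: SQL keyword in parameter"] [hostname "www.example.com"] [uri "/xmlrpc.php"] [unique_id "AAAC"]
[Tue Mar 03 10:21:00 2015] [error] [client 198.51.100.9] File does not exist: /var/www/favicon.ico
'''

# Matches the [key "value"] tags ModSecurity appends to each message.
TAG = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def parse_denials(log_text):
    """Return one dict of tags per ModSecurity 'Access denied' line."""
    events = []
    for line in log_text.splitlines():
        if "ModSecurity:" not in line or "Access denied" not in line:
            continue
        tags = dict(TAG.findall(line))
        if "id" in tags and "uri" in tags:
            events.append(tags)
    return events

def rules_by_uri(events):
    """Count denials per (rule id, path) so an exclusion can be scoped."""
    return Counter((e["id"], e["uri"]) for e in events)

def scoped_exclusion(rule_id, uri):
    """Render an Apache fragment that drops one rule for one path only."""
    return (f'<LocationMatch "^{re.escape(uri)}$">\n'
            f'    SecRuleRemoveById {rule_id}\n'
            f'</LocationMatch>')

if __name__ == "__main__":
    counts = rules_by_uri(parse_denials(SAMPLE_LOG))
    for (rule_id, uri), n in counts.most_common():
        print(f"rule {rule_id} denied {n} request(s) to {uri}")
    # Only the rule that blocks saving the GTM snippet is excluded;
    # every other rule, including 10002 here, stays active.
    print(scoped_exclusion("10001", "/wp-admin/post.php"))
```

The exclusion applies to the admin path where the snippet is saved, so the rule keeps running on every other request.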