Matomo 5.4.0

What’s new in Matomo 5.4.0

Matomo 5.4.0, our latest minor release, delivers a range of improvements focused on security, data archiving, and user experience, as well as general bug fixes.

Release Highlights

Security enhancements: For stronger protection and smarter safeguards

This release introduces several security enhancements to strengthen account security.

1. Superusers now have the option to enforce strong password requirements across all accounts to improve user account security. When enabled, users will need to follow industry-standard complexity rules when creating or updating their password. Existing passwords that do not meet the new rules will continue to work until changed. Read more about How to enforce strong passwords for all users in Matomo.
   
2. Additional protections against password reuse, automatic clearing of inactive password fields, inactivity notifications for superusers, and safer password reset messages further strengthen account security.
3. Token authentication has also been improved with new expiry and notification features. Users can now define a custom expiry date when creating a personal auth token, and a scheduled task will notify them by email before their tokens expire.

Matomo user interface updates: clearer choices for a quicker start

1. The Add New Measurable modal now features rich, descriptive cards that make it easier to choose the right option.
   
2. The Matomo login screen and dashboard have been updated with a cleaner design, refined icons and buttons, and consistent tooltips.

Update Matomo to the latest release

Database upgrade

This release does not contain any major database upgrade.

Need help upgrading Matomo?

Read the Updating Matomo user guide or for more help we offer paid support plans.

After you update

• Please help us spread the word! Maybe you can write about the project on your blog, website, social media, get involved with MatomoCamp or let your friends and colleagues know what is Matomo. Already 1,000,000+ websites are keeping full control of their web analytics with Matomo!
• Use the forums if you have any question or feedback (free support),
  or purchase a Support Plan to get professional support and guidance.
• To improve Matomo in your language consider contributing to translations.
• You can also support our efforts by purchasing valuable Premium Features for Matomo or try our Matomo Cloud solution.

Tickets closed in Matomo 5.4.0

Privacy and Security

• #19961, #23400: Superusers can enforce strong password requirements to improve account security and reduce the risk of brute-force attacks. [by @michalkleiner, @nathangavin]
• #23356: Password input fields now automatically clear after 10 minutes of inactivity by default, reducing the risk of leaving sensitive data exposed. Developers can configure the timeout per field instance if needed. [by @michalkleiner, @caddoo]
• #19839, #23294: Users are prevented from using their current password to set a new password. [by @sgiehl, @nathangavin]
• #23425, #20102: A new scheduled task notifies superusers of accounts inactive for 180 days, and improvements to the password reset process prevent user enumeration by standardising error messages. [by @michalkleiner]
• #13654, #23320: Improved the password reset process to prevent possible user enumeration. [by @caddoo, @michalkleiner]
• #23330: Improved usability by adding automatic focus to password confirmation fields. [by @michalkleiner, @sgiehl]
• #20677, #23335: The API now supports passing authentication tokens via the standard Authorization: Bearer token HTTP header. [by @sgiehl, @caddoo]
• #23354: Token authentication has been improved with new expiry and notification features. [by @michalkleiner, @caddoo, @nathangavin]
• #12278, #23321: Resolved an issue that could expose internal server IPs in redirect headers. [by @nathangavin, @mneudert]
• #19480, #23317: Replaced ssl:// with tls:// in HTTP connections to strengthen security. [by @sgiehl, @michalkleiner]
• #23318: Migration details during core updates are now protected by a token, ensuring only the user performing the update (or someone with the token) can view them. [by @mneudert, @sgiehl]
• #23324: Improved security by hiding sensitive parameters from stack traces on PHP 8.2+. [by @sgiehl]
• #23304: Matomo now logs a warning for insecure HTTP requests when force_ssl is active. [by @sgiehl]
• #3620, #23372: Error and exception handling has been restructured to improve security and clarity. Stack traces are now only shown when explicitly enabled or in development mode, file system paths to the Matomo root are redacted, and sensitive values are removed from exception messages. The error page shown for unsupported PHP versions or missing Composer has also been improved. [by @sgiehl, @michalkleiner]
• #23352: Improved security by redacting SMTP credentials from logs and error traces. [by @sgiehl, @mneudert]
• #23385: Password confirmation fields now support custom IDs, avoiding duplicate IDs when multiple password forms appear on the same page and improving accessibility. [by @michalkleiner, @sgiehl]
• #23503: Updated the opt-out form to use event listeners instead of inline onclick attributes, improving compatibility with stricter Content Security Policies. [by @heikojansen, @michalkleiner, @mneudert]

Reporting

• #23451: Requesting row evolution for flattened Page URL reports is now automatically redirected to subtable row evolution to avoid excessive memory usage. [by @sgiehl, @caddoo]
• #23505, #23506: The Hits metric is now available in the evolution graph. [by @sgiehl, @mneudert]
• #21664, #23271: Goal reports now include a breakdown of conversions by individual social networks. [by @sgiehl]
• #23347: Added a new API parameter show_dimensions that allows multi-level reports to display each dimension in separate columns when using flat=1. [by @sgiehl, @caddoo]
• #23456: Introduced a new copy component that enables duplicating reports and other entities such as Heatmaps. This feature will be extended to additional report types in future releases. [by @snake14, @mneudert]
• #23299: The and string in the Goal overview top dimensions is now translatable, ensuring full localisation support. [by @sgiehl, @caddoo]
• #23291: Updated url_query_parameter_to_exclude_from_url to include LinkedIn clickID, preventing these parameters from appearing in Page URL reports. [by @AltamashShaikh, @sgiehl]
• #19060, #23315: Resolved low-risk issue where the configuration option for email reports now prevents showing the report owner’s username in the Reply-To header. [by @sgiehl, @michalkleiner]
• #23452, #23453: Include Campaign names in Transition reports when either referer_keyword or referer_name is NULL. [by @peterbo, @michalkleiner, @sgiehl]
• #23283, #23312: Fixed issue where ChatGPT visitors were showing in campaigns. [by @sgiehl, @michalkleiner]
• #23417, #23448: Fixed eCommerce Overview comparisons that were incorrect. [by @nathangavin, @michalkleiner]
• #23144: Remove token_auth from image graph urls in API response. [by @sgiehl]

Performance and Archiving

• #22450, #23421: New maintenance task added to clean up broken archives and keep database storage healthy. [by @nathangavin, @michalkleiner]
• #23408: Fix invalidation processing for report specific archives for periods including today. [by @sgiehl, @michalkleiner]
• #23309: Respect ts_archived when purging ERROR/ERROR_INVALIDATED archives [by @mneudert, @caddoo, @sgiehl]
• #23413: Ensure partial archives are marked correctly. [by @sgiehl, @nathangavin]
• #23412: Metrics with zero values are now stored consistently, improving archive completeness and ensuring exports include all metrics. [by @sgiehl, @caddoo]

Measurables (Websites)

• #23277: Update styling and structure of the Create Measurable modal. [by @spludlow, @michalkleiner, @sgiehl]
• #23488: Allow legacy/bc timezones when creating sites (through API). [by @sgiehl]
• #23422: Allow filtering out sites by site types and allow selecting only sites for which the user has at least write access. [by @snake14, @sgiehl]

Matomo User Interface

• #23496: Prevent rendering admin area when screen height or with is below 200px. [by @sgiehl]
• #23264: Improve UI login screen. [by @james-hill-matomo, @sgiehl]
• #23274: Refined dashboard top bar with new icons and consistent tooltips. [by @spludlow, @sgiehl]
• #23279: Adds code to accept editURL parameter in ContentBlock.vue to link the title. [by @AltamashShaikh, @mneudert]

Customisation

• #17451, #23268: Logo and favicon updates now only apply after saving, as expected. [by @michalkleiner, @caddoo]

Compatibility and Requirements

• #23429: Matomo shows a warning when the database version in use has reached end of life. This works for both MySQL and MariaDB, which now follow different versioning. [by @sgiehl, @michalkleiner, @nathangavin]
• #23410: Remove CASE/WHEN around aggregate function in favour of a simple boolean expression. [by @michalkleiner, @mneudert]
• #23220: Drop Flattr as a donation link option. [by @williamdes, @sgiehl]
• #23261: Tweak regex for host checks. [by @michalkleiner, @mneudert]
• #23281: API responses using format=original now consistently return the Content-Type: text/plain header instead of text/html. [by @sgiehl, @caddoo]
• #23336: Fix creation of MySQL optimizer hint comments for multiple hints. [by @mneudert, @sgiehl]

Matomo Tag Manager (MTM)

• #929, #1010: Add description for the History Change Trigger in Matomo Tag Manager. [by @AltamashShaikh, @snake14]
• #989, #1019: Removed Save button from custom templates if a user does not have access to edit custom templates. [by @AltamashShaikh]
• #1011, #852: The headers for Container Components, Tags, Triggers, Variables, and Versions are now clickable, allowing quick access to each section. [by @AltamashShaikh, @snake14]
• #1017: Adds the tooltip directive to the ContainerSelector to align with upcoming changes that standardise tooltip behaviour across dashboard headers. [by @spludlow, @snake14]