The Matomo (Piwik) team does its best to ensure that the Matomo source code is secure. We do this by:
- proactively rewarding scientists for finding bugs
- conducting and supporting external professional security reviews
- conducting code reviews on commits
However, these security steps are restricted to the Matomo software. Once you download and install Matomo, more factors come into play.
Tips that will help you keep your Matomo secure
There are a few things that you can easily change in your routine to make your data more secure. This page will specifically explain how to harden your Matomo installation. This will ensure that it is difficult for anyone to enter, modify or simply read unwanted data on your server. Please check that the person who installs Matomo and handles the web server has read the following guide and spent some time implementing some or all of these changes.
Here are a few tips to make your Matomo server more secure and analytics data safer:
- Install Matomo in a separate MySQL (or MariaDB) Database
By doing this you are making sure that if a hacker gains access to your CMS database, they won’t be able to access Matomo, and vice versa.
Make your database more secure.
Run the MySQL secure installation tool to improve the default security settings:
We recommend to answer Yes to all the security questions in order to protect the MySQL server and implement best practises. This also works for MariaDB.
- Use a New MySQL user and password for your Matomo DB
If you use the same user and password everywhere, you are making it easy for hackers to access your data.
Make sure the usernames and passwords are unique for each database, ensuring that SQL injection would only impact one product.
- Check your database server is not accessible from the Internet.
For optimal security, your database server should not be available from the Internet. Only Matomo web (app) servers should be able to connect to your DB servers.
- Always use Matomo over https://
Sensitive information in Matomo includes the login, password, and token_auth (used for API authentication). This information is regularly included in the responses from the Matomo server, and could be viewed by anyone seeing the traffic. Public or unencrypted Wi-fi networks are easy to spy on. The solution is relatively simple: if you really care about your security and want to make sure that nobody could access your password or API tokens, make sure you always connect to Matomo over https://
- Turn on automatic SSL redirection in your Matomo: see FAQ.
- Back up the complete MySQL Database and your
Back up the MySQL Database, and test to restore it to ensure your backups are working.
Also the config file is the file which holds the status of your Matomo install, including the MySQL password, so make sure you backup and handle it safely, like your database.
- Use the latest PHP, MySQL (or MariaDB), web server (Apache/Nginx), Operating System (Linux/Windows)
Performance and security updates are often released by these popular tools required by Matomo.
We highly recommend that you only use free software, for example Linux+Apache/Nginx and use the latest versions.
- If you use a Nginx webserver
We recommend to use the Matomo Nginx configuration to make sure access to your temporary Matomo files (
matomo/tmpfolder) is blocked.
- Subscribe to the Matomo changelog & keep Matomo up-to-date
When security issues are reported, we try to fix them as soon as possible and release a new version.
We highly recommend that you subscribe to the Changelog and keep your Matomo up-to-date (have you tried the one-click automatic upgrade?).
- Purchase and Download the Activity Log plugin
Keep an eye on everything that is happening on your Matomo platform with the Activity Log plugin, also known as audit log or audit trail. It allows Matomo Super Users to quickly review the actions performed by members of your organization or clients, and also lets every user review details of their own actions. This premium plugin was created by the makers of Matomo and is recommended for all businesses especially when more than one person is using Matomo.
- Use Two Factor Authentication
We strongly recommend you to use two-factor authentication for the safety of your account.
You can activate two-factor authentication by going to “Administration => Personal Settings”. When you set this up, make sure to backup your recovery codes (ideally in your encrypted password manager) in case you lose your mobile device or if you cannot access it anymore. A user with super user access can force every user to have two-factor authentication enabled. In this case, you might be forced to set up two-factor authentication and you won’t be able to disable it anymore.
- Make as few files and directories writable by your webserver as possible.
For Matomo to work best, we recommend giving your webserver write access to these files and directories within your Matomo root directory:
tmpdirectory. Only the
tmpdirectory is absolutely required. A few features might not work if you have only the
tmpdirectory writable. Once you have limited file permissions, you won’t be able to use the one-click updater through the UI anymore. Also it won’t be possible to install any plugin from the Marketplace through the UI. We therefore recommend you configure the setting
enable_auto_update = 0within the
[General]section of your
config/config.ini.phpfile. You can then instead update Matomo manually and install plugins manually.
- If your Matomo is behind a proxy then you may want to configure to read the last IP instead of the first IP from a proxy header see your FAQ installing Matomo behind a proxy.
List of best practices for the professional Matomo administrator
Here are our best practices for the professional Matomo administrator:
- Always use strong, complicated, new passwords
Using secure passwords for all of your Matomo users, all users with Super User access, and your Matomo MySQL database, are fundamental ways to boost your security.
Use the Strong Password Generator if you can’t come up with one on your own.
- Store passwords in an encrypted password manager
Using for example KeyPass you can manage your passwords on your computer, and even safely backup or synchronise the encrypted file online.
- Use SSH (or sFTP) rather than FTP
These days, it is easy to listen on wi-fi networks and sniff traffic. Make sure that all of your connections to the Matomo server are encrypted and nobody can see your logins or password.
If you must use FTP, do not store the password in your ftp software (which would be easy prey for malware already running on many Windows computers).
- Keep your own PC up-to-date
Always keep your own computer up to date, including the Flash plugin, your browser(s), and operating system.On a Windows computer, always use a virus checker to minimize the risk of malware. Do not use Acrobat Reader: it has had too many severe security holes in the past. Instead, use Sumatra PDF for example.
- Change Matomo settings to respect your Users Privacy
Check out our guide to Enable Privacy features in Matomo and learn more about data privacy for your website visitors’ data.
Use web server features to restrict access to a few files only, and restrict by IP address
If you use an Apache web server, it’s easy to use
.htaccessfiles to restrict access to Matomo to your IP addresses, or many more options. Check out the examples in the htaccess forum post.
When you restrict access to files, please note that you need to allow external access to the following files:
- and to the URL
index.php?module=CoreAdminHome&action=optOutand for the files
favicon.icoto make sure the opt-out iframe will work without password prompt.
- and to
js/container_*.jsfiles for Tag Manager to deliver the container files
- and to
plugins/HeatmapSessionRecording/configs.phpif you use Heatmaps or Session recordings
Restrict what Super Users can do. In case where you may not 100% trust the Super Users in your Matomo, you can restrict Super Users from doing high risk actions.
Enable the Matomo Security Plugin and Modify all Security Issues to green
In Matomo, click on the admin link Marketplace and then install the SecurityInfo plugin which will automatically test your Matomo server security and reports a list of security recommendations.
For example, it tests to make sure that the PHP and Matomo versions are the latest, that display_errors, magic_quotes_gpc are disabled, and many other tests.
We highly recommend that all Matomo administrators enable the SecurityInfo plugin, and then view the Administration > Security menu. You can update the server and PHP configurations to follow the recommendations and try to have all items in green.
In particular, check that you disabled the php setting ‘display_errors’ and instead log all errors in a error log file.
A final (optional) security tip: use Firefox for all your web browsing.
The best free software browser!
If you have any feedback or additions to this list, please let us know at security at piwik.org.
If your server does not have access to the Internet or you wish to disable all features that require Internet connection, check our FAQ How do I configure Matomo on a server without Internet?
Check also the page: Matomo Security program.
Happy & Secure Analytics!
PS: don’t forget to keep your Matomo up-to-date :)