The Matomo (Piwik) team does its best to ensure that the Matomo source code is secure. We do this by:
- proactively rewarding scientists for finding bugs
- conducting and supporting external professional security reviews
- conducting code reviews on commits
However, these security steps are restricted to the Matomo software. Once you download and install Matomo, more factors come into play.
Tips that will help you keep your Matomo secure
There are a few things that you can easily change in your routine to make your data more secure. This page will specifically explain how to harden your Matomo installation. This will ensure that it is difficult for anyone to enter, modify or simply read unwanted data on your server. Please check that the person who installs Matomo and handles the web server has read the following guide and spent some time implementing some or all of these changes.
Here are a few tips to make your Matomo server more secure and analytics data safer:
- Install Matomo in a separate MySQL Database
By doing this you are making sure that if a hacker gains access to your CMS database, they won’t be able to access Matomo, and vice versa.
- Use a New MySQL user and password for your Matomo DB
If you use the same user and password everywhere, you are making it easy for hackers to access your data.
Make sure the usernames and passwords are unique for each database, ensuring that SQL injection would only impact one product.
- Always use Matomo over https://
Sensitive information in Matomo includes the login, password, and token_auth (used for API authentication). This information is regularly included in the responses from the Matomo server, and could be viewed by anyone seeing the traffic. Public or unencrypted Wi-fi networks are easy to spy on. The solution is relatively simple: if you really care about your security and want to make sure that nobody could access your password or API tokens, make sure you always connect to Matomo over https://
- Turn on automatic SSL redirection in your Matomo: see FAQ.
- Back up your Matomo config/config.ini.php and the complete MySQL Database
Back up the config file and the MySQL Database, and make sure you test restoring it from the backup to ensure it is complete!
The config file is the file which holds the status of your Matomo install, including the MySQL password, so make sure you handle it safely.
- Use the latest PHP, MySQL, web server (Apache/Nginx), Operating System (Linux)
Performance and security updates are often released by these popular tools required by Matomo.
We highly recommend that you only use free software, for example Linux+Apache/Nginx and use the latest versions.
In case you are using Nginx, take a look at the Matomo Nginx configuration to make sure access to temporary files is blocked.
Often, you can also configure each piece of software to increase security e.g. enabling the firewall in your OS, using .htaccess in Apache, etc.
Subscribe to the Matomo changelog & keep Matomo up-to-date
When security issues are reported, we try to fix them as soon as possible and release a new version.
We highly recommend that you subscribe to the Changelog and keep your Matomo up-to-date (have you tried the one-click automatic upgrade?).
Purchase and Download the Activity Log plugin: Keep an eye on everything that is happening on your Matomo platform with the Activity Log plugin, also known as audit log or audit trail. It allows Matomo Super Users to quickly review the actions performed by members of your organization or clients, and also lets every user review details of their own actions. This premium plugin was created by the makers of Matomo and is recommended for all businesses especially when more than one person is using Matomo.
List of best practices for the professional Matomo administrator
Here are our best practices for the professional Matomo administrator:
- Always use strong, complicated, new passwords
Using secure passwords for all of your Matomo users, all users with Super User access, and your Matomo MySQL database, are fundamental ways to boost your security.
Use the Strong Password Generator if you can’t come up with one on your own.
- Use SSH (or sFTP) rather than FTP
These days, it is easy to listen on wi-fi networks and sniff traffic. Make sure that all of your connections to the Matomo server are encrypted and nobody can see your logins or password.
If you must use FTP, do not store the password in your ftp software (which would be easy prey for malware already running on many Windows computers).
- Keep your own PC up-to-date
Always keep your own computer up to date, including the Flash plugin, your browser(s), and operating system.On a Windows computer, always use a virus checker to minimize the risk of malware. Do not use Acrobat Reader: it has had too many severe security holes in the past. Instead, use Sumatra PDF.
- Change Matomo settings to respect your Users Privacy
Check out our guide to Enable Privacy features in Matomo and learn more about data privacy for your website visitors’ data.
Use .htaccess to restrict access to a few files only, and restrict by IP address
If you use an Apache web server, it’s easy to use .htaccess files to restrict access to Matomo to your IP address, or many more options. Check out the examples in the htaccess forum post.
When you restrict access to files, please note that you need to allow external access to the following files:
piwik.js, and also to the URL
index.php?module=CoreAdminHome&action=optOut(for the opt-out iframe).
Enable the Matomo Security Plugin and Modify all Security Issues to green
In Matomo, click on the admin link Marketplace and then install the SecurityInfo plugin which will automatically test your Matomo server security and reports a list of security recommendations.
For example, it tests to make sure that the PHP and Matomo versions are the latest, that display_errors, magic_quotes_gpc are disabled, and many other tests.
We highly recommend that all Matomo administrators enable the SecurityInfo plugin, and then view the Administration > Security menu. You can update the server and PHP configurations to follow the recommendations and try to have all items in green.
In particular, check that you disabled the php setting ‘display_errors’ and instead log all errors in a error log file.
A final (optional) security tip: use Firefox for all your web browsing.
The best free software browser!
If you have any feedback or additions to this list, please let us know at security at piwik.org.
If your server does not have access to the Internet or you wish to disable all features that require Internet connection, check our FAQ How do I configure Matomo on a server without Internet?
Happy & Secure Analytics!
PS: don’t forget to keep your Matomo up-to-date :)