While Matomo Cloud implements backend and infrastructure security, as a Superuser, you can apply additional security measures at the user account and global level. Managing access and enforcing security policies can reduce the risk of unauthorised access and ensure you adhere to compliance requirements.

This guide outlines recommended steps for Superusers to strengthen the security of their Matomo Cloud instance using settings available through the user interface.

Manage secure user access

Managing user access securely ensures that only authorised individuals can view or modify data within your Matomo Cloud instance.

1. Enable Two-Factor Authentication (2FA)

It is strongly recommended to use two-factor authentication for the safety of your account.

  • To activate 2FA, go to Administration Settings Cog Icon > Personal > Security.
  • Click Turn on Two-Factor Authentication to enable.
  • When you set this up, make sure to back up your recovery codes (ideally in your encrypted password manager) in case you lose your mobile device or can no longer access it. Superusers with 2FA enabled can force all users to log in using a two-factor authentication method.

2. Enforce strong password requirements

Always use strong, complex passwords that have not been used elsewhere. Superusers can enforce strong password requirements to improve account security and reduce the risk of brute-force attacks. This can be manually enabled through an admin setting.

  • Go to Administration Settings Cog Icon > System > General settings > Login.
  • Enable the option Force strong passwords to be used, then click Save.

Note: Store passwords in an encrypted password manager. Using a password manager like KeePass helps with managing passwords while safely backing up or synchronising the encrypted file online. Read more on how to enforce strong password requirements.

3. Restrict allowed email domains

To allow only specific email domains when inviting users and for user login, you can add allowed email domains. This ensures that only users with email addresses from approved domains can access your Matomo instance:

  • Go to Administration Settings Cog Icon > System > General settings > Users Manager.
  • Add your organisation’s approved email domains to limit user invitations and logins to trusted domains.

4. Monitor inactive accounts

Superusers can enable monthly alerts to identify accounts inactive for more than 180 days.

  • Go to Administration Settings Cog Icon > System > General settings > Users Manager.
  • Enable the alerts for inactive users.
  • When you get the report, review and deactivate inactive users to reduce your security exposure.

Maintain secure account management

Effective account management and monitoring ensure that only authorised users retain the appropriate level of access to your Matomo Cloud instance.

1. Limit Superuser privileges

Superuser access grants full control over all sites, users, and settings. You should limit superuser access to a small number of trusted administrators.

  • Go to Administration Settings Cog Icon > System > Users.
  • Filter the list of users by access and select Superuser.
  • Review the list of all users with superuser access and modify access rights to limit the number of superusers.
  • Conduct periodic audits to confirm that all user roles (View, Write, Admin) match current responsibilities and downgrade access for users who have left the organisation or no longer need elevated privileges. It is recommended to document changes to maintain accountability and support compliance reporting.
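As an added example (not part of this guide or of Matomo itself), the following Python script audits an exported user list against the policies described in "Restrict allowed email domains", "Monitor inactive accounts" and "Limit Superuser privileges": accounts not seen for more than 180 days, logins whose email domain is outside the allowed set, and the number of superusers. The user records and their field names are constructed assumptions, not Matomo's API schema, and the superuser limit of 2 is an assumed organisational policy.

```python
from datetime import date

INACTIVE_DAYS = 180              # threshold used by the guide's inactive-user alerts
MAX_SUPERUSERS = 2               # organisational limit, an assumption for this example
ALLOWED_DOMAINS = {"example.com"}  # constructed allowed email domains

USERS = [  # constructed sample export; field names are assumptions, not Matomo's API schema
    {"login": "alice", "email": "alice@example.com",   "superuser": True,  "last_seen": "2024-05-01"},
    {"login": "bob",   "email": "bob@example.com",     "superuser": True,  "last_seen": "2023-01-15"},
    {"login": "carol", "email": "carol@example.com",   "superuser": False, "last_seen": "2024-04-20"},
    {"login": "dave",  "email": "dave@contractor.net", "superuser": True,  "last_seen": "2024-05-02"},
    {"login": "erin",  "email": "ERIN@Example.com",    "superuser": False, "last_seen": None},
]

def email_domain(email):
    """Lower-cased domain part of an address, or None if it is malformed."""
    if email.count("@") != 1:
        return None
    return email.rsplit("@", 1)[1].lower()

def inactive_logins(users, today, days=INACTIVE_DAYS):
    """Logins not seen for more than `days` before `today` (ISO date string).
    Accounts that have never logged in count as inactive."""
    ref = date.fromisoformat(today)
    result = []
    for u in users:
        if u["last_seen"] is None or (ref - date.fromisoformat(u["last_seen"])).days > days:
            result.append(u["login"])
    return result

def disallowed_domain_logins(users, allowed=ALLOWED_DOMAINS):
    """Logins whose email domain is not on the allow list (case-insensitive)."""
    return [u["login"] for u in users if email_domain(u["email"]) not in allowed]

def audit(users, today, max_superusers=MAX_SUPERUSERS):
    """Run all checks; an inactive superuser is the finding to act on first."""
    inactive = inactive_logins(users, today)
    superusers = [u["login"] for u in users if u["superuser"]]
    return {
        "inactive": inactive,
        "disallowed_domain": disallowed_domain_logins(users),
        "superusers": superusers,
        "too_many_superusers": len(superusers) > max_superusers,
        "inactive_superusers": sorted(set(superusers) & set(inactive)),
    }

if __name__ == "__main__":
    for finding, value in audit(USERS, "2024-05-10").items():
        print(f"{finding}: {value}")
```

Run it against a real export by replacing USERS with the records from your instance; the "inactive_superusers" list is the one to review immediately.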

2. Keep privacy features enabled

Matomo includes privacy settings that you can configure to safeguard visitor information and support your organisation’s data protection obligations. These controls help limit the collection and storage of identifiable data while maintaining the accuracy of your analytics.

  • Go to Administration Settings Cog Icon > Privacy > Anonymize data to review and configure your privacy options.
  • Check that features such as IP anonymisation and masking identifiable data are enabled as required. Regularly reviewing these settings helps ensure your tracking setup remains aligned with data protection policies. Refer to the Privacy Compliance and ePrivacy guides for more information on data processing and compliance.

3. Monitor using Diagnostic tools

Matomo provides several diagnostic tools to help you detect irregularities and maintain a secure environment. With regular monitoring, you can identify technical issues early and address potential security concerns before they affect data accuracy or access.

  • Go to Administration Settings Cog Icon > Diagnostic and select one of the options:
    • Tracking failures: displays a list of failed tracking requests, including details such as the page URL, tracking URL, site ID, and associated actions.
    • Activity log: records all administrative and user actions across the system. Use this log to verify legitimate changes and detect any unusual or unauthorised activity.
    • Brute force log: shows IP addresses that have been temporarily blocked due to repeated failed login attempts.
    • Device detection: displays information about the device currently used to access Matomo, including the user agent string, operating system, browser, and device type.

Securing your Matomo Cloud instance is an ongoing process that depends on consistent reviews and good governance. Applying and monitoring privacy and security measures helps ensure that your Matomo Cloud environment remains secure and compliant.