Manage secure access to the Matomo Installer

From Matomo 5.2.0, we introduced a significant improvement to the on-premise installation process to ensure your setup remains secure. To enhance security and prevent unauthorised access, the installer now records a timestamp upon first access, creating a time-limited installation window of 72 hours. For flexibility, authorised users can manually reset this window if needed by following the instructions below. Write-access to the config file is a prerequisite for the installer to run the installation process.

Note: The installer relies on Unix time. If your server’s clock is incorrect, it may block the installer prematurely. Ensure your server time is synchronised with a reliable time source.

How does the installer timestamp mechanism work?

First Access
When the Matomo installer is accessed for the first time, the installation timestamp is written to the config.ini.php file.

Access Validation
On subsequent access attempts, the installer compares the current timestamp with the recorded one.

Blocking Access
If more than 3 days (72 hours) have passed since the first access, the installer prevents further access and displays a blocking access message.

Resetting the Installation
This mechanism is an integral part of Matomo’s installation security process and it cannot be disabled. However, you can remove the timestamp manually from the config.ini.php file to reset the installation process.

Reset the installer after being blocked

To maintain security and prevent unauthorised access, the installer does not automatically remove the timestamp. Manual intervention ensures that resetting the process is an intentional action by an authorised user.

  1. To reset the installer, open the config.ini.php file in your Matomo installation directory using a text editor.
  2. Locate the line containing the installation_first_accessed timestamp and remove it.
  3. Save the file and refresh the page to continue the installation process.

Edit the configuration file

Editing the config file file requires basic knowledge of text editing. If you’re unsure, contact your system administrator or follow these steps:

  1. Navigate to the Matomo installation directory on your server.
  2. Open the config.ini.php file using a text editor.
  3. Carefully remove the line with the timestamp, ensuring not to change anything else and save your changes.

By limiting access to the installer after the initial setup, it prevents unauthorised installations while still allowing flexibility through manual resets. To avoid any potential issues, verify your server clock is correctly synchronised and that the config.ini.php file has write permissions.

If you encounter issues, the reset process is straightforward and ensures you remain in control of your Matomo setup.

Previous FAQ: Is there a Video that explains how to Install Matomo?