Guide on how to secure a Piwik server #2790

Closed
mattab opened this issue Nov 22, 2011 · 4 comments
Labels
Bug For errors / faults / flaws / inconsistencies etc.
@mattab
Member

mattab commented Nov 22, 2011

In Piwik we focus a lot on security and aim to track and fix all potential code issues. But there are often other reasons that would let intruders into a system. It could be interesting to give a list of interesting resources or must-haves regarding securing a Piwik server.

I am thinking in particular of tips such as:

  • install Piwik in a new separate MySQL db
  • use a new MySQL user and password
  • make sure you use the latest PHP, MySQL, Apache, OS
  • use SSH rather than FTP
  • If you must use FTP, do not store the password in your FTP software (easy prey for malware)
  • Always keep your own computer up to date, including Flash, Acrobat Reader, your browser, OS vulnerabilities
  • Turn on SSL logins in your Piwik (better with a valid certificate on your Piwik domain)
  • back up and test the restore
  • use strong passwords

We could create a new section in the page: http://piwik.org/security/
with a simple list of items to do to make the Piwik server very secure.

Any feedback, please comment!

@robocoder
Contributor

  • .htaccess protect the root piwik folder (but allow piwik.php and js/ for all)
  • bootstrap.php to move .php files out of the public web folder
  • encrypting MySQL password (see DBObsecurity plugin)
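
One way to express the first tip in the list above as Apache configuration. This is an added example, not part of the original comment and not Piwik's own configuration; it assumes Apache 2.4 with `AllowOverride AuthConfig` enabled for the Piwik directory, and the `203.0.113.0/24` admin range is a constructed placeholder.

```apache
# --- piwik/.htaccess (root of the Piwik install) ---
# Default for everything under the Piwik folder: only the admin
# network may reach the UI and API.
# 203.0.113.0/24 is a constructed placeholder, replace with your own range.
Require ip 203.0.113.0/24

# The tracker endpoint must stay reachable from every visitor's browser.
# <Files> sections are merged after the directory-level rule, so this
# replaces the restriction above for piwik.php only.
<Files "piwik.php">
    Require all granted
</Files>

# --- piwik/js/.htaccess ---
# The tip says js/ must stay open to all. With the default
# "AuthMerging Off", this directive replaces the restriction
# inherited from the parent directory.
Require all granted
```

To check the result, request `index.php` and `piwik.php` from an address outside the admin range: the first should return 403 and the second should still respond.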

@mattab
Member Author

mattab commented Jan 26, 2012

OK let's make this ticket a bullet point. I will then put it in a website page and link it from http://piwik.org/security/

Have you got any other suggestions, Anthon?

@robocoder
Contributor

The rest of my ideas will be implemented in code. ;)

@mattab
Member Author

mattab commented Jan 27, 2012

I have updated the Piwik security page to make it more clear.

Created the new guide "How to secure a Piwik server?" and have put in the few tips we had.

Have linked the page from the "Optimize and secure" section of the docs.

Any feedback, please edit the page directly (vipsoft) or please put feedback here and I'll modify the page!

@mattab mattab added this to the 1.7 Piwik 1.7 milestone Jul 8, 2014
This issue was closed.