Guide on how to secure a Piwik server

[matt]

In Piwik we focus a lot on security and aim to track and fix all potential code issues. But there are often other reasons that would let intruders in a system. It could be interesting to give a list of interesting resources or Must-have regarding securing a Piwik server.

I am thinking in particular tips such as:

• install Piwik in a new separate mysql db
• use a new mysql user and password
• make sure you use latest PHP, Mysql, Apache, OS
• use SSH rather than FTP
• If you must use FTP, do not store the password in your ftp software (easy prey for malwares)
• Always keep your own computer up to date, including Flash, Acrobat Reader, your browser, OS vulnerabilities
• Turn on SSL logins in your Piwik (better with a valid certificate on your Piwik domain)
• backup and test the restore
• use strong passwords

We could create a new section in the page: http://piwik.org/security/ with a simple list of items to do to make the Piwik server very secure.

Any feedback please comment!

[vipsoft]

• .htaccess protect the root piwik folder (but allow piwik.php and js/ for all)
• bootstrap.php to move .php files out of the public web folder
• encrypting mysql password (see DBObsecurity plugin)

[matt]

OK let's make this ticket a bullet point. I will then put it in a website page and link it from http://piwik.org/security/

Have you got any other suggestion Anthon?

[vipsoft]

The rest of my ideas will be implemented in code. ;)

[matt]

I have updated the Piwik security page to make it more clear.

Create the new guide How to secure a Piwik server? and have put the few tips we had.

Have linked the page from the Optimize and secure section of the docs.

Any feedback please edit the page directly (vipsoft) or please put feedback here and I'll modify the page!