Skip to content


Subversion checkout URL

You can clone with
Download ZIP


Guide on how to secure a Piwik server #2790

mattab opened this Issue · 4 comments

2 participants


In Piwik we focus a lot on security and aim to track and fix all potential code issues. But there are often other reasons that would let intruders in a system. It could be interesting to give a list of interesting resources or Must-have regarding securing a Piwik server.

I am thinking in particular tips such as:

  • install Piwik in a new separate mysql db
  • use a new mysql user and password
  • make sure you use latest PHP, Mysql, Apache, OS
  • use SSH rather than FTP
  • If you must use FTP, do not store the password in your ftp software (easy prey for malwares)
  • Always keep your own computer up to date, including Flash, Acrobat Reader, your browser, OS vulnerabilities
  • Turn on SSL logins in your Piwik (better with a valid certificate on your Piwik domain)
  • backup and test the restore
  • use strong passwords

We could create a new section in the page:
with a simple list of items to do to make the Piwik server very secure.

Any feedback please comment!

  • .htaccess protect the root piwik folder (but allow piwik.php and js/ for all)
  • bootstrap.php to move .php files out of the public web folder
  • encrypting mysql password (see DBObsecurity plugin)

OK let's make this ticket a bullet point. I will then put it in a website page and link it from

Have you got any other suggestion Anthon?


The rest of my ideas will be implemented in code. ;)


I have updated the Piwik security page to make it more clear.

Create the new guide How to secure a Piwik server? and have put the few tips we had.

Have linked the page from the Optimize and secure section of the docs.

Any feedback please edit the page directly (vipsoft) or please put feedback here and I'll modify the page!

@mattab mattab added this to the 1.7 Piwik 1.7 milestone
This issue was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.