Guide on how to secure a Piwik server #2790

mattab opened this Issue Nov 22, 2011 · 4 comments

2 participants

Piwik Open Source Analytics member

In Piwik we focus a lot on security and aim to track and fix all potential code issues. But there are often other reasons that would let intruders in a system. It could be interesting to give a list of interesting resources or Must-have regarding securing a Piwik server.

I am thinking in particular tips such as:

  • install Piwik in a new separate mysql db
  • use a new mysql user and password
  • make sure you use latest PHP, Mysql, Apache, OS
  • use SSH rather than FTP
  • If you must use FTP, do not store the password in your ftp software (easy prey for malwares)
  • Always keep your own computer up to date, including Flash, Acrobat Reader, your browser, OS vulnerabilities
  • Turn on SSL logins in your Piwik (better with a valid certificate on your Piwik domain)
  • backup and test the restore
  • use strong passwords

We could create a new section in the page:
with a simple list of items to do to make the Piwik server very secure.

Any feedback please comment!

  • .htaccess protect the root piwik folder (but allow piwik.php and js/ for all)
  • bootstrap.php to move .php files out of the public web folder
  • encrypting mysql password (see DBObsecurity plugin)
Piwik Open Source Analytics member

OK let's make this ticket a bullet point. I will then put it in a website page and link it from

Have you got any other suggestion Anthon?


The rest of my ideas will be implemented in code. ;)

Piwik Open Source Analytics member

I have updated the Piwik security page to make it more clear.

Create the new guide How to secure a Piwik server? and have put the few tips we had.

Have linked the page from the Optimize and secure section of the docs.

Any feedback please edit the page directly (vipsoft) or please put feedback here and I'll modify the page!

@mattab mattab added this to the 1.7 Piwik 1.7 milestone Jul 8, 2014
This issue was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment