Skip to content


Subversion checkout URL

You can clone with
Download ZIP


New system check to warn that Piwik is not compatible with mod_security #3371

mattab opened this Issue · 2 comments

1 participant


Reported in: #2997, some work was done in the early days in #1460

  • Hostgator users need to contact their host to disable mod_security. Hundreds of piwik users have had to contact their hosts to disable mod_security.
  • There are several known issues with Piwik and mod_security!

I have found that almost all rules in modsecurity_crs_41_sql_injection_attacks.conf need 

for google adwords, google analytics  and piwik to work ok with mod_security.
Pattern match "\\%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:pattern. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "20"] [id "1234123440"] [msg "URL Encoding Abuse Attack Attempt"] [severity "WARNING"]
  U4n-qUIt@YIADWbyzkUAAAB1 35095 80

As a proposed solution to inform users of potential issues early:

  • Write a system check entry to check for mod_security and issue Warning if it is detected.

    • Suggest to user that it is OK to disable mod_security for Piwik app.
  • Maybe in this system check message we could also link to FAQ and this FAQ could list the rules to disable in the mod_security config. if some users reading here may contribute them?

See similar #5081


It's never going to happen I think!


Also reported here:,88617,page=1#msg-98619

In the custom rule file, add following lines:

# Allow Piwik queries
  SecRule REQUEST_FILENAME "^/path_to_your_piwik_dir/piwik\.php$" id:99998,log,phase:2,chain,allow
  SecRule ARGS_NAMES "^action_name$"

  SecRule REQUEST_FILENAME "^/path_to_your_piwik_dir/index\.php$" id:99999,log,phase:2,chain,allow
  SecRule ARGS_NAMES "^module$"

@mattab mattab removed the Major label
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.